diff options
author | David S. Miller <davem@davemloft.net> | 2010-02-16 14:15:13 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-02-16 14:15:13 -0500 |
commit | 749f621e20ab0db35a15ff730088922603c809ba (patch) | |
tree | 2684d12199b58f2b9e0c5b7e6cc0ea3f002e611a | |
parent | 339c6e99853d2ef1f02ad8a313e079050a300427 (diff) | |
parent | 3e5e524ffb5fcf2447eb5dd9f8e54ad22dd9baa7 (diff) |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
111 files changed, 2313 insertions, 1836 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 48c54960773c..70079454ffd0 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h | |||
@@ -114,15 +114,17 @@ struct nf_sockopt_ops { | |||
114 | int set_optmin; | 114 | int set_optmin; |
115 | int set_optmax; | 115 | int set_optmax; |
116 | int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); | 116 | int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); |
117 | #ifdef CONFIG_COMPAT | ||
117 | int (*compat_set)(struct sock *sk, int optval, | 118 | int (*compat_set)(struct sock *sk, int optval, |
118 | void __user *user, unsigned int len); | 119 | void __user *user, unsigned int len); |
119 | 120 | #endif | |
120 | int get_optmin; | 121 | int get_optmin; |
121 | int get_optmax; | 122 | int get_optmax; |
122 | int (*get)(struct sock *sk, int optval, void __user *user, int *len); | 123 | int (*get)(struct sock *sk, int optval, void __user *user, int *len); |
124 | #ifdef CONFIG_COMPAT | ||
123 | int (*compat_get)(struct sock *sk, int optval, | 125 | int (*compat_get)(struct sock *sk, int optval, |
124 | void __user *user, int *len); | 126 | void __user *user, int *len); |
125 | 127 | #endif | |
126 | /* Use the module struct to lock set/get code in place */ | 128 | /* Use the module struct to lock set/get code in place */ |
127 | struct module *owner; | 129 | struct module *owner; |
128 | }; | 130 | }; |
@@ -161,11 +163,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, | |||
161 | struct sk_buff *skb, | 163 | struct sk_buff *skb, |
162 | struct net_device *indev, | 164 | struct net_device *indev, |
163 | struct net_device *outdev, | 165 | struct net_device *outdev, |
164 | int (*okfn)(struct sk_buff *), int thresh, | 166 | int (*okfn)(struct sk_buff *), int thresh) |
165 | int cond) | ||
166 | { | 167 | { |
167 | if (!cond) | ||
168 | return 1; | ||
169 | #ifndef CONFIG_NETFILTER_DEBUG | 168 | #ifndef CONFIG_NETFILTER_DEBUG |
170 | if (list_empty(&nf_hooks[pf][hook])) | 169 | if (list_empty(&nf_hooks[pf][hook])) |
171 | return 1; | 170 | return 1; |
@@ -177,7 +176,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb, | |||
177 | struct net_device *indev, struct net_device *outdev, | 176 | struct net_device *indev, struct net_device *outdev, |
178 | int (*okfn)(struct sk_buff *)) | 177 | int (*okfn)(struct sk_buff *)) |
179 | { | 178 | { |
180 | return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1); | 179 | return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN); |
181 | } | 180 | } |
182 | 181 | ||
183 | /* Activate hook; either okfn or kfree_skb called, unless a hook | 182 | /* Activate hook; either okfn or kfree_skb called, unless a hook |
@@ -197,36 +196,48 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb, | |||
197 | coders :) | 196 | coders :) |
198 | */ | 197 | */ |
199 | 198 | ||
200 | /* This is gross, but inline doesn't cut it for avoiding the function | 199 | static inline int |
201 | call in fast path: gcc doesn't inline (needs value tracking?). --RR */ | 200 | NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sk_buff *skb, |
202 | 201 | struct net_device *in, struct net_device *out, | |
203 | /* HX: It's slightly less gross now. */ | 202 | int (*okfn)(struct sk_buff *), int thresh) |
204 | 203 | { | |
205 | #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \ | 204 | int ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, thresh); |
206 | ({int __ret; \ | 205 | if (ret == 1) |
207 | if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh, 1)) == 1)\ | 206 | ret = okfn(skb); |
208 | __ret = (okfn)(skb); \ | 207 | return ret; |
209 | __ret;}) | 208 | } |
210 | 209 | ||
211 | #define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \ | 210 | static inline int |
212 | ({int __ret; \ | 211 | NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb, |
213 | if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\ | 212 | struct net_device *in, struct net_device *out, |
214 | __ret = (okfn)(skb); \ | 213 | int (*okfn)(struct sk_buff *), bool cond) |
215 | __ret;}) | 214 | { |
215 | int ret = 1; | ||
216 | if (cond || | ||
217 | (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1)) | ||
218 | ret = okfn(skb); | ||
219 | return ret; | ||
220 | } | ||
216 | 221 | ||
217 | #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \ | 222 | static inline int |
218 | NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN) | 223 | NF_HOOK(uint8_t pf, unsigned int hook, struct sk_buff *skb, |
224 | struct net_device *in, struct net_device *out, | ||
225 | int (*okfn)(struct sk_buff *)) | ||
226 | { | ||
227 | return NF_HOOK_THRESH(pf, hook, skb, in, out, okfn, INT_MIN); | ||
228 | } | ||
219 | 229 | ||
220 | /* Call setsockopt() */ | 230 | /* Call setsockopt() */ |
221 | int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, | 231 | int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, |
222 | unsigned int len); | 232 | unsigned int len); |
223 | int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, | 233 | int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, |
224 | int *len); | 234 | int *len); |
225 | 235 | #ifdef CONFIG_COMPAT | |
226 | int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, | 236 | int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, |
227 | char __user *opt, unsigned int len); | 237 | char __user *opt, unsigned int len); |
228 | int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, | 238 | int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, |
229 | char __user *opt, int *len); | 239 | char __user *opt, int *len); |
240 | #endif | ||
230 | 241 | ||
231 | /* Call this before modifying an existing packet: ensures it is | 242 | /* Call this before modifying an existing packet: ensures it is |
232 | modifiable and linear to the point you care about (writable_len). | 243 | modifiable and linear to the point you care about (writable_len). |
@@ -325,8 +336,7 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, | |||
325 | struct sk_buff *skb, | 336 | struct sk_buff *skb, |
326 | struct net_device *indev, | 337 | struct net_device *indev, |
327 | struct net_device *outdev, | 338 | struct net_device *outdev, |
328 | int (*okfn)(struct sk_buff *), int thresh, | 339 | int (*okfn)(struct sk_buff *), int thresh) |
329 | int cond) | ||
330 | { | 340 | { |
331 | return okfn(skb); | 341 | return okfn(skb); |
332 | } | 342 | } |
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index 2aea50399c0b..a5a63e41b8af 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild | |||
@@ -6,6 +6,7 @@ header-y += nfnetlink_queue.h | |||
6 | header-y += xt_CLASSIFY.h | 6 | header-y += xt_CLASSIFY.h |
7 | header-y += xt_CONNMARK.h | 7 | header-y += xt_CONNMARK.h |
8 | header-y += xt_CONNSECMARK.h | 8 | header-y += xt_CONNSECMARK.h |
9 | header-y += xt_CT.h | ||
9 | header-y += xt_DSCP.h | 10 | header-y += xt_DSCP.h |
10 | header-y += xt_LED.h | 11 | header-y += xt_LED.h |
11 | header-y += xt_MARK.h | 12 | header-y += xt_MARK.h |
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index a374787ed9b0..c608677dda60 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h | |||
@@ -72,6 +72,28 @@ enum ip_conntrack_status { | |||
72 | /* Connection has fixed timeout. */ | 72 | /* Connection has fixed timeout. */ |
73 | IPS_FIXED_TIMEOUT_BIT = 10, | 73 | IPS_FIXED_TIMEOUT_BIT = 10, |
74 | IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), | 74 | IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), |
75 | |||
76 | /* Conntrack is a template */ | ||
77 | IPS_TEMPLATE_BIT = 11, | ||
78 | IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), | ||
79 | }; | ||
80 | |||
81 | /* Connection tracking event types */ | ||
82 | enum ip_conntrack_events { | ||
83 | IPCT_NEW, /* new conntrack */ | ||
84 | IPCT_RELATED, /* related conntrack */ | ||
85 | IPCT_DESTROY, /* destroyed conntrack */ | ||
86 | IPCT_REPLY, /* connection has seen two-way traffic */ | ||
87 | IPCT_ASSURED, /* connection status has changed to assured */ | ||
88 | IPCT_PROTOINFO, /* protocol information has changed */ | ||
89 | IPCT_HELPER, /* new helper has been set */ | ||
90 | IPCT_MARK, /* new mark has been set */ | ||
91 | IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ | ||
92 | IPCT_SECMARK, /* new security mark has been set */ | ||
93 | }; | ||
94 | |||
95 | enum ip_conntrack_expect_events { | ||
96 | IPEXP_NEW, /* new expectation */ | ||
75 | }; | 97 | }; |
76 | 98 | ||
77 | #ifdef __KERNEL__ | 99 | #ifdef __KERNEL__ |
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h index 23aa2ec6b7b7..ff8cfbcf3b81 100644 --- a/include/linux/netfilter/nf_conntrack_sip.h +++ b/include/linux/netfilter/nf_conntrack_sip.h | |||
@@ -14,6 +14,7 @@ enum sip_expectation_classes { | |||
14 | SIP_EXPECT_SIGNALLING, | 14 | SIP_EXPECT_SIGNALLING, |
15 | SIP_EXPECT_AUDIO, | 15 | SIP_EXPECT_AUDIO, |
16 | SIP_EXPECT_VIDEO, | 16 | SIP_EXPECT_VIDEO, |
17 | SIP_EXPECT_IMAGE, | ||
17 | __SIP_EXPECT_MAX | 18 | __SIP_EXPECT_MAX |
18 | }; | 19 | }; |
19 | #define SIP_EXPECT_MAX (__SIP_EXPECT_MAX - 1) | 20 | #define SIP_EXPECT_MAX (__SIP_EXPECT_MAX - 1) |
@@ -34,10 +35,10 @@ struct sdp_media_type { | |||
34 | struct sip_handler { | 35 | struct sip_handler { |
35 | const char *method; | 36 | const char *method; |
36 | unsigned int len; | 37 | unsigned int len; |
37 | int (*request)(struct sk_buff *skb, | 38 | int (*request)(struct sk_buff *skb, unsigned int dataoff, |
38 | const char **dptr, unsigned int *datalen, | 39 | const char **dptr, unsigned int *datalen, |
39 | unsigned int cseq); | 40 | unsigned int cseq); |
40 | int (*response)(struct sk_buff *skb, | 41 | int (*response)(struct sk_buff *skb, unsigned int dataoff, |
41 | const char **dptr, unsigned int *datalen, | 42 | const char **dptr, unsigned int *datalen, |
42 | unsigned int cseq, unsigned int code); | 43 | unsigned int cseq, unsigned int code); |
43 | }; | 44 | }; |
@@ -84,7 +85,8 @@ enum sip_header_types { | |||
84 | SIP_HDR_FROM, | 85 | SIP_HDR_FROM, |
85 | SIP_HDR_TO, | 86 | SIP_HDR_TO, |
86 | SIP_HDR_CONTACT, | 87 | SIP_HDR_CONTACT, |
87 | SIP_HDR_VIA, | 88 | SIP_HDR_VIA_UDP, |
89 | SIP_HDR_VIA_TCP, | ||
88 | SIP_HDR_EXPIRES, | 90 | SIP_HDR_EXPIRES, |
89 | SIP_HDR_CONTENT_LENGTH, | 91 | SIP_HDR_CONTENT_LENGTH, |
90 | }; | 92 | }; |
@@ -100,33 +102,40 @@ enum sdp_header_types { | |||
100 | }; | 102 | }; |
101 | 103 | ||
102 | extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, | 104 | extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, |
105 | unsigned int dataoff, | ||
103 | const char **dptr, | 106 | const char **dptr, |
104 | unsigned int *datalen); | 107 | unsigned int *datalen); |
108 | extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off); | ||
105 | extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, | 109 | extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, |
110 | unsigned int dataoff, | ||
106 | const char **dptr, | 111 | const char **dptr, |
107 | unsigned int *datalen, | 112 | unsigned int *datalen, |
108 | struct nf_conntrack_expect *exp, | 113 | struct nf_conntrack_expect *exp, |
109 | unsigned int matchoff, | 114 | unsigned int matchoff, |
110 | unsigned int matchlen); | 115 | unsigned int matchlen); |
111 | extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, | 116 | extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, |
112 | const char **dptr, | ||
113 | unsigned int dataoff, | 117 | unsigned int dataoff, |
118 | const char **dptr, | ||
114 | unsigned int *datalen, | 119 | unsigned int *datalen, |
120 | unsigned int sdpoff, | ||
115 | enum sdp_header_types type, | 121 | enum sdp_header_types type, |
116 | enum sdp_header_types term, | 122 | enum sdp_header_types term, |
117 | const union nf_inet_addr *addr); | 123 | const union nf_inet_addr *addr); |
118 | extern unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, | 124 | extern unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, |
125 | unsigned int dataoff, | ||
119 | const char **dptr, | 126 | const char **dptr, |
120 | unsigned int *datalen, | 127 | unsigned int *datalen, |
121 | unsigned int matchoff, | 128 | unsigned int matchoff, |
122 | unsigned int matchlen, | 129 | unsigned int matchlen, |
123 | u_int16_t port); | 130 | u_int16_t port); |
124 | extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb, | 131 | extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb, |
125 | const char **dptr, | ||
126 | unsigned int dataoff, | 132 | unsigned int dataoff, |
133 | const char **dptr, | ||
127 | unsigned int *datalen, | 134 | unsigned int *datalen, |
135 | unsigned int sdpoff, | ||
128 | const union nf_inet_addr *addr); | 136 | const union nf_inet_addr *addr); |
129 | extern unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, | 137 | extern unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, |
138 | unsigned int dataoff, | ||
130 | const char **dptr, | 139 | const char **dptr, |
131 | unsigned int *datalen, | 140 | unsigned int *datalen, |
132 | struct nf_conntrack_expect *rtp_exp, | 141 | struct nf_conntrack_expect *rtp_exp, |
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 49d321f3ccd2..53923868c9bd 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h | |||
@@ -73,11 +73,11 @@ struct nfnetlink_subsystem { | |||
73 | extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n); | 73 | extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n); |
74 | extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n); | 74 | extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n); |
75 | 75 | ||
76 | extern int nfnetlink_has_listeners(unsigned int group); | 76 | extern int nfnetlink_has_listeners(struct net *net, unsigned int group); |
77 | extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, | 77 | extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group, |
78 | int echo, gfp_t flags); | 78 | int echo, gfp_t flags); |
79 | extern void nfnetlink_set_err(u32 pid, u32 group, int error); | 79 | extern void nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error); |
80 | extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags); | 80 | extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags); |
81 | 81 | ||
82 | extern void nfnl_lock(void); | 82 | extern void nfnl_lock(void); |
83 | extern void nfnl_unlock(void); | 83 | extern void nfnl_unlock(void); |
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index ed4ef8d0b11b..9ed534c991b9 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
@@ -40,6 +40,7 @@ enum ctattr_type { | |||
40 | CTA_NAT_SEQ_ADJ_ORIG, | 40 | CTA_NAT_SEQ_ADJ_ORIG, |
41 | CTA_NAT_SEQ_ADJ_REPLY, | 41 | CTA_NAT_SEQ_ADJ_REPLY, |
42 | CTA_SECMARK, | 42 | CTA_SECMARK, |
43 | CTA_ZONE, | ||
43 | __CTA_MAX | 44 | __CTA_MAX |
44 | }; | 45 | }; |
45 | #define CTA_MAX (__CTA_MAX - 1) | 46 | #define CTA_MAX (__CTA_MAX - 1) |
@@ -159,6 +160,7 @@ enum ctattr_expect { | |||
159 | CTA_EXPECT_TIMEOUT, | 160 | CTA_EXPECT_TIMEOUT, |
160 | CTA_EXPECT_ID, | 161 | CTA_EXPECT_ID, |
161 | CTA_EXPECT_HELP_NAME, | 162 | CTA_EXPECT_HELP_NAME, |
163 | CTA_EXPECT_ZONE, | ||
162 | __CTA_EXPECT_MAX | 164 | __CTA_EXPECT_MAX |
163 | }; | 165 | }; |
164 | #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) | 166 | #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) |
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 378f27ae7772..a18119fb88f0 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h | |||
@@ -93,8 +93,7 @@ struct _xt_align { | |||
93 | __u64 u64; | 93 | __u64 u64; |
94 | }; | 94 | }; |
95 | 95 | ||
96 | #define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ | 96 | #define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align)) |
97 | & ~(__alignof__(struct _xt_align)-1)) | ||
98 | 97 | ||
99 | /* Standard return verdict, or do jump. */ | 98 | /* Standard return verdict, or do jump. */ |
100 | #define XT_STANDARD_TARGET "" | 99 | #define XT_STANDARD_TARGET "" |
@@ -205,6 +204,7 @@ struct xt_match_param { | |||
205 | * @hook_mask: via which hooks the new rule is reachable | 204 | * @hook_mask: via which hooks the new rule is reachable |
206 | */ | 205 | */ |
207 | struct xt_mtchk_param { | 206 | struct xt_mtchk_param { |
207 | struct net *net; | ||
208 | const char *table; | 208 | const char *table; |
209 | const void *entryinfo; | 209 | const void *entryinfo; |
210 | const struct xt_match *match; | 210 | const struct xt_match *match; |
@@ -215,6 +215,7 @@ struct xt_mtchk_param { | |||
215 | 215 | ||
216 | /* Match destructor parameters */ | 216 | /* Match destructor parameters */ |
217 | struct xt_mtdtor_param { | 217 | struct xt_mtdtor_param { |
218 | struct net *net; | ||
218 | const struct xt_match *match; | 219 | const struct xt_match *match; |
219 | void *matchinfo; | 220 | void *matchinfo; |
220 | u_int8_t family; | 221 | u_int8_t family; |
@@ -247,6 +248,7 @@ struct xt_target_param { | |||
247 | * Other fields see above. | 248 | * Other fields see above. |
248 | */ | 249 | */ |
249 | struct xt_tgchk_param { | 250 | struct xt_tgchk_param { |
251 | struct net *net; | ||
250 | const char *table; | 252 | const char *table; |
251 | const void *entryinfo; | 253 | const void *entryinfo; |
252 | const struct xt_target *target; | 254 | const struct xt_target *target; |
@@ -257,6 +259,7 @@ struct xt_tgchk_param { | |||
257 | 259 | ||
258 | /* Target destructor parameters */ | 260 | /* Target destructor parameters */ |
259 | struct xt_tgdtor_param { | 261 | struct xt_tgdtor_param { |
262 | struct net *net; | ||
260 | const struct xt_target *target; | 263 | const struct xt_target *target; |
261 | void *targinfo; | 264 | void *targinfo; |
262 | u_int8_t family; | 265 | u_int8_t family; |
@@ -281,11 +284,11 @@ struct xt_match { | |||
281 | 284 | ||
282 | /* Called when entry of this type deleted. */ | 285 | /* Called when entry of this type deleted. */ |
283 | void (*destroy)(const struct xt_mtdtor_param *); | 286 | void (*destroy)(const struct xt_mtdtor_param *); |
284 | 287 | #ifdef CONFIG_COMPAT | |
285 | /* Called when userspace align differs from kernel space one */ | 288 | /* Called when userspace align differs from kernel space one */ |
286 | void (*compat_from_user)(void *dst, void *src); | 289 | void (*compat_from_user)(void *dst, const void *src); |
287 | int (*compat_to_user)(void __user *dst, void *src); | 290 | int (*compat_to_user)(void __user *dst, const void *src); |
288 | 291 | #endif | |
289 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | 292 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
290 | struct module *me; | 293 | struct module *me; |
291 | 294 | ||
@@ -294,7 +297,9 @@ struct xt_match { | |||
294 | 297 | ||
295 | const char *table; | 298 | const char *table; |
296 | unsigned int matchsize; | 299 | unsigned int matchsize; |
300 | #ifdef CONFIG_COMPAT | ||
297 | unsigned int compatsize; | 301 | unsigned int compatsize; |
302 | #endif | ||
298 | unsigned int hooks; | 303 | unsigned int hooks; |
299 | unsigned short proto; | 304 | unsigned short proto; |
300 | 305 | ||
@@ -321,17 +326,19 @@ struct xt_target { | |||
321 | 326 | ||
322 | /* Called when entry of this type deleted. */ | 327 | /* Called when entry of this type deleted. */ |
323 | void (*destroy)(const struct xt_tgdtor_param *); | 328 | void (*destroy)(const struct xt_tgdtor_param *); |
324 | 329 | #ifdef CONFIG_COMPAT | |
325 | /* Called when userspace align differs from kernel space one */ | 330 | /* Called when userspace align differs from kernel space one */ |
326 | void (*compat_from_user)(void *dst, void *src); | 331 | void (*compat_from_user)(void *dst, const void *src); |
327 | int (*compat_to_user)(void __user *dst, void *src); | 332 | int (*compat_to_user)(void __user *dst, const void *src); |
328 | 333 | #endif | |
329 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | 334 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ |
330 | struct module *me; | 335 | struct module *me; |
331 | 336 | ||
332 | const char *table; | 337 | const char *table; |
333 | unsigned int targetsize; | 338 | unsigned int targetsize; |
339 | #ifdef CONFIG_COMPAT | ||
334 | unsigned int compatsize; | 340 | unsigned int compatsize; |
341 | #endif | ||
335 | unsigned int hooks; | 342 | unsigned int hooks; |
336 | unsigned short proto; | 343 | unsigned short proto; |
337 | 344 | ||
@@ -353,6 +360,7 @@ struct xt_table { | |||
353 | struct module *me; | 360 | struct module *me; |
354 | 361 | ||
355 | u_int8_t af; /* address/protocol family */ | 362 | u_int8_t af; /* address/protocol family */ |
363 | int priority; /* hook order */ | ||
356 | 364 | ||
357 | /* A unique name... */ | 365 | /* A unique name... */ |
358 | const char name[XT_TABLE_MAXNAMELEN]; | 366 | const char name[XT_TABLE_MAXNAMELEN]; |
@@ -514,6 +522,9 @@ static inline unsigned long ifname_compare_aligned(const char *_a, | |||
514 | return ret; | 522 | return ret; |
515 | } | 523 | } |
516 | 524 | ||
525 | extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *); | ||
526 | extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *); | ||
527 | |||
517 | #ifdef CONFIG_COMPAT | 528 | #ifdef CONFIG_COMPAT |
518 | #include <net/compat.h> | 529 | #include <net/compat.h> |
519 | 530 | ||
@@ -554,11 +565,7 @@ struct compat_xt_entry_target { | |||
554 | * current task alignment */ | 565 | * current task alignment */ |
555 | 566 | ||
556 | struct compat_xt_counters { | 567 | struct compat_xt_counters { |
557 | #if defined(CONFIG_X86_64) || defined(CONFIG_IA64) | 568 | compat_u64 pcnt, bcnt; /* Packet and byte counters */ |
558 | u_int32_t cnt[4]; | ||
559 | #else | ||
560 | u_int64_t cnt[2]; | ||
561 | #endif | ||
562 | }; | 569 | }; |
563 | 570 | ||
564 | struct compat_xt_counters_info { | 571 | struct compat_xt_counters_info { |
@@ -567,26 +574,32 @@ struct compat_xt_counters_info { | |||
567 | struct compat_xt_counters counters[0]; | 574 | struct compat_xt_counters counters[0]; |
568 | }; | 575 | }; |
569 | 576 | ||
570 | #define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \ | 577 | struct _compat_xt_align { |
571 | & ~(__alignof__(struct compat_xt_counters)-1)) | 578 | __u8 u8; |
579 | __u16 u16; | ||
580 | __u32 u32; | ||
581 | compat_u64 u64; | ||
582 | }; | ||
583 | |||
584 | #define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align)) | ||
572 | 585 | ||
573 | extern void xt_compat_lock(u_int8_t af); | 586 | extern void xt_compat_lock(u_int8_t af); |
574 | extern void xt_compat_unlock(u_int8_t af); | 587 | extern void xt_compat_unlock(u_int8_t af); |
575 | 588 | ||
576 | extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta); | 589 | extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta); |
577 | extern void xt_compat_flush_offsets(u_int8_t af); | 590 | extern void xt_compat_flush_offsets(u_int8_t af); |
578 | extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset); | 591 | extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset); |
579 | 592 | ||
580 | extern int xt_compat_match_offset(const struct xt_match *match); | 593 | extern int xt_compat_match_offset(const struct xt_match *match); |
581 | extern int xt_compat_match_from_user(struct xt_entry_match *m, | 594 | extern int xt_compat_match_from_user(struct xt_entry_match *m, |
582 | void **dstptr, unsigned int *size); | 595 | void **dstptr, unsigned int *size); |
583 | extern int xt_compat_match_to_user(struct xt_entry_match *m, | 596 | extern int xt_compat_match_to_user(const struct xt_entry_match *m, |
584 | void __user **dstptr, unsigned int *size); | 597 | void __user **dstptr, unsigned int *size); |
585 | 598 | ||
586 | extern int xt_compat_target_offset(const struct xt_target *target); | 599 | extern int xt_compat_target_offset(const struct xt_target *target); |
587 | extern void xt_compat_target_from_user(struct xt_entry_target *t, | 600 | extern void xt_compat_target_from_user(struct xt_entry_target *t, |
588 | void **dstptr, unsigned int *size); | 601 | void **dstptr, unsigned int *size); |
589 | extern int xt_compat_target_to_user(struct xt_entry_target *t, | 602 | extern int xt_compat_target_to_user(const struct xt_entry_target *t, |
590 | void __user **dstptr, unsigned int *size); | 603 | void __user **dstptr, unsigned int *size); |
591 | 604 | ||
592 | #endif /* CONFIG_COMPAT */ | 605 | #endif /* CONFIG_COMPAT */ |
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h new file mode 100644 index 000000000000..1b564106891d --- /dev/null +++ b/include/linux/netfilter/xt_CT.h | |||
@@ -0,0 +1,17 @@ | |||
1 | #ifndef _XT_CT_H | ||
2 | #define _XT_CT_H | ||
3 | |||
4 | #define XT_CT_NOTRACK 0x1 | ||
5 | |||
6 | struct xt_ct_target_info { | ||
7 | u_int16_t flags; | ||
8 | u_int16_t zone; | ||
9 | u_int32_t ct_events; | ||
10 | u_int32_t exp_events; | ||
11 | char helper[16]; | ||
12 | |||
13 | /* Used internally by the kernel */ | ||
14 | struct nf_conn *ct __attribute__((aligned(8))); | ||
15 | }; | ||
16 | |||
17 | #endif /* _XT_CT_H */ | ||
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h index f2336523a9df..0b33980611b2 100644 --- a/include/linux/netfilter_arp/arp_tables.h +++ b/include/linux/netfilter_arp/arp_tables.h | |||
@@ -258,6 +258,7 @@ struct arpt_error { | |||
258 | .target.errorname = "ERROR", \ | 258 | .target.errorname = "ERROR", \ |
259 | } | 259 | } |
260 | 260 | ||
261 | extern void *arpt_alloc_initial_table(const struct xt_table *); | ||
261 | extern struct xt_table *arpt_register_table(struct net *net, | 262 | extern struct xt_table *arpt_register_table(struct net *net, |
262 | const struct xt_table *table, | 263 | const struct xt_table *table, |
263 | const struct arpt_replace *repl); | 264 | const struct arpt_replace *repl); |
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h index 3cc40c131cc3..1c6f0c5f530e 100644 --- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h | |||
@@ -289,7 +289,7 @@ struct ebt_table { | |||
289 | ~(__alignof__(struct ebt_replace)-1)) | 289 | ~(__alignof__(struct ebt_replace)-1)) |
290 | extern struct ebt_table *ebt_register_table(struct net *net, | 290 | extern struct ebt_table *ebt_register_table(struct net *net, |
291 | const struct ebt_table *table); | 291 | const struct ebt_table *table); |
292 | extern void ebt_unregister_table(struct ebt_table *table); | 292 | extern void ebt_unregister_table(struct net *net, struct ebt_table *table); |
293 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, | 293 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, |
294 | const struct net_device *in, const struct net_device *out, | 294 | const struct net_device *in, const struct net_device *out, |
295 | struct ebt_table *table); | 295 | struct ebt_table *table); |
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 27b3f5807305..364973b42133 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h | |||
@@ -242,7 +242,7 @@ extern void ipt_init(void) __init; | |||
242 | extern struct xt_table *ipt_register_table(struct net *net, | 242 | extern struct xt_table *ipt_register_table(struct net *net, |
243 | const struct xt_table *table, | 243 | const struct xt_table *table, |
244 | const struct ipt_replace *repl); | 244 | const struct ipt_replace *repl); |
245 | extern void ipt_unregister_table(struct xt_table *table); | 245 | extern void ipt_unregister_table(struct net *net, struct xt_table *table); |
246 | 246 | ||
247 | /* Standard entry. */ | 247 | /* Standard entry. */ |
248 | struct ipt_standard { | 248 | struct ipt_standard { |
@@ -282,6 +282,7 @@ struct ipt_error { | |||
282 | .target.errorname = "ERROR", \ | 282 | .target.errorname = "ERROR", \ |
283 | } | 283 | } |
284 | 284 | ||
285 | extern void *ipt_alloc_initial_table(const struct xt_table *); | ||
285 | extern unsigned int ipt_do_table(struct sk_buff *skb, | 286 | extern unsigned int ipt_do_table(struct sk_buff *skb, |
286 | unsigned int hook, | 287 | unsigned int hook, |
287 | const struct net_device *in, | 288 | const struct net_device *in, |
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index b31050d20ae4..8031eb486a10 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h | |||
@@ -297,10 +297,11 @@ ip6t_get_target(struct ip6t_entry *e) | |||
297 | #include <linux/init.h> | 297 | #include <linux/init.h> |
298 | extern void ip6t_init(void) __init; | 298 | extern void ip6t_init(void) __init; |
299 | 299 | ||
300 | extern void *ip6t_alloc_initial_table(const struct xt_table *); | ||
300 | extern struct xt_table *ip6t_register_table(struct net *net, | 301 | extern struct xt_table *ip6t_register_table(struct net *net, |
301 | const struct xt_table *table, | 302 | const struct xt_table *table, |
302 | const struct ip6t_replace *repl); | 303 | const struct ip6t_replace *repl); |
303 | extern void ip6t_unregister_table(struct xt_table *table); | 304 | extern void ip6t_unregister_table(struct net *net, struct xt_table *table); |
304 | extern unsigned int ip6t_do_table(struct sk_buff *skb, | 305 | extern unsigned int ip6t_do_table(struct sk_buff *skb, |
305 | unsigned int hook, | 306 | unsigned int hook, |
306 | const struct net_device *in, | 307 | const struct net_device *in, |
diff --git a/include/net/ip.h b/include/net/ip.h index fb63371c07a8..7bc47873e3fc 100644 --- a/include/net/ip.h +++ b/include/net/ip.h | |||
@@ -352,8 +352,11 @@ enum ip_defrag_users { | |||
352 | IP_DEFRAG_LOCAL_DELIVER, | 352 | IP_DEFRAG_LOCAL_DELIVER, |
353 | IP_DEFRAG_CALL_RA_CHAIN, | 353 | IP_DEFRAG_CALL_RA_CHAIN, |
354 | IP_DEFRAG_CONNTRACK_IN, | 354 | IP_DEFRAG_CONNTRACK_IN, |
355 | __IP_DEFRAG_CONNTRACK_IN_END = IP_DEFRAG_CONNTRACK_IN + USHORT_MAX, | ||
355 | IP_DEFRAG_CONNTRACK_OUT, | 356 | IP_DEFRAG_CONNTRACK_OUT, |
357 | __IP_DEFRAG_CONNTRACK_OUT_END = IP_DEFRAG_CONNTRACK_OUT + USHORT_MAX, | ||
356 | IP_DEFRAG_CONNTRACK_BRIDGE_IN, | 358 | IP_DEFRAG_CONNTRACK_BRIDGE_IN, |
359 | __IP_DEFRAG_CONNTRACK_BRIDGE_IN = IP_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX, | ||
357 | IP_DEFRAG_VS_IN, | 360 | IP_DEFRAG_VS_IN, |
358 | IP_DEFRAG_VS_OUT, | 361 | IP_DEFRAG_VS_OUT, |
359 | IP_DEFRAG_VS_FWD | 362 | IP_DEFRAG_VS_FWD |
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 8dc3296b7bea..a816c37417bb 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h | |||
@@ -26,6 +26,11 @@ | |||
26 | #include <linux/ipv6.h> /* for struct ipv6hdr */ | 26 | #include <linux/ipv6.h> /* for struct ipv6hdr */ |
27 | #include <net/ipv6.h> /* for ipv6_addr_copy */ | 27 | #include <net/ipv6.h> /* for ipv6_addr_copy */ |
28 | 28 | ||
29 | |||
30 | /* Connections' size value needed by ip_vs_ctl.c */ | ||
31 | extern int ip_vs_conn_tab_size; | ||
32 | |||
33 | |||
29 | struct ip_vs_iphdr { | 34 | struct ip_vs_iphdr { |
30 | int len; | 35 | int len; |
31 | __u8 protocol; | 36 | __u8 protocol; |
@@ -592,17 +597,6 @@ extern void ip_vs_init_hash_table(struct list_head *table, int rows); | |||
592 | * (from ip_vs_conn.c) | 597 | * (from ip_vs_conn.c) |
593 | */ | 598 | */ |
594 | 599 | ||
595 | /* | ||
596 | * IPVS connection entry hash table | ||
597 | */ | ||
598 | #ifndef CONFIG_IP_VS_TAB_BITS | ||
599 | #define CONFIG_IP_VS_TAB_BITS 12 | ||
600 | #endif | ||
601 | |||
602 | #define IP_VS_CONN_TAB_BITS CONFIG_IP_VS_TAB_BITS | ||
603 | #define IP_VS_CONN_TAB_SIZE (1 << IP_VS_CONN_TAB_BITS) | ||
604 | #define IP_VS_CONN_TAB_MASK (IP_VS_CONN_TAB_SIZE - 1) | ||
605 | |||
606 | enum { | 600 | enum { |
607 | IP_VS_DIR_INPUT = 0, | 601 | IP_VS_DIR_INPUT = 0, |
608 | IP_VS_DIR_OUTPUT, | 602 | IP_VS_DIR_OUTPUT, |
diff --git a/include/net/ipv6.h b/include/net/ipv6.h index ccab5946c830..639ec53ea081 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h | |||
@@ -246,6 +246,8 @@ extern int ipv6_opt_accepted(struct sock *sk, struct sk_buff *skb); | |||
246 | int ip6_frag_nqueues(struct net *net); | 246 | int ip6_frag_nqueues(struct net *net); |
247 | int ip6_frag_mem(struct net *net); | 247 | int ip6_frag_mem(struct net *net); |
248 | 248 | ||
249 | #define IPV6_FRAG_HIGH_THRESH 262144 /* == 256*1024 */ | ||
250 | #define IPV6_FRAG_LOW_THRESH 196608 /* == 192*1024 */ | ||
249 | #define IPV6_FRAG_TIMEOUT (60*HZ) /* 60 seconds */ | 251 | #define IPV6_FRAG_TIMEOUT (60*HZ) /* 60 seconds */ |
250 | 252 | ||
251 | extern int __ipv6_addr_type(const struct in6_addr *addr); | 253 | extern int __ipv6_addr_type(const struct in6_addr *addr); |
@@ -353,8 +355,11 @@ struct inet_frag_queue; | |||
353 | enum ip6_defrag_users { | 355 | enum ip6_defrag_users { |
354 | IP6_DEFRAG_LOCAL_DELIVER, | 356 | IP6_DEFRAG_LOCAL_DELIVER, |
355 | IP6_DEFRAG_CONNTRACK_IN, | 357 | IP6_DEFRAG_CONNTRACK_IN, |
358 | __IP6_DEFRAG_CONNTRACK_IN = IP6_DEFRAG_CONNTRACK_IN + USHORT_MAX, | ||
356 | IP6_DEFRAG_CONNTRACK_OUT, | 359 | IP6_DEFRAG_CONNTRACK_OUT, |
360 | __IP6_DEFRAG_CONNTRACK_OUT = IP6_DEFRAG_CONNTRACK_OUT + USHORT_MAX, | ||
357 | IP6_DEFRAG_CONNTRACK_BRIDGE_IN, | 361 | IP6_DEFRAG_CONNTRACK_BRIDGE_IN, |
362 | __IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX, | ||
358 | }; | 363 | }; |
359 | 364 | ||
360 | struct ip6_create_arg { | 365 | struct ip6_create_arg { |
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index f307e133d14c..82b7be4db89a 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h | |||
@@ -81,6 +81,8 @@ struct net { | |||
81 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | 81 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
82 | struct netns_ct ct; | 82 | struct netns_ct ct; |
83 | #endif | 83 | #endif |
84 | struct sock *nfnl; | ||
85 | struct sock *nfnl_stash; | ||
84 | #endif | 86 | #endif |
85 | #ifdef CONFIG_XFRM | 87 | #ifdef CONFIG_XFRM |
86 | struct netns_xfrm xfrm; | 88 | struct netns_xfrm xfrm; |
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index a0904adfb8f7..bde095f7e845 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
@@ -70,7 +70,7 @@ union nf_conntrack_help { | |||
70 | struct nf_conntrack_helper; | 70 | struct nf_conntrack_helper; |
71 | 71 | ||
72 | /* Must be kept in sync with the classes defined by helpers */ | 72 | /* Must be kept in sync with the classes defined by helpers */ |
73 | #define NF_CT_MAX_EXPECT_CLASSES 3 | 73 | #define NF_CT_MAX_EXPECT_CLASSES 4 |
74 | 74 | ||
75 | /* nf_conn feature for connections that have a helper */ | 75 | /* nf_conn feature for connections that have a helper */ |
76 | struct nf_conn_help { | 76 | struct nf_conn_help { |
@@ -198,7 +198,8 @@ extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int null | |||
198 | extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size); | 198 | extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size); |
199 | 199 | ||
200 | extern struct nf_conntrack_tuple_hash * | 200 | extern struct nf_conntrack_tuple_hash * |
201 | __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple); | 201 | __nf_conntrack_find(struct net *net, u16 zone, |
202 | const struct nf_conntrack_tuple *tuple); | ||
202 | 203 | ||
203 | extern void nf_conntrack_hash_insert(struct nf_conn *ct); | 204 | extern void nf_conntrack_hash_insert(struct nf_conn *ct); |
204 | extern void nf_ct_delete_from_lists(struct nf_conn *ct); | 205 | extern void nf_ct_delete_from_lists(struct nf_conn *ct); |
@@ -267,11 +268,16 @@ extern void | |||
267 | nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data); | 268 | nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data); |
268 | extern void nf_conntrack_free(struct nf_conn *ct); | 269 | extern void nf_conntrack_free(struct nf_conn *ct); |
269 | extern struct nf_conn * | 270 | extern struct nf_conn * |
270 | nf_conntrack_alloc(struct net *net, | 271 | nf_conntrack_alloc(struct net *net, u16 zone, |
271 | const struct nf_conntrack_tuple *orig, | 272 | const struct nf_conntrack_tuple *orig, |
272 | const struct nf_conntrack_tuple *repl, | 273 | const struct nf_conntrack_tuple *repl, |
273 | gfp_t gfp); | 274 | gfp_t gfp); |
274 | 275 | ||
276 | static inline int nf_ct_is_template(const struct nf_conn *ct) | ||
277 | { | ||
278 | return test_bit(IPS_TEMPLATE_BIT, &ct->status); | ||
279 | } | ||
280 | |||
275 | /* It's confirmed if it is, or has been in the hash table. */ | 281 | /* It's confirmed if it is, or has been in the hash table. */ |
276 | static inline int nf_ct_is_confirmed(struct nf_conn *ct) | 282 | static inline int nf_ct_is_confirmed(struct nf_conn *ct) |
277 | { | 283 | { |
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 5a449b44ba33..dffde8e6920e 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h | |||
@@ -49,7 +49,8 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, | |||
49 | 49 | ||
50 | /* Find a connection corresponding to a tuple. */ | 50 | /* Find a connection corresponding to a tuple. */ |
51 | extern struct nf_conntrack_tuple_hash * | 51 | extern struct nf_conntrack_tuple_hash * |
52 | nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple); | 52 | nf_conntrack_find_get(struct net *net, u16 zone, |
53 | const struct nf_conntrack_tuple *tuple); | ||
53 | 54 | ||
54 | extern int __nf_conntrack_confirm(struct sk_buff *skb); | 55 | extern int __nf_conntrack_confirm(struct sk_buff *skb); |
55 | 56 | ||
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 475facc3051a..96ba5f7dcab6 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h | |||
@@ -12,27 +12,12 @@ | |||
12 | #include <linux/netfilter/nf_conntrack_tuple_common.h> | 12 | #include <linux/netfilter/nf_conntrack_tuple_common.h> |
13 | #include <net/netfilter/nf_conntrack_extend.h> | 13 | #include <net/netfilter/nf_conntrack_extend.h> |
14 | 14 | ||
15 | /* Connection tracking event types */ | ||
16 | enum ip_conntrack_events { | ||
17 | IPCT_NEW = 0, /* new conntrack */ | ||
18 | IPCT_RELATED = 1, /* related conntrack */ | ||
19 | IPCT_DESTROY = 2, /* destroyed conntrack */ | ||
20 | IPCT_STATUS = 3, /* status has changed */ | ||
21 | IPCT_PROTOINFO = 4, /* protocol information has changed */ | ||
22 | IPCT_HELPER = 5, /* new helper has been set */ | ||
23 | IPCT_MARK = 6, /* new mark has been set */ | ||
24 | IPCT_NATSEQADJ = 7, /* NAT is doing sequence adjustment */ | ||
25 | IPCT_SECMARK = 8, /* new security mark has been set */ | ||
26 | }; | ||
27 | |||
28 | enum ip_conntrack_expect_events { | ||
29 | IPEXP_NEW = 0, /* new expectation */ | ||
30 | }; | ||
31 | |||
32 | struct nf_conntrack_ecache { | 15 | struct nf_conntrack_ecache { |
33 | unsigned long cache; /* bitops want long */ | 16 | unsigned long cache; /* bitops want long */ |
34 | unsigned long missed; /* missed events */ | 17 | unsigned long missed; /* missed events */ |
35 | u32 pid; /* netlink pid of destroyer */ | 18 | u16 ctmask; /* bitmask of ct events to be delivered */ |
19 | u16 expmask; /* bitmask of expect events to be delivered */ | ||
20 | u32 pid; /* netlink pid of destroyer */ | ||
36 | }; | 21 | }; |
37 | 22 | ||
38 | static inline struct nf_conntrack_ecache * | 23 | static inline struct nf_conntrack_ecache * |
@@ -42,14 +27,24 @@ nf_ct_ecache_find(const struct nf_conn *ct) | |||
42 | } | 27 | } |
43 | 28 | ||
44 | static inline struct nf_conntrack_ecache * | 29 | static inline struct nf_conntrack_ecache * |
45 | nf_ct_ecache_ext_add(struct nf_conn *ct, gfp_t gfp) | 30 | nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp) |
46 | { | 31 | { |
47 | struct net *net = nf_ct_net(ct); | 32 | struct net *net = nf_ct_net(ct); |
33 | struct nf_conntrack_ecache *e; | ||
48 | 34 | ||
49 | if (!net->ct.sysctl_events) | 35 | if (!ctmask && !expmask && net->ct.sysctl_events) { |
36 | ctmask = ~0; | ||
37 | expmask = ~0; | ||
38 | } | ||
39 | if (!ctmask && !expmask) | ||
50 | return NULL; | 40 | return NULL; |
51 | 41 | ||
52 | return nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp); | 42 | e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp); |
43 | if (e) { | ||
44 | e->ctmask = ctmask; | ||
45 | e->expmask = expmask; | ||
46 | } | ||
47 | return e; | ||
53 | }; | 48 | }; |
54 | 49 | ||
55 | #ifdef CONFIG_NF_CONNTRACK_EVENTS | 50 | #ifdef CONFIG_NF_CONNTRACK_EVENTS |
@@ -82,6 +77,9 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) | |||
82 | if (e == NULL) | 77 | if (e == NULL) |
83 | return; | 78 | return; |
84 | 79 | ||
80 | if (!(e->ctmask & (1 << event))) | ||
81 | return; | ||
82 | |||
85 | set_bit(event, &e->cache); | 83 | set_bit(event, &e->cache); |
86 | } | 84 | } |
87 | 85 | ||
@@ -92,7 +90,6 @@ nf_conntrack_eventmask_report(unsigned int eventmask, | |||
92 | int report) | 90 | int report) |
93 | { | 91 | { |
94 | int ret = 0; | 92 | int ret = 0; |
95 | struct net *net = nf_ct_net(ct); | ||
96 | struct nf_ct_event_notifier *notify; | 93 | struct nf_ct_event_notifier *notify; |
97 | struct nf_conntrack_ecache *e; | 94 | struct nf_conntrack_ecache *e; |
98 | 95 | ||
@@ -101,9 +98,6 @@ nf_conntrack_eventmask_report(unsigned int eventmask, | |||
101 | if (notify == NULL) | 98 | if (notify == NULL) |
102 | goto out_unlock; | 99 | goto out_unlock; |
103 | 100 | ||
104 | if (!net->ct.sysctl_events) | ||
105 | goto out_unlock; | ||
106 | |||
107 | e = nf_ct_ecache_find(ct); | 101 | e = nf_ct_ecache_find(ct); |
108 | if (e == NULL) | 102 | if (e == NULL) |
109 | goto out_unlock; | 103 | goto out_unlock; |
@@ -117,6 +111,9 @@ nf_conntrack_eventmask_report(unsigned int eventmask, | |||
117 | /* This is a resent of a destroy event? If so, skip missed */ | 111 | /* This is a resent of a destroy event? If so, skip missed */ |
118 | unsigned long missed = e->pid ? 0 : e->missed; | 112 | unsigned long missed = e->pid ? 0 : e->missed; |
119 | 113 | ||
114 | if (!((eventmask | missed) & e->ctmask)) | ||
115 | goto out_unlock; | ||
116 | |||
120 | ret = notify->fcn(eventmask | missed, &item); | 117 | ret = notify->fcn(eventmask | missed, &item); |
121 | if (unlikely(ret < 0 || missed)) { | 118 | if (unlikely(ret < 0 || missed)) { |
122 | spin_lock_bh(&ct->lock); | 119 | spin_lock_bh(&ct->lock); |
@@ -172,18 +169,19 @@ nf_ct_expect_event_report(enum ip_conntrack_expect_events event, | |||
172 | u32 pid, | 169 | u32 pid, |
173 | int report) | 170 | int report) |
174 | { | 171 | { |
175 | struct net *net = nf_ct_exp_net(exp); | ||
176 | struct nf_exp_event_notifier *notify; | 172 | struct nf_exp_event_notifier *notify; |
173 | struct nf_conntrack_ecache *e; | ||
177 | 174 | ||
178 | rcu_read_lock(); | 175 | rcu_read_lock(); |
179 | notify = rcu_dereference(nf_expect_event_cb); | 176 | notify = rcu_dereference(nf_expect_event_cb); |
180 | if (notify == NULL) | 177 | if (notify == NULL) |
181 | goto out_unlock; | 178 | goto out_unlock; |
182 | 179 | ||
183 | if (!net->ct.sysctl_events) | 180 | e = nf_ct_ecache_find(exp->master); |
181 | if (e == NULL) | ||
184 | goto out_unlock; | 182 | goto out_unlock; |
185 | 183 | ||
186 | { | 184 | if (e->expmask & (1 << event)) { |
187 | struct nf_exp_event item = { | 185 | struct nf_exp_event item = { |
188 | .exp = exp, | 186 | .exp = exp, |
189 | .pid = pid, | 187 | .pid = pid, |
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 9a2b9cb52271..11e815084fcf 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
@@ -56,16 +56,13 @@ struct nf_conntrack_expect { | |||
56 | 56 | ||
57 | static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) | 57 | static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp) |
58 | { | 58 | { |
59 | #ifdef CONFIG_NET_NS | 59 | return nf_ct_net(exp->master); |
60 | return exp->master->ct_net; /* by definition */ | ||
61 | #else | ||
62 | return &init_net; | ||
63 | #endif | ||
64 | } | 60 | } |
65 | 61 | ||
66 | struct nf_conntrack_expect_policy { | 62 | struct nf_conntrack_expect_policy { |
67 | unsigned int max_expected; | 63 | unsigned int max_expected; |
68 | unsigned int timeout; | 64 | unsigned int timeout; |
65 | const char *name; | ||
69 | }; | 66 | }; |
70 | 67 | ||
71 | #define NF_CT_EXPECT_CLASS_DEFAULT 0 | 68 | #define NF_CT_EXPECT_CLASS_DEFAULT 0 |
@@ -77,13 +74,16 @@ int nf_conntrack_expect_init(struct net *net); | |||
77 | void nf_conntrack_expect_fini(struct net *net); | 74 | void nf_conntrack_expect_fini(struct net *net); |
78 | 75 | ||
79 | struct nf_conntrack_expect * | 76 | struct nf_conntrack_expect * |
80 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple); | 77 | __nf_ct_expect_find(struct net *net, u16 zone, |
78 | const struct nf_conntrack_tuple *tuple); | ||
81 | 79 | ||
82 | struct nf_conntrack_expect * | 80 | struct nf_conntrack_expect * |
83 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple); | 81 | nf_ct_expect_find_get(struct net *net, u16 zone, |
82 | const struct nf_conntrack_tuple *tuple); | ||
84 | 83 | ||
85 | struct nf_conntrack_expect * | 84 | struct nf_conntrack_expect * |
86 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple); | 85 | nf_ct_find_expectation(struct net *net, u16 zone, |
86 | const struct nf_conntrack_tuple *tuple); | ||
87 | 87 | ||
88 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); | 88 | void nf_ct_unlink_expect(struct nf_conntrack_expect *exp); |
89 | void nf_ct_remove_expectations(struct nf_conn *ct); | 89 | void nf_ct_remove_expectations(struct nf_conn *ct); |
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index e192dc17c583..2d2a1f9a61d8 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h | |||
@@ -8,6 +8,7 @@ enum nf_ct_ext_id { | |||
8 | NF_CT_EXT_NAT, | 8 | NF_CT_EXT_NAT, |
9 | NF_CT_EXT_ACCT, | 9 | NF_CT_EXT_ACCT, |
10 | NF_CT_EXT_ECACHE, | 10 | NF_CT_EXT_ECACHE, |
11 | NF_CT_EXT_ZONE, | ||
11 | NF_CT_EXT_NUM, | 12 | NF_CT_EXT_NUM, |
12 | }; | 13 | }; |
13 | 14 | ||
@@ -15,6 +16,7 @@ enum nf_ct_ext_id { | |||
15 | #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat | 16 | #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat |
16 | #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter | 17 | #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter |
17 | #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache | 18 | #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache |
19 | #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone | ||
18 | 20 | ||
19 | /* Extensions: optional stuff which isn't permanently in struct. */ | 21 | /* Extensions: optional stuff which isn't permanently in struct. */ |
20 | struct nf_ct_ext { | 22 | struct nf_ct_ext { |
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index d015de92e03f..32c305dbdab6 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h | |||
@@ -40,14 +40,18 @@ struct nf_conntrack_helper { | |||
40 | }; | 40 | }; |
41 | 41 | ||
42 | extern struct nf_conntrack_helper * | 42 | extern struct nf_conntrack_helper * |
43 | __nf_conntrack_helper_find_byname(const char *name); | 43 | __nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum); |
44 | |||
45 | extern struct nf_conntrack_helper * | ||
46 | nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum); | ||
44 | 47 | ||
45 | extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); | 48 | extern int nf_conntrack_helper_register(struct nf_conntrack_helper *); |
46 | extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); | 49 | extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); |
47 | 50 | ||
48 | extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp); | 51 | extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp); |
49 | 52 | ||
50 | extern int __nf_ct_try_assign_helper(struct nf_conn *ct, gfp_t flags); | 53 | extern int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, |
54 | gfp_t flags); | ||
51 | 55 | ||
52 | extern void nf_ct_helper_destroy(struct nf_conn *ct); | 56 | extern void nf_ct_helper_destroy(struct nf_conn *ct); |
53 | 57 | ||
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index ca6dcf3445ab..e3d3ee3c06a2 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h | |||
@@ -49,8 +49,8 @@ struct nf_conntrack_l4proto { | |||
49 | /* Called when a conntrack entry is destroyed */ | 49 | /* Called when a conntrack entry is destroyed */ |
50 | void (*destroy)(struct nf_conn *ct); | 50 | void (*destroy)(struct nf_conn *ct); |
51 | 51 | ||
52 | int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff, | 52 | int (*error)(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, |
53 | enum ip_conntrack_info *ctinfo, | 53 | unsigned int dataoff, enum ip_conntrack_info *ctinfo, |
54 | u_int8_t pf, unsigned int hooknum); | 54 | u_int8_t pf, unsigned int hooknum); |
55 | 55 | ||
56 | /* Print out the per-protocol part of the tuple. Return like seq_* */ | 56 | /* Print out the per-protocol part of the tuple. Return like seq_* */ |
diff --git a/include/net/netfilter/nf_conntrack_zones.h b/include/net/netfilter/nf_conntrack_zones.h new file mode 100644 index 000000000000..0bbb2bd51e89 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_zones.h | |||
@@ -0,0 +1,23 @@ | |||
1 | #ifndef _NF_CONNTRACK_ZONES_H | ||
2 | #define _NF_CONNTRACK_ZONES_H | ||
3 | |||
4 | #include <net/netfilter/nf_conntrack_extend.h> | ||
5 | |||
6 | #define NF_CT_DEFAULT_ZONE 0 | ||
7 | |||
8 | struct nf_conntrack_zone { | ||
9 | u16 id; | ||
10 | }; | ||
11 | |||
12 | static inline u16 nf_ct_zone(const struct nf_conn *ct) | ||
13 | { | ||
14 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
15 | struct nf_conntrack_zone *nf_ct_zone; | ||
16 | nf_ct_zone = nf_ct_ext_find(ct, NF_CT_EXT_ZONE); | ||
17 | if (nf_ct_zone) | ||
18 | return nf_ct_zone->id; | ||
19 | #endif | ||
20 | return NF_CT_DEFAULT_ZONE; | ||
21 | } | ||
22 | |||
23 | #endif /* _NF_CONNTRACK_ZONES_H */ | ||
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h index 4222220920a5..02bb6c29dc3d 100644 --- a/include/net/netfilter/nf_nat_helper.h +++ b/include/net/netfilter/nf_nat_helper.h | |||
@@ -7,13 +7,27 @@ | |||
7 | struct sk_buff; | 7 | struct sk_buff; |
8 | 8 | ||
9 | /* These return true or false. */ | 9 | /* These return true or false. */ |
10 | extern int nf_nat_mangle_tcp_packet(struct sk_buff *skb, | 10 | extern int __nf_nat_mangle_tcp_packet(struct sk_buff *skb, |
11 | struct nf_conn *ct, | 11 | struct nf_conn *ct, |
12 | enum ip_conntrack_info ctinfo, | 12 | enum ip_conntrack_info ctinfo, |
13 | unsigned int match_offset, | 13 | unsigned int match_offset, |
14 | unsigned int match_len, | 14 | unsigned int match_len, |
15 | const char *rep_buffer, | 15 | const char *rep_buffer, |
16 | unsigned int rep_len); | 16 | unsigned int rep_len, bool adjust); |
17 | |||
18 | static inline int nf_nat_mangle_tcp_packet(struct sk_buff *skb, | ||
19 | struct nf_conn *ct, | ||
20 | enum ip_conntrack_info ctinfo, | ||
21 | unsigned int match_offset, | ||
22 | unsigned int match_len, | ||
23 | const char *rep_buffer, | ||
24 | unsigned int rep_len) | ||
25 | { | ||
26 | return __nf_nat_mangle_tcp_packet(skb, ct, ctinfo, | ||
27 | match_offset, match_len, | ||
28 | rep_buffer, rep_len, true); | ||
29 | } | ||
30 | |||
17 | extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, | 31 | extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, |
18 | struct nf_conn *ct, | 32 | struct nf_conn *ct, |
19 | enum ip_conntrack_info ctinfo, | 33 | enum ip_conntrack_info ctinfo, |
@@ -21,6 +35,10 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb, | |||
21 | unsigned int match_len, | 35 | unsigned int match_len, |
22 | const char *rep_buffer, | 36 | const char *rep_buffer, |
23 | unsigned int rep_len); | 37 | unsigned int rep_len); |
38 | |||
39 | extern void nf_nat_set_seq_adjust(struct nf_conn *ct, | ||
40 | enum ip_conntrack_info ctinfo, | ||
41 | __be32 seq, s16 off); | ||
24 | extern int nf_nat_seq_adjust(struct sk_buff *skb, | 42 | extern int nf_nat_seq_adjust(struct sk_buff *skb, |
25 | struct nf_conn *ct, | 43 | struct nf_conn *ct, |
26 | enum ip_conntrack_info ctinfo); | 44 | enum ip_conntrack_info ctinfo); |
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 9a4b8b714079..2764994c9136 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h | |||
@@ -37,7 +37,9 @@ struct netns_ipv4 { | |||
37 | struct xt_table *iptable_mangle; | 37 | struct xt_table *iptable_mangle; |
38 | struct xt_table *iptable_raw; | 38 | struct xt_table *iptable_raw; |
39 | struct xt_table *arptable_filter; | 39 | struct xt_table *arptable_filter; |
40 | #ifdef CONFIG_SECURITY | ||
40 | struct xt_table *iptable_security; | 41 | struct xt_table *iptable_security; |
42 | #endif | ||
41 | struct xt_table *nat_table; | 43 | struct xt_table *nat_table; |
42 | struct hlist_head *nat_bysource; | 44 | struct hlist_head *nat_bysource; |
43 | unsigned int nat_htable_size; | 45 | unsigned int nat_htable_size; |
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h index dfeb2d7c425b..1f11ebc22151 100644 --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h | |||
@@ -36,8 +36,10 @@ struct netns_ipv6 { | |||
36 | struct xt_table *ip6table_filter; | 36 | struct xt_table *ip6table_filter; |
37 | struct xt_table *ip6table_mangle; | 37 | struct xt_table *ip6table_mangle; |
38 | struct xt_table *ip6table_raw; | 38 | struct xt_table *ip6table_raw; |
39 | #ifdef CONFIG_SECURITY | ||
39 | struct xt_table *ip6table_security; | 40 | struct xt_table *ip6table_security; |
40 | #endif | 41 | #endif |
42 | #endif | ||
41 | struct rt6_info *ip6_null_entry; | 43 | struct rt6_info *ip6_null_entry; |
42 | struct rt6_statistics *rt6_stats; | 44 | struct rt6_statistics *rt6_stats; |
43 | struct timer_list ip6_fib_timer; | 45 | struct timer_list ip6_fib_timer; |
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c index bd91dc58d49b..5d1176758ca5 100644 --- a/net/bridge/netfilter/ebt_802_3.c +++ b/net/bridge/netfilter/ebt_802_3.c | |||
@@ -52,7 +52,7 @@ static struct xt_match ebt_802_3_mt_reg __read_mostly = { | |||
52 | .family = NFPROTO_BRIDGE, | 52 | .family = NFPROTO_BRIDGE, |
53 | .match = ebt_802_3_mt, | 53 | .match = ebt_802_3_mt, |
54 | .checkentry = ebt_802_3_mt_check, | 54 | .checkentry = ebt_802_3_mt_check, |
55 | .matchsize = XT_ALIGN(sizeof(struct ebt_802_3_info)), | 55 | .matchsize = sizeof(struct ebt_802_3_info), |
56 | .me = THIS_MODULE, | 56 | .me = THIS_MODULE, |
57 | }; | 57 | }; |
58 | 58 | ||
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c index b7ad60419f9a..e727697c5847 100644 --- a/net/bridge/netfilter/ebt_arp.c +++ b/net/bridge/netfilter/ebt_arp.c | |||
@@ -120,7 +120,7 @@ static struct xt_match ebt_arp_mt_reg __read_mostly = { | |||
120 | .family = NFPROTO_BRIDGE, | 120 | .family = NFPROTO_BRIDGE, |
121 | .match = ebt_arp_mt, | 121 | .match = ebt_arp_mt, |
122 | .checkentry = ebt_arp_mt_check, | 122 | .checkentry = ebt_arp_mt_check, |
123 | .matchsize = XT_ALIGN(sizeof(struct ebt_arp_info)), | 123 | .matchsize = sizeof(struct ebt_arp_info), |
124 | .me = THIS_MODULE, | 124 | .me = THIS_MODULE, |
125 | }; | 125 | }; |
126 | 126 | ||
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c index 76584cd72e57..f392e9d93f53 100644 --- a/net/bridge/netfilter/ebt_arpreply.c +++ b/net/bridge/netfilter/ebt_arpreply.c | |||
@@ -78,7 +78,7 @@ static struct xt_target ebt_arpreply_tg_reg __read_mostly = { | |||
78 | .hooks = (1 << NF_BR_NUMHOOKS) | (1 << NF_BR_PRE_ROUTING), | 78 | .hooks = (1 << NF_BR_NUMHOOKS) | (1 << NF_BR_PRE_ROUTING), |
79 | .target = ebt_arpreply_tg, | 79 | .target = ebt_arpreply_tg, |
80 | .checkentry = ebt_arpreply_tg_check, | 80 | .checkentry = ebt_arpreply_tg_check, |
81 | .targetsize = XT_ALIGN(sizeof(struct ebt_arpreply_info)), | 81 | .targetsize = sizeof(struct ebt_arpreply_info), |
82 | .me = THIS_MODULE, | 82 | .me = THIS_MODULE, |
83 | }; | 83 | }; |
84 | 84 | ||
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c index 6b49ea9e31fb..2bb40d728a35 100644 --- a/net/bridge/netfilter/ebt_dnat.c +++ b/net/bridge/netfilter/ebt_dnat.c | |||
@@ -54,7 +54,7 @@ static struct xt_target ebt_dnat_tg_reg __read_mostly = { | |||
54 | (1 << NF_BR_LOCAL_OUT) | (1 << NF_BR_BROUTING), | 54 | (1 << NF_BR_LOCAL_OUT) | (1 << NF_BR_BROUTING), |
55 | .target = ebt_dnat_tg, | 55 | .target = ebt_dnat_tg, |
56 | .checkentry = ebt_dnat_tg_check, | 56 | .checkentry = ebt_dnat_tg_check, |
57 | .targetsize = XT_ALIGN(sizeof(struct ebt_nat_info)), | 57 | .targetsize = sizeof(struct ebt_nat_info), |
58 | .me = THIS_MODULE, | 58 | .me = THIS_MODULE, |
59 | }; | 59 | }; |
60 | 60 | ||
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c index d771bbfbcbe6..5de6df6f86b8 100644 --- a/net/bridge/netfilter/ebt_ip.c +++ b/net/bridge/netfilter/ebt_ip.c | |||
@@ -110,7 +110,7 @@ static struct xt_match ebt_ip_mt_reg __read_mostly = { | |||
110 | .family = NFPROTO_BRIDGE, | 110 | .family = NFPROTO_BRIDGE, |
111 | .match = ebt_ip_mt, | 111 | .match = ebt_ip_mt, |
112 | .checkentry = ebt_ip_mt_check, | 112 | .checkentry = ebt_ip_mt_check, |
113 | .matchsize = XT_ALIGN(sizeof(struct ebt_ip_info)), | 113 | .matchsize = sizeof(struct ebt_ip_info), |
114 | .me = THIS_MODULE, | 114 | .me = THIS_MODULE, |
115 | }; | 115 | }; |
116 | 116 | ||
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c index 784a6573876c..bbf2534ef026 100644 --- a/net/bridge/netfilter/ebt_ip6.c +++ b/net/bridge/netfilter/ebt_ip6.c | |||
@@ -122,7 +122,7 @@ static struct xt_match ebt_ip6_mt_reg __read_mostly = { | |||
122 | .family = NFPROTO_BRIDGE, | 122 | .family = NFPROTO_BRIDGE, |
123 | .match = ebt_ip6_mt, | 123 | .match = ebt_ip6_mt, |
124 | .checkentry = ebt_ip6_mt_check, | 124 | .checkentry = ebt_ip6_mt_check, |
125 | .matchsize = XT_ALIGN(sizeof(struct ebt_ip6_info)), | 125 | .matchsize = sizeof(struct ebt_ip6_info), |
126 | .me = THIS_MODULE, | 126 | .me = THIS_MODULE, |
127 | }; | 127 | }; |
128 | 128 | ||
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c index f7bd9192ff0c..9dd16e6b10e7 100644 --- a/net/bridge/netfilter/ebt_limit.c +++ b/net/bridge/netfilter/ebt_limit.c | |||
@@ -90,7 +90,7 @@ static struct xt_match ebt_limit_mt_reg __read_mostly = { | |||
90 | .family = NFPROTO_BRIDGE, | 90 | .family = NFPROTO_BRIDGE, |
91 | .match = ebt_limit_mt, | 91 | .match = ebt_limit_mt, |
92 | .checkentry = ebt_limit_mt_check, | 92 | .checkentry = ebt_limit_mt_check, |
93 | .matchsize = XT_ALIGN(sizeof(struct ebt_limit_info)), | 93 | .matchsize = sizeof(struct ebt_limit_info), |
94 | .me = THIS_MODULE, | 94 | .me = THIS_MODULE, |
95 | }; | 95 | }; |
96 | 96 | ||
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index e4ea3fdd1d41..e873924ddb5d 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c | |||
@@ -195,7 +195,7 @@ static struct xt_target ebt_log_tg_reg __read_mostly = { | |||
195 | .family = NFPROTO_BRIDGE, | 195 | .family = NFPROTO_BRIDGE, |
196 | .target = ebt_log_tg, | 196 | .target = ebt_log_tg, |
197 | .checkentry = ebt_log_tg_check, | 197 | .checkentry = ebt_log_tg_check, |
198 | .targetsize = XT_ALIGN(sizeof(struct ebt_log_info)), | 198 | .targetsize = sizeof(struct ebt_log_info), |
199 | .me = THIS_MODULE, | 199 | .me = THIS_MODULE, |
200 | }; | 200 | }; |
201 | 201 | ||
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c index 2fee7e8e2e93..153e167374a2 100644 --- a/net/bridge/netfilter/ebt_mark.c +++ b/net/bridge/netfilter/ebt_mark.c | |||
@@ -59,7 +59,7 @@ static struct xt_target ebt_mark_tg_reg __read_mostly = { | |||
59 | .family = NFPROTO_BRIDGE, | 59 | .family = NFPROTO_BRIDGE, |
60 | .target = ebt_mark_tg, | 60 | .target = ebt_mark_tg, |
61 | .checkentry = ebt_mark_tg_check, | 61 | .checkentry = ebt_mark_tg_check, |
62 | .targetsize = XT_ALIGN(sizeof(struct ebt_mark_t_info)), | 62 | .targetsize = sizeof(struct ebt_mark_t_info), |
63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
64 | }; | 64 | }; |
65 | 65 | ||
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c index ea570f214b1d..89abf4030399 100644 --- a/net/bridge/netfilter/ebt_mark_m.c +++ b/net/bridge/netfilter/ebt_mark_m.c | |||
@@ -41,7 +41,7 @@ static struct xt_match ebt_mark_mt_reg __read_mostly = { | |||
41 | .family = NFPROTO_BRIDGE, | 41 | .family = NFPROTO_BRIDGE, |
42 | .match = ebt_mark_mt, | 42 | .match = ebt_mark_mt, |
43 | .checkentry = ebt_mark_mt_check, | 43 | .checkentry = ebt_mark_mt_check, |
44 | .matchsize = XT_ALIGN(sizeof(struct ebt_mark_m_info)), | 44 | .matchsize = sizeof(struct ebt_mark_m_info), |
45 | .me = THIS_MODULE, | 45 | .me = THIS_MODULE, |
46 | }; | 46 | }; |
47 | 47 | ||
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c index 2a63d996dd4e..40dbd248b9ae 100644 --- a/net/bridge/netfilter/ebt_nflog.c +++ b/net/bridge/netfilter/ebt_nflog.c | |||
@@ -51,7 +51,7 @@ static struct xt_target ebt_nflog_tg_reg __read_mostly = { | |||
51 | .family = NFPROTO_BRIDGE, | 51 | .family = NFPROTO_BRIDGE, |
52 | .target = ebt_nflog_tg, | 52 | .target = ebt_nflog_tg, |
53 | .checkentry = ebt_nflog_tg_check, | 53 | .checkentry = ebt_nflog_tg_check, |
54 | .targetsize = XT_ALIGN(sizeof(struct ebt_nflog_info)), | 54 | .targetsize = sizeof(struct ebt_nflog_info), |
55 | .me = THIS_MODULE, | 55 | .me = THIS_MODULE, |
56 | }; | 56 | }; |
57 | 57 | ||
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c index 883e96e2a542..e2a07e6cbef3 100644 --- a/net/bridge/netfilter/ebt_pkttype.c +++ b/net/bridge/netfilter/ebt_pkttype.c | |||
@@ -36,7 +36,7 @@ static struct xt_match ebt_pkttype_mt_reg __read_mostly = { | |||
36 | .family = NFPROTO_BRIDGE, | 36 | .family = NFPROTO_BRIDGE, |
37 | .match = ebt_pkttype_mt, | 37 | .match = ebt_pkttype_mt, |
38 | .checkentry = ebt_pkttype_mt_check, | 38 | .checkentry = ebt_pkttype_mt_check, |
39 | .matchsize = XT_ALIGN(sizeof(struct ebt_pkttype_info)), | 39 | .matchsize = sizeof(struct ebt_pkttype_info), |
40 | .me = THIS_MODULE, | 40 | .me = THIS_MODULE, |
41 | }; | 41 | }; |
42 | 42 | ||
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c index c8a49f7a57ba..9be8fbcd370b 100644 --- a/net/bridge/netfilter/ebt_redirect.c +++ b/net/bridge/netfilter/ebt_redirect.c | |||
@@ -59,7 +59,7 @@ static struct xt_target ebt_redirect_tg_reg __read_mostly = { | |||
59 | (1 << NF_BR_BROUTING), | 59 | (1 << NF_BR_BROUTING), |
60 | .target = ebt_redirect_tg, | 60 | .target = ebt_redirect_tg, |
61 | .checkentry = ebt_redirect_tg_check, | 61 | .checkentry = ebt_redirect_tg_check, |
62 | .targetsize = XT_ALIGN(sizeof(struct ebt_redirect_info)), | 62 | .targetsize = sizeof(struct ebt_redirect_info), |
63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
64 | }; | 64 | }; |
65 | 65 | ||
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c index 8d04d4c302bd..9c7b520765a2 100644 --- a/net/bridge/netfilter/ebt_snat.c +++ b/net/bridge/netfilter/ebt_snat.c | |||
@@ -67,7 +67,7 @@ static struct xt_target ebt_snat_tg_reg __read_mostly = { | |||
67 | .hooks = (1 << NF_BR_NUMHOOKS) | (1 << NF_BR_POST_ROUTING), | 67 | .hooks = (1 << NF_BR_NUMHOOKS) | (1 << NF_BR_POST_ROUTING), |
68 | .target = ebt_snat_tg, | 68 | .target = ebt_snat_tg, |
69 | .checkentry = ebt_snat_tg_check, | 69 | .checkentry = ebt_snat_tg_check, |
70 | .targetsize = XT_ALIGN(sizeof(struct ebt_nat_info)), | 70 | .targetsize = sizeof(struct ebt_nat_info), |
71 | .me = THIS_MODULE, | 71 | .me = THIS_MODULE, |
72 | }; | 72 | }; |
73 | 73 | ||
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c index 75e29a9cebda..92a93d363765 100644 --- a/net/bridge/netfilter/ebt_stp.c +++ b/net/bridge/netfilter/ebt_stp.c | |||
@@ -177,7 +177,7 @@ static struct xt_match ebt_stp_mt_reg __read_mostly = { | |||
177 | .family = NFPROTO_BRIDGE, | 177 | .family = NFPROTO_BRIDGE, |
178 | .match = ebt_stp_mt, | 178 | .match = ebt_stp_mt, |
179 | .checkentry = ebt_stp_mt_check, | 179 | .checkentry = ebt_stp_mt_check, |
180 | .matchsize = XT_ALIGN(sizeof(struct ebt_stp_info)), | 180 | .matchsize = sizeof(struct ebt_stp_info), |
181 | .me = THIS_MODULE, | 181 | .me = THIS_MODULE, |
182 | }; | 182 | }; |
183 | 183 | ||
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index ce50688a6431..c6ac657074a6 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c | |||
@@ -275,7 +275,7 @@ static struct xt_target ebt_ulog_tg_reg __read_mostly = { | |||
275 | .family = NFPROTO_BRIDGE, | 275 | .family = NFPROTO_BRIDGE, |
276 | .target = ebt_ulog_tg, | 276 | .target = ebt_ulog_tg, |
277 | .checkentry = ebt_ulog_tg_check, | 277 | .checkentry = ebt_ulog_tg_check, |
278 | .targetsize = XT_ALIGN(sizeof(struct ebt_ulog_info)), | 278 | .targetsize = sizeof(struct ebt_ulog_info), |
279 | .me = THIS_MODULE, | 279 | .me = THIS_MODULE, |
280 | }; | 280 | }; |
281 | 281 | ||
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c index 3dddd489328e..be1dd2e1f615 100644 --- a/net/bridge/netfilter/ebt_vlan.c +++ b/net/bridge/netfilter/ebt_vlan.c | |||
@@ -163,7 +163,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = { | |||
163 | .family = NFPROTO_BRIDGE, | 163 | .family = NFPROTO_BRIDGE, |
164 | .match = ebt_vlan_mt, | 164 | .match = ebt_vlan_mt, |
165 | .checkentry = ebt_vlan_mt_check, | 165 | .checkentry = ebt_vlan_mt_check, |
166 | .matchsize = XT_ALIGN(sizeof(struct ebt_vlan_info)), | 166 | .matchsize = sizeof(struct ebt_vlan_info), |
167 | .me = THIS_MODULE, | 167 | .me = THIS_MODULE, |
168 | }; | 168 | }; |
169 | 169 | ||
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c index d32ab13e728c..ae3f106c3908 100644 --- a/net/bridge/netfilter/ebtable_broute.c +++ b/net/bridge/netfilter/ebtable_broute.c | |||
@@ -71,7 +71,7 @@ static int __net_init broute_net_init(struct net *net) | |||
71 | 71 | ||
72 | static void __net_exit broute_net_exit(struct net *net) | 72 | static void __net_exit broute_net_exit(struct net *net) |
73 | { | 73 | { |
74 | ebt_unregister_table(net->xt.broute_table); | 74 | ebt_unregister_table(net, net->xt.broute_table); |
75 | } | 75 | } |
76 | 76 | ||
77 | static struct pernet_operations broute_net_ops = { | 77 | static struct pernet_operations broute_net_ops = { |
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c index 60b1a6ca7185..42e6bd094574 100644 --- a/net/bridge/netfilter/ebtable_filter.c +++ b/net/bridge/netfilter/ebtable_filter.c | |||
@@ -107,7 +107,7 @@ static int __net_init frame_filter_net_init(struct net *net) | |||
107 | 107 | ||
108 | static void __net_exit frame_filter_net_exit(struct net *net) | 108 | static void __net_exit frame_filter_net_exit(struct net *net) |
109 | { | 109 | { |
110 | ebt_unregister_table(net->xt.frame_filter); | 110 | ebt_unregister_table(net, net->xt.frame_filter); |
111 | } | 111 | } |
112 | 112 | ||
113 | static struct pernet_operations frame_filter_net_ops = { | 113 | static struct pernet_operations frame_filter_net_ops = { |
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c index 4a98804203b0..6dc2f878ae05 100644 --- a/net/bridge/netfilter/ebtable_nat.c +++ b/net/bridge/netfilter/ebtable_nat.c | |||
@@ -107,7 +107,7 @@ static int __net_init frame_nat_net_init(struct net *net) | |||
107 | 107 | ||
108 | static void __net_exit frame_nat_net_exit(struct net *net) | 108 | static void __net_exit frame_nat_net_exit(struct net *net) |
109 | { | 109 | { |
110 | ebt_unregister_table(net->xt.frame_nat); | 110 | ebt_unregister_table(net, net->xt.frame_nat); |
111 | } | 111 | } |
112 | 112 | ||
113 | static struct pernet_operations frame_nat_net_ops = { | 113 | static struct pernet_operations frame_nat_net_ops = { |
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 0b7f262cd148..4370e9680487 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -82,7 +82,8 @@ static inline int ebt_do_match (struct ebt_entry_match *m, | |||
82 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; | 82 | return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH; |
83 | } | 83 | } |
84 | 84 | ||
85 | static inline int ebt_dev_check(char *entry, const struct net_device *device) | 85 | static inline int |
86 | ebt_dev_check(const char *entry, const struct net_device *device) | ||
86 | { | 87 | { |
87 | int i = 0; | 88 | int i = 0; |
88 | const char *devname; | 89 | const char *devname; |
@@ -100,8 +101,9 @@ static inline int ebt_dev_check(char *entry, const struct net_device *device) | |||
100 | 101 | ||
101 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) | 102 | #define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg)) |
102 | /* process standard matches */ | 103 | /* process standard matches */ |
103 | static inline int ebt_basic_match(struct ebt_entry *e, struct ethhdr *h, | 104 | static inline int |
104 | const struct net_device *in, const struct net_device *out) | 105 | ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h, |
106 | const struct net_device *in, const struct net_device *out) | ||
105 | { | 107 | { |
106 | int verdict, i; | 108 | int verdict, i; |
107 | 109 | ||
@@ -156,12 +158,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, | |||
156 | int i, nentries; | 158 | int i, nentries; |
157 | struct ebt_entry *point; | 159 | struct ebt_entry *point; |
158 | struct ebt_counter *counter_base, *cb_base; | 160 | struct ebt_counter *counter_base, *cb_base; |
159 | struct ebt_entry_target *t; | 161 | const struct ebt_entry_target *t; |
160 | int verdict, sp = 0; | 162 | int verdict, sp = 0; |
161 | struct ebt_chainstack *cs; | 163 | struct ebt_chainstack *cs; |
162 | struct ebt_entries *chaininfo; | 164 | struct ebt_entries *chaininfo; |
163 | char *base; | 165 | const char *base; |
164 | struct ebt_table_info *private; | 166 | const struct ebt_table_info *private; |
165 | bool hotdrop = false; | 167 | bool hotdrop = false; |
166 | struct xt_match_param mtpar; | 168 | struct xt_match_param mtpar; |
167 | struct xt_target_param tgpar; | 169 | struct xt_target_param tgpar; |
@@ -395,7 +397,7 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, | |||
395 | return 0; | 397 | return 0; |
396 | } | 398 | } |
397 | 399 | ||
398 | static int ebt_verify_pointers(struct ebt_replace *repl, | 400 | static int ebt_verify_pointers(const struct ebt_replace *repl, |
399 | struct ebt_table_info *newinfo) | 401 | struct ebt_table_info *newinfo) |
400 | { | 402 | { |
401 | unsigned int limit = repl->entries_size; | 403 | unsigned int limit = repl->entries_size; |
@@ -442,6 +444,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl, | |||
442 | break; | 444 | break; |
443 | if (left < e->next_offset) | 445 | if (left < e->next_offset) |
444 | break; | 446 | break; |
447 | if (e->next_offset < sizeof(struct ebt_entry)) | ||
448 | return -EINVAL; | ||
445 | offset += e->next_offset; | 449 | offset += e->next_offset; |
446 | } | 450 | } |
447 | } | 451 | } |
@@ -466,8 +470,8 @@ static int ebt_verify_pointers(struct ebt_replace *repl, | |||
466 | * to parse the userspace data | 470 | * to parse the userspace data |
467 | */ | 471 | */ |
468 | static inline int | 472 | static inline int |
469 | ebt_check_entry_size_and_hooks(struct ebt_entry *e, | 473 | ebt_check_entry_size_and_hooks(const struct ebt_entry *e, |
470 | struct ebt_table_info *newinfo, | 474 | const struct ebt_table_info *newinfo, |
471 | unsigned int *n, unsigned int *cnt, | 475 | unsigned int *n, unsigned int *cnt, |
472 | unsigned int *totalcnt, unsigned int *udc_cnt) | 476 | unsigned int *totalcnt, unsigned int *udc_cnt) |
473 | { | 477 | { |
@@ -561,13 +565,14 @@ ebt_get_udc_positions(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
561 | } | 565 | } |
562 | 566 | ||
563 | static inline int | 567 | static inline int |
564 | ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i) | 568 | ebt_cleanup_match(struct ebt_entry_match *m, struct net *net, unsigned int *i) |
565 | { | 569 | { |
566 | struct xt_mtdtor_param par; | 570 | struct xt_mtdtor_param par; |
567 | 571 | ||
568 | if (i && (*i)-- == 0) | 572 | if (i && (*i)-- == 0) |
569 | return 1; | 573 | return 1; |
570 | 574 | ||
575 | par.net = net; | ||
571 | par.match = m->u.match; | 576 | par.match = m->u.match; |
572 | par.matchinfo = m->data; | 577 | par.matchinfo = m->data; |
573 | par.family = NFPROTO_BRIDGE; | 578 | par.family = NFPROTO_BRIDGE; |
@@ -578,13 +583,14 @@ ebt_cleanup_match(struct ebt_entry_match *m, unsigned int *i) | |||
578 | } | 583 | } |
579 | 584 | ||
580 | static inline int | 585 | static inline int |
581 | ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i) | 586 | ebt_cleanup_watcher(struct ebt_entry_watcher *w, struct net *net, unsigned int *i) |
582 | { | 587 | { |
583 | struct xt_tgdtor_param par; | 588 | struct xt_tgdtor_param par; |
584 | 589 | ||
585 | if (i && (*i)-- == 0) | 590 | if (i && (*i)-- == 0) |
586 | return 1; | 591 | return 1; |
587 | 592 | ||
593 | par.net = net; | ||
588 | par.target = w->u.watcher; | 594 | par.target = w->u.watcher; |
589 | par.targinfo = w->data; | 595 | par.targinfo = w->data; |
590 | par.family = NFPROTO_BRIDGE; | 596 | par.family = NFPROTO_BRIDGE; |
@@ -595,7 +601,7 @@ ebt_cleanup_watcher(struct ebt_entry_watcher *w, unsigned int *i) | |||
595 | } | 601 | } |
596 | 602 | ||
597 | static inline int | 603 | static inline int |
598 | ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt) | 604 | ebt_cleanup_entry(struct ebt_entry *e, struct net *net, unsigned int *cnt) |
599 | { | 605 | { |
600 | struct xt_tgdtor_param par; | 606 | struct xt_tgdtor_param par; |
601 | struct ebt_entry_target *t; | 607 | struct ebt_entry_target *t; |
@@ -605,10 +611,11 @@ ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt) | |||
605 | /* we're done */ | 611 | /* we're done */ |
606 | if (cnt && (*cnt)-- == 0) | 612 | if (cnt && (*cnt)-- == 0) |
607 | return 1; | 613 | return 1; |
608 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, NULL); | 614 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, NULL); |
609 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, NULL); | 615 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, NULL); |
610 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); | 616 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
611 | 617 | ||
618 | par.net = net; | ||
612 | par.target = t->u.target; | 619 | par.target = t->u.target; |
613 | par.targinfo = t->data; | 620 | par.targinfo = t->data; |
614 | par.family = NFPROTO_BRIDGE; | 621 | par.family = NFPROTO_BRIDGE; |
@@ -619,7 +626,8 @@ ebt_cleanup_entry(struct ebt_entry *e, unsigned int *cnt) | |||
619 | } | 626 | } |
620 | 627 | ||
621 | static inline int | 628 | static inline int |
622 | ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | 629 | ebt_check_entry(struct ebt_entry *e, struct net *net, |
630 | const struct ebt_table_info *newinfo, | ||
623 | const char *name, unsigned int *cnt, | 631 | const char *name, unsigned int *cnt, |
624 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) | 632 | struct ebt_cl_stack *cl_s, unsigned int udc_cnt) |
625 | { | 633 | { |
@@ -671,6 +679,7 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
671 | } | 679 | } |
672 | i = 0; | 680 | i = 0; |
673 | 681 | ||
682 | mtpar.net = tgpar.net = net; | ||
674 | mtpar.table = tgpar.table = name; | 683 | mtpar.table = tgpar.table = name; |
675 | mtpar.entryinfo = tgpar.entryinfo = e; | 684 | mtpar.entryinfo = tgpar.entryinfo = e; |
676 | mtpar.hook_mask = tgpar.hook_mask = hookmask; | 685 | mtpar.hook_mask = tgpar.hook_mask = hookmask; |
@@ -726,9 +735,9 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, | |||
726 | (*cnt)++; | 735 | (*cnt)++; |
727 | return 0; | 736 | return 0; |
728 | cleanup_watchers: | 737 | cleanup_watchers: |
729 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, &j); | 738 | EBT_WATCHER_ITERATE(e, ebt_cleanup_watcher, net, &j); |
730 | cleanup_matches: | 739 | cleanup_matches: |
731 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, &i); | 740 | EBT_MATCH_ITERATE(e, ebt_cleanup_match, net, &i); |
732 | return ret; | 741 | return ret; |
733 | } | 742 | } |
734 | 743 | ||
@@ -737,12 +746,12 @@ cleanup_matches: | |||
737 | * the hook mask for udc tells us from which base chains the udc can be | 746 | * the hook mask for udc tells us from which base chains the udc can be |
738 | * accessed. This mask is a parameter to the check() functions of the extensions | 747 | * accessed. This mask is a parameter to the check() functions of the extensions |
739 | */ | 748 | */ |
740 | static int check_chainloops(struct ebt_entries *chain, struct ebt_cl_stack *cl_s, | 749 | static int check_chainloops(const struct ebt_entries *chain, struct ebt_cl_stack *cl_s, |
741 | unsigned int udc_cnt, unsigned int hooknr, char *base) | 750 | unsigned int udc_cnt, unsigned int hooknr, char *base) |
742 | { | 751 | { |
743 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; | 752 | int i, chain_nr = -1, pos = 0, nentries = chain->nentries, verdict; |
744 | struct ebt_entry *e = (struct ebt_entry *)chain->data; | 753 | const struct ebt_entry *e = (struct ebt_entry *)chain->data; |
745 | struct ebt_entry_target *t; | 754 | const struct ebt_entry_target *t; |
746 | 755 | ||
747 | while (pos < nentries || chain_nr != -1) { | 756 | while (pos < nentries || chain_nr != -1) { |
748 | /* end of udc, go back one 'recursion' step */ | 757 | /* end of udc, go back one 'recursion' step */ |
@@ -808,7 +817,8 @@ letscontinue: | |||
808 | } | 817 | } |
809 | 818 | ||
810 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ | 819 | /* do the parsing of the table/chains/entries/matches/watchers/targets, heh */ |
811 | static int translate_table(char *name, struct ebt_table_info *newinfo) | 820 | static int translate_table(struct net *net, const char *name, |
821 | struct ebt_table_info *newinfo) | ||
812 | { | 822 | { |
813 | unsigned int i, j, k, udc_cnt; | 823 | unsigned int i, j, k, udc_cnt; |
814 | int ret; | 824 | int ret; |
@@ -917,17 +927,17 @@ static int translate_table(char *name, struct ebt_table_info *newinfo) | |||
917 | /* used to know what we need to clean up if something goes wrong */ | 927 | /* used to know what we need to clean up if something goes wrong */ |
918 | i = 0; | 928 | i = 0; |
919 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | 929 | ret = EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, |
920 | ebt_check_entry, newinfo, name, &i, cl_s, udc_cnt); | 930 | ebt_check_entry, net, newinfo, name, &i, cl_s, udc_cnt); |
921 | if (ret != 0) { | 931 | if (ret != 0) { |
922 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | 932 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, |
923 | ebt_cleanup_entry, &i); | 933 | ebt_cleanup_entry, net, &i); |
924 | } | 934 | } |
925 | vfree(cl_s); | 935 | vfree(cl_s); |
926 | return ret; | 936 | return ret; |
927 | } | 937 | } |
928 | 938 | ||
929 | /* called under write_lock */ | 939 | /* called under write_lock */ |
930 | static void get_counters(struct ebt_counter *oldcounters, | 940 | static void get_counters(const struct ebt_counter *oldcounters, |
931 | struct ebt_counter *counters, unsigned int nentries) | 941 | struct ebt_counter *counters, unsigned int nentries) |
932 | { | 942 | { |
933 | int i, cpu; | 943 | int i, cpu; |
@@ -950,7 +960,8 @@ static void get_counters(struct ebt_counter *oldcounters, | |||
950 | } | 960 | } |
951 | 961 | ||
952 | /* replace the table */ | 962 | /* replace the table */ |
953 | static int do_replace(struct net *net, void __user *user, unsigned int len) | 963 | static int do_replace(struct net *net, const void __user *user, |
964 | unsigned int len) | ||
954 | { | 965 | { |
955 | int ret, i, countersize; | 966 | int ret, i, countersize; |
956 | struct ebt_table_info *newinfo; | 967 | struct ebt_table_info *newinfo; |
@@ -1017,7 +1028,7 @@ static int do_replace(struct net *net, void __user *user, unsigned int len) | |||
1017 | if (ret != 0) | 1028 | if (ret != 0) |
1018 | goto free_counterstmp; | 1029 | goto free_counterstmp; |
1019 | 1030 | ||
1020 | ret = translate_table(tmp.name, newinfo); | 1031 | ret = translate_table(net, tmp.name, newinfo); |
1021 | 1032 | ||
1022 | if (ret != 0) | 1033 | if (ret != 0) |
1023 | goto free_counterstmp; | 1034 | goto free_counterstmp; |
@@ -1070,7 +1081,7 @@ static int do_replace(struct net *net, void __user *user, unsigned int len) | |||
1070 | 1081 | ||
1071 | /* decrease module count and free resources */ | 1082 | /* decrease module count and free resources */ |
1072 | EBT_ENTRY_ITERATE(table->entries, table->entries_size, | 1083 | EBT_ENTRY_ITERATE(table->entries, table->entries_size, |
1073 | ebt_cleanup_entry, NULL); | 1084 | ebt_cleanup_entry, net, NULL); |
1074 | 1085 | ||
1075 | vfree(table->entries); | 1086 | vfree(table->entries); |
1076 | if (table->chainstack) { | 1087 | if (table->chainstack) { |
@@ -1087,7 +1098,7 @@ free_unlock: | |||
1087 | mutex_unlock(&ebt_mutex); | 1098 | mutex_unlock(&ebt_mutex); |
1088 | free_iterate: | 1099 | free_iterate: |
1089 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, | 1100 | EBT_ENTRY_ITERATE(newinfo->entries, newinfo->entries_size, |
1090 | ebt_cleanup_entry, NULL); | 1101 | ebt_cleanup_entry, net, NULL); |
1091 | free_counterstmp: | 1102 | free_counterstmp: |
1092 | vfree(counterstmp); | 1103 | vfree(counterstmp); |
1093 | /* can be initialized in translate_table() */ | 1104 | /* can be initialized in translate_table() */ |
@@ -1154,7 +1165,7 @@ ebt_register_table(struct net *net, const struct ebt_table *input_table) | |||
1154 | newinfo->hook_entry[i] = p + | 1165 | newinfo->hook_entry[i] = p + |
1155 | ((char *)repl->hook_entry[i] - repl->entries); | 1166 | ((char *)repl->hook_entry[i] - repl->entries); |
1156 | } | 1167 | } |
1157 | ret = translate_table(repl->name, newinfo); | 1168 | ret = translate_table(net, repl->name, newinfo); |
1158 | if (ret != 0) { | 1169 | if (ret != 0) { |
1159 | BUGPRINT("Translate_table failed\n"); | 1170 | BUGPRINT("Translate_table failed\n"); |
1160 | goto free_chainstack; | 1171 | goto free_chainstack; |
@@ -1204,7 +1215,7 @@ out: | |||
1204 | return ERR_PTR(ret); | 1215 | return ERR_PTR(ret); |
1205 | } | 1216 | } |
1206 | 1217 | ||
1207 | void ebt_unregister_table(struct ebt_table *table) | 1218 | void ebt_unregister_table(struct net *net, struct ebt_table *table) |
1208 | { | 1219 | { |
1209 | int i; | 1220 | int i; |
1210 | 1221 | ||
@@ -1216,7 +1227,7 @@ void ebt_unregister_table(struct ebt_table *table) | |||
1216 | list_del(&table->list); | 1227 | list_del(&table->list); |
1217 | mutex_unlock(&ebt_mutex); | 1228 | mutex_unlock(&ebt_mutex); |
1218 | EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size, | 1229 | EBT_ENTRY_ITERATE(table->private->entries, table->private->entries_size, |
1219 | ebt_cleanup_entry, NULL); | 1230 | ebt_cleanup_entry, net, NULL); |
1220 | if (table->private->nentries) | 1231 | if (table->private->nentries) |
1221 | module_put(table->me); | 1232 | module_put(table->me); |
1222 | vfree(table->private->entries); | 1233 | vfree(table->private->entries); |
@@ -1230,7 +1241,8 @@ void ebt_unregister_table(struct ebt_table *table) | |||
1230 | } | 1241 | } |
1231 | 1242 | ||
1232 | /* userspace just supplied us with counters */ | 1243 | /* userspace just supplied us with counters */ |
1233 | static int update_counters(struct net *net, void __user *user, unsigned int len) | 1244 | static int update_counters(struct net *net, const void __user *user, |
1245 | unsigned int len) | ||
1234 | { | 1246 | { |
1235 | int i, ret; | 1247 | int i, ret; |
1236 | struct ebt_counter *tmp; | 1248 | struct ebt_counter *tmp; |
@@ -1285,8 +1297,8 @@ free_tmp: | |||
1285 | return ret; | 1297 | return ret; |
1286 | } | 1298 | } |
1287 | 1299 | ||
1288 | static inline int ebt_make_matchname(struct ebt_entry_match *m, | 1300 | static inline int ebt_make_matchname(const struct ebt_entry_match *m, |
1289 | char *base, char __user *ubase) | 1301 | const char *base, char __user *ubase) |
1290 | { | 1302 | { |
1291 | char __user *hlp = ubase + ((char *)m - base); | 1303 | char __user *hlp = ubase + ((char *)m - base); |
1292 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) | 1304 | if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) |
@@ -1294,8 +1306,8 @@ static inline int ebt_make_matchname(struct ebt_entry_match *m, | |||
1294 | return 0; | 1306 | return 0; |
1295 | } | 1307 | } |
1296 | 1308 | ||
1297 | static inline int ebt_make_watchername(struct ebt_entry_watcher *w, | 1309 | static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, |
1298 | char *base, char __user *ubase) | 1310 | const char *base, char __user *ubase) |
1299 | { | 1311 | { |
1300 | char __user *hlp = ubase + ((char *)w - base); | 1312 | char __user *hlp = ubase + ((char *)w - base); |
1301 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) | 1313 | if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) |
@@ -1303,11 +1315,12 @@ static inline int ebt_make_watchername(struct ebt_entry_watcher *w, | |||
1303 | return 0; | 1315 | return 0; |
1304 | } | 1316 | } |
1305 | 1317 | ||
1306 | static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *ubase) | 1318 | static inline int |
1319 | ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) | ||
1307 | { | 1320 | { |
1308 | int ret; | 1321 | int ret; |
1309 | char __user *hlp; | 1322 | char __user *hlp; |
1310 | struct ebt_entry_target *t; | 1323 | const struct ebt_entry_target *t; |
1311 | 1324 | ||
1312 | if (e->bitmask == 0) | 1325 | if (e->bitmask == 0) |
1313 | return 0; | 1326 | return 0; |
@@ -1328,10 +1341,11 @@ static inline int ebt_make_names(struct ebt_entry *e, char *base, char __user *u | |||
1328 | 1341 | ||
1329 | /* called with ebt_mutex locked */ | 1342 | /* called with ebt_mutex locked */ |
1330 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, | 1343 | static int copy_everything_to_user(struct ebt_table *t, void __user *user, |
1331 | int *len, int cmd) | 1344 | const int *len, int cmd) |
1332 | { | 1345 | { |
1333 | struct ebt_replace tmp; | 1346 | struct ebt_replace tmp; |
1334 | struct ebt_counter *counterstmp, *oldcounters; | 1347 | struct ebt_counter *counterstmp; |
1348 | const struct ebt_counter *oldcounters; | ||
1335 | unsigned int entries_size, nentries; | 1349 | unsigned int entries_size, nentries; |
1336 | char *entries; | 1350 | char *entries; |
1337 | 1351 | ||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 90203e1b9187..4db5c1ece0f9 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -27,6 +27,7 @@ | |||
27 | 27 | ||
28 | #include <linux/netfilter/x_tables.h> | 28 | #include <linux/netfilter/x_tables.h> |
29 | #include <linux/netfilter_arp/arp_tables.h> | 29 | #include <linux/netfilter_arp/arp_tables.h> |
30 | #include "../../netfilter/xt_repldata.h" | ||
30 | 31 | ||
31 | MODULE_LICENSE("GPL"); | 32 | MODULE_LICENSE("GPL"); |
32 | MODULE_AUTHOR("David S. Miller <davem@redhat.com>"); | 33 | MODULE_AUTHOR("David S. Miller <davem@redhat.com>"); |
@@ -58,6 +59,12 @@ do { \ | |||
58 | #define ARP_NF_ASSERT(x) | 59 | #define ARP_NF_ASSERT(x) |
59 | #endif | 60 | #endif |
60 | 61 | ||
62 | void *arpt_alloc_initial_table(const struct xt_table *info) | ||
63 | { | ||
64 | return xt_alloc_initial_table(arpt, ARPT); | ||
65 | } | ||
66 | EXPORT_SYMBOL_GPL(arpt_alloc_initial_table); | ||
67 | |||
61 | static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap, | 68 | static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap, |
62 | const char *hdr_addr, int len) | 69 | const char *hdr_addr, int len) |
63 | { | 70 | { |
@@ -226,7 +233,14 @@ arpt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
226 | return NF_DROP; | 233 | return NF_DROP; |
227 | } | 234 | } |
228 | 235 | ||
229 | static inline struct arpt_entry *get_entry(void *base, unsigned int offset) | 236 | static inline const struct arpt_entry_target * |
237 | arpt_get_target_c(const struct arpt_entry *e) | ||
238 | { | ||
239 | return arpt_get_target((struct arpt_entry *)e); | ||
240 | } | ||
241 | |||
242 | static inline struct arpt_entry * | ||
243 | get_entry(const void *base, unsigned int offset) | ||
230 | { | 244 | { |
231 | return (struct arpt_entry *)(base + offset); | 245 | return (struct arpt_entry *)(base + offset); |
232 | } | 246 | } |
@@ -273,7 +287,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
273 | 287 | ||
274 | arp = arp_hdr(skb); | 288 | arp = arp_hdr(skb); |
275 | do { | 289 | do { |
276 | struct arpt_entry_target *t; | 290 | const struct arpt_entry_target *t; |
277 | int hdr_len; | 291 | int hdr_len; |
278 | 292 | ||
279 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { | 293 | if (!arp_packet_match(arp, skb->dev, indev, outdev, &e->arp)) { |
@@ -285,7 +299,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
285 | (2 * skb->dev->addr_len); | 299 | (2 * skb->dev->addr_len); |
286 | ADD_COUNTER(e->counters, hdr_len, 1); | 300 | ADD_COUNTER(e->counters, hdr_len, 1); |
287 | 301 | ||
288 | t = arpt_get_target(e); | 302 | t = arpt_get_target_c(e); |
289 | 303 | ||
290 | /* Standard target? */ | 304 | /* Standard target? */ |
291 | if (!t->u.kernel.target->target) { | 305 | if (!t->u.kernel.target->target) { |
@@ -351,7 +365,7 @@ static inline bool unconditional(const struct arpt_arp *arp) | |||
351 | /* Figures out from what hook each rule can be called: returns 0 if | 365 | /* Figures out from what hook each rule can be called: returns 0 if |
352 | * there are loops. Puts hook bitmask in comefrom. | 366 | * there are loops. Puts hook bitmask in comefrom. |
353 | */ | 367 | */ |
354 | static int mark_source_chains(struct xt_table_info *newinfo, | 368 | static int mark_source_chains(const struct xt_table_info *newinfo, |
355 | unsigned int valid_hooks, void *entry0) | 369 | unsigned int valid_hooks, void *entry0) |
356 | { | 370 | { |
357 | unsigned int hook; | 371 | unsigned int hook; |
@@ -372,7 +386,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
372 | 386 | ||
373 | for (;;) { | 387 | for (;;) { |
374 | const struct arpt_standard_target *t | 388 | const struct arpt_standard_target *t |
375 | = (void *)arpt_get_target(e); | 389 | = (void *)arpt_get_target_c(e); |
376 | int visited = e->comefrom & (1 << hook); | 390 | int visited = e->comefrom & (1 << hook); |
377 | 391 | ||
378 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { | 392 | if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) { |
@@ -456,7 +470,7 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
456 | return 1; | 470 | return 1; |
457 | } | 471 | } |
458 | 472 | ||
459 | static inline int check_entry(struct arpt_entry *e, const char *name) | 473 | static inline int check_entry(const struct arpt_entry *e, const char *name) |
460 | { | 474 | { |
461 | const struct arpt_entry_target *t; | 475 | const struct arpt_entry_target *t; |
462 | 476 | ||
@@ -468,7 +482,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name) | |||
468 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) | 482 | if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset) |
469 | return -EINVAL; | 483 | return -EINVAL; |
470 | 484 | ||
471 | t = arpt_get_target(e); | 485 | t = arpt_get_target_c(e); |
472 | if (e->target_offset + t->u.target_size > e->next_offset) | 486 | if (e->target_offset + t->u.target_size > e->next_offset) |
473 | return -EINVAL; | 487 | return -EINVAL; |
474 | 488 | ||
@@ -533,14 +547,14 @@ out: | |||
533 | return ret; | 547 | return ret; |
534 | } | 548 | } |
535 | 549 | ||
536 | static bool check_underflow(struct arpt_entry *e) | 550 | static bool check_underflow(const struct arpt_entry *e) |
537 | { | 551 | { |
538 | const struct arpt_entry_target *t; | 552 | const struct arpt_entry_target *t; |
539 | unsigned int verdict; | 553 | unsigned int verdict; |
540 | 554 | ||
541 | if (!unconditional(&e->arp)) | 555 | if (!unconditional(&e->arp)) |
542 | return false; | 556 | return false; |
543 | t = arpt_get_target(e); | 557 | t = arpt_get_target_c(e); |
544 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 558 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
545 | return false; | 559 | return false; |
546 | verdict = ((struct arpt_standard_target *)t)->verdict; | 560 | verdict = ((struct arpt_standard_target *)t)->verdict; |
@@ -550,8 +564,8 @@ static bool check_underflow(struct arpt_entry *e) | |||
550 | 564 | ||
551 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 565 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
552 | struct xt_table_info *newinfo, | 566 | struct xt_table_info *newinfo, |
553 | unsigned char *base, | 567 | const unsigned char *base, |
554 | unsigned char *limit, | 568 | const unsigned char *limit, |
555 | const unsigned int *hook_entries, | 569 | const unsigned int *hook_entries, |
556 | const unsigned int *underflows, | 570 | const unsigned int *underflows, |
557 | unsigned int valid_hooks, | 571 | unsigned int valid_hooks, |
@@ -761,11 +775,11 @@ static void get_counters(const struct xt_table_info *t, | |||
761 | local_bh_enable(); | 775 | local_bh_enable(); |
762 | } | 776 | } |
763 | 777 | ||
764 | static struct xt_counters *alloc_counters(struct xt_table *table) | 778 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
765 | { | 779 | { |
766 | unsigned int countersize; | 780 | unsigned int countersize; |
767 | struct xt_counters *counters; | 781 | struct xt_counters *counters; |
768 | struct xt_table_info *private = table->private; | 782 | const struct xt_table_info *private = table->private; |
769 | 783 | ||
770 | /* We need atomic snapshot of counters: rest doesn't change | 784 | /* We need atomic snapshot of counters: rest doesn't change |
771 | * (other than comefrom, which userspace doesn't care | 785 | * (other than comefrom, which userspace doesn't care |
@@ -783,11 +797,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table) | |||
783 | } | 797 | } |
784 | 798 | ||
785 | static int copy_entries_to_user(unsigned int total_size, | 799 | static int copy_entries_to_user(unsigned int total_size, |
786 | struct xt_table *table, | 800 | const struct xt_table *table, |
787 | void __user *userptr) | 801 | void __user *userptr) |
788 | { | 802 | { |
789 | unsigned int off, num; | 803 | unsigned int off, num; |
790 | struct arpt_entry *e; | 804 | const struct arpt_entry *e; |
791 | struct xt_counters *counters; | 805 | struct xt_counters *counters; |
792 | struct xt_table_info *private = table->private; | 806 | struct xt_table_info *private = table->private; |
793 | int ret = 0; | 807 | int ret = 0; |
@@ -807,7 +821,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
807 | /* FIXME: use iterator macros --RR */ | 821 | /* FIXME: use iterator macros --RR */ |
808 | /* ... then go back and fix counters and names */ | 822 | /* ... then go back and fix counters and names */ |
809 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ | 823 | for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){ |
810 | struct arpt_entry_target *t; | 824 | const struct arpt_entry_target *t; |
811 | 825 | ||
812 | e = (struct arpt_entry *)(loc_cpu_entry + off); | 826 | e = (struct arpt_entry *)(loc_cpu_entry + off); |
813 | if (copy_to_user(userptr + off | 827 | if (copy_to_user(userptr + off |
@@ -818,7 +832,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
818 | goto free_counters; | 832 | goto free_counters; |
819 | } | 833 | } |
820 | 834 | ||
821 | t = arpt_get_target(e); | 835 | t = arpt_get_target_c(e); |
822 | if (copy_to_user(userptr + off + e->target_offset | 836 | if (copy_to_user(userptr + off + e->target_offset |
823 | + offsetof(struct arpt_entry_target, | 837 | + offsetof(struct arpt_entry_target, |
824 | u.user.name), | 838 | u.user.name), |
@@ -835,7 +849,7 @@ static int copy_entries_to_user(unsigned int total_size, | |||
835 | } | 849 | } |
836 | 850 | ||
837 | #ifdef CONFIG_COMPAT | 851 | #ifdef CONFIG_COMPAT |
838 | static void compat_standard_from_user(void *dst, void *src) | 852 | static void compat_standard_from_user(void *dst, const void *src) |
839 | { | 853 | { |
840 | int v = *(compat_int_t *)src; | 854 | int v = *(compat_int_t *)src; |
841 | 855 | ||
@@ -844,7 +858,7 @@ static void compat_standard_from_user(void *dst, void *src) | |||
844 | memcpy(dst, &v, sizeof(v)); | 858 | memcpy(dst, &v, sizeof(v)); |
845 | } | 859 | } |
846 | 860 | ||
847 | static int compat_standard_to_user(void __user *dst, void *src) | 861 | static int compat_standard_to_user(void __user *dst, const void *src) |
848 | { | 862 | { |
849 | compat_int_t cv = *(int *)src; | 863 | compat_int_t cv = *(int *)src; |
850 | 864 | ||
@@ -853,18 +867,18 @@ static int compat_standard_to_user(void __user *dst, void *src) | |||
853 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; | 867 | return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0; |
854 | } | 868 | } |
855 | 869 | ||
856 | static int compat_calc_entry(struct arpt_entry *e, | 870 | static int compat_calc_entry(const struct arpt_entry *e, |
857 | const struct xt_table_info *info, | 871 | const struct xt_table_info *info, |
858 | void *base, struct xt_table_info *newinfo) | 872 | const void *base, struct xt_table_info *newinfo) |
859 | { | 873 | { |
860 | struct arpt_entry_target *t; | 874 | const struct arpt_entry_target *t; |
861 | unsigned int entry_offset; | 875 | unsigned int entry_offset; |
862 | int off, i, ret; | 876 | int off, i, ret; |
863 | 877 | ||
864 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); | 878 | off = sizeof(struct arpt_entry) - sizeof(struct compat_arpt_entry); |
865 | entry_offset = (void *)e - base; | 879 | entry_offset = (void *)e - base; |
866 | 880 | ||
867 | t = arpt_get_target(e); | 881 | t = arpt_get_target_c(e); |
868 | off += xt_compat_target_offset(t->u.kernel.target); | 882 | off += xt_compat_target_offset(t->u.kernel.target); |
869 | newinfo->size -= off; | 883 | newinfo->size -= off; |
870 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); | 884 | ret = xt_compat_add_offset(NFPROTO_ARP, entry_offset, off); |
@@ -900,7 +914,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
900 | } | 914 | } |
901 | #endif | 915 | #endif |
902 | 916 | ||
903 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 917 | static int get_info(struct net *net, void __user *user, |
918 | const int *len, int compat) | ||
904 | { | 919 | { |
905 | char name[ARPT_TABLE_MAXNAMELEN]; | 920 | char name[ARPT_TABLE_MAXNAMELEN]; |
906 | struct xt_table *t; | 921 | struct xt_table *t; |
@@ -959,7 +974,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
959 | } | 974 | } |
960 | 975 | ||
961 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, | 976 | static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, |
962 | int *len) | 977 | const int *len) |
963 | { | 978 | { |
964 | int ret; | 979 | int ret; |
965 | struct arpt_get_entries get; | 980 | struct arpt_get_entries get; |
@@ -1073,7 +1088,8 @@ static int __do_replace(struct net *net, const char *name, | |||
1073 | return ret; | 1088 | return ret; |
1074 | } | 1089 | } |
1075 | 1090 | ||
1076 | static int do_replace(struct net *net, void __user *user, unsigned int len) | 1091 | static int do_replace(struct net *net, const void __user *user, |
1092 | unsigned int len) | ||
1077 | { | 1093 | { |
1078 | int ret; | 1094 | int ret; |
1079 | struct arpt_replace tmp; | 1095 | struct arpt_replace tmp; |
@@ -1133,8 +1149,8 @@ add_counter_to_entry(struct arpt_entry *e, | |||
1133 | return 0; | 1149 | return 0; |
1134 | } | 1150 | } |
1135 | 1151 | ||
1136 | static int do_add_counters(struct net *net, void __user *user, unsigned int len, | 1152 | static int do_add_counters(struct net *net, const void __user *user, |
1137 | int compat) | 1153 | unsigned int len, int compat) |
1138 | { | 1154 | { |
1139 | unsigned int i, curcpu; | 1155 | unsigned int i, curcpu; |
1140 | struct xt_counters_info tmp; | 1156 | struct xt_counters_info tmp; |
@@ -1238,10 +1254,10 @@ static inline int | |||
1238 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, | 1254 | check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, |
1239 | struct xt_table_info *newinfo, | 1255 | struct xt_table_info *newinfo, |
1240 | unsigned int *size, | 1256 | unsigned int *size, |
1241 | unsigned char *base, | 1257 | const unsigned char *base, |
1242 | unsigned char *limit, | 1258 | const unsigned char *limit, |
1243 | unsigned int *hook_entries, | 1259 | const unsigned int *hook_entries, |
1244 | unsigned int *underflows, | 1260 | const unsigned int *underflows, |
1245 | unsigned int *i, | 1261 | unsigned int *i, |
1246 | const char *name) | 1262 | const char *name) |
1247 | { | 1263 | { |
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index 97337601827a..bfe26f32b930 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c | |||
@@ -6,6 +6,7 @@ | |||
6 | */ | 6 | */ |
7 | 7 | ||
8 | #include <linux/module.h> | 8 | #include <linux/module.h> |
9 | #include <linux/netfilter/x_tables.h> | ||
9 | #include <linux/netfilter_arp/arp_tables.h> | 10 | #include <linux/netfilter_arp/arp_tables.h> |
10 | 11 | ||
11 | MODULE_LICENSE("GPL"); | 12 | MODULE_LICENSE("GPL"); |
@@ -15,93 +16,37 @@ MODULE_DESCRIPTION("arptables filter table"); | |||
15 | #define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \ | 16 | #define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \ |
16 | (1 << NF_ARP_FORWARD)) | 17 | (1 << NF_ARP_FORWARD)) |
17 | 18 | ||
18 | static const struct | ||
19 | { | ||
20 | struct arpt_replace repl; | ||
21 | struct arpt_standard entries[3]; | ||
22 | struct arpt_error term; | ||
23 | } initial_table __net_initdata = { | ||
24 | .repl = { | ||
25 | .name = "filter", | ||
26 | .valid_hooks = FILTER_VALID_HOOKS, | ||
27 | .num_entries = 4, | ||
28 | .size = sizeof(struct arpt_standard) * 3 + sizeof(struct arpt_error), | ||
29 | .hook_entry = { | ||
30 | [NF_ARP_IN] = 0, | ||
31 | [NF_ARP_OUT] = sizeof(struct arpt_standard), | ||
32 | [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard), | ||
33 | }, | ||
34 | .underflow = { | ||
35 | [NF_ARP_IN] = 0, | ||
36 | [NF_ARP_OUT] = sizeof(struct arpt_standard), | ||
37 | [NF_ARP_FORWARD] = 2 * sizeof(struct arpt_standard), | ||
38 | }, | ||
39 | }, | ||
40 | .entries = { | ||
41 | ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_IN */ | ||
42 | ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_OUT */ | ||
43 | ARPT_STANDARD_INIT(NF_ACCEPT), /* ARP_FORWARD */ | ||
44 | }, | ||
45 | .term = ARPT_ERROR_INIT, | ||
46 | }; | ||
47 | |||
48 | static const struct xt_table packet_filter = { | 19 | static const struct xt_table packet_filter = { |
49 | .name = "filter", | 20 | .name = "filter", |
50 | .valid_hooks = FILTER_VALID_HOOKS, | 21 | .valid_hooks = FILTER_VALID_HOOKS, |
51 | .me = THIS_MODULE, | 22 | .me = THIS_MODULE, |
52 | .af = NFPROTO_ARP, | 23 | .af = NFPROTO_ARP, |
24 | .priority = NF_IP_PRI_FILTER, | ||
53 | }; | 25 | }; |
54 | 26 | ||
55 | /* The work comes in here from netfilter.c */ | 27 | /* The work comes in here from netfilter.c */ |
56 | static unsigned int arpt_in_hook(unsigned int hook, | 28 | static unsigned int |
57 | struct sk_buff *skb, | 29 | arptable_filter_hook(unsigned int hook, struct sk_buff *skb, |
58 | const struct net_device *in, | 30 | const struct net_device *in, const struct net_device *out, |
59 | const struct net_device *out, | 31 | int (*okfn)(struct sk_buff *)) |
60 | int (*okfn)(struct sk_buff *)) | ||
61 | { | 32 | { |
62 | return arpt_do_table(skb, hook, in, out, | 33 | const struct net *net = dev_net((in != NULL) ? in : out); |
63 | dev_net(in)->ipv4.arptable_filter); | ||
64 | } | ||
65 | 34 | ||
66 | static unsigned int arpt_out_hook(unsigned int hook, | 35 | return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter); |
67 | struct sk_buff *skb, | ||
68 | const struct net_device *in, | ||
69 | const struct net_device *out, | ||
70 | int (*okfn)(struct sk_buff *)) | ||
71 | { | ||
72 | return arpt_do_table(skb, hook, in, out, | ||
73 | dev_net(out)->ipv4.arptable_filter); | ||
74 | } | 36 | } |
75 | 37 | ||
76 | static struct nf_hook_ops arpt_ops[] __read_mostly = { | 38 | static struct nf_hook_ops *arpfilter_ops __read_mostly; |
77 | { | ||
78 | .hook = arpt_in_hook, | ||
79 | .owner = THIS_MODULE, | ||
80 | .pf = NFPROTO_ARP, | ||
81 | .hooknum = NF_ARP_IN, | ||
82 | .priority = NF_IP_PRI_FILTER, | ||
83 | }, | ||
84 | { | ||
85 | .hook = arpt_out_hook, | ||
86 | .owner = THIS_MODULE, | ||
87 | .pf = NFPROTO_ARP, | ||
88 | .hooknum = NF_ARP_OUT, | ||
89 | .priority = NF_IP_PRI_FILTER, | ||
90 | }, | ||
91 | { | ||
92 | .hook = arpt_in_hook, | ||
93 | .owner = THIS_MODULE, | ||
94 | .pf = NFPROTO_ARP, | ||
95 | .hooknum = NF_ARP_FORWARD, | ||
96 | .priority = NF_IP_PRI_FILTER, | ||
97 | }, | ||
98 | }; | ||
99 | 39 | ||
100 | static int __net_init arptable_filter_net_init(struct net *net) | 40 | static int __net_init arptable_filter_net_init(struct net *net) |
101 | { | 41 | { |
102 | /* Register table */ | 42 | struct arpt_replace *repl; |
43 | |||
44 | repl = arpt_alloc_initial_table(&packet_filter); | ||
45 | if (repl == NULL) | ||
46 | return -ENOMEM; | ||
103 | net->ipv4.arptable_filter = | 47 | net->ipv4.arptable_filter = |
104 | arpt_register_table(net, &packet_filter, &initial_table.repl); | 48 | arpt_register_table(net, &packet_filter, repl); |
49 | kfree(repl); | ||
105 | if (IS_ERR(net->ipv4.arptable_filter)) | 50 | if (IS_ERR(net->ipv4.arptable_filter)) |
106 | return PTR_ERR(net->ipv4.arptable_filter); | 51 | return PTR_ERR(net->ipv4.arptable_filter); |
107 | return 0; | 52 | return 0; |
@@ -125,9 +70,11 @@ static int __init arptable_filter_init(void) | |||
125 | if (ret < 0) | 70 | if (ret < 0) |
126 | return ret; | 71 | return ret; |
127 | 72 | ||
128 | ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops)); | 73 | arpfilter_ops = xt_hook_link(&packet_filter, arptable_filter_hook); |
129 | if (ret < 0) | 74 | if (IS_ERR(arpfilter_ops)) { |
75 | ret = PTR_ERR(arpfilter_ops); | ||
130 | goto cleanup_table; | 76 | goto cleanup_table; |
77 | } | ||
131 | return ret; | 78 | return ret; |
132 | 79 | ||
133 | cleanup_table: | 80 | cleanup_table: |
@@ -137,7 +84,7 @@ cleanup_table: | |||
137 | 84 | ||
138 | static void __exit arptable_filter_fini(void) | 85 | static void __exit arptable_filter_fini(void) |
139 | { | 86 | { |
140 | nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops)); | 87 | xt_hook_unlink(&packet_filter, arpfilter_ops); |
141 | unregister_pernet_subsys(&arptable_filter_net_ops); | 88 | unregister_pernet_subsys(&arptable_filter_net_ops); |
142 | } | 89 | } |
143 | 90 | ||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3ce53cf13d5a..e94c18bdfc68 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <linux/netfilter/x_tables.h> | 28 | #include <linux/netfilter/x_tables.h> |
29 | #include <linux/netfilter_ipv4/ip_tables.h> | 29 | #include <linux/netfilter_ipv4/ip_tables.h> |
30 | #include <net/netfilter/nf_log.h> | 30 | #include <net/netfilter/nf_log.h> |
31 | #include "../../netfilter/xt_repldata.h" | ||
31 | 32 | ||
32 | MODULE_LICENSE("GPL"); | 33 | MODULE_LICENSE("GPL"); |
33 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | 34 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); |
@@ -66,6 +67,12 @@ do { \ | |||
66 | #define inline | 67 | #define inline |
67 | #endif | 68 | #endif |
68 | 69 | ||
70 | void *ipt_alloc_initial_table(const struct xt_table *info) | ||
71 | { | ||
72 | return xt_alloc_initial_table(ipt, IPT); | ||
73 | } | ||
74 | EXPORT_SYMBOL_GPL(ipt_alloc_initial_table); | ||
75 | |||
69 | /* | 76 | /* |
70 | We keep a set of rules for each CPU, so we can avoid write-locking | 77 | We keep a set of rules for each CPU, so we can avoid write-locking |
71 | them in the softirq when updating the counters and therefore | 78 | them in the softirq when updating the counters and therefore |
@@ -169,7 +176,7 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
169 | 176 | ||
170 | /* Performance critical - called for every packet */ | 177 | /* Performance critical - called for every packet */ |
171 | static inline bool | 178 | static inline bool |
172 | do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | 179 | do_match(const struct ipt_entry_match *m, const struct sk_buff *skb, |
173 | struct xt_match_param *par) | 180 | struct xt_match_param *par) |
174 | { | 181 | { |
175 | par->match = m->u.kernel.match; | 182 | par->match = m->u.kernel.match; |
@@ -184,7 +191,7 @@ do_match(struct ipt_entry_match *m, const struct sk_buff *skb, | |||
184 | 191 | ||
185 | /* Performance critical */ | 192 | /* Performance critical */ |
186 | static inline struct ipt_entry * | 193 | static inline struct ipt_entry * |
187 | get_entry(void *base, unsigned int offset) | 194 | get_entry(const void *base, unsigned int offset) |
188 | { | 195 | { |
189 | return (struct ipt_entry *)(base + offset); | 196 | return (struct ipt_entry *)(base + offset); |
190 | } | 197 | } |
@@ -199,6 +206,13 @@ static inline bool unconditional(const struct ipt_ip *ip) | |||
199 | #undef FWINV | 206 | #undef FWINV |
200 | } | 207 | } |
201 | 208 | ||
209 | /* for const-correctness */ | ||
210 | static inline const struct ipt_entry_target * | ||
211 | ipt_get_target_c(const struct ipt_entry *e) | ||
212 | { | ||
213 | return ipt_get_target((struct ipt_entry *)e); | ||
214 | } | ||
215 | |||
202 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 216 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
203 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) | 217 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) |
204 | static const char *const hooknames[] = { | 218 | static const char *const hooknames[] = { |
@@ -233,11 +247,11 @@ static struct nf_loginfo trace_loginfo = { | |||
233 | 247 | ||
234 | /* Mildly perf critical (only if packet tracing is on) */ | 248 | /* Mildly perf critical (only if packet tracing is on) */ |
235 | static inline int | 249 | static inline int |
236 | get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | 250 | get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, |
237 | const char *hookname, const char **chainname, | 251 | const char *hookname, const char **chainname, |
238 | const char **comment, unsigned int *rulenum) | 252 | const char **comment, unsigned int *rulenum) |
239 | { | 253 | { |
240 | struct ipt_standard_target *t = (void *)ipt_get_target(s); | 254 | const struct ipt_standard_target *t = (void *)ipt_get_target_c(s); |
241 | 255 | ||
242 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { | 256 | if (strcmp(t->target.u.kernel.target->name, IPT_ERROR_TARGET) == 0) { |
243 | /* Head of user chain: ERROR target with chainname */ | 257 | /* Head of user chain: ERROR target with chainname */ |
@@ -263,15 +277,15 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | |||
263 | return 0; | 277 | return 0; |
264 | } | 278 | } |
265 | 279 | ||
266 | static void trace_packet(struct sk_buff *skb, | 280 | static void trace_packet(const struct sk_buff *skb, |
267 | unsigned int hook, | 281 | unsigned int hook, |
268 | const struct net_device *in, | 282 | const struct net_device *in, |
269 | const struct net_device *out, | 283 | const struct net_device *out, |
270 | const char *tablename, | 284 | const char *tablename, |
271 | struct xt_table_info *private, | 285 | const struct xt_table_info *private, |
272 | struct ipt_entry *e) | 286 | const struct ipt_entry *e) |
273 | { | 287 | { |
274 | void *table_base; | 288 | const void *table_base; |
275 | const struct ipt_entry *root; | 289 | const struct ipt_entry *root; |
276 | const char *hookname, *chainname, *comment; | 290 | const char *hookname, *chainname, *comment; |
277 | unsigned int rulenum = 0; | 291 | unsigned int rulenum = 0; |
@@ -315,9 +329,9 @@ ipt_do_table(struct sk_buff *skb, | |||
315 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 329 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
316 | unsigned int verdict = NF_DROP; | 330 | unsigned int verdict = NF_DROP; |
317 | const char *indev, *outdev; | 331 | const char *indev, *outdev; |
318 | void *table_base; | 332 | const void *table_base; |
319 | struct ipt_entry *e, *back; | 333 | struct ipt_entry *e, *back; |
320 | struct xt_table_info *private; | 334 | const struct xt_table_info *private; |
321 | struct xt_match_param mtpar; | 335 | struct xt_match_param mtpar; |
322 | struct xt_target_param tgpar; | 336 | struct xt_target_param tgpar; |
323 | 337 | ||
@@ -350,7 +364,7 @@ ipt_do_table(struct sk_buff *skb, | |||
350 | back = get_entry(table_base, private->underflow[hook]); | 364 | back = get_entry(table_base, private->underflow[hook]); |
351 | 365 | ||
352 | do { | 366 | do { |
353 | struct ipt_entry_target *t; | 367 | const struct ipt_entry_target *t; |
354 | 368 | ||
355 | IP_NF_ASSERT(e); | 369 | IP_NF_ASSERT(e); |
356 | IP_NF_ASSERT(back); | 370 | IP_NF_ASSERT(back); |
@@ -443,7 +457,7 @@ ipt_do_table(struct sk_buff *skb, | |||
443 | /* Figures out from what hook each rule can be called: returns 0 if | 457 | /* Figures out from what hook each rule can be called: returns 0 if |
444 | there are loops. Puts hook bitmask in comefrom. */ | 458 | there are loops. Puts hook bitmask in comefrom. */ |
445 | static int | 459 | static int |
446 | mark_source_chains(struct xt_table_info *newinfo, | 460 | mark_source_chains(const struct xt_table_info *newinfo, |
447 | unsigned int valid_hooks, void *entry0) | 461 | unsigned int valid_hooks, void *entry0) |
448 | { | 462 | { |
449 | unsigned int hook; | 463 | unsigned int hook; |
@@ -461,8 +475,8 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
461 | e->counters.pcnt = pos; | 475 | e->counters.pcnt = pos; |
462 | 476 | ||
463 | for (;;) { | 477 | for (;;) { |
464 | struct ipt_standard_target *t | 478 | const struct ipt_standard_target *t |
465 | = (void *)ipt_get_target(e); | 479 | = (void *)ipt_get_target_c(e); |
466 | int visited = e->comefrom & (1 << hook); | 480 | int visited = e->comefrom & (1 << hook); |
467 | 481 | ||
468 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { | 482 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { |
@@ -553,13 +567,14 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
553 | } | 567 | } |
554 | 568 | ||
555 | static int | 569 | static int |
556 | cleanup_match(struct ipt_entry_match *m, unsigned int *i) | 570 | cleanup_match(struct ipt_entry_match *m, struct net *net, unsigned int *i) |
557 | { | 571 | { |
558 | struct xt_mtdtor_param par; | 572 | struct xt_mtdtor_param par; |
559 | 573 | ||
560 | if (i && (*i)-- == 0) | 574 | if (i && (*i)-- == 0) |
561 | return 1; | 575 | return 1; |
562 | 576 | ||
577 | par.net = net; | ||
563 | par.match = m->u.kernel.match; | 578 | par.match = m->u.kernel.match; |
564 | par.matchinfo = m->data; | 579 | par.matchinfo = m->data; |
565 | par.family = NFPROTO_IPV4; | 580 | par.family = NFPROTO_IPV4; |
@@ -570,9 +585,9 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i) | |||
570 | } | 585 | } |
571 | 586 | ||
572 | static int | 587 | static int |
573 | check_entry(struct ipt_entry *e, const char *name) | 588 | check_entry(const struct ipt_entry *e, const char *name) |
574 | { | 589 | { |
575 | struct ipt_entry_target *t; | 590 | const struct ipt_entry_target *t; |
576 | 591 | ||
577 | if (!ip_checkentry(&e->ip)) { | 592 | if (!ip_checkentry(&e->ip)) { |
578 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); | 593 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); |
@@ -583,7 +598,7 @@ check_entry(struct ipt_entry *e, const char *name) | |||
583 | e->next_offset) | 598 | e->next_offset) |
584 | return -EINVAL; | 599 | return -EINVAL; |
585 | 600 | ||
586 | t = ipt_get_target(e); | 601 | t = ipt_get_target_c(e); |
587 | if (e->target_offset + t->u.target_size > e->next_offset) | 602 | if (e->target_offset + t->u.target_size > e->next_offset) |
588 | return -EINVAL; | 603 | return -EINVAL; |
589 | 604 | ||
@@ -637,10 +652,11 @@ err: | |||
637 | return ret; | 652 | return ret; |
638 | } | 653 | } |
639 | 654 | ||
640 | static int check_target(struct ipt_entry *e, const char *name) | 655 | static int check_target(struct ipt_entry *e, struct net *net, const char *name) |
641 | { | 656 | { |
642 | struct ipt_entry_target *t = ipt_get_target(e); | 657 | struct ipt_entry_target *t = ipt_get_target(e); |
643 | struct xt_tgchk_param par = { | 658 | struct xt_tgchk_param par = { |
659 | .net = net, | ||
644 | .table = name, | 660 | .table = name, |
645 | .entryinfo = e, | 661 | .entryinfo = e, |
646 | .target = t->u.kernel.target, | 662 | .target = t->u.kernel.target, |
@@ -661,8 +677,8 @@ static int check_target(struct ipt_entry *e, const char *name) | |||
661 | } | 677 | } |
662 | 678 | ||
663 | static int | 679 | static int |
664 | find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | 680 | find_check_entry(struct ipt_entry *e, struct net *net, const char *name, |
665 | unsigned int *i) | 681 | unsigned int size, unsigned int *i) |
666 | { | 682 | { |
667 | struct ipt_entry_target *t; | 683 | struct ipt_entry_target *t; |
668 | struct xt_target *target; | 684 | struct xt_target *target; |
@@ -675,6 +691,7 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
675 | return ret; | 691 | return ret; |
676 | 692 | ||
677 | j = 0; | 693 | j = 0; |
694 | mtpar.net = net; | ||
678 | mtpar.table = name; | 695 | mtpar.table = name; |
679 | mtpar.entryinfo = &e->ip; | 696 | mtpar.entryinfo = &e->ip; |
680 | mtpar.hook_mask = e->comefrom; | 697 | mtpar.hook_mask = e->comefrom; |
@@ -695,7 +712,7 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
695 | } | 712 | } |
696 | t->u.kernel.target = target; | 713 | t->u.kernel.target = target; |
697 | 714 | ||
698 | ret = check_target(e, name); | 715 | ret = check_target(e, net, name); |
699 | if (ret) | 716 | if (ret) |
700 | goto err; | 717 | goto err; |
701 | 718 | ||
@@ -704,18 +721,18 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
704 | err: | 721 | err: |
705 | module_put(t->u.kernel.target->me); | 722 | module_put(t->u.kernel.target->me); |
706 | cleanup_matches: | 723 | cleanup_matches: |
707 | IPT_MATCH_ITERATE(e, cleanup_match, &j); | 724 | IPT_MATCH_ITERATE(e, cleanup_match, net, &j); |
708 | return ret; | 725 | return ret; |
709 | } | 726 | } |
710 | 727 | ||
711 | static bool check_underflow(struct ipt_entry *e) | 728 | static bool check_underflow(const struct ipt_entry *e) |
712 | { | 729 | { |
713 | const struct ipt_entry_target *t; | 730 | const struct ipt_entry_target *t; |
714 | unsigned int verdict; | 731 | unsigned int verdict; |
715 | 732 | ||
716 | if (!unconditional(&e->ip)) | 733 | if (!unconditional(&e->ip)) |
717 | return false; | 734 | return false; |
718 | t = ipt_get_target(e); | 735 | t = ipt_get_target_c(e); |
719 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 736 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
720 | return false; | 737 | return false; |
721 | verdict = ((struct ipt_standard_target *)t)->verdict; | 738 | verdict = ((struct ipt_standard_target *)t)->verdict; |
@@ -726,8 +743,8 @@ static bool check_underflow(struct ipt_entry *e) | |||
726 | static int | 743 | static int |
727 | check_entry_size_and_hooks(struct ipt_entry *e, | 744 | check_entry_size_and_hooks(struct ipt_entry *e, |
728 | struct xt_table_info *newinfo, | 745 | struct xt_table_info *newinfo, |
729 | unsigned char *base, | 746 | const unsigned char *base, |
730 | unsigned char *limit, | 747 | const unsigned char *limit, |
731 | const unsigned int *hook_entries, | 748 | const unsigned int *hook_entries, |
732 | const unsigned int *underflows, | 749 | const unsigned int *underflows, |
733 | unsigned int valid_hooks, | 750 | unsigned int valid_hooks, |
@@ -774,7 +791,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
774 | } | 791 | } |
775 | 792 | ||
776 | static int | 793 | static int |
777 | cleanup_entry(struct ipt_entry *e, unsigned int *i) | 794 | cleanup_entry(struct ipt_entry *e, struct net *net, unsigned int *i) |
778 | { | 795 | { |
779 | struct xt_tgdtor_param par; | 796 | struct xt_tgdtor_param par; |
780 | struct ipt_entry_target *t; | 797 | struct ipt_entry_target *t; |
@@ -783,9 +800,10 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i) | |||
783 | return 1; | 800 | return 1; |
784 | 801 | ||
785 | /* Cleanup all matches */ | 802 | /* Cleanup all matches */ |
786 | IPT_MATCH_ITERATE(e, cleanup_match, NULL); | 803 | IPT_MATCH_ITERATE(e, cleanup_match, net, NULL); |
787 | t = ipt_get_target(e); | 804 | t = ipt_get_target(e); |
788 | 805 | ||
806 | par.net = net; | ||
789 | par.target = t->u.kernel.target; | 807 | par.target = t->u.kernel.target; |
790 | par.targinfo = t->data; | 808 | par.targinfo = t->data; |
791 | par.family = NFPROTO_IPV4; | 809 | par.family = NFPROTO_IPV4; |
@@ -798,7 +816,8 @@ cleanup_entry(struct ipt_entry *e, unsigned int *i) | |||
798 | /* Checks and translates the user-supplied table segment (held in | 816 | /* Checks and translates the user-supplied table segment (held in |
799 | newinfo) */ | 817 | newinfo) */ |
800 | static int | 818 | static int |
801 | translate_table(const char *name, | 819 | translate_table(struct net *net, |
820 | const char *name, | ||
802 | unsigned int valid_hooks, | 821 | unsigned int valid_hooks, |
803 | struct xt_table_info *newinfo, | 822 | struct xt_table_info *newinfo, |
804 | void *entry0, | 823 | void *entry0, |
@@ -860,11 +879,11 @@ translate_table(const char *name, | |||
860 | /* Finally, each sanity check must pass */ | 879 | /* Finally, each sanity check must pass */ |
861 | i = 0; | 880 | i = 0; |
862 | ret = IPT_ENTRY_ITERATE(entry0, newinfo->size, | 881 | ret = IPT_ENTRY_ITERATE(entry0, newinfo->size, |
863 | find_check_entry, name, size, &i); | 882 | find_check_entry, net, name, size, &i); |
864 | 883 | ||
865 | if (ret != 0) { | 884 | if (ret != 0) { |
866 | IPT_ENTRY_ITERATE(entry0, newinfo->size, | 885 | IPT_ENTRY_ITERATE(entry0, newinfo->size, |
867 | cleanup_entry, &i); | 886 | cleanup_entry, net, &i); |
868 | return ret; | 887 | return ret; |
869 | } | 888 | } |
870 | 889 | ||
@@ -940,11 +959,11 @@ get_counters(const struct xt_table_info *t, | |||
940 | local_bh_enable(); | 959 | local_bh_enable(); |
941 | } | 960 | } |
942 | 961 | ||
943 | static struct xt_counters * alloc_counters(struct xt_table *table) | 962 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
944 | { | 963 | { |
945 | unsigned int countersize; | 964 | unsigned int countersize; |
946 | struct xt_counters *counters; | 965 | struct xt_counters *counters; |
947 | struct xt_table_info *private = table->private; | 966 | const struct xt_table_info *private = table->private; |
948 | 967 | ||
949 | /* We need atomic snapshot of counters: rest doesn't change | 968 | /* We need atomic snapshot of counters: rest doesn't change |
950 | (other than comefrom, which userspace doesn't care | 969 | (other than comefrom, which userspace doesn't care |
@@ -962,11 +981,11 @@ static struct xt_counters * alloc_counters(struct xt_table *table) | |||
962 | 981 | ||
963 | static int | 982 | static int |
964 | copy_entries_to_user(unsigned int total_size, | 983 | copy_entries_to_user(unsigned int total_size, |
965 | struct xt_table *table, | 984 | const struct xt_table *table, |
966 | void __user *userptr) | 985 | void __user *userptr) |
967 | { | 986 | { |
968 | unsigned int off, num; | 987 | unsigned int off, num; |
969 | struct ipt_entry *e; | 988 | const struct ipt_entry *e; |
970 | struct xt_counters *counters; | 989 | struct xt_counters *counters; |
971 | const struct xt_table_info *private = table->private; | 990 | const struct xt_table_info *private = table->private; |
972 | int ret = 0; | 991 | int ret = 0; |
@@ -1018,7 +1037,7 @@ copy_entries_to_user(unsigned int total_size, | |||
1018 | } | 1037 | } |
1019 | } | 1038 | } |
1020 | 1039 | ||
1021 | t = ipt_get_target(e); | 1040 | t = ipt_get_target_c(e); |
1022 | if (copy_to_user(userptr + off + e->target_offset | 1041 | if (copy_to_user(userptr + off + e->target_offset |
1023 | + offsetof(struct ipt_entry_target, | 1042 | + offsetof(struct ipt_entry_target, |
1024 | u.user.name), | 1043 | u.user.name), |
@@ -1035,7 +1054,7 @@ copy_entries_to_user(unsigned int total_size, | |||
1035 | } | 1054 | } |
1036 | 1055 | ||
1037 | #ifdef CONFIG_COMPAT | 1056 | #ifdef CONFIG_COMPAT |
1038 | static void compat_standard_from_user(void *dst, void *src) | 1057 | static void compat_standard_from_user(void *dst, const void *src) |
1039 | { | 1058 | { |
1040 | int v = *(compat_int_t *)src; | 1059 | int v = *(compat_int_t *)src; |
1041 | 1060 | ||
@@ -1044,7 +1063,7 @@ static void compat_standard_from_user(void *dst, void *src) | |||
1044 | memcpy(dst, &v, sizeof(v)); | 1063 | memcpy(dst, &v, sizeof(v)); |
1045 | } | 1064 | } |
1046 | 1065 | ||
1047 | static int compat_standard_to_user(void __user *dst, void *src) | 1066 | static int compat_standard_to_user(void __user *dst, const void *src) |
1048 | { | 1067 | { |
1049 | compat_int_t cv = *(int *)src; | 1068 | compat_int_t cv = *(int *)src; |
1050 | 1069 | ||
@@ -1054,24 +1073,24 @@ static int compat_standard_to_user(void __user *dst, void *src) | |||
1054 | } | 1073 | } |
1055 | 1074 | ||
1056 | static inline int | 1075 | static inline int |
1057 | compat_calc_match(struct ipt_entry_match *m, int *size) | 1076 | compat_calc_match(const struct ipt_entry_match *m, int *size) |
1058 | { | 1077 | { |
1059 | *size += xt_compat_match_offset(m->u.kernel.match); | 1078 | *size += xt_compat_match_offset(m->u.kernel.match); |
1060 | return 0; | 1079 | return 0; |
1061 | } | 1080 | } |
1062 | 1081 | ||
1063 | static int compat_calc_entry(struct ipt_entry *e, | 1082 | static int compat_calc_entry(const struct ipt_entry *e, |
1064 | const struct xt_table_info *info, | 1083 | const struct xt_table_info *info, |
1065 | void *base, struct xt_table_info *newinfo) | 1084 | const void *base, struct xt_table_info *newinfo) |
1066 | { | 1085 | { |
1067 | struct ipt_entry_target *t; | 1086 | const struct ipt_entry_target *t; |
1068 | unsigned int entry_offset; | 1087 | unsigned int entry_offset; |
1069 | int off, i, ret; | 1088 | int off, i, ret; |
1070 | 1089 | ||
1071 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); | 1090 | off = sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry); |
1072 | entry_offset = (void *)e - base; | 1091 | entry_offset = (void *)e - base; |
1073 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); | 1092 | IPT_MATCH_ITERATE(e, compat_calc_match, &off); |
1074 | t = ipt_get_target(e); | 1093 | t = ipt_get_target_c(e); |
1075 | off += xt_compat_target_offset(t->u.kernel.target); | 1094 | off += xt_compat_target_offset(t->u.kernel.target); |
1076 | newinfo->size -= off; | 1095 | newinfo->size -= off; |
1077 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); | 1096 | ret = xt_compat_add_offset(AF_INET, entry_offset, off); |
@@ -1107,7 +1126,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
1107 | } | 1126 | } |
1108 | #endif | 1127 | #endif |
1109 | 1128 | ||
1110 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 1129 | static int get_info(struct net *net, void __user *user, |
1130 | const int *len, int compat) | ||
1111 | { | 1131 | { |
1112 | char name[IPT_TABLE_MAXNAMELEN]; | 1132 | char name[IPT_TABLE_MAXNAMELEN]; |
1113 | struct xt_table *t; | 1133 | struct xt_table *t; |
@@ -1167,7 +1187,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
1167 | } | 1187 | } |
1168 | 1188 | ||
1169 | static int | 1189 | static int |
1170 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len) | 1190 | get_entries(struct net *net, struct ipt_get_entries __user *uptr, |
1191 | const int *len) | ||
1171 | { | 1192 | { |
1172 | int ret; | 1193 | int ret; |
1173 | struct ipt_get_entries get; | 1194 | struct ipt_get_entries get; |
@@ -1258,7 +1279,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
1258 | /* Decrease module usage counts and free resource */ | 1279 | /* Decrease module usage counts and free resource */ |
1259 | loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; | 1280 | loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; |
1260 | IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry, | 1281 | IPT_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry, |
1261 | NULL); | 1282 | net, NULL); |
1262 | xt_free_table_info(oldinfo); | 1283 | xt_free_table_info(oldinfo); |
1263 | if (copy_to_user(counters_ptr, counters, | 1284 | if (copy_to_user(counters_ptr, counters, |
1264 | sizeof(struct xt_counters) * num_counters) != 0) | 1285 | sizeof(struct xt_counters) * num_counters) != 0) |
@@ -1277,7 +1298,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
1277 | } | 1298 | } |
1278 | 1299 | ||
1279 | static int | 1300 | static int |
1280 | do_replace(struct net *net, void __user *user, unsigned int len) | 1301 | do_replace(struct net *net, const void __user *user, unsigned int len) |
1281 | { | 1302 | { |
1282 | int ret; | 1303 | int ret; |
1283 | struct ipt_replace tmp; | 1304 | struct ipt_replace tmp; |
@@ -1303,7 +1324,7 @@ do_replace(struct net *net, void __user *user, unsigned int len) | |||
1303 | goto free_newinfo; | 1324 | goto free_newinfo; |
1304 | } | 1325 | } |
1305 | 1326 | ||
1306 | ret = translate_table(tmp.name, tmp.valid_hooks, | 1327 | ret = translate_table(net, tmp.name, tmp.valid_hooks, |
1307 | newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, | 1328 | newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, |
1308 | tmp.hook_entry, tmp.underflow); | 1329 | tmp.hook_entry, tmp.underflow); |
1309 | if (ret != 0) | 1330 | if (ret != 0) |
@@ -1318,7 +1339,7 @@ do_replace(struct net *net, void __user *user, unsigned int len) | |||
1318 | return 0; | 1339 | return 0; |
1319 | 1340 | ||
1320 | free_newinfo_untrans: | 1341 | free_newinfo_untrans: |
1321 | IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL); | 1342 | IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, net, NULL); |
1322 | free_newinfo: | 1343 | free_newinfo: |
1323 | xt_free_table_info(newinfo); | 1344 | xt_free_table_info(newinfo); |
1324 | return ret; | 1345 | return ret; |
@@ -1338,7 +1359,8 @@ add_counter_to_entry(struct ipt_entry *e, | |||
1338 | } | 1359 | } |
1339 | 1360 | ||
1340 | static int | 1361 | static int |
1341 | do_add_counters(struct net *net, void __user *user, unsigned int len, int compat) | 1362 | do_add_counters(struct net *net, const void __user *user, |
1363 | unsigned int len, int compat) | ||
1342 | { | 1364 | { |
1343 | unsigned int i, curcpu; | 1365 | unsigned int i, curcpu; |
1344 | struct xt_counters_info tmp; | 1366 | struct xt_counters_info tmp; |
@@ -1534,10 +1556,10 @@ static int | |||
1534 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, | 1556 | check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, |
1535 | struct xt_table_info *newinfo, | 1557 | struct xt_table_info *newinfo, |
1536 | unsigned int *size, | 1558 | unsigned int *size, |
1537 | unsigned char *base, | 1559 | const unsigned char *base, |
1538 | unsigned char *limit, | 1560 | const unsigned char *limit, |
1539 | unsigned int *hook_entries, | 1561 | const unsigned int *hook_entries, |
1540 | unsigned int *underflows, | 1562 | const unsigned int *underflows, |
1541 | unsigned int *i, | 1563 | unsigned int *i, |
1542 | const char *name) | 1564 | const char *name) |
1543 | { | 1565 | { |
@@ -1655,7 +1677,7 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr, | |||
1655 | } | 1677 | } |
1656 | 1678 | ||
1657 | static int | 1679 | static int |
1658 | compat_check_entry(struct ipt_entry *e, const char *name, | 1680 | compat_check_entry(struct ipt_entry *e, struct net *net, const char *name, |
1659 | unsigned int *i) | 1681 | unsigned int *i) |
1660 | { | 1682 | { |
1661 | struct xt_mtchk_param mtpar; | 1683 | struct xt_mtchk_param mtpar; |
@@ -1663,6 +1685,7 @@ compat_check_entry(struct ipt_entry *e, const char *name, | |||
1663 | int ret; | 1685 | int ret; |
1664 | 1686 | ||
1665 | j = 0; | 1687 | j = 0; |
1688 | mtpar.net = net; | ||
1666 | mtpar.table = name; | 1689 | mtpar.table = name; |
1667 | mtpar.entryinfo = &e->ip; | 1690 | mtpar.entryinfo = &e->ip; |
1668 | mtpar.hook_mask = e->comefrom; | 1691 | mtpar.hook_mask = e->comefrom; |
@@ -1671,7 +1694,7 @@ compat_check_entry(struct ipt_entry *e, const char *name, | |||
1671 | if (ret) | 1694 | if (ret) |
1672 | goto cleanup_matches; | 1695 | goto cleanup_matches; |
1673 | 1696 | ||
1674 | ret = check_target(e, name); | 1697 | ret = check_target(e, net, name); |
1675 | if (ret) | 1698 | if (ret) |
1676 | goto cleanup_matches; | 1699 | goto cleanup_matches; |
1677 | 1700 | ||
@@ -1679,12 +1702,13 @@ compat_check_entry(struct ipt_entry *e, const char *name, | |||
1679 | return 0; | 1702 | return 0; |
1680 | 1703 | ||
1681 | cleanup_matches: | 1704 | cleanup_matches: |
1682 | IPT_MATCH_ITERATE(e, cleanup_match, &j); | 1705 | IPT_MATCH_ITERATE(e, cleanup_match, net, &j); |
1683 | return ret; | 1706 | return ret; |
1684 | } | 1707 | } |
1685 | 1708 | ||
1686 | static int | 1709 | static int |
1687 | translate_compat_table(const char *name, | 1710 | translate_compat_table(struct net *net, |
1711 | const char *name, | ||
1688 | unsigned int valid_hooks, | 1712 | unsigned int valid_hooks, |
1689 | struct xt_table_info **pinfo, | 1713 | struct xt_table_info **pinfo, |
1690 | void **pentry0, | 1714 | void **pentry0, |
@@ -1773,12 +1797,12 @@ translate_compat_table(const char *name, | |||
1773 | 1797 | ||
1774 | i = 0; | 1798 | i = 0; |
1775 | ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, | 1799 | ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, |
1776 | name, &i); | 1800 | net, name, &i); |
1777 | if (ret) { | 1801 | if (ret) { |
1778 | j -= i; | 1802 | j -= i; |
1779 | COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i, | 1803 | COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i, |
1780 | compat_release_entry, &j); | 1804 | compat_release_entry, &j); |
1781 | IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i); | 1805 | IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, net, &i); |
1782 | xt_free_table_info(newinfo); | 1806 | xt_free_table_info(newinfo); |
1783 | return ret; | 1807 | return ret; |
1784 | } | 1808 | } |
@@ -1833,7 +1857,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) | |||
1833 | goto free_newinfo; | 1857 | goto free_newinfo; |
1834 | } | 1858 | } |
1835 | 1859 | ||
1836 | ret = translate_compat_table(tmp.name, tmp.valid_hooks, | 1860 | ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, |
1837 | &newinfo, &loc_cpu_entry, tmp.size, | 1861 | &newinfo, &loc_cpu_entry, tmp.size, |
1838 | tmp.num_entries, tmp.hook_entry, | 1862 | tmp.num_entries, tmp.hook_entry, |
1839 | tmp.underflow); | 1863 | tmp.underflow); |
@@ -1849,7 +1873,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) | |||
1849 | return 0; | 1873 | return 0; |
1850 | 1874 | ||
1851 | free_newinfo_untrans: | 1875 | free_newinfo_untrans: |
1852 | IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL); | 1876 | IPT_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, net, NULL); |
1853 | free_newinfo: | 1877 | free_newinfo: |
1854 | xt_free_table_info(newinfo); | 1878 | xt_free_table_info(newinfo); |
1855 | return ret; | 1879 | return ret; |
@@ -2086,7 +2110,7 @@ struct xt_table *ipt_register_table(struct net *net, | |||
2086 | loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; | 2110 | loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; |
2087 | memcpy(loc_cpu_entry, repl->entries, repl->size); | 2111 | memcpy(loc_cpu_entry, repl->entries, repl->size); |
2088 | 2112 | ||
2089 | ret = translate_table(table->name, table->valid_hooks, | 2113 | ret = translate_table(net, table->name, table->valid_hooks, |
2090 | newinfo, loc_cpu_entry, repl->size, | 2114 | newinfo, loc_cpu_entry, repl->size, |
2091 | repl->num_entries, | 2115 | repl->num_entries, |
2092 | repl->hook_entry, | 2116 | repl->hook_entry, |
@@ -2108,7 +2132,7 @@ out: | |||
2108 | return ERR_PTR(ret); | 2132 | return ERR_PTR(ret); |
2109 | } | 2133 | } |
2110 | 2134 | ||
2111 | void ipt_unregister_table(struct xt_table *table) | 2135 | void ipt_unregister_table(struct net *net, struct xt_table *table) |
2112 | { | 2136 | { |
2113 | struct xt_table_info *private; | 2137 | struct xt_table_info *private; |
2114 | void *loc_cpu_entry; | 2138 | void *loc_cpu_entry; |
@@ -2118,7 +2142,7 @@ void ipt_unregister_table(struct xt_table *table) | |||
2118 | 2142 | ||
2119 | /* Decrease module usage counts and free resources */ | 2143 | /* Decrease module usage counts and free resources */ |
2120 | loc_cpu_entry = private->entries[raw_smp_processor_id()]; | 2144 | loc_cpu_entry = private->entries[raw_smp_processor_id()]; |
2121 | IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL); | 2145 | IPT_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, net, NULL); |
2122 | if (private->number > private->initial_entries) | 2146 | if (private->number > private->initial_entries) |
2123 | module_put(table_owner); | 2147 | module_put(table_owner); |
2124 | xt_free_table_info(private); | 2148 | xt_free_table_info(private); |
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 40ca2d240abb..0886f96c736b 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
@@ -560,8 +560,7 @@ struct clusterip_seq_position { | |||
560 | 560 | ||
561 | static void *clusterip_seq_start(struct seq_file *s, loff_t *pos) | 561 | static void *clusterip_seq_start(struct seq_file *s, loff_t *pos) |
562 | { | 562 | { |
563 | const struct proc_dir_entry *pde = s->private; | 563 | struct clusterip_config *c = s->private; |
564 | struct clusterip_config *c = pde->data; | ||
565 | unsigned int weight; | 564 | unsigned int weight; |
566 | u_int32_t local_nodes; | 565 | u_int32_t local_nodes; |
567 | struct clusterip_seq_position *idx; | 566 | struct clusterip_seq_position *idx; |
@@ -632,10 +631,9 @@ static int clusterip_proc_open(struct inode *inode, struct file *file) | |||
632 | 631 | ||
633 | if (!ret) { | 632 | if (!ret) { |
634 | struct seq_file *sf = file->private_data; | 633 | struct seq_file *sf = file->private_data; |
635 | struct proc_dir_entry *pde = PDE(inode); | 634 | struct clusterip_config *c = PDE(inode)->data; |
636 | struct clusterip_config *c = pde->data; | ||
637 | 635 | ||
638 | sf->private = pde; | 636 | sf->private = c; |
639 | 637 | ||
640 | clusterip_config_get(c); | 638 | clusterip_config_get(c); |
641 | } | 639 | } |
@@ -645,8 +643,7 @@ static int clusterip_proc_open(struct inode *inode, struct file *file) | |||
645 | 643 | ||
646 | static int clusterip_proc_release(struct inode *inode, struct file *file) | 644 | static int clusterip_proc_release(struct inode *inode, struct file *file) |
647 | { | 645 | { |
648 | struct proc_dir_entry *pde = PDE(inode); | 646 | struct clusterip_config *c = PDE(inode)->data; |
649 | struct clusterip_config *c = pde->data; | ||
650 | int ret; | 647 | int ret; |
651 | 648 | ||
652 | ret = seq_release(inode, file); | 649 | ret = seq_release(inode, file); |
@@ -660,10 +657,9 @@ static int clusterip_proc_release(struct inode *inode, struct file *file) | |||
660 | static ssize_t clusterip_proc_write(struct file *file, const char __user *input, | 657 | static ssize_t clusterip_proc_write(struct file *file, const char __user *input, |
661 | size_t size, loff_t *ofs) | 658 | size_t size, loff_t *ofs) |
662 | { | 659 | { |
660 | struct clusterip_config *c = PDE(file->f_path.dentry->d_inode)->data; | ||
663 | #define PROC_WRITELEN 10 | 661 | #define PROC_WRITELEN 10 |
664 | char buffer[PROC_WRITELEN+1]; | 662 | char buffer[PROC_WRITELEN+1]; |
665 | const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode); | ||
666 | struct clusterip_config *c = pde->data; | ||
667 | unsigned long nodenum; | 663 | unsigned long nodenum; |
668 | 664 | ||
669 | if (copy_from_user(buffer, input, PROC_WRITELEN)) | 665 | if (copy_from_user(buffer, input, PROC_WRITELEN)) |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 399061c3fd7d..09a5d3f7cc41 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -338,7 +338,7 @@ struct compat_ipt_ulog_info { | |||
338 | char prefix[ULOG_PREFIX_LEN]; | 338 | char prefix[ULOG_PREFIX_LEN]; |
339 | }; | 339 | }; |
340 | 340 | ||
341 | static void ulog_tg_compat_from_user(void *dst, void *src) | 341 | static void ulog_tg_compat_from_user(void *dst, const void *src) |
342 | { | 342 | { |
343 | const struct compat_ipt_ulog_info *cl = src; | 343 | const struct compat_ipt_ulog_info *cl = src; |
344 | struct ipt_ulog_info l = { | 344 | struct ipt_ulog_info l = { |
@@ -351,7 +351,7 @@ static void ulog_tg_compat_from_user(void *dst, void *src) | |||
351 | memcpy(dst, &l, sizeof(l)); | 351 | memcpy(dst, &l, sizeof(l)); |
352 | } | 352 | } |
353 | 353 | ||
354 | static int ulog_tg_compat_to_user(void __user *dst, void *src) | 354 | static int ulog_tg_compat_to_user(void __user *dst, const void *src) |
355 | { | 355 | { |
356 | const struct ipt_ulog_info *l = src; | 356 | const struct ipt_ulog_info *l = src; |
357 | struct compat_ipt_ulog_info cl = { | 357 | struct compat_ipt_ulog_info cl = { |
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index df566cbd68e5..c8dc9800d620 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
@@ -23,104 +23,32 @@ MODULE_DESCRIPTION("iptables filter table"); | |||
23 | (1 << NF_INET_FORWARD) | \ | 23 | (1 << NF_INET_FORWARD) | \ |
24 | (1 << NF_INET_LOCAL_OUT)) | 24 | (1 << NF_INET_LOCAL_OUT)) |
25 | 25 | ||
26 | static struct | ||
27 | { | ||
28 | struct ipt_replace repl; | ||
29 | struct ipt_standard entries[3]; | ||
30 | struct ipt_error term; | ||
31 | } initial_table __net_initdata = { | ||
32 | .repl = { | ||
33 | .name = "filter", | ||
34 | .valid_hooks = FILTER_VALID_HOOKS, | ||
35 | .num_entries = 4, | ||
36 | .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error), | ||
37 | .hook_entry = { | ||
38 | [NF_INET_LOCAL_IN] = 0, | ||
39 | [NF_INET_FORWARD] = sizeof(struct ipt_standard), | ||
40 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2, | ||
41 | }, | ||
42 | .underflow = { | ||
43 | [NF_INET_LOCAL_IN] = 0, | ||
44 | [NF_INET_FORWARD] = sizeof(struct ipt_standard), | ||
45 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2, | ||
46 | }, | ||
47 | }, | ||
48 | .entries = { | ||
49 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
50 | IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
51 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
52 | }, | ||
53 | .term = IPT_ERROR_INIT, /* ERROR */ | ||
54 | }; | ||
55 | |||
56 | static const struct xt_table packet_filter = { | 26 | static const struct xt_table packet_filter = { |
57 | .name = "filter", | 27 | .name = "filter", |
58 | .valid_hooks = FILTER_VALID_HOOKS, | 28 | .valid_hooks = FILTER_VALID_HOOKS, |
59 | .me = THIS_MODULE, | 29 | .me = THIS_MODULE, |
60 | .af = NFPROTO_IPV4, | 30 | .af = NFPROTO_IPV4, |
31 | .priority = NF_IP_PRI_FILTER, | ||
61 | }; | 32 | }; |
62 | 33 | ||
63 | /* The work comes in here from netfilter.c. */ | ||
64 | static unsigned int | ||
65 | ipt_local_in_hook(unsigned int hook, | ||
66 | struct sk_buff *skb, | ||
67 | const struct net_device *in, | ||
68 | const struct net_device *out, | ||
69 | int (*okfn)(struct sk_buff *)) | ||
70 | { | ||
71 | return ipt_do_table(skb, hook, in, out, | ||
72 | dev_net(in)->ipv4.iptable_filter); | ||
73 | } | ||
74 | |||
75 | static unsigned int | 34 | static unsigned int |
76 | ipt_hook(unsigned int hook, | 35 | iptable_filter_hook(unsigned int hook, struct sk_buff *skb, |
77 | struct sk_buff *skb, | 36 | const struct net_device *in, const struct net_device *out, |
78 | const struct net_device *in, | 37 | int (*okfn)(struct sk_buff *)) |
79 | const struct net_device *out, | ||
80 | int (*okfn)(struct sk_buff *)) | ||
81 | { | 38 | { |
82 | return ipt_do_table(skb, hook, in, out, | 39 | const struct net *net; |
83 | dev_net(in)->ipv4.iptable_filter); | ||
84 | } | ||
85 | 40 | ||
86 | static unsigned int | 41 | if (hook == NF_INET_LOCAL_OUT && |
87 | ipt_local_out_hook(unsigned int hook, | 42 | (skb->len < sizeof(struct iphdr) || |
88 | struct sk_buff *skb, | 43 | ip_hdrlen(skb) < sizeof(struct iphdr))) |
89 | const struct net_device *in, | 44 | /* root is playing with raw sockets. */ |
90 | const struct net_device *out, | ||
91 | int (*okfn)(struct sk_buff *)) | ||
92 | { | ||
93 | /* root is playing with raw sockets. */ | ||
94 | if (skb->len < sizeof(struct iphdr) || | ||
95 | ip_hdrlen(skb) < sizeof(struct iphdr)) | ||
96 | return NF_ACCEPT; | 45 | return NF_ACCEPT; |
97 | return ipt_do_table(skb, hook, in, out, | 46 | |
98 | dev_net(out)->ipv4.iptable_filter); | 47 | net = dev_net((in != NULL) ? in : out); |
48 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter); | ||
99 | } | 49 | } |
100 | 50 | ||
101 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 51 | static struct nf_hook_ops *filter_ops __read_mostly; |
102 | { | ||
103 | .hook = ipt_local_in_hook, | ||
104 | .owner = THIS_MODULE, | ||
105 | .pf = NFPROTO_IPV4, | ||
106 | .hooknum = NF_INET_LOCAL_IN, | ||
107 | .priority = NF_IP_PRI_FILTER, | ||
108 | }, | ||
109 | { | ||
110 | .hook = ipt_hook, | ||
111 | .owner = THIS_MODULE, | ||
112 | .pf = NFPROTO_IPV4, | ||
113 | .hooknum = NF_INET_FORWARD, | ||
114 | .priority = NF_IP_PRI_FILTER, | ||
115 | }, | ||
116 | { | ||
117 | .hook = ipt_local_out_hook, | ||
118 | .owner = THIS_MODULE, | ||
119 | .pf = NFPROTO_IPV4, | ||
120 | .hooknum = NF_INET_LOCAL_OUT, | ||
121 | .priority = NF_IP_PRI_FILTER, | ||
122 | }, | ||
123 | }; | ||
124 | 52 | ||
125 | /* Default to forward because I got too much mail already. */ | 53 | /* Default to forward because I got too much mail already. */ |
126 | static int forward = NF_ACCEPT; | 54 | static int forward = NF_ACCEPT; |
@@ -128,9 +56,18 @@ module_param(forward, bool, 0000); | |||
128 | 56 | ||
129 | static int __net_init iptable_filter_net_init(struct net *net) | 57 | static int __net_init iptable_filter_net_init(struct net *net) |
130 | { | 58 | { |
131 | /* Register table */ | 59 | struct ipt_replace *repl; |
60 | |||
61 | repl = ipt_alloc_initial_table(&packet_filter); | ||
62 | if (repl == NULL) | ||
63 | return -ENOMEM; | ||
64 | /* Entry 1 is the FORWARD hook */ | ||
65 | ((struct ipt_standard *)repl->entries)[1].target.verdict = | ||
66 | -forward - 1; | ||
67 | |||
132 | net->ipv4.iptable_filter = | 68 | net->ipv4.iptable_filter = |
133 | ipt_register_table(net, &packet_filter, &initial_table.repl); | 69 | ipt_register_table(net, &packet_filter, repl); |
70 | kfree(repl); | ||
134 | if (IS_ERR(net->ipv4.iptable_filter)) | 71 | if (IS_ERR(net->ipv4.iptable_filter)) |
135 | return PTR_ERR(net->ipv4.iptable_filter); | 72 | return PTR_ERR(net->ipv4.iptable_filter); |
136 | return 0; | 73 | return 0; |
@@ -138,7 +75,7 @@ static int __net_init iptable_filter_net_init(struct net *net) | |||
138 | 75 | ||
139 | static void __net_exit iptable_filter_net_exit(struct net *net) | 76 | static void __net_exit iptable_filter_net_exit(struct net *net) |
140 | { | 77 | { |
141 | ipt_unregister_table(net->ipv4.iptable_filter); | 78 | ipt_unregister_table(net, net->ipv4.iptable_filter); |
142 | } | 79 | } |
143 | 80 | ||
144 | static struct pernet_operations iptable_filter_net_ops = { | 81 | static struct pernet_operations iptable_filter_net_ops = { |
@@ -155,17 +92,16 @@ static int __init iptable_filter_init(void) | |||
155 | return -EINVAL; | 92 | return -EINVAL; |
156 | } | 93 | } |
157 | 94 | ||
158 | /* Entry 1 is the FORWARD hook */ | ||
159 | initial_table.entries[1].target.verdict = -forward - 1; | ||
160 | |||
161 | ret = register_pernet_subsys(&iptable_filter_net_ops); | 95 | ret = register_pernet_subsys(&iptable_filter_net_ops); |
162 | if (ret < 0) | 96 | if (ret < 0) |
163 | return ret; | 97 | return ret; |
164 | 98 | ||
165 | /* Register hooks */ | 99 | /* Register hooks */ |
166 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 100 | filter_ops = xt_hook_link(&packet_filter, iptable_filter_hook); |
167 | if (ret < 0) | 101 | if (IS_ERR(filter_ops)) { |
102 | ret = PTR_ERR(filter_ops); | ||
168 | goto cleanup_table; | 103 | goto cleanup_table; |
104 | } | ||
169 | 105 | ||
170 | return ret; | 106 | return ret; |
171 | 107 | ||
@@ -176,7 +112,7 @@ static int __init iptable_filter_init(void) | |||
176 | 112 | ||
177 | static void __exit iptable_filter_fini(void) | 113 | static void __exit iptable_filter_fini(void) |
178 | { | 114 | { |
179 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 115 | xt_hook_unlink(&packet_filter, filter_ops); |
180 | unregister_pernet_subsys(&iptable_filter_net_ops); | 116 | unregister_pernet_subsys(&iptable_filter_net_ops); |
181 | } | 117 | } |
182 | 118 | ||
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index fae78c3076c4..b9b83464cbf4 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
@@ -27,101 +27,16 @@ MODULE_DESCRIPTION("iptables mangle table"); | |||
27 | (1 << NF_INET_LOCAL_OUT) | \ | 27 | (1 << NF_INET_LOCAL_OUT) | \ |
28 | (1 << NF_INET_POST_ROUTING)) | 28 | (1 << NF_INET_POST_ROUTING)) |
29 | 29 | ||
30 | /* Ouch - five different hooks? Maybe this should be a config option..... -- BC */ | ||
31 | static const struct | ||
32 | { | ||
33 | struct ipt_replace repl; | ||
34 | struct ipt_standard entries[5]; | ||
35 | struct ipt_error term; | ||
36 | } initial_table __net_initdata = { | ||
37 | .repl = { | ||
38 | .name = "mangle", | ||
39 | .valid_hooks = MANGLE_VALID_HOOKS, | ||
40 | .num_entries = 6, | ||
41 | .size = sizeof(struct ipt_standard) * 5 + sizeof(struct ipt_error), | ||
42 | .hook_entry = { | ||
43 | [NF_INET_PRE_ROUTING] = 0, | ||
44 | [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard), | ||
45 | [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2, | ||
46 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3, | ||
47 | [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4, | ||
48 | }, | ||
49 | .underflow = { | ||
50 | [NF_INET_PRE_ROUTING] = 0, | ||
51 | [NF_INET_LOCAL_IN] = sizeof(struct ipt_standard), | ||
52 | [NF_INET_FORWARD] = sizeof(struct ipt_standard) * 2, | ||
53 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 3, | ||
54 | [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 4, | ||
55 | }, | ||
56 | }, | ||
57 | .entries = { | ||
58 | IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */ | ||
59 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
60 | IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
61 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
62 | IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */ | ||
63 | }, | ||
64 | .term = IPT_ERROR_INIT, /* ERROR */ | ||
65 | }; | ||
66 | |||
67 | static const struct xt_table packet_mangler = { | 30 | static const struct xt_table packet_mangler = { |
68 | .name = "mangle", | 31 | .name = "mangle", |
69 | .valid_hooks = MANGLE_VALID_HOOKS, | 32 | .valid_hooks = MANGLE_VALID_HOOKS, |
70 | .me = THIS_MODULE, | 33 | .me = THIS_MODULE, |
71 | .af = NFPROTO_IPV4, | 34 | .af = NFPROTO_IPV4, |
35 | .priority = NF_IP_PRI_MANGLE, | ||
72 | }; | 36 | }; |
73 | 37 | ||
74 | /* The work comes in here from netfilter.c. */ | ||
75 | static unsigned int | ||
76 | ipt_pre_routing_hook(unsigned int hook, | ||
77 | struct sk_buff *skb, | ||
78 | const struct net_device *in, | ||
79 | const struct net_device *out, | ||
80 | int (*okfn)(struct sk_buff *)) | ||
81 | { | ||
82 | return ipt_do_table(skb, hook, in, out, | ||
83 | dev_net(in)->ipv4.iptable_mangle); | ||
84 | } | ||
85 | |||
86 | static unsigned int | ||
87 | ipt_post_routing_hook(unsigned int hook, | ||
88 | struct sk_buff *skb, | ||
89 | const struct net_device *in, | ||
90 | const struct net_device *out, | ||
91 | int (*okfn)(struct sk_buff *)) | ||
92 | { | ||
93 | return ipt_do_table(skb, hook, in, out, | ||
94 | dev_net(out)->ipv4.iptable_mangle); | ||
95 | } | ||
96 | |||
97 | static unsigned int | ||
98 | ipt_local_in_hook(unsigned int hook, | ||
99 | struct sk_buff *skb, | ||
100 | const struct net_device *in, | ||
101 | const struct net_device *out, | ||
102 | int (*okfn)(struct sk_buff *)) | ||
103 | { | ||
104 | return ipt_do_table(skb, hook, in, out, | ||
105 | dev_net(in)->ipv4.iptable_mangle); | ||
106 | } | ||
107 | |||
108 | static unsigned int | ||
109 | ipt_forward_hook(unsigned int hook, | ||
110 | struct sk_buff *skb, | ||
111 | const struct net_device *in, | ||
112 | const struct net_device *out, | ||
113 | int (*okfn)(struct sk_buff *)) | ||
114 | { | ||
115 | return ipt_do_table(skb, hook, in, out, | ||
116 | dev_net(in)->ipv4.iptable_mangle); | ||
117 | } | ||
118 | |||
119 | static unsigned int | 38 | static unsigned int |
120 | ipt_local_hook(unsigned int hook, | 39 | ipt_mangle_out(struct sk_buff *skb, const struct net_device *out) |
121 | struct sk_buff *skb, | ||
122 | const struct net_device *in, | ||
123 | const struct net_device *out, | ||
124 | int (*okfn)(struct sk_buff *)) | ||
125 | { | 40 | { |
126 | unsigned int ret; | 41 | unsigned int ret; |
127 | const struct iphdr *iph; | 42 | const struct iphdr *iph; |
@@ -141,7 +56,7 @@ ipt_local_hook(unsigned int hook, | |||
141 | daddr = iph->daddr; | 56 | daddr = iph->daddr; |
142 | tos = iph->tos; | 57 | tos = iph->tos; |
143 | 58 | ||
144 | ret = ipt_do_table(skb, hook, in, out, | 59 | ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, |
145 | dev_net(out)->ipv4.iptable_mangle); | 60 | dev_net(out)->ipv4.iptable_mangle); |
146 | /* Reroute for ANY change. */ | 61 | /* Reroute for ANY change. */ |
147 | if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) { | 62 | if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) { |
@@ -158,49 +73,36 @@ ipt_local_hook(unsigned int hook, | |||
158 | return ret; | 73 | return ret; |
159 | } | 74 | } |
160 | 75 | ||
161 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 76 | /* The work comes in here from netfilter.c. */ |
162 | { | 77 | static unsigned int |
163 | .hook = ipt_pre_routing_hook, | 78 | iptable_mangle_hook(unsigned int hook, |
164 | .owner = THIS_MODULE, | 79 | struct sk_buff *skb, |
165 | .pf = NFPROTO_IPV4, | 80 | const struct net_device *in, |
166 | .hooknum = NF_INET_PRE_ROUTING, | 81 | const struct net_device *out, |
167 | .priority = NF_IP_PRI_MANGLE, | 82 | int (*okfn)(struct sk_buff *)) |
168 | }, | 83 | { |
169 | { | 84 | if (hook == NF_INET_LOCAL_OUT) |
170 | .hook = ipt_local_in_hook, | 85 | return ipt_mangle_out(skb, out); |
171 | .owner = THIS_MODULE, | 86 | if (hook == NF_INET_POST_ROUTING) |
172 | .pf = NFPROTO_IPV4, | 87 | return ipt_do_table(skb, hook, in, out, |
173 | .hooknum = NF_INET_LOCAL_IN, | 88 | dev_net(out)->ipv4.iptable_mangle); |
174 | .priority = NF_IP_PRI_MANGLE, | 89 | /* PREROUTING/INPUT/FORWARD: */ |
175 | }, | 90 | return ipt_do_table(skb, hook, in, out, |
176 | { | 91 | dev_net(in)->ipv4.iptable_mangle); |
177 | .hook = ipt_forward_hook, | 92 | } |
178 | .owner = THIS_MODULE, | 93 | |
179 | .pf = NFPROTO_IPV4, | 94 | static struct nf_hook_ops *mangle_ops __read_mostly; |
180 | .hooknum = NF_INET_FORWARD, | ||
181 | .priority = NF_IP_PRI_MANGLE, | ||
182 | }, | ||
183 | { | ||
184 | .hook = ipt_local_hook, | ||
185 | .owner = THIS_MODULE, | ||
186 | .pf = NFPROTO_IPV4, | ||
187 | .hooknum = NF_INET_LOCAL_OUT, | ||
188 | .priority = NF_IP_PRI_MANGLE, | ||
189 | }, | ||
190 | { | ||
191 | .hook = ipt_post_routing_hook, | ||
192 | .owner = THIS_MODULE, | ||
193 | .pf = NFPROTO_IPV4, | ||
194 | .hooknum = NF_INET_POST_ROUTING, | ||
195 | .priority = NF_IP_PRI_MANGLE, | ||
196 | }, | ||
197 | }; | ||
198 | 95 | ||
199 | static int __net_init iptable_mangle_net_init(struct net *net) | 96 | static int __net_init iptable_mangle_net_init(struct net *net) |
200 | { | 97 | { |
201 | /* Register table */ | 98 | struct ipt_replace *repl; |
99 | |||
100 | repl = ipt_alloc_initial_table(&packet_mangler); | ||
101 | if (repl == NULL) | ||
102 | return -ENOMEM; | ||
202 | net->ipv4.iptable_mangle = | 103 | net->ipv4.iptable_mangle = |
203 | ipt_register_table(net, &packet_mangler, &initial_table.repl); | 104 | ipt_register_table(net, &packet_mangler, repl); |
105 | kfree(repl); | ||
204 | if (IS_ERR(net->ipv4.iptable_mangle)) | 106 | if (IS_ERR(net->ipv4.iptable_mangle)) |
205 | return PTR_ERR(net->ipv4.iptable_mangle); | 107 | return PTR_ERR(net->ipv4.iptable_mangle); |
206 | return 0; | 108 | return 0; |
@@ -208,7 +110,7 @@ static int __net_init iptable_mangle_net_init(struct net *net) | |||
208 | 110 | ||
209 | static void __net_exit iptable_mangle_net_exit(struct net *net) | 111 | static void __net_exit iptable_mangle_net_exit(struct net *net) |
210 | { | 112 | { |
211 | ipt_unregister_table(net->ipv4.iptable_mangle); | 113 | ipt_unregister_table(net, net->ipv4.iptable_mangle); |
212 | } | 114 | } |
213 | 115 | ||
214 | static struct pernet_operations iptable_mangle_net_ops = { | 116 | static struct pernet_operations iptable_mangle_net_ops = { |
@@ -225,9 +127,11 @@ static int __init iptable_mangle_init(void) | |||
225 | return ret; | 127 | return ret; |
226 | 128 | ||
227 | /* Register hooks */ | 129 | /* Register hooks */ |
228 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 130 | mangle_ops = xt_hook_link(&packet_mangler, iptable_mangle_hook); |
229 | if (ret < 0) | 131 | if (IS_ERR(mangle_ops)) { |
132 | ret = PTR_ERR(mangle_ops); | ||
230 | goto cleanup_table; | 133 | goto cleanup_table; |
134 | } | ||
231 | 135 | ||
232 | return ret; | 136 | return ret; |
233 | 137 | ||
@@ -238,7 +142,7 @@ static int __init iptable_mangle_init(void) | |||
238 | 142 | ||
239 | static void __exit iptable_mangle_fini(void) | 143 | static void __exit iptable_mangle_fini(void) |
240 | { | 144 | { |
241 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 145 | xt_hook_unlink(&packet_mangler, mangle_ops); |
242 | unregister_pernet_subsys(&iptable_mangle_net_ops); | 146 | unregister_pernet_subsys(&iptable_mangle_net_ops); |
243 | } | 147 | } |
244 | 148 | ||
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index 993edc23be09..06fb9d11953c 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
@@ -9,90 +9,44 @@ | |||
9 | 9 | ||
10 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) | 10 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) |
11 | 11 | ||
12 | static const struct | ||
13 | { | ||
14 | struct ipt_replace repl; | ||
15 | struct ipt_standard entries[2]; | ||
16 | struct ipt_error term; | ||
17 | } initial_table __net_initdata = { | ||
18 | .repl = { | ||
19 | .name = "raw", | ||
20 | .valid_hooks = RAW_VALID_HOOKS, | ||
21 | .num_entries = 3, | ||
22 | .size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error), | ||
23 | .hook_entry = { | ||
24 | [NF_INET_PRE_ROUTING] = 0, | ||
25 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) | ||
26 | }, | ||
27 | .underflow = { | ||
28 | [NF_INET_PRE_ROUTING] = 0, | ||
29 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) | ||
30 | }, | ||
31 | }, | ||
32 | .entries = { | ||
33 | IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */ | ||
34 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
35 | }, | ||
36 | .term = IPT_ERROR_INIT, /* ERROR */ | ||
37 | }; | ||
38 | |||
39 | static const struct xt_table packet_raw = { | 12 | static const struct xt_table packet_raw = { |
40 | .name = "raw", | 13 | .name = "raw", |
41 | .valid_hooks = RAW_VALID_HOOKS, | 14 | .valid_hooks = RAW_VALID_HOOKS, |
42 | .me = THIS_MODULE, | 15 | .me = THIS_MODULE, |
43 | .af = NFPROTO_IPV4, | 16 | .af = NFPROTO_IPV4, |
17 | .priority = NF_IP_PRI_RAW, | ||
44 | }; | 18 | }; |
45 | 19 | ||
46 | /* The work comes in here from netfilter.c. */ | 20 | /* The work comes in here from netfilter.c. */ |
47 | static unsigned int | 21 | static unsigned int |
48 | ipt_hook(unsigned int hook, | 22 | iptable_raw_hook(unsigned int hook, struct sk_buff *skb, |
49 | struct sk_buff *skb, | 23 | const struct net_device *in, const struct net_device *out, |
50 | const struct net_device *in, | 24 | int (*okfn)(struct sk_buff *)) |
51 | const struct net_device *out, | ||
52 | int (*okfn)(struct sk_buff *)) | ||
53 | { | 25 | { |
54 | return ipt_do_table(skb, hook, in, out, | 26 | const struct net *net; |
55 | dev_net(in)->ipv4.iptable_raw); | ||
56 | } | ||
57 | 27 | ||
58 | static unsigned int | 28 | if (hook == NF_INET_LOCAL_OUT && |
59 | ipt_local_hook(unsigned int hook, | 29 | (skb->len < sizeof(struct iphdr) || |
60 | struct sk_buff *skb, | 30 | ip_hdrlen(skb) < sizeof(struct iphdr))) |
61 | const struct net_device *in, | 31 | /* root is playing with raw sockets. */ |
62 | const struct net_device *out, | ||
63 | int (*okfn)(struct sk_buff *)) | ||
64 | { | ||
65 | /* root is playing with raw sockets. */ | ||
66 | if (skb->len < sizeof(struct iphdr) || | ||
67 | ip_hdrlen(skb) < sizeof(struct iphdr)) | ||
68 | return NF_ACCEPT; | 32 | return NF_ACCEPT; |
69 | return ipt_do_table(skb, hook, in, out, | 33 | |
70 | dev_net(out)->ipv4.iptable_raw); | 34 | net = dev_net((in != NULL) ? in : out); |
35 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw); | ||
71 | } | 36 | } |
72 | 37 | ||
73 | /* 'raw' is the very first table. */ | 38 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | ||
75 | { | ||
76 | .hook = ipt_hook, | ||
77 | .pf = NFPROTO_IPV4, | ||
78 | .hooknum = NF_INET_PRE_ROUTING, | ||
79 | .priority = NF_IP_PRI_RAW, | ||
80 | .owner = THIS_MODULE, | ||
81 | }, | ||
82 | { | ||
83 | .hook = ipt_local_hook, | ||
84 | .pf = NFPROTO_IPV4, | ||
85 | .hooknum = NF_INET_LOCAL_OUT, | ||
86 | .priority = NF_IP_PRI_RAW, | ||
87 | .owner = THIS_MODULE, | ||
88 | }, | ||
89 | }; | ||
90 | 39 | ||
91 | static int __net_init iptable_raw_net_init(struct net *net) | 40 | static int __net_init iptable_raw_net_init(struct net *net) |
92 | { | 41 | { |
93 | /* Register table */ | 42 | struct ipt_replace *repl; |
43 | |||
44 | repl = ipt_alloc_initial_table(&packet_raw); | ||
45 | if (repl == NULL) | ||
46 | return -ENOMEM; | ||
94 | net->ipv4.iptable_raw = | 47 | net->ipv4.iptable_raw = |
95 | ipt_register_table(net, &packet_raw, &initial_table.repl); | 48 | ipt_register_table(net, &packet_raw, repl); |
49 | kfree(repl); | ||
96 | if (IS_ERR(net->ipv4.iptable_raw)) | 50 | if (IS_ERR(net->ipv4.iptable_raw)) |
97 | return PTR_ERR(net->ipv4.iptable_raw); | 51 | return PTR_ERR(net->ipv4.iptable_raw); |
98 | return 0; | 52 | return 0; |
@@ -100,7 +54,7 @@ static int __net_init iptable_raw_net_init(struct net *net) | |||
100 | 54 | ||
101 | static void __net_exit iptable_raw_net_exit(struct net *net) | 55 | static void __net_exit iptable_raw_net_exit(struct net *net) |
102 | { | 56 | { |
103 | ipt_unregister_table(net->ipv4.iptable_raw); | 57 | ipt_unregister_table(net, net->ipv4.iptable_raw); |
104 | } | 58 | } |
105 | 59 | ||
106 | static struct pernet_operations iptable_raw_net_ops = { | 60 | static struct pernet_operations iptable_raw_net_ops = { |
@@ -117,9 +71,11 @@ static int __init iptable_raw_init(void) | |||
117 | return ret; | 71 | return ret; |
118 | 72 | ||
119 | /* Register hooks */ | 73 | /* Register hooks */ |
120 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 74 | rawtable_ops = xt_hook_link(&packet_raw, iptable_raw_hook); |
121 | if (ret < 0) | 75 | if (IS_ERR(rawtable_ops)) { |
76 | ret = PTR_ERR(rawtable_ops); | ||
122 | goto cleanup_table; | 77 | goto cleanup_table; |
78 | } | ||
123 | 79 | ||
124 | return ret; | 80 | return ret; |
125 | 81 | ||
@@ -130,7 +86,7 @@ static int __init iptable_raw_init(void) | |||
130 | 86 | ||
131 | static void __exit iptable_raw_fini(void) | 87 | static void __exit iptable_raw_fini(void) |
132 | { | 88 | { |
133 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 89 | xt_hook_unlink(&packet_raw, rawtable_ops); |
134 | unregister_pernet_subsys(&iptable_raw_net_ops); | 90 | unregister_pernet_subsys(&iptable_raw_net_ops); |
135 | } | 91 | } |
136 | 92 | ||
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 3bd3d6388da5..cce2f64e6f21 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
@@ -27,109 +27,44 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules"); | |||
27 | (1 << NF_INET_FORWARD) | \ | 27 | (1 << NF_INET_FORWARD) | \ |
28 | (1 << NF_INET_LOCAL_OUT) | 28 | (1 << NF_INET_LOCAL_OUT) |
29 | 29 | ||
30 | static const struct | ||
31 | { | ||
32 | struct ipt_replace repl; | ||
33 | struct ipt_standard entries[3]; | ||
34 | struct ipt_error term; | ||
35 | } initial_table __net_initdata = { | ||
36 | .repl = { | ||
37 | .name = "security", | ||
38 | .valid_hooks = SECURITY_VALID_HOOKS, | ||
39 | .num_entries = 4, | ||
40 | .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error), | ||
41 | .hook_entry = { | ||
42 | [NF_INET_LOCAL_IN] = 0, | ||
43 | [NF_INET_FORWARD] = sizeof(struct ipt_standard), | ||
44 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2, | ||
45 | }, | ||
46 | .underflow = { | ||
47 | [NF_INET_LOCAL_IN] = 0, | ||
48 | [NF_INET_FORWARD] = sizeof(struct ipt_standard), | ||
49 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2, | ||
50 | }, | ||
51 | }, | ||
52 | .entries = { | ||
53 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
54 | IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
55 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
56 | }, | ||
57 | .term = IPT_ERROR_INIT, /* ERROR */ | ||
58 | }; | ||
59 | |||
60 | static const struct xt_table security_table = { | 30 | static const struct xt_table security_table = { |
61 | .name = "security", | 31 | .name = "security", |
62 | .valid_hooks = SECURITY_VALID_HOOKS, | 32 | .valid_hooks = SECURITY_VALID_HOOKS, |
63 | .me = THIS_MODULE, | 33 | .me = THIS_MODULE, |
64 | .af = NFPROTO_IPV4, | 34 | .af = NFPROTO_IPV4, |
35 | .priority = NF_IP_PRI_SECURITY, | ||
65 | }; | 36 | }; |
66 | 37 | ||
67 | static unsigned int | 38 | static unsigned int |
68 | ipt_local_in_hook(unsigned int hook, | 39 | iptable_security_hook(unsigned int hook, struct sk_buff *skb, |
69 | struct sk_buff *skb, | 40 | const struct net_device *in, |
70 | const struct net_device *in, | 41 | const struct net_device *out, |
71 | const struct net_device *out, | 42 | int (*okfn)(struct sk_buff *)) |
72 | int (*okfn)(struct sk_buff *)) | ||
73 | { | ||
74 | return ipt_do_table(skb, hook, in, out, | ||
75 | dev_net(in)->ipv4.iptable_security); | ||
76 | } | ||
77 | |||
78 | static unsigned int | ||
79 | ipt_forward_hook(unsigned int hook, | ||
80 | struct sk_buff *skb, | ||
81 | const struct net_device *in, | ||
82 | const struct net_device *out, | ||
83 | int (*okfn)(struct sk_buff *)) | ||
84 | { | 43 | { |
85 | return ipt_do_table(skb, hook, in, out, | 44 | const struct net *net; |
86 | dev_net(in)->ipv4.iptable_security); | ||
87 | } | ||
88 | 45 | ||
89 | static unsigned int | 46 | if (hook == NF_INET_LOCAL_OUT && |
90 | ipt_local_out_hook(unsigned int hook, | 47 | (skb->len < sizeof(struct iphdr) || |
91 | struct sk_buff *skb, | 48 | ip_hdrlen(skb) < sizeof(struct iphdr))) |
92 | const struct net_device *in, | 49 | /* Somebody is playing with raw sockets. */ |
93 | const struct net_device *out, | ||
94 | int (*okfn)(struct sk_buff *)) | ||
95 | { | ||
96 | /* Somebody is playing with raw sockets. */ | ||
97 | if (skb->len < sizeof(struct iphdr) || | ||
98 | ip_hdrlen(skb) < sizeof(struct iphdr)) | ||
99 | return NF_ACCEPT; | 50 | return NF_ACCEPT; |
100 | return ipt_do_table(skb, hook, in, out, | 51 | |
101 | dev_net(out)->ipv4.iptable_security); | 52 | net = dev_net((in != NULL) ? in : out); |
53 | return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security); | ||
102 | } | 54 | } |
103 | 55 | ||
104 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 56 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
105 | { | ||
106 | .hook = ipt_local_in_hook, | ||
107 | .owner = THIS_MODULE, | ||
108 | .pf = NFPROTO_IPV4, | ||
109 | .hooknum = NF_INET_LOCAL_IN, | ||
110 | .priority = NF_IP_PRI_SECURITY, | ||
111 | }, | ||
112 | { | ||
113 | .hook = ipt_forward_hook, | ||
114 | .owner = THIS_MODULE, | ||
115 | .pf = NFPROTO_IPV4, | ||
116 | .hooknum = NF_INET_FORWARD, | ||
117 | .priority = NF_IP_PRI_SECURITY, | ||
118 | }, | ||
119 | { | ||
120 | .hook = ipt_local_out_hook, | ||
121 | .owner = THIS_MODULE, | ||
122 | .pf = NFPROTO_IPV4, | ||
123 | .hooknum = NF_INET_LOCAL_OUT, | ||
124 | .priority = NF_IP_PRI_SECURITY, | ||
125 | }, | ||
126 | }; | ||
127 | 57 | ||
128 | static int __net_init iptable_security_net_init(struct net *net) | 58 | static int __net_init iptable_security_net_init(struct net *net) |
129 | { | 59 | { |
130 | net->ipv4.iptable_security = | 60 | struct ipt_replace *repl; |
131 | ipt_register_table(net, &security_table, &initial_table.repl); | ||
132 | 61 | ||
62 | repl = ipt_alloc_initial_table(&security_table); | ||
63 | if (repl == NULL) | ||
64 | return -ENOMEM; | ||
65 | net->ipv4.iptable_security = | ||
66 | ipt_register_table(net, &security_table, repl); | ||
67 | kfree(repl); | ||
133 | if (IS_ERR(net->ipv4.iptable_security)) | 68 | if (IS_ERR(net->ipv4.iptable_security)) |
134 | return PTR_ERR(net->ipv4.iptable_security); | 69 | return PTR_ERR(net->ipv4.iptable_security); |
135 | 70 | ||
@@ -138,7 +73,7 @@ static int __net_init iptable_security_net_init(struct net *net) | |||
138 | 73 | ||
139 | static void __net_exit iptable_security_net_exit(struct net *net) | 74 | static void __net_exit iptable_security_net_exit(struct net *net) |
140 | { | 75 | { |
141 | ipt_unregister_table(net->ipv4.iptable_security); | 76 | ipt_unregister_table(net, net->ipv4.iptable_security); |
142 | } | 77 | } |
143 | 78 | ||
144 | static struct pernet_operations iptable_security_net_ops = { | 79 | static struct pernet_operations iptable_security_net_ops = { |
@@ -154,9 +89,11 @@ static int __init iptable_security_init(void) | |||
154 | if (ret < 0) | 89 | if (ret < 0) |
155 | return ret; | 90 | return ret; |
156 | 91 | ||
157 | ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 92 | sectbl_ops = xt_hook_link(&security_table, iptable_security_hook); |
158 | if (ret < 0) | 93 | if (IS_ERR(sectbl_ops)) { |
94 | ret = PTR_ERR(sectbl_ops); | ||
159 | goto cleanup_table; | 95 | goto cleanup_table; |
96 | } | ||
160 | 97 | ||
161 | return ret; | 98 | return ret; |
162 | 99 | ||
@@ -167,7 +104,7 @@ cleanup_table: | |||
167 | 104 | ||
168 | static void __exit iptable_security_fini(void) | 105 | static void __exit iptable_security_fini(void) |
169 | { | 106 | { |
170 | nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops)); | 107 | xt_hook_unlink(&security_table, sectbl_ops); |
171 | unregister_pernet_subsys(&iptable_security_net_ops); | 108 | unregister_pernet_subsys(&iptable_security_net_ops); |
172 | } | 109 | } |
173 | 110 | ||
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index d1ea38a7c490..2bb1f87051c4 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <net/netfilter/nf_conntrack_helper.h> | 22 | #include <net/netfilter/nf_conntrack_helper.h> |
23 | #include <net/netfilter/nf_conntrack_l4proto.h> | 23 | #include <net/netfilter/nf_conntrack_l4proto.h> |
24 | #include <net/netfilter/nf_conntrack_l3proto.h> | 24 | #include <net/netfilter/nf_conntrack_l3proto.h> |
25 | #include <net/netfilter/nf_conntrack_zones.h> | ||
25 | #include <net/netfilter/nf_conntrack_core.h> | 26 | #include <net/netfilter/nf_conntrack_core.h> |
26 | #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> | 27 | #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> |
27 | #include <net/netfilter/nf_nat_helper.h> | 28 | #include <net/netfilter/nf_nat_helper.h> |
@@ -266,7 +267,7 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) | |||
266 | return -EINVAL; | 267 | return -EINVAL; |
267 | } | 268 | } |
268 | 269 | ||
269 | h = nf_conntrack_find_get(sock_net(sk), &tuple); | 270 | h = nf_conntrack_find_get(sock_net(sk), NF_CT_DEFAULT_ZONE, &tuple); |
270 | if (h) { | 271 | if (h) { |
271 | struct sockaddr_in sin; | 272 | struct sockaddr_in sin; |
272 | struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); | 273 | struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); |
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 7afd39b5b781..7404bde95994 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
@@ -18,6 +18,7 @@ | |||
18 | #include <net/netfilter/nf_conntrack_tuple.h> | 18 | #include <net/netfilter/nf_conntrack_tuple.h> |
19 | #include <net/netfilter/nf_conntrack_l4proto.h> | 19 | #include <net/netfilter/nf_conntrack_l4proto.h> |
20 | #include <net/netfilter/nf_conntrack_core.h> | 20 | #include <net/netfilter/nf_conntrack_core.h> |
21 | #include <net/netfilter/nf_conntrack_zones.h> | ||
21 | #include <net/netfilter/nf_log.h> | 22 | #include <net/netfilter/nf_log.h> |
22 | 23 | ||
23 | static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ; | 24 | static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ; |
@@ -114,13 +115,14 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
114 | 115 | ||
115 | /* Returns conntrack if it dealt with ICMP, and filled in skb fields */ | 116 | /* Returns conntrack if it dealt with ICMP, and filled in skb fields */ |
116 | static int | 117 | static int |
117 | icmp_error_message(struct net *net, struct sk_buff *skb, | 118 | icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, |
118 | enum ip_conntrack_info *ctinfo, | 119 | enum ip_conntrack_info *ctinfo, |
119 | unsigned int hooknum) | 120 | unsigned int hooknum) |
120 | { | 121 | { |
121 | struct nf_conntrack_tuple innertuple, origtuple; | 122 | struct nf_conntrack_tuple innertuple, origtuple; |
122 | const struct nf_conntrack_l4proto *innerproto; | 123 | const struct nf_conntrack_l4proto *innerproto; |
123 | const struct nf_conntrack_tuple_hash *h; | 124 | const struct nf_conntrack_tuple_hash *h; |
125 | u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE; | ||
124 | 126 | ||
125 | NF_CT_ASSERT(skb->nfct == NULL); | 127 | NF_CT_ASSERT(skb->nfct == NULL); |
126 | 128 | ||
@@ -146,7 +148,7 @@ icmp_error_message(struct net *net, struct sk_buff *skb, | |||
146 | 148 | ||
147 | *ctinfo = IP_CT_RELATED; | 149 | *ctinfo = IP_CT_RELATED; |
148 | 150 | ||
149 | h = nf_conntrack_find_get(net, &innertuple); | 151 | h = nf_conntrack_find_get(net, zone, &innertuple); |
150 | if (!h) { | 152 | if (!h) { |
151 | pr_debug("icmp_error_message: no match\n"); | 153 | pr_debug("icmp_error_message: no match\n"); |
152 | return -NF_ACCEPT; | 154 | return -NF_ACCEPT; |
@@ -163,7 +165,8 @@ icmp_error_message(struct net *net, struct sk_buff *skb, | |||
163 | 165 | ||
164 | /* Small and modified version of icmp_rcv */ | 166 | /* Small and modified version of icmp_rcv */ |
165 | static int | 167 | static int |
166 | icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | 168 | icmp_error(struct net *net, struct nf_conn *tmpl, |
169 | struct sk_buff *skb, unsigned int dataoff, | ||
167 | enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum) | 170 | enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum) |
168 | { | 171 | { |
169 | const struct icmphdr *icmph; | 172 | const struct icmphdr *icmph; |
@@ -208,7 +211,7 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
208 | icmph->type != ICMP_REDIRECT) | 211 | icmph->type != ICMP_REDIRECT) |
209 | return NF_ACCEPT; | 212 | return NF_ACCEPT; |
210 | 213 | ||
211 | return icmp_error_message(net, skb, ctinfo, hooknum); | 214 | return icmp_error_message(net, tmpl, skb, ctinfo, hooknum); |
212 | } | 215 | } |
213 | 216 | ||
214 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 217 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 331ead3ebd1b..d498a704d456 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c | |||
@@ -16,7 +16,9 @@ | |||
16 | 16 | ||
17 | #include <linux/netfilter_bridge.h> | 17 | #include <linux/netfilter_bridge.h> |
18 | #include <linux/netfilter_ipv4.h> | 18 | #include <linux/netfilter_ipv4.h> |
19 | #include <net/netfilter/nf_conntrack_zones.h> | ||
19 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> | 20 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> |
21 | #include <net/netfilter/nf_conntrack.h> | ||
20 | 22 | ||
21 | /* Returns new sk_buff, or NULL */ | 23 | /* Returns new sk_buff, or NULL */ |
22 | static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) | 24 | static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) |
@@ -38,15 +40,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) | |||
38 | static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum, | 40 | static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum, |
39 | struct sk_buff *skb) | 41 | struct sk_buff *skb) |
40 | { | 42 | { |
43 | u16 zone = NF_CT_DEFAULT_ZONE; | ||
44 | |||
45 | if (skb->nfct) | ||
46 | zone = nf_ct_zone((struct nf_conn *)skb->nfct); | ||
47 | |||
41 | #ifdef CONFIG_BRIDGE_NETFILTER | 48 | #ifdef CONFIG_BRIDGE_NETFILTER |
42 | if (skb->nf_bridge && | 49 | if (skb->nf_bridge && |
43 | skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING) | 50 | skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING) |
44 | return IP_DEFRAG_CONNTRACK_BRIDGE_IN; | 51 | return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone; |
45 | #endif | 52 | #endif |
46 | if (hooknum == NF_INET_PRE_ROUTING) | 53 | if (hooknum == NF_INET_PRE_ROUTING) |
47 | return IP_DEFRAG_CONNTRACK_IN; | 54 | return IP_DEFRAG_CONNTRACK_IN + zone; |
48 | else | 55 | else |
49 | return IP_DEFRAG_CONNTRACK_OUT; | 56 | return IP_DEFRAG_CONNTRACK_OUT + zone; |
50 | } | 57 | } |
51 | 58 | ||
52 | static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, | 59 | static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, |
@@ -59,7 +66,7 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, | |||
59 | #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE) | 66 | #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE) |
60 | /* Previously seen (loopback)? Ignore. Do this before | 67 | /* Previously seen (loopback)? Ignore. Do this before |
61 | fragment check. */ | 68 | fragment check. */ |
62 | if (skb->nfct) | 69 | if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct)) |
63 | return NF_ACCEPT; | 70 | return NF_ACCEPT; |
64 | #endif | 71 | #endif |
65 | #endif | 72 | #endif |
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 26066a2327ad..4595281c2863 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c | |||
@@ -30,6 +30,7 @@ | |||
30 | #include <net/netfilter/nf_conntrack_helper.h> | 30 | #include <net/netfilter/nf_conntrack_helper.h> |
31 | #include <net/netfilter/nf_conntrack_l3proto.h> | 31 | #include <net/netfilter/nf_conntrack_l3proto.h> |
32 | #include <net/netfilter/nf_conntrack_l4proto.h> | 32 | #include <net/netfilter/nf_conntrack_l4proto.h> |
33 | #include <net/netfilter/nf_conntrack_zones.h> | ||
33 | 34 | ||
34 | static DEFINE_SPINLOCK(nf_nat_lock); | 35 | static DEFINE_SPINLOCK(nf_nat_lock); |
35 | 36 | ||
@@ -69,13 +70,14 @@ EXPORT_SYMBOL_GPL(nf_nat_proto_put); | |||
69 | 70 | ||
70 | /* We keep an extra hash for each conntrack, for fast searching. */ | 71 | /* We keep an extra hash for each conntrack, for fast searching. */ |
71 | static inline unsigned int | 72 | static inline unsigned int |
72 | hash_by_src(const struct net *net, const struct nf_conntrack_tuple *tuple) | 73 | hash_by_src(const struct net *net, u16 zone, |
74 | const struct nf_conntrack_tuple *tuple) | ||
73 | { | 75 | { |
74 | unsigned int hash; | 76 | unsigned int hash; |
75 | 77 | ||
76 | /* Original src, to ensure we map it consistently if poss. */ | 78 | /* Original src, to ensure we map it consistently if poss. */ |
77 | hash = jhash_3words((__force u32)tuple->src.u3.ip, | 79 | hash = jhash_3words((__force u32)tuple->src.u3.ip, |
78 | (__force u32)tuple->src.u.all, | 80 | (__force u32)tuple->src.u.all ^ zone, |
79 | tuple->dst.protonum, 0); | 81 | tuple->dst.protonum, 0); |
80 | return ((u64)hash * net->ipv4.nat_htable_size) >> 32; | 82 | return ((u64)hash * net->ipv4.nat_htable_size) >> 32; |
81 | } | 83 | } |
@@ -139,12 +141,12 @@ same_src(const struct nf_conn *ct, | |||
139 | 141 | ||
140 | /* Only called for SRC manip */ | 142 | /* Only called for SRC manip */ |
141 | static int | 143 | static int |
142 | find_appropriate_src(struct net *net, | 144 | find_appropriate_src(struct net *net, u16 zone, |
143 | const struct nf_conntrack_tuple *tuple, | 145 | const struct nf_conntrack_tuple *tuple, |
144 | struct nf_conntrack_tuple *result, | 146 | struct nf_conntrack_tuple *result, |
145 | const struct nf_nat_range *range) | 147 | const struct nf_nat_range *range) |
146 | { | 148 | { |
147 | unsigned int h = hash_by_src(net, tuple); | 149 | unsigned int h = hash_by_src(net, zone, tuple); |
148 | const struct nf_conn_nat *nat; | 150 | const struct nf_conn_nat *nat; |
149 | const struct nf_conn *ct; | 151 | const struct nf_conn *ct; |
150 | const struct hlist_node *n; | 152 | const struct hlist_node *n; |
@@ -152,7 +154,7 @@ find_appropriate_src(struct net *net, | |||
152 | rcu_read_lock(); | 154 | rcu_read_lock(); |
153 | hlist_for_each_entry_rcu(nat, n, &net->ipv4.nat_bysource[h], bysource) { | 155 | hlist_for_each_entry_rcu(nat, n, &net->ipv4.nat_bysource[h], bysource) { |
154 | ct = nat->ct; | 156 | ct = nat->ct; |
155 | if (same_src(ct, tuple)) { | 157 | if (same_src(ct, tuple) && nf_ct_zone(ct) == zone) { |
156 | /* Copy source part from reply tuple. */ | 158 | /* Copy source part from reply tuple. */ |
157 | nf_ct_invert_tuplepr(result, | 159 | nf_ct_invert_tuplepr(result, |
158 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 160 | &ct->tuplehash[IP_CT_DIR_REPLY].tuple); |
@@ -175,7 +177,7 @@ find_appropriate_src(struct net *net, | |||
175 | the ip with the lowest src-ip/dst-ip/proto usage. | 177 | the ip with the lowest src-ip/dst-ip/proto usage. |
176 | */ | 178 | */ |
177 | static void | 179 | static void |
178 | find_best_ips_proto(struct nf_conntrack_tuple *tuple, | 180 | find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple, |
179 | const struct nf_nat_range *range, | 181 | const struct nf_nat_range *range, |
180 | const struct nf_conn *ct, | 182 | const struct nf_conn *ct, |
181 | enum nf_nat_manip_type maniptype) | 183 | enum nf_nat_manip_type maniptype) |
@@ -209,7 +211,7 @@ find_best_ips_proto(struct nf_conntrack_tuple *tuple, | |||
209 | maxip = ntohl(range->max_ip); | 211 | maxip = ntohl(range->max_ip); |
210 | j = jhash_2words((__force u32)tuple->src.u3.ip, | 212 | j = jhash_2words((__force u32)tuple->src.u3.ip, |
211 | range->flags & IP_NAT_RANGE_PERSISTENT ? | 213 | range->flags & IP_NAT_RANGE_PERSISTENT ? |
212 | 0 : (__force u32)tuple->dst.u3.ip, 0); | 214 | 0 : (__force u32)tuple->dst.u3.ip ^ zone, 0); |
213 | j = ((u64)j * (maxip - minip + 1)) >> 32; | 215 | j = ((u64)j * (maxip - minip + 1)) >> 32; |
214 | *var_ipp = htonl(minip + j); | 216 | *var_ipp = htonl(minip + j); |
215 | } | 217 | } |
@@ -229,6 +231,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
229 | { | 231 | { |
230 | struct net *net = nf_ct_net(ct); | 232 | struct net *net = nf_ct_net(ct); |
231 | const struct nf_nat_protocol *proto; | 233 | const struct nf_nat_protocol *proto; |
234 | u16 zone = nf_ct_zone(ct); | ||
232 | 235 | ||
233 | /* 1) If this srcip/proto/src-proto-part is currently mapped, | 236 | /* 1) If this srcip/proto/src-proto-part is currently mapped, |
234 | and that same mapping gives a unique tuple within the given | 237 | and that same mapping gives a unique tuple within the given |
@@ -239,7 +242,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
239 | manips not an issue. */ | 242 | manips not an issue. */ |
240 | if (maniptype == IP_NAT_MANIP_SRC && | 243 | if (maniptype == IP_NAT_MANIP_SRC && |
241 | !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { | 244 | !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) { |
242 | if (find_appropriate_src(net, orig_tuple, tuple, range)) { | 245 | if (find_appropriate_src(net, zone, orig_tuple, tuple, range)) { |
243 | pr_debug("get_unique_tuple: Found current src map\n"); | 246 | pr_debug("get_unique_tuple: Found current src map\n"); |
244 | if (!nf_nat_used_tuple(tuple, ct)) | 247 | if (!nf_nat_used_tuple(tuple, ct)) |
245 | return; | 248 | return; |
@@ -249,7 +252,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
249 | /* 2) Select the least-used IP/proto combination in the given | 252 | /* 2) Select the least-used IP/proto combination in the given |
250 | range. */ | 253 | range. */ |
251 | *tuple = *orig_tuple; | 254 | *tuple = *orig_tuple; |
252 | find_best_ips_proto(tuple, range, ct, maniptype); | 255 | find_best_ips_proto(zone, tuple, range, ct, maniptype); |
253 | 256 | ||
254 | /* 3) The per-protocol part of the manip is made to map into | 257 | /* 3) The per-protocol part of the manip is made to map into |
255 | the range to make a unique tuple. */ | 258 | the range to make a unique tuple. */ |
@@ -327,7 +330,8 @@ nf_nat_setup_info(struct nf_conn *ct, | |||
327 | if (have_to_hash) { | 330 | if (have_to_hash) { |
328 | unsigned int srchash; | 331 | unsigned int srchash; |
329 | 332 | ||
330 | srchash = hash_by_src(net, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | 333 | srchash = hash_by_src(net, nf_ct_zone(ct), |
334 | &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | ||
331 | spin_lock_bh(&nf_nat_lock); | 335 | spin_lock_bh(&nf_nat_lock); |
332 | /* nf_conntrack_alter_reply might re-allocate exntension aera */ | 336 | /* nf_conntrack_alter_reply might re-allocate exntension aera */ |
333 | nat = nfct_nat(ct); | 337 | nat = nfct_nat(ct); |
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c index a1d5d58a58bf..86e0e84ff0a0 100644 --- a/net/ipv4/netfilter/nf_nat_ftp.c +++ b/net/ipv4/netfilter/nf_nat_ftp.c | |||
@@ -27,76 +27,29 @@ MODULE_ALIAS("ip_nat_ftp"); | |||
27 | 27 | ||
28 | /* FIXME: Time out? --RR */ | 28 | /* FIXME: Time out? --RR */ |
29 | 29 | ||
30 | static int | 30 | static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type, |
31 | mangle_rfc959_packet(struct sk_buff *skb, | 31 | char *buffer, size_t buflen, |
32 | __be32 newip, | 32 | __be32 addr, u16 port) |
33 | u_int16_t port, | ||
34 | unsigned int matchoff, | ||
35 | unsigned int matchlen, | ||
36 | struct nf_conn *ct, | ||
37 | enum ip_conntrack_info ctinfo) | ||
38 | { | 33 | { |
39 | char buffer[sizeof("nnn,nnn,nnn,nnn,nnn,nnn")]; | 34 | switch (type) { |
40 | 35 | case NF_CT_FTP_PORT: | |
41 | sprintf(buffer, "%u,%u,%u,%u,%u,%u", | 36 | case NF_CT_FTP_PASV: |
42 | NIPQUAD(newip), port>>8, port&0xFF); | 37 | return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u", |
43 | 38 | ((unsigned char *)&addr)[0], | |
44 | pr_debug("calling nf_nat_mangle_tcp_packet\n"); | 39 | ((unsigned char *)&addr)[1], |
45 | 40 | ((unsigned char *)&addr)[2], | |
46 | return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, | 41 | ((unsigned char *)&addr)[3], |
47 | matchlen, buffer, strlen(buffer)); | 42 | port >> 8, |
48 | } | 43 | port & 0xFF); |
49 | 44 | case NF_CT_FTP_EPRT: | |
50 | /* |1|132.235.1.2|6275| */ | 45 | return snprintf(buffer, buflen, "|1|%pI4|%u|", &addr, port); |
51 | static int | 46 | case NF_CT_FTP_EPSV: |
52 | mangle_eprt_packet(struct sk_buff *skb, | 47 | return snprintf(buffer, buflen, "|||%u|", port); |
53 | __be32 newip, | 48 | } |
54 | u_int16_t port, | ||
55 | unsigned int matchoff, | ||
56 | unsigned int matchlen, | ||
57 | struct nf_conn *ct, | ||
58 | enum ip_conntrack_info ctinfo) | ||
59 | { | ||
60 | char buffer[sizeof("|1|255.255.255.255|65535|")]; | ||
61 | |||
62 | sprintf(buffer, "|1|%u.%u.%u.%u|%u|", NIPQUAD(newip), port); | ||
63 | |||
64 | pr_debug("calling nf_nat_mangle_tcp_packet\n"); | ||
65 | |||
66 | return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, | ||
67 | matchlen, buffer, strlen(buffer)); | ||
68 | } | ||
69 | |||
70 | /* |1|132.235.1.2|6275| */ | ||
71 | static int | ||
72 | mangle_epsv_packet(struct sk_buff *skb, | ||
73 | __be32 newip, | ||
74 | u_int16_t port, | ||
75 | unsigned int matchoff, | ||
76 | unsigned int matchlen, | ||
77 | struct nf_conn *ct, | ||
78 | enum ip_conntrack_info ctinfo) | ||
79 | { | ||
80 | char buffer[sizeof("|||65535|")]; | ||
81 | |||
82 | sprintf(buffer, "|||%u|", port); | ||
83 | |||
84 | pr_debug("calling nf_nat_mangle_tcp_packet\n"); | ||
85 | 49 | ||
86 | return nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, | 50 | return 0; |
87 | matchlen, buffer, strlen(buffer)); | ||
88 | } | 51 | } |
89 | 52 | ||
90 | static int (*mangle[])(struct sk_buff *, __be32, u_int16_t, | ||
91 | unsigned int, unsigned int, struct nf_conn *, | ||
92 | enum ip_conntrack_info) | ||
93 | = { | ||
94 | [NF_CT_FTP_PORT] = mangle_rfc959_packet, | ||
95 | [NF_CT_FTP_PASV] = mangle_rfc959_packet, | ||
96 | [NF_CT_FTP_EPRT] = mangle_eprt_packet, | ||
97 | [NF_CT_FTP_EPSV] = mangle_epsv_packet | ||
98 | }; | ||
99 | |||
100 | /* So, this packet has hit the connection tracking matching code. | 53 | /* So, this packet has hit the connection tracking matching code. |
101 | Mangle it, and change the expectation to match the new version. */ | 54 | Mangle it, and change the expectation to match the new version. */ |
102 | static unsigned int nf_nat_ftp(struct sk_buff *skb, | 55 | static unsigned int nf_nat_ftp(struct sk_buff *skb, |
@@ -110,6 +63,8 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, | |||
110 | u_int16_t port; | 63 | u_int16_t port; |
111 | int dir = CTINFO2DIR(ctinfo); | 64 | int dir = CTINFO2DIR(ctinfo); |
112 | struct nf_conn *ct = exp->master; | 65 | struct nf_conn *ct = exp->master; |
66 | char buffer[sizeof("|1|255.255.255.255|65535|")]; | ||
67 | unsigned int buflen; | ||
113 | 68 | ||
114 | pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen); | 69 | pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen); |
115 | 70 | ||
@@ -132,11 +87,21 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, | |||
132 | if (port == 0) | 87 | if (port == 0) |
133 | return NF_DROP; | 88 | return NF_DROP; |
134 | 89 | ||
135 | if (!mangle[type](skb, newip, port, matchoff, matchlen, ct, ctinfo)) { | 90 | buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer), newip, port); |
136 | nf_ct_unexpect_related(exp); | 91 | if (!buflen) |
137 | return NF_DROP; | 92 | goto out; |
138 | } | 93 | |
94 | pr_debug("calling nf_nat_mangle_tcp_packet\n"); | ||
95 | |||
96 | if (!nf_nat_mangle_tcp_packet(skb, ct, ctinfo, matchoff, | ||
97 | matchlen, buffer, buflen)) | ||
98 | goto out; | ||
99 | |||
139 | return NF_ACCEPT; | 100 | return NF_ACCEPT; |
101 | |||
102 | out: | ||
103 | nf_ct_unexpect_related(exp); | ||
104 | return NF_DROP; | ||
140 | } | 105 | } |
141 | 106 | ||
142 | static void __exit nf_nat_ftp_fini(void) | 107 | static void __exit nf_nat_ftp_fini(void) |
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c index 7f10a6be0191..4b6af4bb1f50 100644 --- a/net/ipv4/netfilter/nf_nat_helper.c +++ b/net/ipv4/netfilter/nf_nat_helper.c | |||
@@ -141,6 +141,17 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra) | |||
141 | return 1; | 141 | return 1; |
142 | } | 142 | } |
143 | 143 | ||
144 | void nf_nat_set_seq_adjust(struct nf_conn *ct, enum ip_conntrack_info ctinfo, | ||
145 | __be32 seq, s16 off) | ||
146 | { | ||
147 | if (!off) | ||
148 | return; | ||
149 | set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); | ||
150 | adjust_tcp_sequence(ntohl(seq), off, ct, ctinfo); | ||
151 | nf_conntrack_event_cache(IPCT_NATSEQADJ, ct); | ||
152 | } | ||
153 | EXPORT_SYMBOL_GPL(nf_nat_set_seq_adjust); | ||
154 | |||
144 | /* Generic function for mangling variable-length address changes inside | 155 | /* Generic function for mangling variable-length address changes inside |
145 | * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX | 156 | * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX |
146 | * command in FTP). | 157 | * command in FTP). |
@@ -149,14 +160,13 @@ static int enlarge_skb(struct sk_buff *skb, unsigned int extra) | |||
149 | * skb enlargement, ... | 160 | * skb enlargement, ... |
150 | * | 161 | * |
151 | * */ | 162 | * */ |
152 | int | 163 | int __nf_nat_mangle_tcp_packet(struct sk_buff *skb, |
153 | nf_nat_mangle_tcp_packet(struct sk_buff *skb, | 164 | struct nf_conn *ct, |
154 | struct nf_conn *ct, | 165 | enum ip_conntrack_info ctinfo, |
155 | enum ip_conntrack_info ctinfo, | 166 | unsigned int match_offset, |
156 | unsigned int match_offset, | 167 | unsigned int match_len, |
157 | unsigned int match_len, | 168 | const char *rep_buffer, |
158 | const char *rep_buffer, | 169 | unsigned int rep_len, bool adjust) |
159 | unsigned int rep_len) | ||
160 | { | 170 | { |
161 | struct rtable *rt = skb_rtable(skb); | 171 | struct rtable *rt = skb_rtable(skb); |
162 | struct iphdr *iph; | 172 | struct iphdr *iph; |
@@ -202,16 +212,13 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb, | |||
202 | inet_proto_csum_replace2(&tcph->check, skb, | 212 | inet_proto_csum_replace2(&tcph->check, skb, |
203 | htons(oldlen), htons(datalen), 1); | 213 | htons(oldlen), htons(datalen), 1); |
204 | 214 | ||
205 | if (rep_len != match_len) { | 215 | if (adjust && rep_len != match_len) |
206 | set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); | 216 | nf_nat_set_seq_adjust(ct, ctinfo, tcph->seq, |
207 | adjust_tcp_sequence(ntohl(tcph->seq), | 217 | (int)rep_len - (int)match_len); |
208 | (int)rep_len - (int)match_len, | 218 | |
209 | ct, ctinfo); | ||
210 | nf_conntrack_event_cache(IPCT_NATSEQADJ, ct); | ||
211 | } | ||
212 | return 1; | 219 | return 1; |
213 | } | 220 | } |
214 | EXPORT_SYMBOL(nf_nat_mangle_tcp_packet); | 221 | EXPORT_SYMBOL(__nf_nat_mangle_tcp_packet); |
215 | 222 | ||
216 | /* Generic function for mangling variable-length address changes inside | 223 | /* Generic function for mangling variable-length address changes inside |
217 | * NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX | 224 | * NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX |
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index 9eb171056c63..4c060038d29f 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c | |||
@@ -25,6 +25,7 @@ | |||
25 | #include <net/netfilter/nf_nat_rule.h> | 25 | #include <net/netfilter/nf_nat_rule.h> |
26 | #include <net/netfilter/nf_conntrack_helper.h> | 26 | #include <net/netfilter/nf_conntrack_helper.h> |
27 | #include <net/netfilter/nf_conntrack_expect.h> | 27 | #include <net/netfilter/nf_conntrack_expect.h> |
28 | #include <net/netfilter/nf_conntrack_zones.h> | ||
28 | #include <linux/netfilter/nf_conntrack_proto_gre.h> | 29 | #include <linux/netfilter/nf_conntrack_proto_gre.h> |
29 | #include <linux/netfilter/nf_conntrack_pptp.h> | 30 | #include <linux/netfilter/nf_conntrack_pptp.h> |
30 | 31 | ||
@@ -74,7 +75,7 @@ static void pptp_nat_expected(struct nf_conn *ct, | |||
74 | 75 | ||
75 | pr_debug("trying to unexpect other dir: "); | 76 | pr_debug("trying to unexpect other dir: "); |
76 | nf_ct_dump_tuple_ip(&t); | 77 | nf_ct_dump_tuple_ip(&t); |
77 | other_exp = nf_ct_expect_find_get(net, &t); | 78 | other_exp = nf_ct_expect_find_get(net, nf_ct_zone(ct), &t); |
78 | if (other_exp) { | 79 | if (other_exp) { |
79 | nf_ct_unexpect_related(other_exp); | 80 | nf_ct_unexpect_related(other_exp); |
80 | nf_ct_expect_put(other_exp); | 81 | nf_ct_expect_put(other_exp); |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 9e81e0dfb4ec..ab74cc0535e2 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -28,36 +28,6 @@ | |||
28 | (1 << NF_INET_POST_ROUTING) | \ | 28 | (1 << NF_INET_POST_ROUTING) | \ |
29 | (1 << NF_INET_LOCAL_OUT)) | 29 | (1 << NF_INET_LOCAL_OUT)) |
30 | 30 | ||
31 | static const struct | ||
32 | { | ||
33 | struct ipt_replace repl; | ||
34 | struct ipt_standard entries[3]; | ||
35 | struct ipt_error term; | ||
36 | } nat_initial_table __net_initdata = { | ||
37 | .repl = { | ||
38 | .name = "nat", | ||
39 | .valid_hooks = NAT_VALID_HOOKS, | ||
40 | .num_entries = 4, | ||
41 | .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error), | ||
42 | .hook_entry = { | ||
43 | [NF_INET_PRE_ROUTING] = 0, | ||
44 | [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard), | ||
45 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2 | ||
46 | }, | ||
47 | .underflow = { | ||
48 | [NF_INET_PRE_ROUTING] = 0, | ||
49 | [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard), | ||
50 | [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2 | ||
51 | }, | ||
52 | }, | ||
53 | .entries = { | ||
54 | IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */ | ||
55 | IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */ | ||
56 | IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
57 | }, | ||
58 | .term = IPT_ERROR_INIT, /* ERROR */ | ||
59 | }; | ||
60 | |||
61 | static const struct xt_table nat_table = { | 31 | static const struct xt_table nat_table = { |
62 | .name = "nat", | 32 | .name = "nat", |
63 | .valid_hooks = NAT_VALID_HOOKS, | 33 | .valid_hooks = NAT_VALID_HOOKS, |
@@ -186,8 +156,13 @@ static struct xt_target ipt_dnat_reg __read_mostly = { | |||
186 | 156 | ||
187 | static int __net_init nf_nat_rule_net_init(struct net *net) | 157 | static int __net_init nf_nat_rule_net_init(struct net *net) |
188 | { | 158 | { |
189 | net->ipv4.nat_table = ipt_register_table(net, &nat_table, | 159 | struct ipt_replace *repl; |
190 | &nat_initial_table.repl); | 160 | |
161 | repl = ipt_alloc_initial_table(&nat_table); | ||
162 | if (repl == NULL) | ||
163 | return -ENOMEM; | ||
164 | net->ipv4.nat_table = ipt_register_table(net, &nat_table, repl); | ||
165 | kfree(repl); | ||
191 | if (IS_ERR(net->ipv4.nat_table)) | 166 | if (IS_ERR(net->ipv4.nat_table)) |
192 | return PTR_ERR(net->ipv4.nat_table); | 167 | return PTR_ERR(net->ipv4.nat_table); |
193 | return 0; | 168 | return 0; |
@@ -195,7 +170,7 @@ static int __net_init nf_nat_rule_net_init(struct net *net) | |||
195 | 170 | ||
196 | static void __net_exit nf_nat_rule_net_exit(struct net *net) | 171 | static void __net_exit nf_nat_rule_net_exit(struct net *net) |
197 | { | 172 | { |
198 | ipt_unregister_table(net->ipv4.nat_table); | 173 | ipt_unregister_table(net, net->ipv4.nat_table); |
199 | } | 174 | } |
200 | 175 | ||
201 | static struct pernet_operations nf_nat_rule_net_ops = { | 176 | static struct pernet_operations nf_nat_rule_net_ops = { |
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c index 07d61a57613c..11b538deaaec 100644 --- a/net/ipv4/netfilter/nf_nat_sip.c +++ b/net/ipv4/netfilter/nf_nat_sip.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* SIP extension for UDP NAT alteration. | 1 | /* SIP extension for NAT alteration. |
2 | * | 2 | * |
3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> | 3 | * (C) 2005 by Christian Hentschel <chentschel@arnet.com.ar> |
4 | * based on RR's ip_nat_ftp.c and other modules. | 4 | * based on RR's ip_nat_ftp.c and other modules. |
@@ -15,6 +15,7 @@ | |||
15 | #include <linux/ip.h> | 15 | #include <linux/ip.h> |
16 | #include <net/ip.h> | 16 | #include <net/ip.h> |
17 | #include <linux/udp.h> | 17 | #include <linux/udp.h> |
18 | #include <linux/tcp.h> | ||
18 | 19 | ||
19 | #include <net/netfilter/nf_nat.h> | 20 | #include <net/netfilter/nf_nat.h> |
20 | #include <net/netfilter/nf_nat_helper.h> | 21 | #include <net/netfilter/nf_nat_helper.h> |
@@ -29,25 +30,42 @@ MODULE_DESCRIPTION("SIP NAT helper"); | |||
29 | MODULE_ALIAS("ip_nat_sip"); | 30 | MODULE_ALIAS("ip_nat_sip"); |
30 | 31 | ||
31 | 32 | ||
32 | static unsigned int mangle_packet(struct sk_buff *skb, | 33 | static unsigned int mangle_packet(struct sk_buff *skb, unsigned int dataoff, |
33 | const char **dptr, unsigned int *datalen, | 34 | const char **dptr, unsigned int *datalen, |
34 | unsigned int matchoff, unsigned int matchlen, | 35 | unsigned int matchoff, unsigned int matchlen, |
35 | const char *buffer, unsigned int buflen) | 36 | const char *buffer, unsigned int buflen) |
36 | { | 37 | { |
37 | enum ip_conntrack_info ctinfo; | 38 | enum ip_conntrack_info ctinfo; |
38 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | 39 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); |
39 | 40 | struct tcphdr *th; | |
40 | if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, matchoff, matchlen, | 41 | unsigned int baseoff; |
41 | buffer, buflen)) | 42 | |
42 | return 0; | 43 | if (nf_ct_protonum(ct) == IPPROTO_TCP) { |
44 | th = (struct tcphdr *)(skb->data + ip_hdrlen(skb)); | ||
45 | baseoff = ip_hdrlen(skb) + th->doff * 4; | ||
46 | matchoff += dataoff - baseoff; | ||
47 | |||
48 | if (!__nf_nat_mangle_tcp_packet(skb, ct, ctinfo, | ||
49 | matchoff, matchlen, | ||
50 | buffer, buflen, false)) | ||
51 | return 0; | ||
52 | } else { | ||
53 | baseoff = ip_hdrlen(skb) + sizeof(struct udphdr); | ||
54 | matchoff += dataoff - baseoff; | ||
55 | |||
56 | if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, | ||
57 | matchoff, matchlen, | ||
58 | buffer, buflen)) | ||
59 | return 0; | ||
60 | } | ||
43 | 61 | ||
44 | /* Reload data pointer and adjust datalen value */ | 62 | /* Reload data pointer and adjust datalen value */ |
45 | *dptr = skb->data + ip_hdrlen(skb) + sizeof(struct udphdr); | 63 | *dptr = skb->data + dataoff; |
46 | *datalen += buflen - matchlen; | 64 | *datalen += buflen - matchlen; |
47 | return 1; | 65 | return 1; |
48 | } | 66 | } |
49 | 67 | ||
50 | static int map_addr(struct sk_buff *skb, | 68 | static int map_addr(struct sk_buff *skb, unsigned int dataoff, |
51 | const char **dptr, unsigned int *datalen, | 69 | const char **dptr, unsigned int *datalen, |
52 | unsigned int matchoff, unsigned int matchlen, | 70 | unsigned int matchoff, unsigned int matchlen, |
53 | union nf_inet_addr *addr, __be16 port) | 71 | union nf_inet_addr *addr, __be16 port) |
@@ -76,11 +94,11 @@ static int map_addr(struct sk_buff *skb, | |||
76 | 94 | ||
77 | buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport)); | 95 | buflen = sprintf(buffer, "%pI4:%u", &newaddr, ntohs(newport)); |
78 | 96 | ||
79 | return mangle_packet(skb, dptr, datalen, matchoff, matchlen, | 97 | return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen, |
80 | buffer, buflen); | 98 | buffer, buflen); |
81 | } | 99 | } |
82 | 100 | ||
83 | static int map_sip_addr(struct sk_buff *skb, | 101 | static int map_sip_addr(struct sk_buff *skb, unsigned int dataoff, |
84 | const char **dptr, unsigned int *datalen, | 102 | const char **dptr, unsigned int *datalen, |
85 | enum sip_header_types type) | 103 | enum sip_header_types type) |
86 | { | 104 | { |
@@ -93,16 +111,18 @@ static int map_sip_addr(struct sk_buff *skb, | |||
93 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL, | 111 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, type, NULL, |
94 | &matchoff, &matchlen, &addr, &port) <= 0) | 112 | &matchoff, &matchlen, &addr, &port) <= 0) |
95 | return 1; | 113 | return 1; |
96 | return map_addr(skb, dptr, datalen, matchoff, matchlen, &addr, port); | 114 | return map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, |
115 | &addr, port); | ||
97 | } | 116 | } |
98 | 117 | ||
99 | static unsigned int ip_nat_sip(struct sk_buff *skb, | 118 | static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff, |
100 | const char **dptr, unsigned int *datalen) | 119 | const char **dptr, unsigned int *datalen) |
101 | { | 120 | { |
102 | enum ip_conntrack_info ctinfo; | 121 | enum ip_conntrack_info ctinfo; |
103 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | 122 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); |
104 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 123 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
105 | unsigned int dataoff, matchoff, matchlen; | 124 | unsigned int coff, matchoff, matchlen; |
125 | enum sip_header_types hdr; | ||
106 | union nf_inet_addr addr; | 126 | union nf_inet_addr addr; |
107 | __be16 port; | 127 | __be16 port; |
108 | int request, in_header; | 128 | int request, in_header; |
@@ -112,16 +132,21 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, | |||
112 | if (ct_sip_parse_request(ct, *dptr, *datalen, | 132 | if (ct_sip_parse_request(ct, *dptr, *datalen, |
113 | &matchoff, &matchlen, | 133 | &matchoff, &matchlen, |
114 | &addr, &port) > 0 && | 134 | &addr, &port) > 0 && |
115 | !map_addr(skb, dptr, datalen, matchoff, matchlen, | 135 | !map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, |
116 | &addr, port)) | 136 | &addr, port)) |
117 | return NF_DROP; | 137 | return NF_DROP; |
118 | request = 1; | 138 | request = 1; |
119 | } else | 139 | } else |
120 | request = 0; | 140 | request = 0; |
121 | 141 | ||
142 | if (nf_ct_protonum(ct) == IPPROTO_TCP) | ||
143 | hdr = SIP_HDR_VIA_TCP; | ||
144 | else | ||
145 | hdr = SIP_HDR_VIA_UDP; | ||
146 | |||
122 | /* Translate topmost Via header and parameters */ | 147 | /* Translate topmost Via header and parameters */ |
123 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, | 148 | if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, |
124 | SIP_HDR_VIA, NULL, &matchoff, &matchlen, | 149 | hdr, NULL, &matchoff, &matchlen, |
125 | &addr, &port) > 0) { | 150 | &addr, &port) > 0) { |
126 | unsigned int matchend, poff, plen, buflen, n; | 151 | unsigned int matchend, poff, plen, buflen, n; |
127 | char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; | 152 | char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; |
@@ -138,7 +163,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, | |||
138 | goto next; | 163 | goto next; |
139 | } | 164 | } |
140 | 165 | ||
141 | if (!map_addr(skb, dptr, datalen, matchoff, matchlen, | 166 | if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, |
142 | &addr, port)) | 167 | &addr, port)) |
143 | return NF_DROP; | 168 | return NF_DROP; |
144 | 169 | ||
@@ -153,8 +178,8 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, | |||
153 | addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) { | 178 | addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) { |
154 | buflen = sprintf(buffer, "%pI4", | 179 | buflen = sprintf(buffer, "%pI4", |
155 | &ct->tuplehash[!dir].tuple.dst.u3.ip); | 180 | &ct->tuplehash[!dir].tuple.dst.u3.ip); |
156 | if (!mangle_packet(skb, dptr, datalen, poff, plen, | 181 | if (!mangle_packet(skb, dataoff, dptr, datalen, |
157 | buffer, buflen)) | 182 | poff, plen, buffer, buflen)) |
158 | return NF_DROP; | 183 | return NF_DROP; |
159 | } | 184 | } |
160 | 185 | ||
@@ -167,8 +192,8 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, | |||
167 | addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) { | 192 | addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) { |
168 | buflen = sprintf(buffer, "%pI4", | 193 | buflen = sprintf(buffer, "%pI4", |
169 | &ct->tuplehash[!dir].tuple.src.u3.ip); | 194 | &ct->tuplehash[!dir].tuple.src.u3.ip); |
170 | if (!mangle_packet(skb, dptr, datalen, poff, plen, | 195 | if (!mangle_packet(skb, dataoff, dptr, datalen, |
171 | buffer, buflen)) | 196 | poff, plen, buffer, buflen)) |
172 | return NF_DROP; | 197 | return NF_DROP; |
173 | } | 198 | } |
174 | 199 | ||
@@ -181,31 +206,45 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, | |||
181 | htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) { | 206 | htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) { |
182 | __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; | 207 | __be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port; |
183 | buflen = sprintf(buffer, "%u", ntohs(p)); | 208 | buflen = sprintf(buffer, "%u", ntohs(p)); |
184 | if (!mangle_packet(skb, dptr, datalen, poff, plen, | 209 | if (!mangle_packet(skb, dataoff, dptr, datalen, |
185 | buffer, buflen)) | 210 | poff, plen, buffer, buflen)) |
186 | return NF_DROP; | 211 | return NF_DROP; |
187 | } | 212 | } |
188 | } | 213 | } |
189 | 214 | ||
190 | next: | 215 | next: |
191 | /* Translate Contact headers */ | 216 | /* Translate Contact headers */ |
192 | dataoff = 0; | 217 | coff = 0; |
193 | in_header = 0; | 218 | in_header = 0; |
194 | while (ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen, | 219 | while (ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen, |
195 | SIP_HDR_CONTACT, &in_header, | 220 | SIP_HDR_CONTACT, &in_header, |
196 | &matchoff, &matchlen, | 221 | &matchoff, &matchlen, |
197 | &addr, &port) > 0) { | 222 | &addr, &port) > 0) { |
198 | if (!map_addr(skb, dptr, datalen, matchoff, matchlen, | 223 | if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, |
199 | &addr, port)) | 224 | &addr, port)) |
200 | return NF_DROP; | 225 | return NF_DROP; |
201 | } | 226 | } |
202 | 227 | ||
203 | if (!map_sip_addr(skb, dptr, datalen, SIP_HDR_FROM) || | 228 | if (!map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_FROM) || |
204 | !map_sip_addr(skb, dptr, datalen, SIP_HDR_TO)) | 229 | !map_sip_addr(skb, dataoff, dptr, datalen, SIP_HDR_TO)) |
205 | return NF_DROP; | 230 | return NF_DROP; |
231 | |||
206 | return NF_ACCEPT; | 232 | return NF_ACCEPT; |
207 | } | 233 | } |
208 | 234 | ||
235 | static void ip_nat_sip_seq_adjust(struct sk_buff *skb, s16 off) | ||
236 | { | ||
237 | enum ip_conntrack_info ctinfo; | ||
238 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
239 | const struct tcphdr *th; | ||
240 | |||
241 | if (nf_ct_protonum(ct) != IPPROTO_TCP || off == 0) | ||
242 | return; | ||
243 | |||
244 | th = (struct tcphdr *)(skb->data + ip_hdrlen(skb)); | ||
245 | nf_nat_set_seq_adjust(ct, ctinfo, th->seq, off); | ||
246 | } | ||
247 | |||
209 | /* Handles expected signalling connections and media streams */ | 248 | /* Handles expected signalling connections and media streams */ |
210 | static void ip_nat_sip_expected(struct nf_conn *ct, | 249 | static void ip_nat_sip_expected(struct nf_conn *ct, |
211 | struct nf_conntrack_expect *exp) | 250 | struct nf_conntrack_expect *exp) |
@@ -232,7 +271,7 @@ static void ip_nat_sip_expected(struct nf_conn *ct, | |||
232 | } | 271 | } |
233 | } | 272 | } |
234 | 273 | ||
235 | static unsigned int ip_nat_sip_expect(struct sk_buff *skb, | 274 | static unsigned int ip_nat_sip_expect(struct sk_buff *skb, unsigned int dataoff, |
236 | const char **dptr, unsigned int *datalen, | 275 | const char **dptr, unsigned int *datalen, |
237 | struct nf_conntrack_expect *exp, | 276 | struct nf_conntrack_expect *exp, |
238 | unsigned int matchoff, | 277 | unsigned int matchoff, |
@@ -279,8 +318,8 @@ static unsigned int ip_nat_sip_expect(struct sk_buff *skb, | |||
279 | if (exp->tuple.dst.u3.ip != exp->saved_ip || | 318 | if (exp->tuple.dst.u3.ip != exp->saved_ip || |
280 | exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { | 319 | exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) { |
281 | buflen = sprintf(buffer, "%pI4:%u", &newip, port); | 320 | buflen = sprintf(buffer, "%pI4:%u", &newip, port); |
282 | if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen, | 321 | if (!mangle_packet(skb, dataoff, dptr, datalen, |
283 | buffer, buflen)) | 322 | matchoff, matchlen, buffer, buflen)) |
284 | goto err; | 323 | goto err; |
285 | } | 324 | } |
286 | return NF_ACCEPT; | 325 | return NF_ACCEPT; |
@@ -290,7 +329,7 @@ err: | |||
290 | return NF_DROP; | 329 | return NF_DROP; |
291 | } | 330 | } |
292 | 331 | ||
293 | static int mangle_content_len(struct sk_buff *skb, | 332 | static int mangle_content_len(struct sk_buff *skb, unsigned int dataoff, |
294 | const char **dptr, unsigned int *datalen) | 333 | const char **dptr, unsigned int *datalen) |
295 | { | 334 | { |
296 | enum ip_conntrack_info ctinfo; | 335 | enum ip_conntrack_info ctinfo; |
@@ -312,12 +351,13 @@ static int mangle_content_len(struct sk_buff *skb, | |||
312 | return 0; | 351 | return 0; |
313 | 352 | ||
314 | buflen = sprintf(buffer, "%u", c_len); | 353 | buflen = sprintf(buffer, "%u", c_len); |
315 | return mangle_packet(skb, dptr, datalen, matchoff, matchlen, | 354 | return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen, |
316 | buffer, buflen); | 355 | buffer, buflen); |
317 | } | 356 | } |
318 | 357 | ||
319 | static int mangle_sdp_packet(struct sk_buff *skb, const char **dptr, | 358 | static int mangle_sdp_packet(struct sk_buff *skb, unsigned int dataoff, |
320 | unsigned int dataoff, unsigned int *datalen, | 359 | const char **dptr, unsigned int *datalen, |
360 | unsigned int sdpoff, | ||
321 | enum sdp_header_types type, | 361 | enum sdp_header_types type, |
322 | enum sdp_header_types term, | 362 | enum sdp_header_types term, |
323 | char *buffer, int buflen) | 363 | char *buffer, int buflen) |
@@ -326,16 +366,16 @@ static int mangle_sdp_packet(struct sk_buff *skb, const char **dptr, | |||
326 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | 366 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); |
327 | unsigned int matchlen, matchoff; | 367 | unsigned int matchlen, matchoff; |
328 | 368 | ||
329 | if (ct_sip_get_sdp_header(ct, *dptr, dataoff, *datalen, type, term, | 369 | if (ct_sip_get_sdp_header(ct, *dptr, sdpoff, *datalen, type, term, |
330 | &matchoff, &matchlen) <= 0) | 370 | &matchoff, &matchlen) <= 0) |
331 | return -ENOENT; | 371 | return -ENOENT; |
332 | return mangle_packet(skb, dptr, datalen, matchoff, matchlen, | 372 | return mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen, |
333 | buffer, buflen) ? 0 : -EINVAL; | 373 | buffer, buflen) ? 0 : -EINVAL; |
334 | } | 374 | } |
335 | 375 | ||
336 | static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr, | 376 | static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, unsigned int dataoff, |
337 | unsigned int dataoff, | 377 | const char **dptr, unsigned int *datalen, |
338 | unsigned int *datalen, | 378 | unsigned int sdpoff, |
339 | enum sdp_header_types type, | 379 | enum sdp_header_types type, |
340 | enum sdp_header_types term, | 380 | enum sdp_header_types term, |
341 | const union nf_inet_addr *addr) | 381 | const union nf_inet_addr *addr) |
@@ -344,16 +384,15 @@ static unsigned int ip_nat_sdp_addr(struct sk_buff *skb, const char **dptr, | |||
344 | unsigned int buflen; | 384 | unsigned int buflen; |
345 | 385 | ||
346 | buflen = sprintf(buffer, "%pI4", &addr->ip); | 386 | buflen = sprintf(buffer, "%pI4", &addr->ip); |
347 | if (mangle_sdp_packet(skb, dptr, dataoff, datalen, type, term, | 387 | if (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff, type, term, |
348 | buffer, buflen)) | 388 | buffer, buflen)) |
349 | return 0; | 389 | return 0; |
350 | 390 | ||
351 | return mangle_content_len(skb, dptr, datalen); | 391 | return mangle_content_len(skb, dataoff, dptr, datalen); |
352 | } | 392 | } |
353 | 393 | ||
354 | static unsigned int ip_nat_sdp_port(struct sk_buff *skb, | 394 | static unsigned int ip_nat_sdp_port(struct sk_buff *skb, unsigned int dataoff, |
355 | const char **dptr, | 395 | const char **dptr, unsigned int *datalen, |
356 | unsigned int *datalen, | ||
357 | unsigned int matchoff, | 396 | unsigned int matchoff, |
358 | unsigned int matchlen, | 397 | unsigned int matchlen, |
359 | u_int16_t port) | 398 | u_int16_t port) |
@@ -362,16 +401,16 @@ static unsigned int ip_nat_sdp_port(struct sk_buff *skb, | |||
362 | unsigned int buflen; | 401 | unsigned int buflen; |
363 | 402 | ||
364 | buflen = sprintf(buffer, "%u", port); | 403 | buflen = sprintf(buffer, "%u", port); |
365 | if (!mangle_packet(skb, dptr, datalen, matchoff, matchlen, | 404 | if (!mangle_packet(skb, dataoff, dptr, datalen, matchoff, matchlen, |
366 | buffer, buflen)) | 405 | buffer, buflen)) |
367 | return 0; | 406 | return 0; |
368 | 407 | ||
369 | return mangle_content_len(skb, dptr, datalen); | 408 | return mangle_content_len(skb, dataoff, dptr, datalen); |
370 | } | 409 | } |
371 | 410 | ||
372 | static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr, | 411 | static unsigned int ip_nat_sdp_session(struct sk_buff *skb, unsigned int dataoff, |
373 | unsigned int dataoff, | 412 | const char **dptr, unsigned int *datalen, |
374 | unsigned int *datalen, | 413 | unsigned int sdpoff, |
375 | const union nf_inet_addr *addr) | 414 | const union nf_inet_addr *addr) |
376 | { | 415 | { |
377 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; | 416 | char buffer[sizeof("nnn.nnn.nnn.nnn")]; |
@@ -379,12 +418,12 @@ static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr, | |||
379 | 418 | ||
380 | /* Mangle session description owner and contact addresses */ | 419 | /* Mangle session description owner and contact addresses */ |
381 | buflen = sprintf(buffer, "%pI4", &addr->ip); | 420 | buflen = sprintf(buffer, "%pI4", &addr->ip); |
382 | if (mangle_sdp_packet(skb, dptr, dataoff, datalen, | 421 | if (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff, |
383 | SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA, | 422 | SDP_HDR_OWNER_IP4, SDP_HDR_MEDIA, |
384 | buffer, buflen)) | 423 | buffer, buflen)) |
385 | return 0; | 424 | return 0; |
386 | 425 | ||
387 | switch (mangle_sdp_packet(skb, dptr, dataoff, datalen, | 426 | switch (mangle_sdp_packet(skb, dataoff, dptr, datalen, sdpoff, |
388 | SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA, | 427 | SDP_HDR_CONNECTION_IP4, SDP_HDR_MEDIA, |
389 | buffer, buflen)) { | 428 | buffer, buflen)) { |
390 | case 0: | 429 | case 0: |
@@ -401,14 +440,13 @@ static unsigned int ip_nat_sdp_session(struct sk_buff *skb, const char **dptr, | |||
401 | return 0; | 440 | return 0; |
402 | } | 441 | } |
403 | 442 | ||
404 | return mangle_content_len(skb, dptr, datalen); | 443 | return mangle_content_len(skb, dataoff, dptr, datalen); |
405 | } | 444 | } |
406 | 445 | ||
407 | /* So, this packet has hit the connection tracking matching code. | 446 | /* So, this packet has hit the connection tracking matching code. |
408 | Mangle it, and change the expectation to match the new version. */ | 447 | Mangle it, and change the expectation to match the new version. */ |
409 | static unsigned int ip_nat_sdp_media(struct sk_buff *skb, | 448 | static unsigned int ip_nat_sdp_media(struct sk_buff *skb, unsigned int dataoff, |
410 | const char **dptr, | 449 | const char **dptr, unsigned int *datalen, |
411 | unsigned int *datalen, | ||
412 | struct nf_conntrack_expect *rtp_exp, | 450 | struct nf_conntrack_expect *rtp_exp, |
413 | struct nf_conntrack_expect *rtcp_exp, | 451 | struct nf_conntrack_expect *rtcp_exp, |
414 | unsigned int mediaoff, | 452 | unsigned int mediaoff, |
@@ -456,7 +494,8 @@ static unsigned int ip_nat_sdp_media(struct sk_buff *skb, | |||
456 | 494 | ||
457 | /* Update media port. */ | 495 | /* Update media port. */ |
458 | if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && | 496 | if (rtp_exp->tuple.dst.u.udp.port != rtp_exp->saved_proto.udp.port && |
459 | !ip_nat_sdp_port(skb, dptr, datalen, mediaoff, medialen, port)) | 497 | !ip_nat_sdp_port(skb, dataoff, dptr, datalen, |
498 | mediaoff, medialen, port)) | ||
460 | goto err2; | 499 | goto err2; |
461 | 500 | ||
462 | return NF_ACCEPT; | 501 | return NF_ACCEPT; |
@@ -471,6 +510,7 @@ err1: | |||
471 | static void __exit nf_nat_sip_fini(void) | 510 | static void __exit nf_nat_sip_fini(void) |
472 | { | 511 | { |
473 | rcu_assign_pointer(nf_nat_sip_hook, NULL); | 512 | rcu_assign_pointer(nf_nat_sip_hook, NULL); |
513 | rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, NULL); | ||
474 | rcu_assign_pointer(nf_nat_sip_expect_hook, NULL); | 514 | rcu_assign_pointer(nf_nat_sip_expect_hook, NULL); |
475 | rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL); | 515 | rcu_assign_pointer(nf_nat_sdp_addr_hook, NULL); |
476 | rcu_assign_pointer(nf_nat_sdp_port_hook, NULL); | 516 | rcu_assign_pointer(nf_nat_sdp_port_hook, NULL); |
@@ -482,12 +522,14 @@ static void __exit nf_nat_sip_fini(void) | |||
482 | static int __init nf_nat_sip_init(void) | 522 | static int __init nf_nat_sip_init(void) |
483 | { | 523 | { |
484 | BUG_ON(nf_nat_sip_hook != NULL); | 524 | BUG_ON(nf_nat_sip_hook != NULL); |
525 | BUG_ON(nf_nat_sip_seq_adjust_hook != NULL); | ||
485 | BUG_ON(nf_nat_sip_expect_hook != NULL); | 526 | BUG_ON(nf_nat_sip_expect_hook != NULL); |
486 | BUG_ON(nf_nat_sdp_addr_hook != NULL); | 527 | BUG_ON(nf_nat_sdp_addr_hook != NULL); |
487 | BUG_ON(nf_nat_sdp_port_hook != NULL); | 528 | BUG_ON(nf_nat_sdp_port_hook != NULL); |
488 | BUG_ON(nf_nat_sdp_session_hook != NULL); | 529 | BUG_ON(nf_nat_sdp_session_hook != NULL); |
489 | BUG_ON(nf_nat_sdp_media_hook != NULL); | 530 | BUG_ON(nf_nat_sdp_media_hook != NULL); |
490 | rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip); | 531 | rcu_assign_pointer(nf_nat_sip_hook, ip_nat_sip); |
532 | rcu_assign_pointer(nf_nat_sip_seq_adjust_hook, ip_nat_sip_seq_adjust); | ||
491 | rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect); | 533 | rcu_assign_pointer(nf_nat_sip_expect_hook, ip_nat_sip_expect); |
492 | rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr); | 534 | rcu_assign_pointer(nf_nat_sdp_addr_hook, ip_nat_sdp_addr); |
493 | rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port); | 535 | rcu_assign_pointer(nf_nat_sdp_port_hook, ip_nat_sdp_port); |
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index d9521f6f9ed0..0b9c7ce3d6c5 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c | |||
@@ -1038,7 +1038,7 @@ static int snmp_parse_mangle(unsigned char *msg, | |||
1038 | unsigned int cls, con, tag, vers, pdutype; | 1038 | unsigned int cls, con, tag, vers, pdutype; |
1039 | struct asn1_ctx ctx; | 1039 | struct asn1_ctx ctx; |
1040 | struct asn1_octstr comm; | 1040 | struct asn1_octstr comm; |
1041 | struct snmp_object **obj; | 1041 | struct snmp_object *obj; |
1042 | 1042 | ||
1043 | if (debug > 1) | 1043 | if (debug > 1) |
1044 | hex_dump(msg, len); | 1044 | hex_dump(msg, len); |
@@ -1148,43 +1148,34 @@ static int snmp_parse_mangle(unsigned char *msg, | |||
1148 | if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ) | 1148 | if (cls != ASN1_UNI || con != ASN1_CON || tag != ASN1_SEQ) |
1149 | return 0; | 1149 | return 0; |
1150 | 1150 | ||
1151 | obj = kmalloc(sizeof(struct snmp_object), GFP_ATOMIC); | ||
1152 | if (obj == NULL) { | ||
1153 | if (net_ratelimit()) | ||
1154 | printk(KERN_WARNING "OOM in bsalg(%d)\n", __LINE__); | ||
1155 | return 0; | ||
1156 | } | ||
1157 | |||
1158 | while (!asn1_eoc_decode(&ctx, eoc)) { | 1151 | while (!asn1_eoc_decode(&ctx, eoc)) { |
1159 | unsigned int i; | 1152 | unsigned int i; |
1160 | 1153 | ||
1161 | if (!snmp_object_decode(&ctx, obj)) { | 1154 | if (!snmp_object_decode(&ctx, &obj)) { |
1162 | if (*obj) { | 1155 | if (obj) { |
1163 | kfree((*obj)->id); | 1156 | kfree(obj->id); |
1164 | kfree(*obj); | 1157 | kfree(obj); |
1165 | } | 1158 | } |
1166 | kfree(obj); | ||
1167 | return 0; | 1159 | return 0; |
1168 | } | 1160 | } |
1169 | 1161 | ||
1170 | if (debug > 1) { | 1162 | if (debug > 1) { |
1171 | printk(KERN_DEBUG "bsalg: object: "); | 1163 | printk(KERN_DEBUG "bsalg: object: "); |
1172 | for (i = 0; i < (*obj)->id_len; i++) { | 1164 | for (i = 0; i < obj->id_len; i++) { |
1173 | if (i > 0) | 1165 | if (i > 0) |
1174 | printk("."); | 1166 | printk("."); |
1175 | printk("%lu", (*obj)->id[i]); | 1167 | printk("%lu", obj->id[i]); |
1176 | } | 1168 | } |
1177 | printk(": type=%u\n", (*obj)->type); | 1169 | printk(": type=%u\n", obj->type); |
1178 | 1170 | ||
1179 | } | 1171 | } |
1180 | 1172 | ||
1181 | if ((*obj)->type == SNMP_IPADDR) | 1173 | if (obj->type == SNMP_IPADDR) |
1182 | mangle_address(ctx.begin, ctx.pointer - 4 , map, check); | 1174 | mangle_address(ctx.begin, ctx.pointer - 4 , map, check); |
1183 | 1175 | ||
1184 | kfree((*obj)->id); | 1176 | kfree(obj->id); |
1185 | kfree(*obj); | 1177 | kfree(obj); |
1186 | } | 1178 | } |
1187 | kfree(obj); | ||
1188 | 1179 | ||
1189 | if (!asn1_eoc_decode(&ctx, eoc)) | 1180 | if (!asn1_eoc_decode(&ctx, eoc)) |
1190 | return 0; | 1181 | return 0; |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 8a7e0f52e177..4185099c2943 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -29,6 +29,7 @@ | |||
29 | #include <linux/netfilter_ipv6/ip6_tables.h> | 29 | #include <linux/netfilter_ipv6/ip6_tables.h> |
30 | #include <linux/netfilter/x_tables.h> | 30 | #include <linux/netfilter/x_tables.h> |
31 | #include <net/netfilter/nf_log.h> | 31 | #include <net/netfilter/nf_log.h> |
32 | #include "../../netfilter/xt_repldata.h" | ||
32 | 33 | ||
33 | MODULE_LICENSE("GPL"); | 34 | MODULE_LICENSE("GPL"); |
34 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | 35 | MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); |
@@ -67,6 +68,12 @@ do { \ | |||
67 | #define inline | 68 | #define inline |
68 | #endif | 69 | #endif |
69 | 70 | ||
71 | void *ip6t_alloc_initial_table(const struct xt_table *info) | ||
72 | { | ||
73 | return xt_alloc_initial_table(ip6t, IP6T); | ||
74 | } | ||
75 | EXPORT_SYMBOL_GPL(ip6t_alloc_initial_table); | ||
76 | |||
70 | /* | 77 | /* |
71 | We keep a set of rules for each CPU, so we can avoid write-locking | 78 | We keep a set of rules for each CPU, so we can avoid write-locking |
72 | them in the softirq when updating the counters and therefore | 79 | them in the softirq when updating the counters and therefore |
@@ -201,7 +208,7 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) | |||
201 | 208 | ||
202 | /* Performance critical - called for every packet */ | 209 | /* Performance critical - called for every packet */ |
203 | static inline bool | 210 | static inline bool |
204 | do_match(struct ip6t_entry_match *m, const struct sk_buff *skb, | 211 | do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb, |
205 | struct xt_match_param *par) | 212 | struct xt_match_param *par) |
206 | { | 213 | { |
207 | par->match = m->u.kernel.match; | 214 | par->match = m->u.kernel.match; |
@@ -215,7 +222,7 @@ do_match(struct ip6t_entry_match *m, const struct sk_buff *skb, | |||
215 | } | 222 | } |
216 | 223 | ||
217 | static inline struct ip6t_entry * | 224 | static inline struct ip6t_entry * |
218 | get_entry(void *base, unsigned int offset) | 225 | get_entry(const void *base, unsigned int offset) |
219 | { | 226 | { |
220 | return (struct ip6t_entry *)(base + offset); | 227 | return (struct ip6t_entry *)(base + offset); |
221 | } | 228 | } |
@@ -229,6 +236,12 @@ static inline bool unconditional(const struct ip6t_ip6 *ipv6) | |||
229 | return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; | 236 | return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; |
230 | } | 237 | } |
231 | 238 | ||
239 | static inline const struct ip6t_entry_target * | ||
240 | ip6t_get_target_c(const struct ip6t_entry *e) | ||
241 | { | ||
242 | return ip6t_get_target((struct ip6t_entry *)e); | ||
243 | } | ||
244 | |||
232 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 245 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
233 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) | 246 | defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE) |
234 | /* This cries for unification! */ | 247 | /* This cries for unification! */ |
@@ -264,11 +277,11 @@ static struct nf_loginfo trace_loginfo = { | |||
264 | 277 | ||
265 | /* Mildly perf critical (only if packet tracing is on) */ | 278 | /* Mildly perf critical (only if packet tracing is on) */ |
266 | static inline int | 279 | static inline int |
267 | get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e, | 280 | get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, |
268 | const char *hookname, const char **chainname, | 281 | const char *hookname, const char **chainname, |
269 | const char **comment, unsigned int *rulenum) | 282 | const char **comment, unsigned int *rulenum) |
270 | { | 283 | { |
271 | struct ip6t_standard_target *t = (void *)ip6t_get_target(s); | 284 | const struct ip6t_standard_target *t = (void *)ip6t_get_target_c(s); |
272 | 285 | ||
273 | if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) { | 286 | if (strcmp(t->target.u.kernel.target->name, IP6T_ERROR_TARGET) == 0) { |
274 | /* Head of user chain: ERROR target with chainname */ | 287 | /* Head of user chain: ERROR target with chainname */ |
@@ -294,15 +307,15 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e, | |||
294 | return 0; | 307 | return 0; |
295 | } | 308 | } |
296 | 309 | ||
297 | static void trace_packet(struct sk_buff *skb, | 310 | static void trace_packet(const struct sk_buff *skb, |
298 | unsigned int hook, | 311 | unsigned int hook, |
299 | const struct net_device *in, | 312 | const struct net_device *in, |
300 | const struct net_device *out, | 313 | const struct net_device *out, |
301 | const char *tablename, | 314 | const char *tablename, |
302 | struct xt_table_info *private, | 315 | const struct xt_table_info *private, |
303 | struct ip6t_entry *e) | 316 | const struct ip6t_entry *e) |
304 | { | 317 | { |
305 | void *table_base; | 318 | const void *table_base; |
306 | const struct ip6t_entry *root; | 319 | const struct ip6t_entry *root; |
307 | const char *hookname, *chainname, *comment; | 320 | const char *hookname, *chainname, *comment; |
308 | unsigned int rulenum = 0; | 321 | unsigned int rulenum = 0; |
@@ -345,9 +358,9 @@ ip6t_do_table(struct sk_buff *skb, | |||
345 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 358 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
346 | unsigned int verdict = NF_DROP; | 359 | unsigned int verdict = NF_DROP; |
347 | const char *indev, *outdev; | 360 | const char *indev, *outdev; |
348 | void *table_base; | 361 | const void *table_base; |
349 | struct ip6t_entry *e, *back; | 362 | struct ip6t_entry *e, *back; |
350 | struct xt_table_info *private; | 363 | const struct xt_table_info *private; |
351 | struct xt_match_param mtpar; | 364 | struct xt_match_param mtpar; |
352 | struct xt_target_param tgpar; | 365 | struct xt_target_param tgpar; |
353 | 366 | ||
@@ -378,7 +391,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
378 | back = get_entry(table_base, private->underflow[hook]); | 391 | back = get_entry(table_base, private->underflow[hook]); |
379 | 392 | ||
380 | do { | 393 | do { |
381 | struct ip6t_entry_target *t; | 394 | const struct ip6t_entry_target *t; |
382 | 395 | ||
383 | IP_NF_ASSERT(e); | 396 | IP_NF_ASSERT(e); |
384 | IP_NF_ASSERT(back); | 397 | IP_NF_ASSERT(back); |
@@ -393,7 +406,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
393 | ntohs(ipv6_hdr(skb)->payload_len) + | 406 | ntohs(ipv6_hdr(skb)->payload_len) + |
394 | sizeof(struct ipv6hdr), 1); | 407 | sizeof(struct ipv6hdr), 1); |
395 | 408 | ||
396 | t = ip6t_get_target(e); | 409 | t = ip6t_get_target_c(e); |
397 | IP_NF_ASSERT(t->u.kernel.target); | 410 | IP_NF_ASSERT(t->u.kernel.target); |
398 | 411 | ||
399 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 412 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
@@ -475,7 +488,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
475 | /* Figures out from what hook each rule can be called: returns 0 if | 488 | /* Figures out from what hook each rule can be called: returns 0 if |
476 | there are loops. Puts hook bitmask in comefrom. */ | 489 | there are loops. Puts hook bitmask in comefrom. */ |
477 | static int | 490 | static int |
478 | mark_source_chains(struct xt_table_info *newinfo, | 491 | mark_source_chains(const struct xt_table_info *newinfo, |
479 | unsigned int valid_hooks, void *entry0) | 492 | unsigned int valid_hooks, void *entry0) |
480 | { | 493 | { |
481 | unsigned int hook; | 494 | unsigned int hook; |
@@ -493,8 +506,8 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
493 | e->counters.pcnt = pos; | 506 | e->counters.pcnt = pos; |
494 | 507 | ||
495 | for (;;) { | 508 | for (;;) { |
496 | struct ip6t_standard_target *t | 509 | const struct ip6t_standard_target *t |
497 | = (void *)ip6t_get_target(e); | 510 | = (void *)ip6t_get_target_c(e); |
498 | int visited = e->comefrom & (1 << hook); | 511 | int visited = e->comefrom & (1 << hook); |
499 | 512 | ||
500 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { | 513 | if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { |
@@ -585,13 +598,14 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
585 | } | 598 | } |
586 | 599 | ||
587 | static int | 600 | static int |
588 | cleanup_match(struct ip6t_entry_match *m, unsigned int *i) | 601 | cleanup_match(struct ip6t_entry_match *m, struct net *net, unsigned int *i) |
589 | { | 602 | { |
590 | struct xt_mtdtor_param par; | 603 | struct xt_mtdtor_param par; |
591 | 604 | ||
592 | if (i && (*i)-- == 0) | 605 | if (i && (*i)-- == 0) |
593 | return 1; | 606 | return 1; |
594 | 607 | ||
608 | par.net = net; | ||
595 | par.match = m->u.kernel.match; | 609 | par.match = m->u.kernel.match; |
596 | par.matchinfo = m->data; | 610 | par.matchinfo = m->data; |
597 | par.family = NFPROTO_IPV6; | 611 | par.family = NFPROTO_IPV6; |
@@ -602,9 +616,9 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i) | |||
602 | } | 616 | } |
603 | 617 | ||
604 | static int | 618 | static int |
605 | check_entry(struct ip6t_entry *e, const char *name) | 619 | check_entry(const struct ip6t_entry *e, const char *name) |
606 | { | 620 | { |
607 | struct ip6t_entry_target *t; | 621 | const struct ip6t_entry_target *t; |
608 | 622 | ||
609 | if (!ip6_checkentry(&e->ipv6)) { | 623 | if (!ip6_checkentry(&e->ipv6)) { |
610 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); | 624 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); |
@@ -615,7 +629,7 @@ check_entry(struct ip6t_entry *e, const char *name) | |||
615 | e->next_offset) | 629 | e->next_offset) |
616 | return -EINVAL; | 630 | return -EINVAL; |
617 | 631 | ||
618 | t = ip6t_get_target(e); | 632 | t = ip6t_get_target_c(e); |
619 | if (e->target_offset + t->u.target_size > e->next_offset) | 633 | if (e->target_offset + t->u.target_size > e->next_offset) |
620 | return -EINVAL; | 634 | return -EINVAL; |
621 | 635 | ||
@@ -668,10 +682,11 @@ err: | |||
668 | return ret; | 682 | return ret; |
669 | } | 683 | } |
670 | 684 | ||
671 | static int check_target(struct ip6t_entry *e, const char *name) | 685 | static int check_target(struct ip6t_entry *e, struct net *net, const char *name) |
672 | { | 686 | { |
673 | struct ip6t_entry_target *t = ip6t_get_target(e); | 687 | struct ip6t_entry_target *t = ip6t_get_target(e); |
674 | struct xt_tgchk_param par = { | 688 | struct xt_tgchk_param par = { |
689 | .net = net, | ||
675 | .table = name, | 690 | .table = name, |
676 | .entryinfo = e, | 691 | .entryinfo = e, |
677 | .target = t->u.kernel.target, | 692 | .target = t->u.kernel.target, |
@@ -693,8 +708,8 @@ static int check_target(struct ip6t_entry *e, const char *name) | |||
693 | } | 708 | } |
694 | 709 | ||
695 | static int | 710 | static int |
696 | find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | 711 | find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, |
697 | unsigned int *i) | 712 | unsigned int size, unsigned int *i) |
698 | { | 713 | { |
699 | struct ip6t_entry_target *t; | 714 | struct ip6t_entry_target *t; |
700 | struct xt_target *target; | 715 | struct xt_target *target; |
@@ -707,6 +722,7 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
707 | return ret; | 722 | return ret; |
708 | 723 | ||
709 | j = 0; | 724 | j = 0; |
725 | mtpar.net = net; | ||
710 | mtpar.table = name; | 726 | mtpar.table = name; |
711 | mtpar.entryinfo = &e->ipv6; | 727 | mtpar.entryinfo = &e->ipv6; |
712 | mtpar.hook_mask = e->comefrom; | 728 | mtpar.hook_mask = e->comefrom; |
@@ -727,7 +743,7 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
727 | } | 743 | } |
728 | t->u.kernel.target = target; | 744 | t->u.kernel.target = target; |
729 | 745 | ||
730 | ret = check_target(e, name); | 746 | ret = check_target(e, net, name); |
731 | if (ret) | 747 | if (ret) |
732 | goto err; | 748 | goto err; |
733 | 749 | ||
@@ -736,18 +752,18 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
736 | err: | 752 | err: |
737 | module_put(t->u.kernel.target->me); | 753 | module_put(t->u.kernel.target->me); |
738 | cleanup_matches: | 754 | cleanup_matches: |
739 | IP6T_MATCH_ITERATE(e, cleanup_match, &j); | 755 | IP6T_MATCH_ITERATE(e, cleanup_match, net, &j); |
740 | return ret; | 756 | return ret; |
741 | } | 757 | } |
742 | 758 | ||
743 | static bool check_underflow(struct ip6t_entry *e) | 759 | static bool check_underflow(const struct ip6t_entry *e) |
744 | { | 760 | { |
745 | const struct ip6t_entry_target *t; | 761 | const struct ip6t_entry_target *t; |
746 | unsigned int verdict; | 762 | unsigned int verdict; |
747 | 763 | ||
748 | if (!unconditional(&e->ipv6)) | 764 | if (!unconditional(&e->ipv6)) |
749 | return false; | 765 | return false; |
750 | t = ip6t_get_target(e); | 766 | t = ip6t_get_target_c(e); |
751 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | 767 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) |
752 | return false; | 768 | return false; |
753 | verdict = ((struct ip6t_standard_target *)t)->verdict; | 769 | verdict = ((struct ip6t_standard_target *)t)->verdict; |
@@ -758,8 +774,8 @@ static bool check_underflow(struct ip6t_entry *e) | |||
758 | static int | 774 | static int |
759 | check_entry_size_and_hooks(struct ip6t_entry *e, | 775 | check_entry_size_and_hooks(struct ip6t_entry *e, |
760 | struct xt_table_info *newinfo, | 776 | struct xt_table_info *newinfo, |
761 | unsigned char *base, | 777 | const unsigned char *base, |
762 | unsigned char *limit, | 778 | const unsigned char *limit, |
763 | const unsigned int *hook_entries, | 779 | const unsigned int *hook_entries, |
764 | const unsigned int *underflows, | 780 | const unsigned int *underflows, |
765 | unsigned int valid_hooks, | 781 | unsigned int valid_hooks, |
@@ -806,7 +822,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
806 | } | 822 | } |
807 | 823 | ||
808 | static int | 824 | static int |
809 | cleanup_entry(struct ip6t_entry *e, unsigned int *i) | 825 | cleanup_entry(struct ip6t_entry *e, struct net *net, unsigned int *i) |
810 | { | 826 | { |
811 | struct xt_tgdtor_param par; | 827 | struct xt_tgdtor_param par; |
812 | struct ip6t_entry_target *t; | 828 | struct ip6t_entry_target *t; |
@@ -815,9 +831,10 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i) | |||
815 | return 1; | 831 | return 1; |
816 | 832 | ||
817 | /* Cleanup all matches */ | 833 | /* Cleanup all matches */ |
818 | IP6T_MATCH_ITERATE(e, cleanup_match, NULL); | 834 | IP6T_MATCH_ITERATE(e, cleanup_match, net, NULL); |
819 | t = ip6t_get_target(e); | 835 | t = ip6t_get_target(e); |
820 | 836 | ||
837 | par.net = net; | ||
821 | par.target = t->u.kernel.target; | 838 | par.target = t->u.kernel.target; |
822 | par.targinfo = t->data; | 839 | par.targinfo = t->data; |
823 | par.family = NFPROTO_IPV6; | 840 | par.family = NFPROTO_IPV6; |
@@ -830,7 +847,8 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i) | |||
830 | /* Checks and translates the user-supplied table segment (held in | 847 | /* Checks and translates the user-supplied table segment (held in |
831 | newinfo) */ | 848 | newinfo) */ |
832 | static int | 849 | static int |
833 | translate_table(const char *name, | 850 | translate_table(struct net *net, |
851 | const char *name, | ||
834 | unsigned int valid_hooks, | 852 | unsigned int valid_hooks, |
835 | struct xt_table_info *newinfo, | 853 | struct xt_table_info *newinfo, |
836 | void *entry0, | 854 | void *entry0, |
@@ -892,11 +910,11 @@ translate_table(const char *name, | |||
892 | /* Finally, each sanity check must pass */ | 910 | /* Finally, each sanity check must pass */ |
893 | i = 0; | 911 | i = 0; |
894 | ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, | 912 | ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, |
895 | find_check_entry, name, size, &i); | 913 | find_check_entry, net, name, size, &i); |
896 | 914 | ||
897 | if (ret != 0) { | 915 | if (ret != 0) { |
898 | IP6T_ENTRY_ITERATE(entry0, newinfo->size, | 916 | IP6T_ENTRY_ITERATE(entry0, newinfo->size, |
899 | cleanup_entry, &i); | 917 | cleanup_entry, net, &i); |
900 | return ret; | 918 | return ret; |
901 | } | 919 | } |
902 | 920 | ||
@@ -972,11 +990,11 @@ get_counters(const struct xt_table_info *t, | |||
972 | local_bh_enable(); | 990 | local_bh_enable(); |
973 | } | 991 | } |
974 | 992 | ||
975 | static struct xt_counters *alloc_counters(struct xt_table *table) | 993 | static struct xt_counters *alloc_counters(const struct xt_table *table) |
976 | { | 994 | { |
977 | unsigned int countersize; | 995 | unsigned int countersize; |
978 | struct xt_counters *counters; | 996 | struct xt_counters *counters; |
979 | struct xt_table_info *private = table->private; | 997 | const struct xt_table_info *private = table->private; |
980 | 998 | ||
981 | /* We need atomic snapshot of counters: rest doesn't change | 999 | /* We need atomic snapshot of counters: rest doesn't change |
982 | (other than comefrom, which userspace doesn't care | 1000 | (other than comefrom, which userspace doesn't care |
@@ -994,11 +1012,11 @@ static struct xt_counters *alloc_counters(struct xt_table *table) | |||
994 | 1012 | ||
995 | static int | 1013 | static int |
996 | copy_entries_to_user(unsigned int total_size, | 1014 | copy_entries_to_user(unsigned int total_size, |
997 | struct xt_table *table, | 1015 | const struct xt_table *table, |
998 | void __user *userptr) | 1016 | void __user *userptr) |
999 | { | 1017 | { |
1000 | unsigned int off, num; | 1018 | unsigned int off, num; |
1001 | struct ip6t_entry *e; | 1019 | const struct ip6t_entry *e; |
1002 | struct xt_counters *counters; | 1020 | struct xt_counters *counters; |
1003 | const struct xt_table_info *private = table->private; | 1021 | const struct xt_table_info *private = table->private; |
1004 | int ret = 0; | 1022 | int ret = 0; |
@@ -1050,7 +1068,7 @@ copy_entries_to_user(unsigned int total_size, | |||
1050 | } | 1068 | } |
1051 | } | 1069 | } |
1052 | 1070 | ||
1053 | t = ip6t_get_target(e); | 1071 | t = ip6t_get_target_c(e); |
1054 | if (copy_to_user(userptr + off + e->target_offset | 1072 | if (copy_to_user(userptr + off + e->target_offset |
1055 | + offsetof(struct ip6t_entry_target, | 1073 | + offsetof(struct ip6t_entry_target, |
1056 | u.user.name), | 1074 | u.user.name), |
@@ -1067,7 +1085,7 @@ copy_entries_to_user(unsigned int total_size, | |||
1067 | } | 1085 | } |
1068 | 1086 | ||
1069 | #ifdef CONFIG_COMPAT | 1087 | #ifdef CONFIG_COMPAT |
1070 | static void compat_standard_from_user(void *dst, void *src) | 1088 | static void compat_standard_from_user(void *dst, const void *src) |
1071 | { | 1089 | { |
1072 | int v = *(compat_int_t *)src; | 1090 | int v = *(compat_int_t *)src; |
1073 | 1091 | ||
@@ -1076,7 +1094,7 @@ static void compat_standard_from_user(void *dst, void *src) | |||
1076 | memcpy(dst, &v, sizeof(v)); | 1094 | memcpy(dst, &v, sizeof(v)); |
1077 | } | 1095 | } |
1078 | 1096 | ||
1079 | static int compat_standard_to_user(void __user *dst, void *src) | 1097 | static int compat_standard_to_user(void __user *dst, const void *src) |
1080 | { | 1098 | { |
1081 | compat_int_t cv = *(int *)src; | 1099 | compat_int_t cv = *(int *)src; |
1082 | 1100 | ||
@@ -1086,24 +1104,24 @@ static int compat_standard_to_user(void __user *dst, void *src) | |||
1086 | } | 1104 | } |
1087 | 1105 | ||
1088 | static inline int | 1106 | static inline int |
1089 | compat_calc_match(struct ip6t_entry_match *m, int *size) | 1107 | compat_calc_match(const struct ip6t_entry_match *m, int *size) |
1090 | { | 1108 | { |
1091 | *size += xt_compat_match_offset(m->u.kernel.match); | 1109 | *size += xt_compat_match_offset(m->u.kernel.match); |
1092 | return 0; | 1110 | return 0; |
1093 | } | 1111 | } |
1094 | 1112 | ||
1095 | static int compat_calc_entry(struct ip6t_entry *e, | 1113 | static int compat_calc_entry(const struct ip6t_entry *e, |
1096 | const struct xt_table_info *info, | 1114 | const struct xt_table_info *info, |
1097 | void *base, struct xt_table_info *newinfo) | 1115 | const void *base, struct xt_table_info *newinfo) |
1098 | { | 1116 | { |
1099 | struct ip6t_entry_target *t; | 1117 | const struct ip6t_entry_target *t; |
1100 | unsigned int entry_offset; | 1118 | unsigned int entry_offset; |
1101 | int off, i, ret; | 1119 | int off, i, ret; |
1102 | 1120 | ||
1103 | off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); | 1121 | off = sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry); |
1104 | entry_offset = (void *)e - base; | 1122 | entry_offset = (void *)e - base; |
1105 | IP6T_MATCH_ITERATE(e, compat_calc_match, &off); | 1123 | IP6T_MATCH_ITERATE(e, compat_calc_match, &off); |
1106 | t = ip6t_get_target(e); | 1124 | t = ip6t_get_target_c(e); |
1107 | off += xt_compat_target_offset(t->u.kernel.target); | 1125 | off += xt_compat_target_offset(t->u.kernel.target); |
1108 | newinfo->size -= off; | 1126 | newinfo->size -= off; |
1109 | ret = xt_compat_add_offset(AF_INET6, entry_offset, off); | 1127 | ret = xt_compat_add_offset(AF_INET6, entry_offset, off); |
@@ -1139,7 +1157,8 @@ static int compat_table_info(const struct xt_table_info *info, | |||
1139 | } | 1157 | } |
1140 | #endif | 1158 | #endif |
1141 | 1159 | ||
1142 | static int get_info(struct net *net, void __user *user, int *len, int compat) | 1160 | static int get_info(struct net *net, void __user *user, |
1161 | const int *len, int compat) | ||
1143 | { | 1162 | { |
1144 | char name[IP6T_TABLE_MAXNAMELEN]; | 1163 | char name[IP6T_TABLE_MAXNAMELEN]; |
1145 | struct xt_table *t; | 1164 | struct xt_table *t; |
@@ -1199,7 +1218,8 @@ static int get_info(struct net *net, void __user *user, int *len, int compat) | |||
1199 | } | 1218 | } |
1200 | 1219 | ||
1201 | static int | 1220 | static int |
1202 | get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len) | 1221 | get_entries(struct net *net, struct ip6t_get_entries __user *uptr, |
1222 | const int *len) | ||
1203 | { | 1223 | { |
1204 | int ret; | 1224 | int ret; |
1205 | struct ip6t_get_entries get; | 1225 | struct ip6t_get_entries get; |
@@ -1291,7 +1311,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
1291 | /* Decrease module usage counts and free resource */ | 1311 | /* Decrease module usage counts and free resource */ |
1292 | loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; | 1312 | loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; |
1293 | IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry, | 1313 | IP6T_ENTRY_ITERATE(loc_cpu_old_entry, oldinfo->size, cleanup_entry, |
1294 | NULL); | 1314 | net, NULL); |
1295 | xt_free_table_info(oldinfo); | 1315 | xt_free_table_info(oldinfo); |
1296 | if (copy_to_user(counters_ptr, counters, | 1316 | if (copy_to_user(counters_ptr, counters, |
1297 | sizeof(struct xt_counters) * num_counters) != 0) | 1317 | sizeof(struct xt_counters) * num_counters) != 0) |
@@ -1310,7 +1330,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks, | |||
1310 | } | 1330 | } |
1311 | 1331 | ||
1312 | static int | 1332 | static int |
1313 | do_replace(struct net *net, void __user *user, unsigned int len) | 1333 | do_replace(struct net *net, const void __user *user, unsigned int len) |
1314 | { | 1334 | { |
1315 | int ret; | 1335 | int ret; |
1316 | struct ip6t_replace tmp; | 1336 | struct ip6t_replace tmp; |
@@ -1336,7 +1356,7 @@ do_replace(struct net *net, void __user *user, unsigned int len) | |||
1336 | goto free_newinfo; | 1356 | goto free_newinfo; |
1337 | } | 1357 | } |
1338 | 1358 | ||
1339 | ret = translate_table(tmp.name, tmp.valid_hooks, | 1359 | ret = translate_table(net, tmp.name, tmp.valid_hooks, |
1340 | newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, | 1360 | newinfo, loc_cpu_entry, tmp.size, tmp.num_entries, |
1341 | tmp.hook_entry, tmp.underflow); | 1361 | tmp.hook_entry, tmp.underflow); |
1342 | if (ret != 0) | 1362 | if (ret != 0) |
@@ -1351,7 +1371,7 @@ do_replace(struct net *net, void __user *user, unsigned int len) | |||
1351 | return 0; | 1371 | return 0; |
1352 | 1372 | ||
1353 | free_newinfo_untrans: | 1373 | free_newinfo_untrans: |
1354 | IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL); | 1374 | IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, net, NULL); |
1355 | free_newinfo: | 1375 | free_newinfo: |
1356 | xt_free_table_info(newinfo); | 1376 | xt_free_table_info(newinfo); |
1357 | return ret; | 1377 | return ret; |
@@ -1371,7 +1391,7 @@ add_counter_to_entry(struct ip6t_entry *e, | |||
1371 | } | 1391 | } |
1372 | 1392 | ||
1373 | static int | 1393 | static int |
1374 | do_add_counters(struct net *net, void __user *user, unsigned int len, | 1394 | do_add_counters(struct net *net, const void __user *user, unsigned int len, |
1375 | int compat) | 1395 | int compat) |
1376 | { | 1396 | { |
1377 | unsigned int i, curcpu; | 1397 | unsigned int i, curcpu; |
@@ -1570,10 +1590,10 @@ static int | |||
1570 | check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, | 1590 | check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, |
1571 | struct xt_table_info *newinfo, | 1591 | struct xt_table_info *newinfo, |
1572 | unsigned int *size, | 1592 | unsigned int *size, |
1573 | unsigned char *base, | 1593 | const unsigned char *base, |
1574 | unsigned char *limit, | 1594 | const unsigned char *limit, |
1575 | unsigned int *hook_entries, | 1595 | const unsigned int *hook_entries, |
1576 | unsigned int *underflows, | 1596 | const unsigned int *underflows, |
1577 | unsigned int *i, | 1597 | unsigned int *i, |
1578 | const char *name) | 1598 | const char *name) |
1579 | { | 1599 | { |
@@ -1690,14 +1710,15 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr, | |||
1690 | return ret; | 1710 | return ret; |
1691 | } | 1711 | } |
1692 | 1712 | ||
1693 | static int compat_check_entry(struct ip6t_entry *e, const char *name, | 1713 | static int compat_check_entry(struct ip6t_entry *e, struct net *net, |
1694 | unsigned int *i) | 1714 | const char *name, unsigned int *i) |
1695 | { | 1715 | { |
1696 | unsigned int j; | 1716 | unsigned int j; |
1697 | int ret; | 1717 | int ret; |
1698 | struct xt_mtchk_param mtpar; | 1718 | struct xt_mtchk_param mtpar; |
1699 | 1719 | ||
1700 | j = 0; | 1720 | j = 0; |
1721 | mtpar.net = net; | ||
1701 | mtpar.table = name; | 1722 | mtpar.table = name; |
1702 | mtpar.entryinfo = &e->ipv6; | 1723 | mtpar.entryinfo = &e->ipv6; |
1703 | mtpar.hook_mask = e->comefrom; | 1724 | mtpar.hook_mask = e->comefrom; |
@@ -1706,7 +1727,7 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name, | |||
1706 | if (ret) | 1727 | if (ret) |
1707 | goto cleanup_matches; | 1728 | goto cleanup_matches; |
1708 | 1729 | ||
1709 | ret = check_target(e, name); | 1730 | ret = check_target(e, net, name); |
1710 | if (ret) | 1731 | if (ret) |
1711 | goto cleanup_matches; | 1732 | goto cleanup_matches; |
1712 | 1733 | ||
@@ -1714,12 +1735,13 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name, | |||
1714 | return 0; | 1735 | return 0; |
1715 | 1736 | ||
1716 | cleanup_matches: | 1737 | cleanup_matches: |
1717 | IP6T_MATCH_ITERATE(e, cleanup_match, &j); | 1738 | IP6T_MATCH_ITERATE(e, cleanup_match, net, &j); |
1718 | return ret; | 1739 | return ret; |
1719 | } | 1740 | } |
1720 | 1741 | ||
1721 | static int | 1742 | static int |
1722 | translate_compat_table(const char *name, | 1743 | translate_compat_table(struct net *net, |
1744 | const char *name, | ||
1723 | unsigned int valid_hooks, | 1745 | unsigned int valid_hooks, |
1724 | struct xt_table_info **pinfo, | 1746 | struct xt_table_info **pinfo, |
1725 | void **pentry0, | 1747 | void **pentry0, |
@@ -1808,12 +1830,12 @@ translate_compat_table(const char *name, | |||
1808 | 1830 | ||
1809 | i = 0; | 1831 | i = 0; |
1810 | ret = IP6T_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, | 1832 | ret = IP6T_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, |
1811 | name, &i); | 1833 | net, name, &i); |
1812 | if (ret) { | 1834 | if (ret) { |
1813 | j -= i; | 1835 | j -= i; |
1814 | COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i, | 1836 | COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entry0, newinfo->size, i, |
1815 | compat_release_entry, &j); | 1837 | compat_release_entry, &j); |
1816 | IP6T_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i); | 1838 | IP6T_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, net, &i); |
1817 | xt_free_table_info(newinfo); | 1839 | xt_free_table_info(newinfo); |
1818 | return ret; | 1840 | return ret; |
1819 | } | 1841 | } |
@@ -1868,7 +1890,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) | |||
1868 | goto free_newinfo; | 1890 | goto free_newinfo; |
1869 | } | 1891 | } |
1870 | 1892 | ||
1871 | ret = translate_compat_table(tmp.name, tmp.valid_hooks, | 1893 | ret = translate_compat_table(net, tmp.name, tmp.valid_hooks, |
1872 | &newinfo, &loc_cpu_entry, tmp.size, | 1894 | &newinfo, &loc_cpu_entry, tmp.size, |
1873 | tmp.num_entries, tmp.hook_entry, | 1895 | tmp.num_entries, tmp.hook_entry, |
1874 | tmp.underflow); | 1896 | tmp.underflow); |
@@ -1884,7 +1906,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) | |||
1884 | return 0; | 1906 | return 0; |
1885 | 1907 | ||
1886 | free_newinfo_untrans: | 1908 | free_newinfo_untrans: |
1887 | IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, NULL); | 1909 | IP6T_ENTRY_ITERATE(loc_cpu_entry, newinfo->size, cleanup_entry, net, NULL); |
1888 | free_newinfo: | 1910 | free_newinfo: |
1889 | xt_free_table_info(newinfo); | 1911 | xt_free_table_info(newinfo); |
1890 | return ret; | 1912 | return ret; |
@@ -2121,7 +2143,7 @@ struct xt_table *ip6t_register_table(struct net *net, | |||
2121 | loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; | 2143 | loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; |
2122 | memcpy(loc_cpu_entry, repl->entries, repl->size); | 2144 | memcpy(loc_cpu_entry, repl->entries, repl->size); |
2123 | 2145 | ||
2124 | ret = translate_table(table->name, table->valid_hooks, | 2146 | ret = translate_table(net, table->name, table->valid_hooks, |
2125 | newinfo, loc_cpu_entry, repl->size, | 2147 | newinfo, loc_cpu_entry, repl->size, |
2126 | repl->num_entries, | 2148 | repl->num_entries, |
2127 | repl->hook_entry, | 2149 | repl->hook_entry, |
@@ -2142,7 +2164,7 @@ out: | |||
2142 | return ERR_PTR(ret); | 2164 | return ERR_PTR(ret); |
2143 | } | 2165 | } |
2144 | 2166 | ||
2145 | void ip6t_unregister_table(struct xt_table *table) | 2167 | void ip6t_unregister_table(struct net *net, struct xt_table *table) |
2146 | { | 2168 | { |
2147 | struct xt_table_info *private; | 2169 | struct xt_table_info *private; |
2148 | void *loc_cpu_entry; | 2170 | void *loc_cpu_entry; |
@@ -2152,7 +2174,7 @@ void ip6t_unregister_table(struct xt_table *table) | |||
2152 | 2174 | ||
2153 | /* Decrease module usage counts and free resources */ | 2175 | /* Decrease module usage counts and free resources */ |
2154 | loc_cpu_entry = private->entries[raw_smp_processor_id()]; | 2176 | loc_cpu_entry = private->entries[raw_smp_processor_id()]; |
2155 | IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL); | 2177 | IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, net, NULL); |
2156 | if (private->number > private->initial_entries) | 2178 | if (private->number > private->initial_entries) |
2157 | module_put(table_owner); | 2179 | module_put(table_owner); |
2158 | xt_free_table_info(private); | 2180 | xt_free_table_info(private); |
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index ad378efd0eb8..36b72cafc227 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
@@ -21,99 +21,26 @@ MODULE_DESCRIPTION("ip6tables filter table"); | |||
21 | (1 << NF_INET_FORWARD) | \ | 21 | (1 << NF_INET_FORWARD) | \ |
22 | (1 << NF_INET_LOCAL_OUT)) | 22 | (1 << NF_INET_LOCAL_OUT)) |
23 | 23 | ||
24 | static struct | ||
25 | { | ||
26 | struct ip6t_replace repl; | ||
27 | struct ip6t_standard entries[3]; | ||
28 | struct ip6t_error term; | ||
29 | } initial_table __net_initdata = { | ||
30 | .repl = { | ||
31 | .name = "filter", | ||
32 | .valid_hooks = FILTER_VALID_HOOKS, | ||
33 | .num_entries = 4, | ||
34 | .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error), | ||
35 | .hook_entry = { | ||
36 | [NF_INET_LOCAL_IN] = 0, | ||
37 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard), | ||
38 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2 | ||
39 | }, | ||
40 | .underflow = { | ||
41 | [NF_INET_LOCAL_IN] = 0, | ||
42 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard), | ||
43 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2 | ||
44 | }, | ||
45 | }, | ||
46 | .entries = { | ||
47 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
48 | IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
49 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
50 | }, | ||
51 | .term = IP6T_ERROR_INIT, /* ERROR */ | ||
52 | }; | ||
53 | |||
54 | static const struct xt_table packet_filter = { | 24 | static const struct xt_table packet_filter = { |
55 | .name = "filter", | 25 | .name = "filter", |
56 | .valid_hooks = FILTER_VALID_HOOKS, | 26 | .valid_hooks = FILTER_VALID_HOOKS, |
57 | .me = THIS_MODULE, | 27 | .me = THIS_MODULE, |
58 | .af = NFPROTO_IPV6, | 28 | .af = NFPROTO_IPV6, |
29 | .priority = NF_IP6_PRI_FILTER, | ||
59 | }; | 30 | }; |
60 | 31 | ||
61 | /* The work comes in here from netfilter.c. */ | 32 | /* The work comes in here from netfilter.c. */ |
62 | static unsigned int | 33 | static unsigned int |
63 | ip6t_in_hook(unsigned int hook, | 34 | ip6table_filter_hook(unsigned int hook, struct sk_buff *skb, |
64 | struct sk_buff *skb, | 35 | const struct net_device *in, const struct net_device *out, |
65 | const struct net_device *in, | 36 | int (*okfn)(struct sk_buff *)) |
66 | const struct net_device *out, | ||
67 | int (*okfn)(struct sk_buff *)) | ||
68 | { | ||
69 | return ip6t_do_table(skb, hook, in, out, | ||
70 | dev_net(in)->ipv6.ip6table_filter); | ||
71 | } | ||
72 | |||
73 | static unsigned int | ||
74 | ip6t_local_out_hook(unsigned int hook, | ||
75 | struct sk_buff *skb, | ||
76 | const struct net_device *in, | ||
77 | const struct net_device *out, | ||
78 | int (*okfn)(struct sk_buff *)) | ||
79 | { | 37 | { |
80 | #if 0 | 38 | const struct net *net = dev_net((in != NULL) ? in : out); |
81 | /* root is playing with raw sockets. */ | ||
82 | if (skb->len < sizeof(struct iphdr) || | ||
83 | ip_hdrlen(skb) < sizeof(struct iphdr)) { | ||
84 | if (net_ratelimit()) | ||
85 | printk("ip6t_hook: happy cracking.\n"); | ||
86 | return NF_ACCEPT; | ||
87 | } | ||
88 | #endif | ||
89 | 39 | ||
90 | return ip6t_do_table(skb, hook, in, out, | 40 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_filter); |
91 | dev_net(out)->ipv6.ip6table_filter); | ||
92 | } | 41 | } |
93 | 42 | ||
94 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 43 | static struct nf_hook_ops *filter_ops __read_mostly; |
95 | { | ||
96 | .hook = ip6t_in_hook, | ||
97 | .owner = THIS_MODULE, | ||
98 | .pf = NFPROTO_IPV6, | ||
99 | .hooknum = NF_INET_LOCAL_IN, | ||
100 | .priority = NF_IP6_PRI_FILTER, | ||
101 | }, | ||
102 | { | ||
103 | .hook = ip6t_in_hook, | ||
104 | .owner = THIS_MODULE, | ||
105 | .pf = NFPROTO_IPV6, | ||
106 | .hooknum = NF_INET_FORWARD, | ||
107 | .priority = NF_IP6_PRI_FILTER, | ||
108 | }, | ||
109 | { | ||
110 | .hook = ip6t_local_out_hook, | ||
111 | .owner = THIS_MODULE, | ||
112 | .pf = NFPROTO_IPV6, | ||
113 | .hooknum = NF_INET_LOCAL_OUT, | ||
114 | .priority = NF_IP6_PRI_FILTER, | ||
115 | }, | ||
116 | }; | ||
117 | 44 | ||
118 | /* Default to forward because I got too much mail already. */ | 45 | /* Default to forward because I got too much mail already. */ |
119 | static int forward = NF_ACCEPT; | 46 | static int forward = NF_ACCEPT; |
@@ -121,9 +48,18 @@ module_param(forward, bool, 0000); | |||
121 | 48 | ||
122 | static int __net_init ip6table_filter_net_init(struct net *net) | 49 | static int __net_init ip6table_filter_net_init(struct net *net) |
123 | { | 50 | { |
124 | /* Register table */ | 51 | struct ip6t_replace *repl; |
52 | |||
53 | repl = ip6t_alloc_initial_table(&packet_filter); | ||
54 | if (repl == NULL) | ||
55 | return -ENOMEM; | ||
56 | /* Entry 1 is the FORWARD hook */ | ||
57 | ((struct ip6t_standard *)repl->entries)[1].target.verdict = | ||
58 | -forward - 1; | ||
59 | |||
125 | net->ipv6.ip6table_filter = | 60 | net->ipv6.ip6table_filter = |
126 | ip6t_register_table(net, &packet_filter, &initial_table.repl); | 61 | ip6t_register_table(net, &packet_filter, repl); |
62 | kfree(repl); | ||
127 | if (IS_ERR(net->ipv6.ip6table_filter)) | 63 | if (IS_ERR(net->ipv6.ip6table_filter)) |
128 | return PTR_ERR(net->ipv6.ip6table_filter); | 64 | return PTR_ERR(net->ipv6.ip6table_filter); |
129 | return 0; | 65 | return 0; |
@@ -131,7 +67,7 @@ static int __net_init ip6table_filter_net_init(struct net *net) | |||
131 | 67 | ||
132 | static void __net_exit ip6table_filter_net_exit(struct net *net) | 68 | static void __net_exit ip6table_filter_net_exit(struct net *net) |
133 | { | 69 | { |
134 | ip6t_unregister_table(net->ipv6.ip6table_filter); | 70 | ip6t_unregister_table(net, net->ipv6.ip6table_filter); |
135 | } | 71 | } |
136 | 72 | ||
137 | static struct pernet_operations ip6table_filter_net_ops = { | 73 | static struct pernet_operations ip6table_filter_net_ops = { |
@@ -148,17 +84,16 @@ static int __init ip6table_filter_init(void) | |||
148 | return -EINVAL; | 84 | return -EINVAL; |
149 | } | 85 | } |
150 | 86 | ||
151 | /* Entry 1 is the FORWARD hook */ | ||
152 | initial_table.entries[1].target.verdict = -forward - 1; | ||
153 | |||
154 | ret = register_pernet_subsys(&ip6table_filter_net_ops); | 87 | ret = register_pernet_subsys(&ip6table_filter_net_ops); |
155 | if (ret < 0) | 88 | if (ret < 0) |
156 | return ret; | 89 | return ret; |
157 | 90 | ||
158 | /* Register hooks */ | 91 | /* Register hooks */ |
159 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 92 | filter_ops = xt_hook_link(&packet_filter, ip6table_filter_hook); |
160 | if (ret < 0) | 93 | if (IS_ERR(filter_ops)) { |
94 | ret = PTR_ERR(filter_ops); | ||
161 | goto cleanup_table; | 95 | goto cleanup_table; |
96 | } | ||
162 | 97 | ||
163 | return ret; | 98 | return ret; |
164 | 99 | ||
@@ -169,7 +104,7 @@ static int __init ip6table_filter_init(void) | |||
169 | 104 | ||
170 | static void __exit ip6table_filter_fini(void) | 105 | static void __exit ip6table_filter_fini(void) |
171 | { | 106 | { |
172 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 107 | xt_hook_unlink(&packet_filter, filter_ops); |
173 | unregister_pernet_subsys(&ip6table_filter_net_ops); | 108 | unregister_pernet_subsys(&ip6table_filter_net_ops); |
174 | } | 109 | } |
175 | 110 | ||
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index a929c19d30e3..7844e557c0ec 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
@@ -21,80 +21,17 @@ MODULE_DESCRIPTION("ip6tables mangle table"); | |||
21 | (1 << NF_INET_LOCAL_OUT) | \ | 21 | (1 << NF_INET_LOCAL_OUT) | \ |
22 | (1 << NF_INET_POST_ROUTING)) | 22 | (1 << NF_INET_POST_ROUTING)) |
23 | 23 | ||
24 | static const struct | ||
25 | { | ||
26 | struct ip6t_replace repl; | ||
27 | struct ip6t_standard entries[5]; | ||
28 | struct ip6t_error term; | ||
29 | } initial_table __net_initdata = { | ||
30 | .repl = { | ||
31 | .name = "mangle", | ||
32 | .valid_hooks = MANGLE_VALID_HOOKS, | ||
33 | .num_entries = 6, | ||
34 | .size = sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error), | ||
35 | .hook_entry = { | ||
36 | [NF_INET_PRE_ROUTING] = 0, | ||
37 | [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard), | ||
38 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2, | ||
39 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3, | ||
40 | [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4, | ||
41 | }, | ||
42 | .underflow = { | ||
43 | [NF_INET_PRE_ROUTING] = 0, | ||
44 | [NF_INET_LOCAL_IN] = sizeof(struct ip6t_standard), | ||
45 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard) * 2, | ||
46 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 3, | ||
47 | [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 4, | ||
48 | }, | ||
49 | }, | ||
50 | .entries = { | ||
51 | IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */ | ||
52 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
53 | IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
54 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
55 | IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */ | ||
56 | }, | ||
57 | .term = IP6T_ERROR_INIT, /* ERROR */ | ||
58 | }; | ||
59 | |||
60 | static const struct xt_table packet_mangler = { | 24 | static const struct xt_table packet_mangler = { |
61 | .name = "mangle", | 25 | .name = "mangle", |
62 | .valid_hooks = MANGLE_VALID_HOOKS, | 26 | .valid_hooks = MANGLE_VALID_HOOKS, |
63 | .me = THIS_MODULE, | 27 | .me = THIS_MODULE, |
64 | .af = NFPROTO_IPV6, | 28 | .af = NFPROTO_IPV6, |
29 | .priority = NF_IP6_PRI_MANGLE, | ||
65 | }; | 30 | }; |
66 | 31 | ||
67 | /* The work comes in here from netfilter.c. */ | ||
68 | static unsigned int | ||
69 | ip6t_in_hook(unsigned int hook, | ||
70 | struct sk_buff *skb, | ||
71 | const struct net_device *in, | ||
72 | const struct net_device *out, | ||
73 | int (*okfn)(struct sk_buff *)) | ||
74 | { | ||
75 | return ip6t_do_table(skb, hook, in, out, | ||
76 | dev_net(in)->ipv6.ip6table_mangle); | ||
77 | } | ||
78 | |||
79 | static unsigned int | ||
80 | ip6t_post_routing_hook(unsigned int hook, | ||
81 | struct sk_buff *skb, | ||
82 | const struct net_device *in, | ||
83 | const struct net_device *out, | ||
84 | int (*okfn)(struct sk_buff *)) | ||
85 | { | ||
86 | return ip6t_do_table(skb, hook, in, out, | ||
87 | dev_net(out)->ipv6.ip6table_mangle); | ||
88 | } | ||
89 | |||
90 | static unsigned int | 32 | static unsigned int |
91 | ip6t_local_out_hook(unsigned int hook, | 33 | ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out) |
92 | struct sk_buff *skb, | ||
93 | const struct net_device *in, | ||
94 | const struct net_device *out, | ||
95 | int (*okfn)(struct sk_buff *)) | ||
96 | { | 34 | { |
97 | |||
98 | unsigned int ret; | 35 | unsigned int ret; |
99 | struct in6_addr saddr, daddr; | 36 | struct in6_addr saddr, daddr; |
100 | u_int8_t hop_limit; | 37 | u_int8_t hop_limit; |
@@ -119,7 +56,7 @@ ip6t_local_out_hook(unsigned int hook, | |||
119 | /* flowlabel and prio (includes version, which shouldn't change either */ | 56 | /* flowlabel and prio (includes version, which shouldn't change either */ |
120 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); | 57 | flowlabel = *((u_int32_t *)ipv6_hdr(skb)); |
121 | 58 | ||
122 | ret = ip6t_do_table(skb, hook, in, out, | 59 | ret = ip6t_do_table(skb, NF_INET_LOCAL_OUT, NULL, out, |
123 | dev_net(out)->ipv6.ip6table_mangle); | 60 | dev_net(out)->ipv6.ip6table_mangle); |
124 | 61 | ||
125 | if (ret != NF_DROP && ret != NF_STOLEN && | 62 | if (ret != NF_DROP && ret != NF_STOLEN && |
@@ -132,49 +69,33 @@ ip6t_local_out_hook(unsigned int hook, | |||
132 | return ret; | 69 | return ret; |
133 | } | 70 | } |
134 | 71 | ||
135 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 72 | /* The work comes in here from netfilter.c. */ |
136 | { | 73 | static unsigned int |
137 | .hook = ip6t_in_hook, | 74 | ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb, |
138 | .owner = THIS_MODULE, | 75 | const struct net_device *in, const struct net_device *out, |
139 | .pf = NFPROTO_IPV6, | 76 | int (*okfn)(struct sk_buff *)) |
140 | .hooknum = NF_INET_PRE_ROUTING, | 77 | { |
141 | .priority = NF_IP6_PRI_MANGLE, | 78 | if (hook == NF_INET_LOCAL_OUT) |
142 | }, | 79 | return ip6t_mangle_out(skb, out); |
143 | { | 80 | if (hook == NF_INET_POST_ROUTING) |
144 | .hook = ip6t_in_hook, | 81 | return ip6t_do_table(skb, hook, in, out, |
145 | .owner = THIS_MODULE, | 82 | dev_net(out)->ipv6.ip6table_mangle); |
146 | .pf = NFPROTO_IPV6, | 83 | /* INPUT/FORWARD */ |
147 | .hooknum = NF_INET_LOCAL_IN, | 84 | return ip6t_do_table(skb, hook, in, out, |
148 | .priority = NF_IP6_PRI_MANGLE, | 85 | dev_net(in)->ipv6.ip6table_mangle); |
149 | }, | 86 | } |
150 | { | ||
151 | .hook = ip6t_in_hook, | ||
152 | .owner = THIS_MODULE, | ||
153 | .pf = NFPROTO_IPV6, | ||
154 | .hooknum = NF_INET_FORWARD, | ||
155 | .priority = NF_IP6_PRI_MANGLE, | ||
156 | }, | ||
157 | { | ||
158 | .hook = ip6t_local_out_hook, | ||
159 | .owner = THIS_MODULE, | ||
160 | .pf = NFPROTO_IPV6, | ||
161 | .hooknum = NF_INET_LOCAL_OUT, | ||
162 | .priority = NF_IP6_PRI_MANGLE, | ||
163 | }, | ||
164 | { | ||
165 | .hook = ip6t_post_routing_hook, | ||
166 | .owner = THIS_MODULE, | ||
167 | .pf = NFPROTO_IPV6, | ||
168 | .hooknum = NF_INET_POST_ROUTING, | ||
169 | .priority = NF_IP6_PRI_MANGLE, | ||
170 | }, | ||
171 | }; | ||
172 | 87 | ||
88 | static struct nf_hook_ops *mangle_ops __read_mostly; | ||
173 | static int __net_init ip6table_mangle_net_init(struct net *net) | 89 | static int __net_init ip6table_mangle_net_init(struct net *net) |
174 | { | 90 | { |
175 | /* Register table */ | 91 | struct ip6t_replace *repl; |
92 | |||
93 | repl = ip6t_alloc_initial_table(&packet_mangler); | ||
94 | if (repl == NULL) | ||
95 | return -ENOMEM; | ||
176 | net->ipv6.ip6table_mangle = | 96 | net->ipv6.ip6table_mangle = |
177 | ip6t_register_table(net, &packet_mangler, &initial_table.repl); | 97 | ip6t_register_table(net, &packet_mangler, repl); |
98 | kfree(repl); | ||
178 | if (IS_ERR(net->ipv6.ip6table_mangle)) | 99 | if (IS_ERR(net->ipv6.ip6table_mangle)) |
179 | return PTR_ERR(net->ipv6.ip6table_mangle); | 100 | return PTR_ERR(net->ipv6.ip6table_mangle); |
180 | return 0; | 101 | return 0; |
@@ -182,7 +103,7 @@ static int __net_init ip6table_mangle_net_init(struct net *net) | |||
182 | 103 | ||
183 | static void __net_exit ip6table_mangle_net_exit(struct net *net) | 104 | static void __net_exit ip6table_mangle_net_exit(struct net *net) |
184 | { | 105 | { |
185 | ip6t_unregister_table(net->ipv6.ip6table_mangle); | 106 | ip6t_unregister_table(net, net->ipv6.ip6table_mangle); |
186 | } | 107 | } |
187 | 108 | ||
188 | static struct pernet_operations ip6table_mangle_net_ops = { | 109 | static struct pernet_operations ip6table_mangle_net_ops = { |
@@ -199,9 +120,11 @@ static int __init ip6table_mangle_init(void) | |||
199 | return ret; | 120 | return ret; |
200 | 121 | ||
201 | /* Register hooks */ | 122 | /* Register hooks */ |
202 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 123 | mangle_ops = xt_hook_link(&packet_mangler, ip6table_mangle_hook); |
203 | if (ret < 0) | 124 | if (IS_ERR(mangle_ops)) { |
125 | ret = PTR_ERR(mangle_ops); | ||
204 | goto cleanup_table; | 126 | goto cleanup_table; |
127 | } | ||
205 | 128 | ||
206 | return ret; | 129 | return ret; |
207 | 130 | ||
@@ -212,7 +135,7 @@ static int __init ip6table_mangle_init(void) | |||
212 | 135 | ||
213 | static void __exit ip6table_mangle_fini(void) | 136 | static void __exit ip6table_mangle_fini(void) |
214 | { | 137 | { |
215 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 138 | xt_hook_unlink(&packet_mangler, mangle_ops); |
216 | unregister_pernet_subsys(&ip6table_mangle_net_ops); | 139 | unregister_pernet_subsys(&ip6table_mangle_net_ops); |
217 | } | 140 | } |
218 | 141 | ||
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index ed1a1180f3b3..aef31a29de9e 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
@@ -8,85 +8,37 @@ | |||
8 | 8 | ||
9 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) | 9 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) |
10 | 10 | ||
11 | static const struct | ||
12 | { | ||
13 | struct ip6t_replace repl; | ||
14 | struct ip6t_standard entries[2]; | ||
15 | struct ip6t_error term; | ||
16 | } initial_table __net_initdata = { | ||
17 | .repl = { | ||
18 | .name = "raw", | ||
19 | .valid_hooks = RAW_VALID_HOOKS, | ||
20 | .num_entries = 3, | ||
21 | .size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error), | ||
22 | .hook_entry = { | ||
23 | [NF_INET_PRE_ROUTING] = 0, | ||
24 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) | ||
25 | }, | ||
26 | .underflow = { | ||
27 | [NF_INET_PRE_ROUTING] = 0, | ||
28 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) | ||
29 | }, | ||
30 | }, | ||
31 | .entries = { | ||
32 | IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */ | ||
33 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
34 | }, | ||
35 | .term = IP6T_ERROR_INIT, /* ERROR */ | ||
36 | }; | ||
37 | |||
38 | static const struct xt_table packet_raw = { | 11 | static const struct xt_table packet_raw = { |
39 | .name = "raw", | 12 | .name = "raw", |
40 | .valid_hooks = RAW_VALID_HOOKS, | 13 | .valid_hooks = RAW_VALID_HOOKS, |
41 | .me = THIS_MODULE, | 14 | .me = THIS_MODULE, |
42 | .af = NFPROTO_IPV6, | 15 | .af = NFPROTO_IPV6, |
16 | .priority = NF_IP6_PRI_FIRST, | ||
43 | }; | 17 | }; |
44 | 18 | ||
45 | /* The work comes in here from netfilter.c. */ | 19 | /* The work comes in here from netfilter.c. */ |
46 | static unsigned int | 20 | static unsigned int |
47 | ip6t_pre_routing_hook(unsigned int hook, | 21 | ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, |
48 | struct sk_buff *skb, | 22 | const struct net_device *in, const struct net_device *out, |
49 | const struct net_device *in, | 23 | int (*okfn)(struct sk_buff *)) |
50 | const struct net_device *out, | ||
51 | int (*okfn)(struct sk_buff *)) | ||
52 | { | 24 | { |
53 | return ip6t_do_table(skb, hook, in, out, | 25 | const struct net *net = dev_net((in != NULL) ? in : out); |
54 | dev_net(in)->ipv6.ip6table_raw); | ||
55 | } | ||
56 | 26 | ||
57 | static unsigned int | 27 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw); |
58 | ip6t_local_out_hook(unsigned int hook, | ||
59 | struct sk_buff *skb, | ||
60 | const struct net_device *in, | ||
61 | const struct net_device *out, | ||
62 | int (*okfn)(struct sk_buff *)) | ||
63 | { | ||
64 | return ip6t_do_table(skb, hook, in, out, | ||
65 | dev_net(out)->ipv6.ip6table_raw); | ||
66 | } | 28 | } |
67 | 29 | ||
68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 30 | static struct nf_hook_ops *rawtable_ops __read_mostly; |
69 | { | ||
70 | .hook = ip6t_pre_routing_hook, | ||
71 | .pf = NFPROTO_IPV6, | ||
72 | .hooknum = NF_INET_PRE_ROUTING, | ||
73 | .priority = NF_IP6_PRI_FIRST, | ||
74 | .owner = THIS_MODULE, | ||
75 | }, | ||
76 | { | ||
77 | .hook = ip6t_local_out_hook, | ||
78 | .pf = NFPROTO_IPV6, | ||
79 | .hooknum = NF_INET_LOCAL_OUT, | ||
80 | .priority = NF_IP6_PRI_FIRST, | ||
81 | .owner = THIS_MODULE, | ||
82 | }, | ||
83 | }; | ||
84 | 31 | ||
85 | static int __net_init ip6table_raw_net_init(struct net *net) | 32 | static int __net_init ip6table_raw_net_init(struct net *net) |
86 | { | 33 | { |
87 | /* Register table */ | 34 | struct ip6t_replace *repl; |
35 | |||
36 | repl = ip6t_alloc_initial_table(&packet_raw); | ||
37 | if (repl == NULL) | ||
38 | return -ENOMEM; | ||
88 | net->ipv6.ip6table_raw = | 39 | net->ipv6.ip6table_raw = |
89 | ip6t_register_table(net, &packet_raw, &initial_table.repl); | 40 | ip6t_register_table(net, &packet_raw, repl); |
41 | kfree(repl); | ||
90 | if (IS_ERR(net->ipv6.ip6table_raw)) | 42 | if (IS_ERR(net->ipv6.ip6table_raw)) |
91 | return PTR_ERR(net->ipv6.ip6table_raw); | 43 | return PTR_ERR(net->ipv6.ip6table_raw); |
92 | return 0; | 44 | return 0; |
@@ -94,7 +46,7 @@ static int __net_init ip6table_raw_net_init(struct net *net) | |||
94 | 46 | ||
95 | static void __net_exit ip6table_raw_net_exit(struct net *net) | 47 | static void __net_exit ip6table_raw_net_exit(struct net *net) |
96 | { | 48 | { |
97 | ip6t_unregister_table(net->ipv6.ip6table_raw); | 49 | ip6t_unregister_table(net, net->ipv6.ip6table_raw); |
98 | } | 50 | } |
99 | 51 | ||
100 | static struct pernet_operations ip6table_raw_net_ops = { | 52 | static struct pernet_operations ip6table_raw_net_ops = { |
@@ -111,9 +63,11 @@ static int __init ip6table_raw_init(void) | |||
111 | return ret; | 63 | return ret; |
112 | 64 | ||
113 | /* Register hooks */ | 65 | /* Register hooks */ |
114 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 66 | rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook); |
115 | if (ret < 0) | 67 | if (IS_ERR(rawtable_ops)) { |
68 | ret = PTR_ERR(rawtable_ops); | ||
116 | goto cleanup_table; | 69 | goto cleanup_table; |
70 | } | ||
117 | 71 | ||
118 | return ret; | 72 | return ret; |
119 | 73 | ||
@@ -124,7 +78,7 @@ static int __init ip6table_raw_init(void) | |||
124 | 78 | ||
125 | static void __exit ip6table_raw_fini(void) | 79 | static void __exit ip6table_raw_fini(void) |
126 | { | 80 | { |
127 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 81 | xt_hook_unlink(&packet_raw, rawtable_ops); |
128 | unregister_pernet_subsys(&ip6table_raw_net_ops); | 82 | unregister_pernet_subsys(&ip6table_raw_net_ops); |
129 | } | 83 | } |
130 | 84 | ||
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index 41b444c60934..0824d865aa9b 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
@@ -26,106 +26,37 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules"); | |||
26 | (1 << NF_INET_FORWARD) | \ | 26 | (1 << NF_INET_FORWARD) | \ |
27 | (1 << NF_INET_LOCAL_OUT) | 27 | (1 << NF_INET_LOCAL_OUT) |
28 | 28 | ||
29 | static const struct | ||
30 | { | ||
31 | struct ip6t_replace repl; | ||
32 | struct ip6t_standard entries[3]; | ||
33 | struct ip6t_error term; | ||
34 | } initial_table __net_initdata = { | ||
35 | .repl = { | ||
36 | .name = "security", | ||
37 | .valid_hooks = SECURITY_VALID_HOOKS, | ||
38 | .num_entries = 4, | ||
39 | .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error), | ||
40 | .hook_entry = { | ||
41 | [NF_INET_LOCAL_IN] = 0, | ||
42 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard), | ||
43 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2, | ||
44 | }, | ||
45 | .underflow = { | ||
46 | [NF_INET_LOCAL_IN] = 0, | ||
47 | [NF_INET_FORWARD] = sizeof(struct ip6t_standard), | ||
48 | [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2, | ||
49 | }, | ||
50 | }, | ||
51 | .entries = { | ||
52 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */ | ||
53 | IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */ | ||
54 | IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */ | ||
55 | }, | ||
56 | .term = IP6T_ERROR_INIT, /* ERROR */ | ||
57 | }; | ||
58 | |||
59 | static const struct xt_table security_table = { | 29 | static const struct xt_table security_table = { |
60 | .name = "security", | 30 | .name = "security", |
61 | .valid_hooks = SECURITY_VALID_HOOKS, | 31 | .valid_hooks = SECURITY_VALID_HOOKS, |
62 | .me = THIS_MODULE, | 32 | .me = THIS_MODULE, |
63 | .af = NFPROTO_IPV6, | 33 | .af = NFPROTO_IPV6, |
34 | .priority = NF_IP6_PRI_SECURITY, | ||
64 | }; | 35 | }; |
65 | 36 | ||
66 | static unsigned int | 37 | static unsigned int |
67 | ip6t_local_in_hook(unsigned int hook, | 38 | ip6table_security_hook(unsigned int hook, struct sk_buff *skb, |
68 | struct sk_buff *skb, | 39 | const struct net_device *in, |
69 | const struct net_device *in, | 40 | const struct net_device *out, |
70 | const struct net_device *out, | 41 | int (*okfn)(struct sk_buff *)) |
71 | int (*okfn)(struct sk_buff *)) | ||
72 | { | ||
73 | return ip6t_do_table(skb, hook, in, out, | ||
74 | dev_net(in)->ipv6.ip6table_security); | ||
75 | } | ||
76 | |||
77 | static unsigned int | ||
78 | ip6t_forward_hook(unsigned int hook, | ||
79 | struct sk_buff *skb, | ||
80 | const struct net_device *in, | ||
81 | const struct net_device *out, | ||
82 | int (*okfn)(struct sk_buff *)) | ||
83 | { | 42 | { |
84 | return ip6t_do_table(skb, hook, in, out, | 43 | const struct net *net = dev_net((in != NULL) ? in : out); |
85 | dev_net(in)->ipv6.ip6table_security); | ||
86 | } | ||
87 | 44 | ||
88 | static unsigned int | 45 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_security); |
89 | ip6t_local_out_hook(unsigned int hook, | ||
90 | struct sk_buff *skb, | ||
91 | const struct net_device *in, | ||
92 | const struct net_device *out, | ||
93 | int (*okfn)(struct sk_buff *)) | ||
94 | { | ||
95 | /* TBD: handle short packets via raw socket */ | ||
96 | return ip6t_do_table(skb, hook, in, out, | ||
97 | dev_net(out)->ipv6.ip6table_security); | ||
98 | } | 46 | } |
99 | 47 | ||
100 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 48 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
101 | { | ||
102 | .hook = ip6t_local_in_hook, | ||
103 | .owner = THIS_MODULE, | ||
104 | .pf = NFPROTO_IPV6, | ||
105 | .hooknum = NF_INET_LOCAL_IN, | ||
106 | .priority = NF_IP6_PRI_SECURITY, | ||
107 | }, | ||
108 | { | ||
109 | .hook = ip6t_forward_hook, | ||
110 | .owner = THIS_MODULE, | ||
111 | .pf = NFPROTO_IPV6, | ||
112 | .hooknum = NF_INET_FORWARD, | ||
113 | .priority = NF_IP6_PRI_SECURITY, | ||
114 | }, | ||
115 | { | ||
116 | .hook = ip6t_local_out_hook, | ||
117 | .owner = THIS_MODULE, | ||
118 | .pf = NFPROTO_IPV6, | ||
119 | .hooknum = NF_INET_LOCAL_OUT, | ||
120 | .priority = NF_IP6_PRI_SECURITY, | ||
121 | }, | ||
122 | }; | ||
123 | 49 | ||
124 | static int __net_init ip6table_security_net_init(struct net *net) | 50 | static int __net_init ip6table_security_net_init(struct net *net) |
125 | { | 51 | { |
126 | net->ipv6.ip6table_security = | 52 | struct ip6t_replace *repl; |
127 | ip6t_register_table(net, &security_table, &initial_table.repl); | ||
128 | 53 | ||
54 | repl = ip6t_alloc_initial_table(&security_table); | ||
55 | if (repl == NULL) | ||
56 | return -ENOMEM; | ||
57 | net->ipv6.ip6table_security = | ||
58 | ip6t_register_table(net, &security_table, repl); | ||
59 | kfree(repl); | ||
129 | if (IS_ERR(net->ipv6.ip6table_security)) | 60 | if (IS_ERR(net->ipv6.ip6table_security)) |
130 | return PTR_ERR(net->ipv6.ip6table_security); | 61 | return PTR_ERR(net->ipv6.ip6table_security); |
131 | 62 | ||
@@ -134,7 +65,7 @@ static int __net_init ip6table_security_net_init(struct net *net) | |||
134 | 65 | ||
135 | static void __net_exit ip6table_security_net_exit(struct net *net) | 66 | static void __net_exit ip6table_security_net_exit(struct net *net) |
136 | { | 67 | { |
137 | ip6t_unregister_table(net->ipv6.ip6table_security); | 68 | ip6t_unregister_table(net, net->ipv6.ip6table_security); |
138 | } | 69 | } |
139 | 70 | ||
140 | static struct pernet_operations ip6table_security_net_ops = { | 71 | static struct pernet_operations ip6table_security_net_ops = { |
@@ -150,9 +81,11 @@ static int __init ip6table_security_init(void) | |||
150 | if (ret < 0) | 81 | if (ret < 0) |
151 | return ret; | 82 | return ret; |
152 | 83 | ||
153 | ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 84 | sectbl_ops = xt_hook_link(&security_table, ip6table_security_hook); |
154 | if (ret < 0) | 85 | if (IS_ERR(sectbl_ops)) { |
86 | ret = PTR_ERR(sectbl_ops); | ||
155 | goto cleanup_table; | 87 | goto cleanup_table; |
88 | } | ||
156 | 89 | ||
157 | return ret; | 90 | return ret; |
158 | 91 | ||
@@ -163,7 +96,7 @@ cleanup_table: | |||
163 | 96 | ||
164 | static void __exit ip6table_security_fini(void) | 97 | static void __exit ip6table_security_fini(void) |
165 | { | 98 | { |
166 | nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); | 99 | xt_hook_unlink(&security_table, sectbl_ops); |
167 | unregister_pernet_subsys(&ip6table_security_net_ops); | 100 | unregister_pernet_subsys(&ip6table_security_net_ops); |
168 | } | 101 | } |
169 | 102 | ||
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 0956ebabbff2..996c3f41fecd 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | |||
@@ -27,6 +27,7 @@ | |||
27 | #include <net/netfilter/nf_conntrack_l4proto.h> | 27 | #include <net/netfilter/nf_conntrack_l4proto.h> |
28 | #include <net/netfilter/nf_conntrack_l3proto.h> | 28 | #include <net/netfilter/nf_conntrack_l3proto.h> |
29 | #include <net/netfilter/nf_conntrack_core.h> | 29 | #include <net/netfilter/nf_conntrack_core.h> |
30 | #include <net/netfilter/nf_conntrack_zones.h> | ||
30 | #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> | 31 | #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> |
31 | #include <net/netfilter/nf_log.h> | 32 | #include <net/netfilter/nf_log.h> |
32 | 33 | ||
@@ -191,15 +192,20 @@ out: | |||
191 | static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum, | 192 | static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum, |
192 | struct sk_buff *skb) | 193 | struct sk_buff *skb) |
193 | { | 194 | { |
195 | u16 zone = NF_CT_DEFAULT_ZONE; | ||
196 | |||
197 | if (skb->nfct) | ||
198 | zone = nf_ct_zone((struct nf_conn *)skb->nfct); | ||
199 | |||
194 | #ifdef CONFIG_BRIDGE_NETFILTER | 200 | #ifdef CONFIG_BRIDGE_NETFILTER |
195 | if (skb->nf_bridge && | 201 | if (skb->nf_bridge && |
196 | skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING) | 202 | skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING) |
197 | return IP6_DEFRAG_CONNTRACK_BRIDGE_IN; | 203 | return IP6_DEFRAG_CONNTRACK_BRIDGE_IN + zone; |
198 | #endif | 204 | #endif |
199 | if (hooknum == NF_INET_PRE_ROUTING) | 205 | if (hooknum == NF_INET_PRE_ROUTING) |
200 | return IP6_DEFRAG_CONNTRACK_IN; | 206 | return IP6_DEFRAG_CONNTRACK_IN + zone; |
201 | else | 207 | else |
202 | return IP6_DEFRAG_CONNTRACK_OUT; | 208 | return IP6_DEFRAG_CONNTRACK_OUT + zone; |
203 | 209 | ||
204 | } | 210 | } |
205 | 211 | ||
@@ -212,7 +218,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum, | |||
212 | struct sk_buff *reasm; | 218 | struct sk_buff *reasm; |
213 | 219 | ||
214 | /* Previously seen (loopback)? */ | 220 | /* Previously seen (loopback)? */ |
215 | if (skb->nfct) | 221 | if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct)) |
216 | return NF_ACCEPT; | 222 | return NF_ACCEPT; |
217 | 223 | ||
218 | reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); | 224 | reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); |
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index c7b8bd1d7984..9be81776415e 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <net/netfilter/nf_conntrack_tuple.h> | 23 | #include <net/netfilter/nf_conntrack_tuple.h> |
24 | #include <net/netfilter/nf_conntrack_l4proto.h> | 24 | #include <net/netfilter/nf_conntrack_l4proto.h> |
25 | #include <net/netfilter/nf_conntrack_core.h> | 25 | #include <net/netfilter/nf_conntrack_core.h> |
26 | #include <net/netfilter/nf_conntrack_zones.h> | ||
26 | #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h> | 27 | #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h> |
27 | #include <net/netfilter/nf_log.h> | 28 | #include <net/netfilter/nf_log.h> |
28 | 29 | ||
@@ -128,7 +129,7 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
128 | } | 129 | } |
129 | 130 | ||
130 | static int | 131 | static int |
131 | icmpv6_error_message(struct net *net, | 132 | icmpv6_error_message(struct net *net, struct nf_conn *tmpl, |
132 | struct sk_buff *skb, | 133 | struct sk_buff *skb, |
133 | unsigned int icmp6off, | 134 | unsigned int icmp6off, |
134 | enum ip_conntrack_info *ctinfo, | 135 | enum ip_conntrack_info *ctinfo, |
@@ -137,6 +138,7 @@ icmpv6_error_message(struct net *net, | |||
137 | struct nf_conntrack_tuple intuple, origtuple; | 138 | struct nf_conntrack_tuple intuple, origtuple; |
138 | const struct nf_conntrack_tuple_hash *h; | 139 | const struct nf_conntrack_tuple_hash *h; |
139 | const struct nf_conntrack_l4proto *inproto; | 140 | const struct nf_conntrack_l4proto *inproto; |
141 | u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE; | ||
140 | 142 | ||
141 | NF_CT_ASSERT(skb->nfct == NULL); | 143 | NF_CT_ASSERT(skb->nfct == NULL); |
142 | 144 | ||
@@ -163,7 +165,7 @@ icmpv6_error_message(struct net *net, | |||
163 | 165 | ||
164 | *ctinfo = IP_CT_RELATED; | 166 | *ctinfo = IP_CT_RELATED; |
165 | 167 | ||
166 | h = nf_conntrack_find_get(net, &intuple); | 168 | h = nf_conntrack_find_get(net, zone, &intuple); |
167 | if (!h) { | 169 | if (!h) { |
168 | pr_debug("icmpv6_error: no match\n"); | 170 | pr_debug("icmpv6_error: no match\n"); |
169 | return -NF_ACCEPT; | 171 | return -NF_ACCEPT; |
@@ -179,7 +181,8 @@ icmpv6_error_message(struct net *net, | |||
179 | } | 181 | } |
180 | 182 | ||
181 | static int | 183 | static int |
182 | icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | 184 | icmpv6_error(struct net *net, struct nf_conn *tmpl, |
185 | struct sk_buff *skb, unsigned int dataoff, | ||
183 | enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum) | 186 | enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum) |
184 | { | 187 | { |
185 | const struct icmp6hdr *icmp6h; | 188 | const struct icmp6hdr *icmp6h; |
@@ -215,7 +218,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
215 | if (icmp6h->icmp6_type >= 128) | 218 | if (icmp6h->icmp6_type >= 128) |
216 | return NF_ACCEPT; | 219 | return NF_ACCEPT; |
217 | 220 | ||
218 | return icmpv6_error_message(net, skb, dataoff, ctinfo, hooknum); | 221 | return icmpv6_error_message(net, tmpl, skb, dataoff, ctinfo, hooknum); |
219 | } | 222 | } |
220 | 223 | ||
221 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 224 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 624a54832a7c..ad1fcda6898b 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c | |||
@@ -45,9 +45,6 @@ | |||
45 | #include <linux/kernel.h> | 45 | #include <linux/kernel.h> |
46 | #include <linux/module.h> | 46 | #include <linux/module.h> |
47 | 47 | ||
48 | #define NF_CT_FRAG6_HIGH_THRESH 262144 /* == 256*1024 */ | ||
49 | #define NF_CT_FRAG6_LOW_THRESH 196608 /* == 192*1024 */ | ||
50 | #define NF_CT_FRAG6_TIMEOUT IPV6_FRAG_TIMEOUT | ||
51 | 48 | ||
52 | struct nf_ct_frag6_skb_cb | 49 | struct nf_ct_frag6_skb_cb |
53 | { | 50 | { |
@@ -670,8 +667,8 @@ int nf_ct_frag6_init(void) | |||
670 | nf_frags.frag_expire = nf_ct_frag6_expire; | 667 | nf_frags.frag_expire = nf_ct_frag6_expire; |
671 | nf_frags.secret_interval = 10 * 60 * HZ; | 668 | nf_frags.secret_interval = 10 * 60 * HZ; |
672 | nf_init_frags.timeout = IPV6_FRAG_TIMEOUT; | 669 | nf_init_frags.timeout = IPV6_FRAG_TIMEOUT; |
673 | nf_init_frags.high_thresh = 256 * 1024; | 670 | nf_init_frags.high_thresh = IPV6_FRAG_HIGH_THRESH; |
674 | nf_init_frags.low_thresh = 192 * 1024; | 671 | nf_init_frags.low_thresh = IPV6_FRAG_LOW_THRESH; |
675 | inet_frags_init_net(&nf_init_frags); | 672 | inet_frags_init_net(&nf_init_frags); |
676 | inet_frags_init(&nf_frags); | 673 | inet_frags_init(&nf_frags); |
677 | 674 | ||
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c index fe27eb4264d6..b2847ed6a7d9 100644 --- a/net/ipv6/reassembly.c +++ b/net/ipv6/reassembly.c | |||
@@ -742,8 +742,8 @@ static inline void ip6_frags_sysctl_unregister(void) | |||
742 | 742 | ||
743 | static int __net_init ipv6_frags_init_net(struct net *net) | 743 | static int __net_init ipv6_frags_init_net(struct net *net) |
744 | { | 744 | { |
745 | net->ipv6.frags.high_thresh = 256 * 1024; | 745 | net->ipv6.frags.high_thresh = IPV6_FRAG_HIGH_THRESH; |
746 | net->ipv6.frags.low_thresh = 192 * 1024; | 746 | net->ipv6.frags.low_thresh = IPV6_FRAG_LOW_THRESH; |
747 | net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT; | 747 | net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT; |
748 | 748 | ||
749 | inet_frags_init_net(&net->ipv6.frags); | 749 | inet_frags_init_net(&net->ipv6.frags); |
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 634d14affc8d..18d77b5c351a 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig | |||
@@ -83,6 +83,19 @@ config NF_CONNTRACK_SECMARK | |||
83 | 83 | ||
84 | If unsure, say 'N'. | 84 | If unsure, say 'N'. |
85 | 85 | ||
86 | config NF_CONNTRACK_ZONES | ||
87 | bool 'Connection tracking zones' | ||
88 | depends on NETFILTER_ADVANCED | ||
89 | depends on NETFILTER_XT_TARGET_CT | ||
90 | help | ||
91 | This option enables support for connection tracking zones. | ||
92 | Normally, each connection needs to have a unique system wide | ||
93 | identity. Connection tracking zones allow to have multiple | ||
94 | connections using the same identity, as long as they are | ||
95 | contained in different zones. | ||
96 | |||
97 | If unsure, say `N'. | ||
98 | |||
86 | config NF_CONNTRACK_EVENTS | 99 | config NF_CONNTRACK_EVENTS |
87 | bool "Connection tracking events" | 100 | bool "Connection tracking events" |
88 | depends on NETFILTER_ADVANCED | 101 | depends on NETFILTER_ADVANCED |
@@ -341,6 +354,18 @@ config NETFILTER_XT_TARGET_CONNSECMARK | |||
341 | 354 | ||
342 | To compile it as a module, choose M here. If unsure, say N. | 355 | To compile it as a module, choose M here. If unsure, say N. |
343 | 356 | ||
357 | config NETFILTER_XT_TARGET_CT | ||
358 | tristate '"CT" target support' | ||
359 | depends on NF_CONNTRACK | ||
360 | depends on IP_NF_RAW || IP6_NF_RAW | ||
361 | depends on NETFILTER_ADVANCED | ||
362 | help | ||
363 | This options adds a `CT' target, which allows to specify initial | ||
364 | connection tracking parameters like events to be delivered and | ||
365 | the helper to be used. | ||
366 | |||
367 | To compile it as a module, choose M here. If unsure, say N. | ||
368 | |||
344 | config NETFILTER_XT_TARGET_DSCP | 369 | config NETFILTER_XT_TARGET_DSCP |
345 | tristate '"DSCP" and "TOS" target support' | 370 | tristate '"DSCP" and "TOS" target support' |
346 | depends on IP_NF_MANGLE || IP6_NF_MANGLE | 371 | depends on IP_NF_MANGLE || IP6_NF_MANGLE |
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 49f62ee4e9ff..f873644f02f6 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile | |||
@@ -44,6 +44,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o | |||
44 | obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o | 44 | obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o |
45 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o | 45 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o |
46 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o | 46 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o |
47 | obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o | ||
47 | obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o | 48 | obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o |
48 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o | 49 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o |
49 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o | 50 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o |
diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig index f2d76238b9b5..817a8898203b 100644 --- a/net/netfilter/ipvs/Kconfig +++ b/net/netfilter/ipvs/Kconfig | |||
@@ -68,6 +68,10 @@ config IP_VS_TAB_BITS | |||
68 | each hash entry uses 8 bytes, so you can estimate how much memory is | 68 | each hash entry uses 8 bytes, so you can estimate how much memory is |
69 | needed for your box. | 69 | needed for your box. |
70 | 70 | ||
71 | You can overwrite this number setting conn_tab_bits module parameter | ||
72 | or by appending ip_vs.conn_tab_bits=? to the kernel command line | ||
73 | if IP VS was compiled built-in. | ||
74 | |||
71 | comment "IPVS transport protocol load balancing support" | 75 | comment "IPVS transport protocol load balancing support" |
72 | 76 | ||
73 | config IP_VS_PROTO_TCP | 77 | config IP_VS_PROTO_TCP |
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 27c30cf933da..60bb41a8d8d4 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c | |||
@@ -40,6 +40,21 @@ | |||
40 | #include <net/ip_vs.h> | 40 | #include <net/ip_vs.h> |
41 | 41 | ||
42 | 42 | ||
43 | #ifndef CONFIG_IP_VS_TAB_BITS | ||
44 | #define CONFIG_IP_VS_TAB_BITS 12 | ||
45 | #endif | ||
46 | |||
47 | /* | ||
48 | * Connection hash size. Default is what was selected at compile time. | ||
49 | */ | ||
50 | int ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS; | ||
51 | module_param_named(conn_tab_bits, ip_vs_conn_tab_bits, int, 0444); | ||
52 | MODULE_PARM_DESC(conn_tab_bits, "Set connections' hash size"); | ||
53 | |||
54 | /* size and mask values */ | ||
55 | int ip_vs_conn_tab_size; | ||
56 | int ip_vs_conn_tab_mask; | ||
57 | |||
43 | /* | 58 | /* |
44 | * Connection hash table: for input and output packets lookups of IPVS | 59 | * Connection hash table: for input and output packets lookups of IPVS |
45 | */ | 60 | */ |
@@ -125,11 +140,11 @@ static unsigned int ip_vs_conn_hashkey(int af, unsigned proto, | |||
125 | if (af == AF_INET6) | 140 | if (af == AF_INET6) |
126 | return jhash_3words(jhash(addr, 16, ip_vs_conn_rnd), | 141 | return jhash_3words(jhash(addr, 16, ip_vs_conn_rnd), |
127 | (__force u32)port, proto, ip_vs_conn_rnd) | 142 | (__force u32)port, proto, ip_vs_conn_rnd) |
128 | & IP_VS_CONN_TAB_MASK; | 143 | & ip_vs_conn_tab_mask; |
129 | #endif | 144 | #endif |
130 | return jhash_3words((__force u32)addr->ip, (__force u32)port, proto, | 145 | return jhash_3words((__force u32)addr->ip, (__force u32)port, proto, |
131 | ip_vs_conn_rnd) | 146 | ip_vs_conn_rnd) |
132 | & IP_VS_CONN_TAB_MASK; | 147 | & ip_vs_conn_tab_mask; |
133 | } | 148 | } |
134 | 149 | ||
135 | 150 | ||
@@ -760,7 +775,7 @@ static void *ip_vs_conn_array(struct seq_file *seq, loff_t pos) | |||
760 | int idx; | 775 | int idx; |
761 | struct ip_vs_conn *cp; | 776 | struct ip_vs_conn *cp; |
762 | 777 | ||
763 | for(idx = 0; idx < IP_VS_CONN_TAB_SIZE; idx++) { | 778 | for (idx = 0; idx < ip_vs_conn_tab_size; idx++) { |
764 | ct_read_lock_bh(idx); | 779 | ct_read_lock_bh(idx); |
765 | list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { | 780 | list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { |
766 | if (pos-- == 0) { | 781 | if (pos-- == 0) { |
@@ -797,7 +812,7 @@ static void *ip_vs_conn_seq_next(struct seq_file *seq, void *v, loff_t *pos) | |||
797 | idx = l - ip_vs_conn_tab; | 812 | idx = l - ip_vs_conn_tab; |
798 | ct_read_unlock_bh(idx); | 813 | ct_read_unlock_bh(idx); |
799 | 814 | ||
800 | while (++idx < IP_VS_CONN_TAB_SIZE) { | 815 | while (++idx < ip_vs_conn_tab_size) { |
801 | ct_read_lock_bh(idx); | 816 | ct_read_lock_bh(idx); |
802 | list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { | 817 | list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { |
803 | seq->private = &ip_vs_conn_tab[idx]; | 818 | seq->private = &ip_vs_conn_tab[idx]; |
@@ -976,8 +991,8 @@ void ip_vs_random_dropentry(void) | |||
976 | /* | 991 | /* |
977 | * Randomly scan 1/32 of the whole table every second | 992 | * Randomly scan 1/32 of the whole table every second |
978 | */ | 993 | */ |
979 | for (idx = 0; idx < (IP_VS_CONN_TAB_SIZE>>5); idx++) { | 994 | for (idx = 0; idx < (ip_vs_conn_tab_size>>5); idx++) { |
980 | unsigned hash = net_random() & IP_VS_CONN_TAB_MASK; | 995 | unsigned hash = net_random() & ip_vs_conn_tab_mask; |
981 | 996 | ||
982 | /* | 997 | /* |
983 | * Lock is actually needed in this loop. | 998 | * Lock is actually needed in this loop. |
@@ -1029,7 +1044,7 @@ static void ip_vs_conn_flush(void) | |||
1029 | struct ip_vs_conn *cp; | 1044 | struct ip_vs_conn *cp; |
1030 | 1045 | ||
1031 | flush_again: | 1046 | flush_again: |
1032 | for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) { | 1047 | for (idx = 0; idx < ip_vs_conn_tab_size; idx++) { |
1033 | /* | 1048 | /* |
1034 | * Lock is actually needed in this loop. | 1049 | * Lock is actually needed in this loop. |
1035 | */ | 1050 | */ |
@@ -1060,10 +1075,15 @@ int __init ip_vs_conn_init(void) | |||
1060 | { | 1075 | { |
1061 | int idx; | 1076 | int idx; |
1062 | 1077 | ||
1078 | /* Compute size and mask */ | ||
1079 | ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits; | ||
1080 | ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1; | ||
1081 | |||
1063 | /* | 1082 | /* |
1064 | * Allocate the connection hash table and initialize its list heads | 1083 | * Allocate the connection hash table and initialize its list heads |
1065 | */ | 1084 | */ |
1066 | ip_vs_conn_tab = vmalloc(IP_VS_CONN_TAB_SIZE*sizeof(struct list_head)); | 1085 | ip_vs_conn_tab = vmalloc(ip_vs_conn_tab_size * |
1086 | sizeof(struct list_head)); | ||
1067 | if (!ip_vs_conn_tab) | 1087 | if (!ip_vs_conn_tab) |
1068 | return -ENOMEM; | 1088 | return -ENOMEM; |
1069 | 1089 | ||
@@ -1078,12 +1098,12 @@ int __init ip_vs_conn_init(void) | |||
1078 | 1098 | ||
1079 | pr_info("Connection hash table configured " | 1099 | pr_info("Connection hash table configured " |
1080 | "(size=%d, memory=%ldKbytes)\n", | 1100 | "(size=%d, memory=%ldKbytes)\n", |
1081 | IP_VS_CONN_TAB_SIZE, | 1101 | ip_vs_conn_tab_size, |
1082 | (long)(IP_VS_CONN_TAB_SIZE*sizeof(struct list_head))/1024); | 1102 | (long)(ip_vs_conn_tab_size*sizeof(struct list_head))/1024); |
1083 | IP_VS_DBG(0, "Each connection entry needs %Zd bytes at least\n", | 1103 | IP_VS_DBG(0, "Each connection entry needs %Zd bytes at least\n", |
1084 | sizeof(struct ip_vs_conn)); | 1104 | sizeof(struct ip_vs_conn)); |
1085 | 1105 | ||
1086 | for (idx = 0; idx < IP_VS_CONN_TAB_SIZE; idx++) { | 1106 | for (idx = 0; idx < ip_vs_conn_tab_size; idx++) { |
1087 | INIT_LIST_HEAD(&ip_vs_conn_tab[idx]); | 1107 | INIT_LIST_HEAD(&ip_vs_conn_tab[idx]); |
1088 | } | 1108 | } |
1089 | 1109 | ||
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index c37ac2d7bec4..00d0b152db39 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c | |||
@@ -1843,7 +1843,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v) | |||
1843 | if (v == SEQ_START_TOKEN) { | 1843 | if (v == SEQ_START_TOKEN) { |
1844 | seq_printf(seq, | 1844 | seq_printf(seq, |
1845 | "IP Virtual Server version %d.%d.%d (size=%d)\n", | 1845 | "IP Virtual Server version %d.%d.%d (size=%d)\n", |
1846 | NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE); | 1846 | NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size); |
1847 | seq_puts(seq, | 1847 | seq_puts(seq, |
1848 | "Prot LocalAddress:Port Scheduler Flags\n"); | 1848 | "Prot LocalAddress:Port Scheduler Flags\n"); |
1849 | seq_puts(seq, | 1849 | seq_puts(seq, |
@@ -2386,7 +2386,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
2386 | char buf[64]; | 2386 | char buf[64]; |
2387 | 2387 | ||
2388 | sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)", | 2388 | sprintf(buf, "IP Virtual Server version %d.%d.%d (size=%d)", |
2389 | NVERSION(IP_VS_VERSION_CODE), IP_VS_CONN_TAB_SIZE); | 2389 | NVERSION(IP_VS_VERSION_CODE), ip_vs_conn_tab_size); |
2390 | if (copy_to_user(user, buf, strlen(buf)+1) != 0) { | 2390 | if (copy_to_user(user, buf, strlen(buf)+1) != 0) { |
2391 | ret = -EFAULT; | 2391 | ret = -EFAULT; |
2392 | goto out; | 2392 | goto out; |
@@ -2399,7 +2399,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
2399 | { | 2399 | { |
2400 | struct ip_vs_getinfo info; | 2400 | struct ip_vs_getinfo info; |
2401 | info.version = IP_VS_VERSION_CODE; | 2401 | info.version = IP_VS_VERSION_CODE; |
2402 | info.size = IP_VS_CONN_TAB_SIZE; | 2402 | info.size = ip_vs_conn_tab_size; |
2403 | info.num_services = ip_vs_num_services; | 2403 | info.num_services = ip_vs_num_services; |
2404 | if (copy_to_user(user, &info, sizeof(info)) != 0) | 2404 | if (copy_to_user(user, &info, sizeof(info)) != 0) |
2405 | ret = -EFAULT; | 2405 | ret = -EFAULT; |
@@ -3243,7 +3243,7 @@ static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info) | |||
3243 | case IPVS_CMD_GET_INFO: | 3243 | case IPVS_CMD_GET_INFO: |
3244 | NLA_PUT_U32(msg, IPVS_INFO_ATTR_VERSION, IP_VS_VERSION_CODE); | 3244 | NLA_PUT_U32(msg, IPVS_INFO_ATTR_VERSION, IP_VS_VERSION_CODE); |
3245 | NLA_PUT_U32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE, | 3245 | NLA_PUT_U32(msg, IPVS_INFO_ATTR_CONN_TAB_SIZE, |
3246 | IP_VS_CONN_TAB_SIZE); | 3246 | ip_vs_conn_tab_size); |
3247 | break; | 3247 | break; |
3248 | } | 3248 | } |
3249 | 3249 | ||
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c index 33e2c799cba7..73f38ea98f25 100644 --- a/net/netfilter/ipvs/ip_vs_ftp.c +++ b/net/netfilter/ipvs/ip_vs_ftp.c | |||
@@ -208,7 +208,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, | |||
208 | */ | 208 | */ |
209 | from.ip = n_cp->vaddr.ip; | 209 | from.ip = n_cp->vaddr.ip; |
210 | port = n_cp->vport; | 210 | port = n_cp->vport; |
211 | sprintf(buf, "%d,%d,%d,%d,%d,%d", NIPQUAD(from.ip), | 211 | sprintf(buf, "%u,%u,%u,%u,%u,%u", NIPQUAD(from.ip), |
212 | (ntohs(port)>>8)&255, ntohs(port)&255); | 212 | (ntohs(port)>>8)&255, ntohs(port)&255); |
213 | buf_len = strlen(buf); | 213 | buf_len = strlen(buf); |
214 | 214 | ||
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 4d79e3c1616c..0c9bbe93cc16 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -42,6 +42,7 @@ | |||
42 | #include <net/netfilter/nf_conntrack_extend.h> | 42 | #include <net/netfilter/nf_conntrack_extend.h> |
43 | #include <net/netfilter/nf_conntrack_acct.h> | 43 | #include <net/netfilter/nf_conntrack_acct.h> |
44 | #include <net/netfilter/nf_conntrack_ecache.h> | 44 | #include <net/netfilter/nf_conntrack_ecache.h> |
45 | #include <net/netfilter/nf_conntrack_zones.h> | ||
45 | #include <net/netfilter/nf_nat.h> | 46 | #include <net/netfilter/nf_nat.h> |
46 | #include <net/netfilter/nf_nat_core.h> | 47 | #include <net/netfilter/nf_nat_core.h> |
47 | 48 | ||
@@ -68,7 +69,7 @@ static int nf_conntrack_hash_rnd_initted; | |||
68 | static unsigned int nf_conntrack_hash_rnd; | 69 | static unsigned int nf_conntrack_hash_rnd; |
69 | 70 | ||
70 | static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple, | 71 | static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple, |
71 | unsigned int size, unsigned int rnd) | 72 | u16 zone, unsigned int size, unsigned int rnd) |
72 | { | 73 | { |
73 | unsigned int n; | 74 | unsigned int n; |
74 | u_int32_t h; | 75 | u_int32_t h; |
@@ -79,16 +80,16 @@ static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple, | |||
79 | */ | 80 | */ |
80 | n = (sizeof(tuple->src) + sizeof(tuple->dst.u3)) / sizeof(u32); | 81 | n = (sizeof(tuple->src) + sizeof(tuple->dst.u3)) / sizeof(u32); |
81 | h = jhash2((u32 *)tuple, n, | 82 | h = jhash2((u32 *)tuple, n, |
82 | rnd ^ (((__force __u16)tuple->dst.u.all << 16) | | 83 | zone ^ rnd ^ (((__force __u16)tuple->dst.u.all << 16) | |
83 | tuple->dst.protonum)); | 84 | tuple->dst.protonum)); |
84 | 85 | ||
85 | return ((u64)h * size) >> 32; | 86 | return ((u64)h * size) >> 32; |
86 | } | 87 | } |
87 | 88 | ||
88 | static inline u_int32_t hash_conntrack(const struct net *net, | 89 | static inline u_int32_t hash_conntrack(const struct net *net, u16 zone, |
89 | const struct nf_conntrack_tuple *tuple) | 90 | const struct nf_conntrack_tuple *tuple) |
90 | { | 91 | { |
91 | return __hash_conntrack(tuple, net->ct.htable_size, | 92 | return __hash_conntrack(tuple, zone, net->ct.htable_size, |
92 | nf_conntrack_hash_rnd); | 93 | nf_conntrack_hash_rnd); |
93 | } | 94 | } |
94 | 95 | ||
@@ -292,11 +293,12 @@ static void death_by_timeout(unsigned long ul_conntrack) | |||
292 | * - Caller must lock nf_conntrack_lock before calling this function | 293 | * - Caller must lock nf_conntrack_lock before calling this function |
293 | */ | 294 | */ |
294 | struct nf_conntrack_tuple_hash * | 295 | struct nf_conntrack_tuple_hash * |
295 | __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple) | 296 | __nf_conntrack_find(struct net *net, u16 zone, |
297 | const struct nf_conntrack_tuple *tuple) | ||
296 | { | 298 | { |
297 | struct nf_conntrack_tuple_hash *h; | 299 | struct nf_conntrack_tuple_hash *h; |
298 | struct hlist_nulls_node *n; | 300 | struct hlist_nulls_node *n; |
299 | unsigned int hash = hash_conntrack(net, tuple); | 301 | unsigned int hash = hash_conntrack(net, zone, tuple); |
300 | 302 | ||
301 | /* Disable BHs the entire time since we normally need to disable them | 303 | /* Disable BHs the entire time since we normally need to disable them |
302 | * at least once for the stats anyway. | 304 | * at least once for the stats anyway. |
@@ -304,7 +306,8 @@ __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple) | |||
304 | local_bh_disable(); | 306 | local_bh_disable(); |
305 | begin: | 307 | begin: |
306 | hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { | 308 | hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { |
307 | if (nf_ct_tuple_equal(tuple, &h->tuple)) { | 309 | if (nf_ct_tuple_equal(tuple, &h->tuple) && |
310 | nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) { | ||
308 | NF_CT_STAT_INC(net, found); | 311 | NF_CT_STAT_INC(net, found); |
309 | local_bh_enable(); | 312 | local_bh_enable(); |
310 | return h; | 313 | return h; |
@@ -326,21 +329,23 @@ EXPORT_SYMBOL_GPL(__nf_conntrack_find); | |||
326 | 329 | ||
327 | /* Find a connection corresponding to a tuple. */ | 330 | /* Find a connection corresponding to a tuple. */ |
328 | struct nf_conntrack_tuple_hash * | 331 | struct nf_conntrack_tuple_hash * |
329 | nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple) | 332 | nf_conntrack_find_get(struct net *net, u16 zone, |
333 | const struct nf_conntrack_tuple *tuple) | ||
330 | { | 334 | { |
331 | struct nf_conntrack_tuple_hash *h; | 335 | struct nf_conntrack_tuple_hash *h; |
332 | struct nf_conn *ct; | 336 | struct nf_conn *ct; |
333 | 337 | ||
334 | rcu_read_lock(); | 338 | rcu_read_lock(); |
335 | begin: | 339 | begin: |
336 | h = __nf_conntrack_find(net, tuple); | 340 | h = __nf_conntrack_find(net, zone, tuple); |
337 | if (h) { | 341 | if (h) { |
338 | ct = nf_ct_tuplehash_to_ctrack(h); | 342 | ct = nf_ct_tuplehash_to_ctrack(h); |
339 | if (unlikely(nf_ct_is_dying(ct) || | 343 | if (unlikely(nf_ct_is_dying(ct) || |
340 | !atomic_inc_not_zero(&ct->ct_general.use))) | 344 | !atomic_inc_not_zero(&ct->ct_general.use))) |
341 | h = NULL; | 345 | h = NULL; |
342 | else { | 346 | else { |
343 | if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple))) { | 347 | if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple) || |
348 | nf_ct_zone(ct) != zone)) { | ||
344 | nf_ct_put(ct); | 349 | nf_ct_put(ct); |
345 | goto begin; | 350 | goto begin; |
346 | } | 351 | } |
@@ -368,9 +373,11 @@ void nf_conntrack_hash_insert(struct nf_conn *ct) | |||
368 | { | 373 | { |
369 | struct net *net = nf_ct_net(ct); | 374 | struct net *net = nf_ct_net(ct); |
370 | unsigned int hash, repl_hash; | 375 | unsigned int hash, repl_hash; |
376 | u16 zone; | ||
371 | 377 | ||
372 | hash = hash_conntrack(net, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | 378 | zone = nf_ct_zone(ct); |
373 | repl_hash = hash_conntrack(net, &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 379 | hash = hash_conntrack(net, zone, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); |
380 | repl_hash = hash_conntrack(net, zone, &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
374 | 381 | ||
375 | __nf_conntrack_hash_insert(ct, hash, repl_hash); | 382 | __nf_conntrack_hash_insert(ct, hash, repl_hash); |
376 | } | 383 | } |
@@ -387,6 +394,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) | |||
387 | struct hlist_nulls_node *n; | 394 | struct hlist_nulls_node *n; |
388 | enum ip_conntrack_info ctinfo; | 395 | enum ip_conntrack_info ctinfo; |
389 | struct net *net; | 396 | struct net *net; |
397 | u16 zone; | ||
390 | 398 | ||
391 | ct = nf_ct_get(skb, &ctinfo); | 399 | ct = nf_ct_get(skb, &ctinfo); |
392 | net = nf_ct_net(ct); | 400 | net = nf_ct_net(ct); |
@@ -398,8 +406,9 @@ __nf_conntrack_confirm(struct sk_buff *skb) | |||
398 | if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) | 406 | if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) |
399 | return NF_ACCEPT; | 407 | return NF_ACCEPT; |
400 | 408 | ||
401 | hash = hash_conntrack(net, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | 409 | zone = nf_ct_zone(ct); |
402 | repl_hash = hash_conntrack(net, &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 410 | hash = hash_conntrack(net, zone, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); |
411 | repl_hash = hash_conntrack(net, zone, &ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
403 | 412 | ||
404 | /* We're not in hash table, and we refuse to set up related | 413 | /* We're not in hash table, and we refuse to set up related |
405 | connections for unconfirmed conns. But packet copies and | 414 | connections for unconfirmed conns. But packet copies and |
@@ -418,11 +427,13 @@ __nf_conntrack_confirm(struct sk_buff *skb) | |||
418 | not in the hash. If there is, we lost race. */ | 427 | not in the hash. If there is, we lost race. */ |
419 | hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode) | 428 | hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode) |
420 | if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, | 429 | if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, |
421 | &h->tuple)) | 430 | &h->tuple) && |
431 | zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h))) | ||
422 | goto out; | 432 | goto out; |
423 | hlist_nulls_for_each_entry(h, n, &net->ct.hash[repl_hash], hnnode) | 433 | hlist_nulls_for_each_entry(h, n, &net->ct.hash[repl_hash], hnnode) |
424 | if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, | 434 | if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, |
425 | &h->tuple)) | 435 | &h->tuple) && |
436 | zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h))) | ||
426 | goto out; | 437 | goto out; |
427 | 438 | ||
428 | /* Remove from unconfirmed list */ | 439 | /* Remove from unconfirmed list */ |
@@ -469,15 +480,19 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, | |||
469 | struct net *net = nf_ct_net(ignored_conntrack); | 480 | struct net *net = nf_ct_net(ignored_conntrack); |
470 | struct nf_conntrack_tuple_hash *h; | 481 | struct nf_conntrack_tuple_hash *h; |
471 | struct hlist_nulls_node *n; | 482 | struct hlist_nulls_node *n; |
472 | unsigned int hash = hash_conntrack(net, tuple); | 483 | struct nf_conn *ct; |
484 | u16 zone = nf_ct_zone(ignored_conntrack); | ||
485 | unsigned int hash = hash_conntrack(net, zone, tuple); | ||
473 | 486 | ||
474 | /* Disable BHs the entire time since we need to disable them at | 487 | /* Disable BHs the entire time since we need to disable them at |
475 | * least once for the stats anyway. | 488 | * least once for the stats anyway. |
476 | */ | 489 | */ |
477 | rcu_read_lock_bh(); | 490 | rcu_read_lock_bh(); |
478 | hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { | 491 | hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { |
479 | if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack && | 492 | ct = nf_ct_tuplehash_to_ctrack(h); |
480 | nf_ct_tuple_equal(tuple, &h->tuple)) { | 493 | if (ct != ignored_conntrack && |
494 | nf_ct_tuple_equal(tuple, &h->tuple) && | ||
495 | nf_ct_zone(ct) == zone) { | ||
481 | NF_CT_STAT_INC(net, found); | 496 | NF_CT_STAT_INC(net, found); |
482 | rcu_read_unlock_bh(); | 497 | rcu_read_unlock_bh(); |
483 | return 1; | 498 | return 1; |
@@ -540,7 +555,7 @@ static noinline int early_drop(struct net *net, unsigned int hash) | |||
540 | return dropped; | 555 | return dropped; |
541 | } | 556 | } |
542 | 557 | ||
543 | struct nf_conn *nf_conntrack_alloc(struct net *net, | 558 | struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone, |
544 | const struct nf_conntrack_tuple *orig, | 559 | const struct nf_conntrack_tuple *orig, |
545 | const struct nf_conntrack_tuple *repl, | 560 | const struct nf_conntrack_tuple *repl, |
546 | gfp_t gfp) | 561 | gfp_t gfp) |
@@ -558,7 +573,7 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, | |||
558 | 573 | ||
559 | if (nf_conntrack_max && | 574 | if (nf_conntrack_max && |
560 | unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) { | 575 | unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) { |
561 | unsigned int hash = hash_conntrack(net, orig); | 576 | unsigned int hash = hash_conntrack(net, zone, orig); |
562 | if (!early_drop(net, hash)) { | 577 | if (!early_drop(net, hash)) { |
563 | atomic_dec(&net->ct.count); | 578 | atomic_dec(&net->ct.count); |
564 | if (net_ratelimit()) | 579 | if (net_ratelimit()) |
@@ -595,13 +610,28 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, | |||
595 | #ifdef CONFIG_NET_NS | 610 | #ifdef CONFIG_NET_NS |
596 | ct->ct_net = net; | 611 | ct->ct_net = net; |
597 | #endif | 612 | #endif |
598 | 613 | #ifdef CONFIG_NF_CONNTRACK_ZONES | |
614 | if (zone) { | ||
615 | struct nf_conntrack_zone *nf_ct_zone; | ||
616 | |||
617 | nf_ct_zone = nf_ct_ext_add(ct, NF_CT_EXT_ZONE, GFP_ATOMIC); | ||
618 | if (!nf_ct_zone) | ||
619 | goto out_free; | ||
620 | nf_ct_zone->id = zone; | ||
621 | } | ||
622 | #endif | ||
599 | /* | 623 | /* |
600 | * changes to lookup keys must be done before setting refcnt to 1 | 624 | * changes to lookup keys must be done before setting refcnt to 1 |
601 | */ | 625 | */ |
602 | smp_wmb(); | 626 | smp_wmb(); |
603 | atomic_set(&ct->ct_general.use, 1); | 627 | atomic_set(&ct->ct_general.use, 1); |
604 | return ct; | 628 | return ct; |
629 | |||
630 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
631 | out_free: | ||
632 | kmem_cache_free(net->ct.nf_conntrack_cachep, ct); | ||
633 | return ERR_PTR(-ENOMEM); | ||
634 | #endif | ||
605 | } | 635 | } |
606 | EXPORT_SYMBOL_GPL(nf_conntrack_alloc); | 636 | EXPORT_SYMBOL_GPL(nf_conntrack_alloc); |
607 | 637 | ||
@@ -619,7 +649,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_free); | |||
619 | /* Allocate a new conntrack: we return -ENOMEM if classification | 649 | /* Allocate a new conntrack: we return -ENOMEM if classification |
620 | failed due to stress. Otherwise it really is unclassifiable. */ | 650 | failed due to stress. Otherwise it really is unclassifiable. */ |
621 | static struct nf_conntrack_tuple_hash * | 651 | static struct nf_conntrack_tuple_hash * |
622 | init_conntrack(struct net *net, | 652 | init_conntrack(struct net *net, struct nf_conn *tmpl, |
623 | const struct nf_conntrack_tuple *tuple, | 653 | const struct nf_conntrack_tuple *tuple, |
624 | struct nf_conntrack_l3proto *l3proto, | 654 | struct nf_conntrack_l3proto *l3proto, |
625 | struct nf_conntrack_l4proto *l4proto, | 655 | struct nf_conntrack_l4proto *l4proto, |
@@ -629,14 +659,16 @@ init_conntrack(struct net *net, | |||
629 | struct nf_conn *ct; | 659 | struct nf_conn *ct; |
630 | struct nf_conn_help *help; | 660 | struct nf_conn_help *help; |
631 | struct nf_conntrack_tuple repl_tuple; | 661 | struct nf_conntrack_tuple repl_tuple; |
662 | struct nf_conntrack_ecache *ecache; | ||
632 | struct nf_conntrack_expect *exp; | 663 | struct nf_conntrack_expect *exp; |
664 | u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE; | ||
633 | 665 | ||
634 | if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, l4proto)) { | 666 | if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, l4proto)) { |
635 | pr_debug("Can't invert tuple.\n"); | 667 | pr_debug("Can't invert tuple.\n"); |
636 | return NULL; | 668 | return NULL; |
637 | } | 669 | } |
638 | 670 | ||
639 | ct = nf_conntrack_alloc(net, tuple, &repl_tuple, GFP_ATOMIC); | 671 | ct = nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC); |
640 | if (IS_ERR(ct)) { | 672 | if (IS_ERR(ct)) { |
641 | pr_debug("Can't allocate conntrack.\n"); | 673 | pr_debug("Can't allocate conntrack.\n"); |
642 | return (struct nf_conntrack_tuple_hash *)ct; | 674 | return (struct nf_conntrack_tuple_hash *)ct; |
@@ -649,10 +681,14 @@ init_conntrack(struct net *net, | |||
649 | } | 681 | } |
650 | 682 | ||
651 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); | 683 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); |
652 | nf_ct_ecache_ext_add(ct, GFP_ATOMIC); | 684 | |
685 | ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL; | ||
686 | nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0, | ||
687 | ecache ? ecache->expmask : 0, | ||
688 | GFP_ATOMIC); | ||
653 | 689 | ||
654 | spin_lock_bh(&nf_conntrack_lock); | 690 | spin_lock_bh(&nf_conntrack_lock); |
655 | exp = nf_ct_find_expectation(net, tuple); | 691 | exp = nf_ct_find_expectation(net, zone, tuple); |
656 | if (exp) { | 692 | if (exp) { |
657 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", | 693 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", |
658 | ct, exp); | 694 | ct, exp); |
@@ -674,7 +710,7 @@ init_conntrack(struct net *net, | |||
674 | nf_conntrack_get(&ct->master->ct_general); | 710 | nf_conntrack_get(&ct->master->ct_general); |
675 | NF_CT_STAT_INC(net, expect_new); | 711 | NF_CT_STAT_INC(net, expect_new); |
676 | } else { | 712 | } else { |
677 | __nf_ct_try_assign_helper(ct, GFP_ATOMIC); | 713 | __nf_ct_try_assign_helper(ct, tmpl, GFP_ATOMIC); |
678 | NF_CT_STAT_INC(net, new); | 714 | NF_CT_STAT_INC(net, new); |
679 | } | 715 | } |
680 | 716 | ||
@@ -695,7 +731,7 @@ init_conntrack(struct net *net, | |||
695 | 731 | ||
696 | /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ | 732 | /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ |
697 | static inline struct nf_conn * | 733 | static inline struct nf_conn * |
698 | resolve_normal_ct(struct net *net, | 734 | resolve_normal_ct(struct net *net, struct nf_conn *tmpl, |
699 | struct sk_buff *skb, | 735 | struct sk_buff *skb, |
700 | unsigned int dataoff, | 736 | unsigned int dataoff, |
701 | u_int16_t l3num, | 737 | u_int16_t l3num, |
@@ -708,6 +744,7 @@ resolve_normal_ct(struct net *net, | |||
708 | struct nf_conntrack_tuple tuple; | 744 | struct nf_conntrack_tuple tuple; |
709 | struct nf_conntrack_tuple_hash *h; | 745 | struct nf_conntrack_tuple_hash *h; |
710 | struct nf_conn *ct; | 746 | struct nf_conn *ct; |
747 | u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE; | ||
711 | 748 | ||
712 | if (!nf_ct_get_tuple(skb, skb_network_offset(skb), | 749 | if (!nf_ct_get_tuple(skb, skb_network_offset(skb), |
713 | dataoff, l3num, protonum, &tuple, l3proto, | 750 | dataoff, l3num, protonum, &tuple, l3proto, |
@@ -717,9 +754,10 @@ resolve_normal_ct(struct net *net, | |||
717 | } | 754 | } |
718 | 755 | ||
719 | /* look for tuple match */ | 756 | /* look for tuple match */ |
720 | h = nf_conntrack_find_get(net, &tuple); | 757 | h = nf_conntrack_find_get(net, zone, &tuple); |
721 | if (!h) { | 758 | if (!h) { |
722 | h = init_conntrack(net, &tuple, l3proto, l4proto, skb, dataoff); | 759 | h = init_conntrack(net, tmpl, &tuple, l3proto, l4proto, |
760 | skb, dataoff); | ||
723 | if (!h) | 761 | if (!h) |
724 | return NULL; | 762 | return NULL; |
725 | if (IS_ERR(h)) | 763 | if (IS_ERR(h)) |
@@ -756,7 +794,7 @@ unsigned int | |||
756 | nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | 794 | nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, |
757 | struct sk_buff *skb) | 795 | struct sk_buff *skb) |
758 | { | 796 | { |
759 | struct nf_conn *ct; | 797 | struct nf_conn *ct, *tmpl = NULL; |
760 | enum ip_conntrack_info ctinfo; | 798 | enum ip_conntrack_info ctinfo; |
761 | struct nf_conntrack_l3proto *l3proto; | 799 | struct nf_conntrack_l3proto *l3proto; |
762 | struct nf_conntrack_l4proto *l4proto; | 800 | struct nf_conntrack_l4proto *l4proto; |
@@ -765,10 +803,14 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
765 | int set_reply = 0; | 803 | int set_reply = 0; |
766 | int ret; | 804 | int ret; |
767 | 805 | ||
768 | /* Previously seen (loopback or untracked)? Ignore. */ | ||
769 | if (skb->nfct) { | 806 | if (skb->nfct) { |
770 | NF_CT_STAT_INC_ATOMIC(net, ignore); | 807 | /* Previously seen (loopback or untracked)? Ignore. */ |
771 | return NF_ACCEPT; | 808 | tmpl = (struct nf_conn *)skb->nfct; |
809 | if (!nf_ct_is_template(tmpl)) { | ||
810 | NF_CT_STAT_INC_ATOMIC(net, ignore); | ||
811 | return NF_ACCEPT; | ||
812 | } | ||
813 | skb->nfct = NULL; | ||
772 | } | 814 | } |
773 | 815 | ||
774 | /* rcu_read_lock()ed by nf_hook_slow */ | 816 | /* rcu_read_lock()ed by nf_hook_slow */ |
@@ -779,7 +821,8 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
779 | pr_debug("not prepared to track yet or error occured\n"); | 821 | pr_debug("not prepared to track yet or error occured\n"); |
780 | NF_CT_STAT_INC_ATOMIC(net, error); | 822 | NF_CT_STAT_INC_ATOMIC(net, error); |
781 | NF_CT_STAT_INC_ATOMIC(net, invalid); | 823 | NF_CT_STAT_INC_ATOMIC(net, invalid); |
782 | return -ret; | 824 | ret = -ret; |
825 | goto out; | ||
783 | } | 826 | } |
784 | 827 | ||
785 | l4proto = __nf_ct_l4proto_find(pf, protonum); | 828 | l4proto = __nf_ct_l4proto_find(pf, protonum); |
@@ -788,26 +831,30 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
788 | * inverse of the return code tells to the netfilter | 831 | * inverse of the return code tells to the netfilter |
789 | * core what to do with the packet. */ | 832 | * core what to do with the packet. */ |
790 | if (l4proto->error != NULL) { | 833 | if (l4proto->error != NULL) { |
791 | ret = l4proto->error(net, skb, dataoff, &ctinfo, pf, hooknum); | 834 | ret = l4proto->error(net, tmpl, skb, dataoff, &ctinfo, |
835 | pf, hooknum); | ||
792 | if (ret <= 0) { | 836 | if (ret <= 0) { |
793 | NF_CT_STAT_INC_ATOMIC(net, error); | 837 | NF_CT_STAT_INC_ATOMIC(net, error); |
794 | NF_CT_STAT_INC_ATOMIC(net, invalid); | 838 | NF_CT_STAT_INC_ATOMIC(net, invalid); |
795 | return -ret; | 839 | ret = -ret; |
840 | goto out; | ||
796 | } | 841 | } |
797 | } | 842 | } |
798 | 843 | ||
799 | ct = resolve_normal_ct(net, skb, dataoff, pf, protonum, | 844 | ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum, |
800 | l3proto, l4proto, &set_reply, &ctinfo); | 845 | l3proto, l4proto, &set_reply, &ctinfo); |
801 | if (!ct) { | 846 | if (!ct) { |
802 | /* Not valid part of a connection */ | 847 | /* Not valid part of a connection */ |
803 | NF_CT_STAT_INC_ATOMIC(net, invalid); | 848 | NF_CT_STAT_INC_ATOMIC(net, invalid); |
804 | return NF_ACCEPT; | 849 | ret = NF_ACCEPT; |
850 | goto out; | ||
805 | } | 851 | } |
806 | 852 | ||
807 | if (IS_ERR(ct)) { | 853 | if (IS_ERR(ct)) { |
808 | /* Too stressed to deal. */ | 854 | /* Too stressed to deal. */ |
809 | NF_CT_STAT_INC_ATOMIC(net, drop); | 855 | NF_CT_STAT_INC_ATOMIC(net, drop); |
810 | return NF_DROP; | 856 | ret = NF_DROP; |
857 | goto out; | ||
811 | } | 858 | } |
812 | 859 | ||
813 | NF_CT_ASSERT(skb->nfct); | 860 | NF_CT_ASSERT(skb->nfct); |
@@ -822,11 +869,15 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
822 | NF_CT_STAT_INC_ATOMIC(net, invalid); | 869 | NF_CT_STAT_INC_ATOMIC(net, invalid); |
823 | if (ret == -NF_DROP) | 870 | if (ret == -NF_DROP) |
824 | NF_CT_STAT_INC_ATOMIC(net, drop); | 871 | NF_CT_STAT_INC_ATOMIC(net, drop); |
825 | return -ret; | 872 | ret = -ret; |
873 | goto out; | ||
826 | } | 874 | } |
827 | 875 | ||
828 | if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) | 876 | if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) |
829 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 877 | nf_conntrack_event_cache(IPCT_REPLY, ct); |
878 | out: | ||
879 | if (tmpl) | ||
880 | nf_ct_put(tmpl); | ||
830 | 881 | ||
831 | return ret; | 882 | return ret; |
832 | } | 883 | } |
@@ -865,7 +916,7 @@ void nf_conntrack_alter_reply(struct nf_conn *ct, | |||
865 | return; | 916 | return; |
866 | 917 | ||
867 | rcu_read_lock(); | 918 | rcu_read_lock(); |
868 | __nf_ct_try_assign_helper(ct, GFP_ATOMIC); | 919 | __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); |
869 | rcu_read_unlock(); | 920 | rcu_read_unlock(); |
870 | } | 921 | } |
871 | EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply); | 922 | EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply); |
@@ -939,6 +990,14 @@ bool __nf_ct_kill_acct(struct nf_conn *ct, | |||
939 | } | 990 | } |
940 | EXPORT_SYMBOL_GPL(__nf_ct_kill_acct); | 991 | EXPORT_SYMBOL_GPL(__nf_ct_kill_acct); |
941 | 992 | ||
993 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
994 | static struct nf_ct_ext_type nf_ct_zone_extend __read_mostly = { | ||
995 | .len = sizeof(struct nf_conntrack_zone), | ||
996 | .align = __alignof__(struct nf_conntrack_zone), | ||
997 | .id = NF_CT_EXT_ZONE, | ||
998 | }; | ||
999 | #endif | ||
1000 | |||
942 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | 1001 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) |
943 | 1002 | ||
944 | #include <linux/netfilter/nfnetlink.h> | 1003 | #include <linux/netfilter/nfnetlink.h> |
@@ -1120,6 +1179,9 @@ static void nf_conntrack_cleanup_init_net(void) | |||
1120 | 1179 | ||
1121 | nf_conntrack_helper_fini(); | 1180 | nf_conntrack_helper_fini(); |
1122 | nf_conntrack_proto_fini(); | 1181 | nf_conntrack_proto_fini(); |
1182 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
1183 | nf_ct_extend_unregister(&nf_ct_zone_extend); | ||
1184 | #endif | ||
1123 | } | 1185 | } |
1124 | 1186 | ||
1125 | static void nf_conntrack_cleanup_net(struct net *net) | 1187 | static void nf_conntrack_cleanup_net(struct net *net) |
@@ -1195,6 +1257,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp) | |||
1195 | unsigned int hashsize, old_size; | 1257 | unsigned int hashsize, old_size; |
1196 | struct hlist_nulls_head *hash, *old_hash; | 1258 | struct hlist_nulls_head *hash, *old_hash; |
1197 | struct nf_conntrack_tuple_hash *h; | 1259 | struct nf_conntrack_tuple_hash *h; |
1260 | struct nf_conn *ct; | ||
1198 | 1261 | ||
1199 | if (current->nsproxy->net_ns != &init_net) | 1262 | if (current->nsproxy->net_ns != &init_net) |
1200 | return -EOPNOTSUPP; | 1263 | return -EOPNOTSUPP; |
@@ -1221,8 +1284,10 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp) | |||
1221 | while (!hlist_nulls_empty(&init_net.ct.hash[i])) { | 1284 | while (!hlist_nulls_empty(&init_net.ct.hash[i])) { |
1222 | h = hlist_nulls_entry(init_net.ct.hash[i].first, | 1285 | h = hlist_nulls_entry(init_net.ct.hash[i].first, |
1223 | struct nf_conntrack_tuple_hash, hnnode); | 1286 | struct nf_conntrack_tuple_hash, hnnode); |
1287 | ct = nf_ct_tuplehash_to_ctrack(h); | ||
1224 | hlist_nulls_del_rcu(&h->hnnode); | 1288 | hlist_nulls_del_rcu(&h->hnnode); |
1225 | bucket = __hash_conntrack(&h->tuple, hashsize, | 1289 | bucket = __hash_conntrack(&h->tuple, nf_ct_zone(ct), |
1290 | hashsize, | ||
1226 | nf_conntrack_hash_rnd); | 1291 | nf_conntrack_hash_rnd); |
1227 | hlist_nulls_add_head_rcu(&h->hnnode, &hash[bucket]); | 1292 | hlist_nulls_add_head_rcu(&h->hnnode, &hash[bucket]); |
1228 | } | 1293 | } |
@@ -1280,6 +1345,11 @@ static int nf_conntrack_init_init_net(void) | |||
1280 | if (ret < 0) | 1345 | if (ret < 0) |
1281 | goto err_helper; | 1346 | goto err_helper; |
1282 | 1347 | ||
1348 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
1349 | ret = nf_ct_extend_register(&nf_ct_zone_extend); | ||
1350 | if (ret < 0) | ||
1351 | goto err_extend; | ||
1352 | #endif | ||
1283 | /* Set up fake conntrack: to never be deleted, not in any hashes */ | 1353 | /* Set up fake conntrack: to never be deleted, not in any hashes */ |
1284 | #ifdef CONFIG_NET_NS | 1354 | #ifdef CONFIG_NET_NS |
1285 | nf_conntrack_untracked.ct_net = &init_net; | 1355 | nf_conntrack_untracked.ct_net = &init_net; |
@@ -1290,6 +1360,10 @@ static int nf_conntrack_init_init_net(void) | |||
1290 | 1360 | ||
1291 | return 0; | 1361 | return 0; |
1292 | 1362 | ||
1363 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
1364 | err_extend: | ||
1365 | nf_conntrack_helper_fini(); | ||
1366 | #endif | ||
1293 | err_helper: | 1367 | err_helper: |
1294 | nf_conntrack_proto_fini(); | 1368 | nf_conntrack_proto_fini(); |
1295 | err_proto: | 1369 | err_proto: |
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 2f25ff610982..acb29ccaa41f 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
@@ -27,6 +27,7 @@ | |||
27 | #include <net/netfilter/nf_conntrack_expect.h> | 27 | #include <net/netfilter/nf_conntrack_expect.h> |
28 | #include <net/netfilter/nf_conntrack_helper.h> | 28 | #include <net/netfilter/nf_conntrack_helper.h> |
29 | #include <net/netfilter/nf_conntrack_tuple.h> | 29 | #include <net/netfilter/nf_conntrack_tuple.h> |
30 | #include <net/netfilter/nf_conntrack_zones.h> | ||
30 | 31 | ||
31 | unsigned int nf_ct_expect_hsize __read_mostly; | 32 | unsigned int nf_ct_expect_hsize __read_mostly; |
32 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); | 33 | EXPORT_SYMBOL_GPL(nf_ct_expect_hsize); |
@@ -84,7 +85,8 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple | |||
84 | } | 85 | } |
85 | 86 | ||
86 | struct nf_conntrack_expect * | 87 | struct nf_conntrack_expect * |
87 | __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple) | 88 | __nf_ct_expect_find(struct net *net, u16 zone, |
89 | const struct nf_conntrack_tuple *tuple) | ||
88 | { | 90 | { |
89 | struct nf_conntrack_expect *i; | 91 | struct nf_conntrack_expect *i; |
90 | struct hlist_node *n; | 92 | struct hlist_node *n; |
@@ -95,7 +97,8 @@ __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple) | |||
95 | 97 | ||
96 | h = nf_ct_expect_dst_hash(tuple); | 98 | h = nf_ct_expect_dst_hash(tuple); |
97 | hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) { | 99 | hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) { |
98 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) | 100 | if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) && |
101 | nf_ct_zone(i->master) == zone) | ||
99 | return i; | 102 | return i; |
100 | } | 103 | } |
101 | return NULL; | 104 | return NULL; |
@@ -104,12 +107,13 @@ EXPORT_SYMBOL_GPL(__nf_ct_expect_find); | |||
104 | 107 | ||
105 | /* Just find a expectation corresponding to a tuple. */ | 108 | /* Just find a expectation corresponding to a tuple. */ |
106 | struct nf_conntrack_expect * | 109 | struct nf_conntrack_expect * |
107 | nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple) | 110 | nf_ct_expect_find_get(struct net *net, u16 zone, |
111 | const struct nf_conntrack_tuple *tuple) | ||
108 | { | 112 | { |
109 | struct nf_conntrack_expect *i; | 113 | struct nf_conntrack_expect *i; |
110 | 114 | ||
111 | rcu_read_lock(); | 115 | rcu_read_lock(); |
112 | i = __nf_ct_expect_find(net, tuple); | 116 | i = __nf_ct_expect_find(net, zone, tuple); |
113 | if (i && !atomic_inc_not_zero(&i->use)) | 117 | if (i && !atomic_inc_not_zero(&i->use)) |
114 | i = NULL; | 118 | i = NULL; |
115 | rcu_read_unlock(); | 119 | rcu_read_unlock(); |
@@ -121,7 +125,8 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get); | |||
121 | /* If an expectation for this connection is found, it gets delete from | 125 | /* If an expectation for this connection is found, it gets delete from |
122 | * global list then returned. */ | 126 | * global list then returned. */ |
123 | struct nf_conntrack_expect * | 127 | struct nf_conntrack_expect * |
124 | nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple) | 128 | nf_ct_find_expectation(struct net *net, u16 zone, |
129 | const struct nf_conntrack_tuple *tuple) | ||
125 | { | 130 | { |
126 | struct nf_conntrack_expect *i, *exp = NULL; | 131 | struct nf_conntrack_expect *i, *exp = NULL; |
127 | struct hlist_node *n; | 132 | struct hlist_node *n; |
@@ -133,7 +138,8 @@ nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple) | |||
133 | h = nf_ct_expect_dst_hash(tuple); | 138 | h = nf_ct_expect_dst_hash(tuple); |
134 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { | 139 | hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { |
135 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && | 140 | if (!(i->flags & NF_CT_EXPECT_INACTIVE) && |
136 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { | 141 | nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) && |
142 | nf_ct_zone(i->master) == zone) { | ||
137 | exp = i; | 143 | exp = i; |
138 | break; | 144 | break; |
139 | } | 145 | } |
@@ -204,7 +210,8 @@ static inline int expect_matches(const struct nf_conntrack_expect *a, | |||
204 | { | 210 | { |
205 | return a->master == b->master && a->class == b->class && | 211 | return a->master == b->master && a->class == b->class && |
206 | nf_ct_tuple_equal(&a->tuple, &b->tuple) && | 212 | nf_ct_tuple_equal(&a->tuple, &b->tuple) && |
207 | nf_ct_tuple_mask_equal(&a->mask, &b->mask); | 213 | nf_ct_tuple_mask_equal(&a->mask, &b->mask) && |
214 | nf_ct_zone(a->master) == nf_ct_zone(b->master); | ||
208 | } | 215 | } |
209 | 216 | ||
210 | /* Generally a bad idea to call this: could have matched already. */ | 217 | /* Generally a bad idea to call this: could have matched already. */ |
@@ -232,7 +239,6 @@ struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me) | |||
232 | 239 | ||
233 | new->master = me; | 240 | new->master = me; |
234 | atomic_set(&new->use, 1); | 241 | atomic_set(&new->use, 1); |
235 | INIT_RCU_HEAD(&new->rcu); | ||
236 | return new; | 242 | return new; |
237 | } | 243 | } |
238 | EXPORT_SYMBOL_GPL(nf_ct_expect_alloc); | 244 | EXPORT_SYMBOL_GPL(nf_ct_expect_alloc); |
@@ -500,6 +506,7 @@ static void exp_seq_stop(struct seq_file *seq, void *v) | |||
500 | static int exp_seq_show(struct seq_file *s, void *v) | 506 | static int exp_seq_show(struct seq_file *s, void *v) |
501 | { | 507 | { |
502 | struct nf_conntrack_expect *expect; | 508 | struct nf_conntrack_expect *expect; |
509 | struct nf_conntrack_helper *helper; | ||
503 | struct hlist_node *n = v; | 510 | struct hlist_node *n = v; |
504 | char *delim = ""; | 511 | char *delim = ""; |
505 | 512 | ||
@@ -525,6 +532,14 @@ static int exp_seq_show(struct seq_file *s, void *v) | |||
525 | if (expect->flags & NF_CT_EXPECT_INACTIVE) | 532 | if (expect->flags & NF_CT_EXPECT_INACTIVE) |
526 | seq_printf(s, "%sINACTIVE", delim); | 533 | seq_printf(s, "%sINACTIVE", delim); |
527 | 534 | ||
535 | helper = rcu_dereference(nfct_help(expect->master)->helper); | ||
536 | if (helper) { | ||
537 | seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name); | ||
538 | if (helper->expect_policy[expect->class].name) | ||
539 | seq_printf(s, "/%s", | ||
540 | helper->expect_policy[expect->class].name); | ||
541 | } | ||
542 | |||
528 | return seq_putc(s, '\n'); | 543 | return seq_putc(s, '\n'); |
529 | } | 544 | } |
530 | 545 | ||
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c index fef95be334bd..fdc8fb4ae10f 100644 --- a/net/netfilter/nf_conntrack_extend.c +++ b/net/netfilter/nf_conntrack_extend.c | |||
@@ -59,7 +59,6 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp) | |||
59 | if (!*ext) | 59 | if (!*ext) |
60 | return NULL; | 60 | return NULL; |
61 | 61 | ||
62 | INIT_RCU_HEAD(&(*ext)->rcu); | ||
63 | (*ext)->offset[id] = off; | 62 | (*ext)->offset[id] = off; |
64 | (*ext)->len = len; | 63 | (*ext)->len = len; |
65 | 64 | ||
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 66369490230e..a1c8dd917e12 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c | |||
@@ -29,6 +29,7 @@ | |||
29 | #include <net/netfilter/nf_conntrack_expect.h> | 29 | #include <net/netfilter/nf_conntrack_expect.h> |
30 | #include <net/netfilter/nf_conntrack_ecache.h> | 30 | #include <net/netfilter/nf_conntrack_ecache.h> |
31 | #include <net/netfilter/nf_conntrack_helper.h> | 31 | #include <net/netfilter/nf_conntrack_helper.h> |
32 | #include <net/netfilter/nf_conntrack_zones.h> | ||
32 | #include <linux/netfilter/nf_conntrack_h323.h> | 33 | #include <linux/netfilter/nf_conntrack_h323.h> |
33 | 34 | ||
34 | /* Parameters */ | 35 | /* Parameters */ |
@@ -1216,7 +1217,7 @@ static struct nf_conntrack_expect *find_expect(struct nf_conn *ct, | |||
1216 | tuple.dst.u.tcp.port = port; | 1217 | tuple.dst.u.tcp.port = port; |
1217 | tuple.dst.protonum = IPPROTO_TCP; | 1218 | tuple.dst.protonum = IPPROTO_TCP; |
1218 | 1219 | ||
1219 | exp = __nf_ct_expect_find(net, &tuple); | 1220 | exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple); |
1220 | if (exp && exp->master == ct) | 1221 | if (exp && exp->master == ct) |
1221 | return exp; | 1222 | return exp; |
1222 | return NULL; | 1223 | return NULL; |
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 4b1a56bd074c..4509fa6726f8 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
@@ -65,7 +65,7 @@ __nf_ct_helper_find(const struct nf_conntrack_tuple *tuple) | |||
65 | } | 65 | } |
66 | 66 | ||
67 | struct nf_conntrack_helper * | 67 | struct nf_conntrack_helper * |
68 | __nf_conntrack_helper_find_byname(const char *name) | 68 | __nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum) |
69 | { | 69 | { |
70 | struct nf_conntrack_helper *h; | 70 | struct nf_conntrack_helper *h; |
71 | struct hlist_node *n; | 71 | struct hlist_node *n; |
@@ -73,13 +73,34 @@ __nf_conntrack_helper_find_byname(const char *name) | |||
73 | 73 | ||
74 | for (i = 0; i < nf_ct_helper_hsize; i++) { | 74 | for (i = 0; i < nf_ct_helper_hsize; i++) { |
75 | hlist_for_each_entry_rcu(h, n, &nf_ct_helper_hash[i], hnode) { | 75 | hlist_for_each_entry_rcu(h, n, &nf_ct_helper_hash[i], hnode) { |
76 | if (!strcmp(h->name, name)) | 76 | if (!strcmp(h->name, name) && |
77 | h->tuple.src.l3num == l3num && | ||
78 | h->tuple.dst.protonum == protonum) | ||
77 | return h; | 79 | return h; |
78 | } | 80 | } |
79 | } | 81 | } |
80 | return NULL; | 82 | return NULL; |
81 | } | 83 | } |
82 | EXPORT_SYMBOL_GPL(__nf_conntrack_helper_find_byname); | 84 | EXPORT_SYMBOL_GPL(__nf_conntrack_helper_find); |
85 | |||
86 | struct nf_conntrack_helper * | ||
87 | nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum) | ||
88 | { | ||
89 | struct nf_conntrack_helper *h; | ||
90 | |||
91 | h = __nf_conntrack_helper_find(name, l3num, protonum); | ||
92 | #ifdef CONFIG_MODULES | ||
93 | if (h == NULL) { | ||
94 | if (request_module("nfct-helper-%s", name) == 0) | ||
95 | h = __nf_conntrack_helper_find(name, l3num, protonum); | ||
96 | } | ||
97 | #endif | ||
98 | if (h != NULL && !try_module_get(h->me)) | ||
99 | h = NULL; | ||
100 | |||
101 | return h; | ||
102 | } | ||
103 | EXPORT_SYMBOL_GPL(nf_conntrack_helper_try_module_get); | ||
83 | 104 | ||
84 | struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) | 105 | struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) |
85 | { | 106 | { |
@@ -94,13 +115,22 @@ struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) | |||
94 | } | 115 | } |
95 | EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add); | 116 | EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add); |
96 | 117 | ||
97 | int __nf_ct_try_assign_helper(struct nf_conn *ct, gfp_t flags) | 118 | int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, |
119 | gfp_t flags) | ||
98 | { | 120 | { |
121 | struct nf_conntrack_helper *helper = NULL; | ||
122 | struct nf_conn_help *help; | ||
99 | int ret = 0; | 123 | int ret = 0; |
100 | struct nf_conntrack_helper *helper; | ||
101 | struct nf_conn_help *help = nfct_help(ct); | ||
102 | 124 | ||
103 | helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | 125 | if (tmpl != NULL) { |
126 | help = nfct_help(tmpl); | ||
127 | if (help != NULL) | ||
128 | helper = help->helper; | ||
129 | } | ||
130 | |||
131 | help = nfct_help(ct); | ||
132 | if (helper == NULL) | ||
133 | helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
104 | if (helper == NULL) { | 134 | if (helper == NULL) { |
105 | if (help) | 135 | if (help) |
106 | rcu_assign_pointer(help->helper, NULL); | 136 | rcu_assign_pointer(help->helper, NULL); |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 0ffe689dfe97..8b05f364b2f2 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
@@ -30,6 +30,7 @@ | |||
30 | 30 | ||
31 | #include <linux/netfilter.h> | 31 | #include <linux/netfilter.h> |
32 | #include <net/netlink.h> | 32 | #include <net/netlink.h> |
33 | #include <net/sock.h> | ||
33 | #include <net/netfilter/nf_conntrack.h> | 34 | #include <net/netfilter/nf_conntrack.h> |
34 | #include <net/netfilter/nf_conntrack_core.h> | 35 | #include <net/netfilter/nf_conntrack_core.h> |
35 | #include <net/netfilter/nf_conntrack_expect.h> | 36 | #include <net/netfilter/nf_conntrack_expect.h> |
@@ -38,6 +39,7 @@ | |||
38 | #include <net/netfilter/nf_conntrack_l4proto.h> | 39 | #include <net/netfilter/nf_conntrack_l4proto.h> |
39 | #include <net/netfilter/nf_conntrack_tuple.h> | 40 | #include <net/netfilter/nf_conntrack_tuple.h> |
40 | #include <net/netfilter/nf_conntrack_acct.h> | 41 | #include <net/netfilter/nf_conntrack_acct.h> |
42 | #include <net/netfilter/nf_conntrack_zones.h> | ||
41 | #ifdef CONFIG_NF_NAT_NEEDED | 43 | #ifdef CONFIG_NF_NAT_NEEDED |
42 | #include <net/netfilter/nf_nat_core.h> | 44 | #include <net/netfilter/nf_nat_core.h> |
43 | #include <net/netfilter/nf_nat_protocol.h> | 45 | #include <net/netfilter/nf_nat_protocol.h> |
@@ -378,6 +380,9 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | |||
378 | goto nla_put_failure; | 380 | goto nla_put_failure; |
379 | nla_nest_end(skb, nest_parms); | 381 | nla_nest_end(skb, nest_parms); |
380 | 382 | ||
383 | if (nf_ct_zone(ct)) | ||
384 | NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct))); | ||
385 | |||
381 | if (ctnetlink_dump_status(skb, ct) < 0 || | 386 | if (ctnetlink_dump_status(skb, ct) < 0 || |
382 | ctnetlink_dump_timeout(skb, ct) < 0 || | 387 | ctnetlink_dump_timeout(skb, ct) < 0 || |
383 | ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || | 388 | ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || |
@@ -456,6 +461,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) | |||
456 | static int | 461 | static int |
457 | ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | 462 | ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) |
458 | { | 463 | { |
464 | struct net *net; | ||
459 | struct nlmsghdr *nlh; | 465 | struct nlmsghdr *nlh; |
460 | struct nfgenmsg *nfmsg; | 466 | struct nfgenmsg *nfmsg; |
461 | struct nlattr *nest_parms; | 467 | struct nlattr *nest_parms; |
@@ -482,7 +488,8 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | |||
482 | } else | 488 | } else |
483 | return 0; | 489 | return 0; |
484 | 490 | ||
485 | if (!item->report && !nfnetlink_has_listeners(group)) | 491 | net = nf_ct_net(ct); |
492 | if (!item->report && !nfnetlink_has_listeners(net, group)) | ||
486 | return 0; | 493 | return 0; |
487 | 494 | ||
488 | skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); | 495 | skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); |
@@ -514,6 +521,9 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | |||
514 | goto nla_put_failure; | 521 | goto nla_put_failure; |
515 | nla_nest_end(skb, nest_parms); | 522 | nla_nest_end(skb, nest_parms); |
516 | 523 | ||
524 | if (nf_ct_zone(ct)) | ||
525 | NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct))); | ||
526 | |||
517 | if (ctnetlink_dump_id(skb, ct) < 0) | 527 | if (ctnetlink_dump_id(skb, ct) < 0) |
518 | goto nla_put_failure; | 528 | goto nla_put_failure; |
519 | 529 | ||
@@ -559,7 +569,8 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | |||
559 | rcu_read_unlock(); | 569 | rcu_read_unlock(); |
560 | 570 | ||
561 | nlmsg_end(skb, nlh); | 571 | nlmsg_end(skb, nlh); |
562 | err = nfnetlink_send(skb, item->pid, group, item->report, GFP_ATOMIC); | 572 | err = nfnetlink_send(skb, net, item->pid, group, item->report, |
573 | GFP_ATOMIC); | ||
563 | if (err == -ENOBUFS || err == -EAGAIN) | 574 | if (err == -ENOBUFS || err == -EAGAIN) |
564 | return -ENOBUFS; | 575 | return -ENOBUFS; |
565 | 576 | ||
@@ -571,7 +582,7 @@ nla_put_failure: | |||
571 | nlmsg_failure: | 582 | nlmsg_failure: |
572 | kfree_skb(skb); | 583 | kfree_skb(skb); |
573 | errout: | 584 | errout: |
574 | nfnetlink_set_err(0, group, -ENOBUFS); | 585 | nfnetlink_set_err(net, 0, group, -ENOBUFS); |
575 | return 0; | 586 | return 0; |
576 | } | 587 | } |
577 | #endif /* CONFIG_NF_CONNTRACK_EVENTS */ | 588 | #endif /* CONFIG_NF_CONNTRACK_EVENTS */ |
@@ -586,6 +597,7 @@ static int ctnetlink_done(struct netlink_callback *cb) | |||
586 | static int | 597 | static int |
587 | ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | 598 | ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) |
588 | { | 599 | { |
600 | struct net *net = sock_net(skb->sk); | ||
589 | struct nf_conn *ct, *last; | 601 | struct nf_conn *ct, *last; |
590 | struct nf_conntrack_tuple_hash *h; | 602 | struct nf_conntrack_tuple_hash *h; |
591 | struct hlist_nulls_node *n; | 603 | struct hlist_nulls_node *n; |
@@ -594,9 +606,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | |||
594 | 606 | ||
595 | rcu_read_lock(); | 607 | rcu_read_lock(); |
596 | last = (struct nf_conn *)cb->args[1]; | 608 | last = (struct nf_conn *)cb->args[1]; |
597 | for (; cb->args[0] < init_net.ct.htable_size; cb->args[0]++) { | 609 | for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) { |
598 | restart: | 610 | restart: |
599 | hlist_nulls_for_each_entry_rcu(h, n, &init_net.ct.hash[cb->args[0]], | 611 | hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[cb->args[0]], |
600 | hnnode) { | 612 | hnnode) { |
601 | if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) | 613 | if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) |
602 | continue; | 614 | continue; |
@@ -703,6 +715,11 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr, | |||
703 | return ret; | 715 | return ret; |
704 | } | 716 | } |
705 | 717 | ||
718 | static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { | ||
719 | [CTA_TUPLE_IP] = { .type = NLA_NESTED }, | ||
720 | [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, | ||
721 | }; | ||
722 | |||
706 | static int | 723 | static int |
707 | ctnetlink_parse_tuple(const struct nlattr * const cda[], | 724 | ctnetlink_parse_tuple(const struct nlattr * const cda[], |
708 | struct nf_conntrack_tuple *tuple, | 725 | struct nf_conntrack_tuple *tuple, |
@@ -713,7 +730,7 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], | |||
713 | 730 | ||
714 | memset(tuple, 0, sizeof(*tuple)); | 731 | memset(tuple, 0, sizeof(*tuple)); |
715 | 732 | ||
716 | nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL); | 733 | nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy); |
717 | 734 | ||
718 | if (!tb[CTA_TUPLE_IP]) | 735 | if (!tb[CTA_TUPLE_IP]) |
719 | return -EINVAL; | 736 | return -EINVAL; |
@@ -740,12 +757,31 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], | |||
740 | return 0; | 757 | return 0; |
741 | } | 758 | } |
742 | 759 | ||
760 | static int | ||
761 | ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone) | ||
762 | { | ||
763 | if (attr) | ||
764 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
765 | *zone = ntohs(nla_get_be16(attr)); | ||
766 | #else | ||
767 | return -EOPNOTSUPP; | ||
768 | #endif | ||
769 | else | ||
770 | *zone = 0; | ||
771 | |||
772 | return 0; | ||
773 | } | ||
774 | |||
775 | static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { | ||
776 | [CTA_HELP_NAME] = { .type = NLA_NUL_STRING }, | ||
777 | }; | ||
778 | |||
743 | static inline int | 779 | static inline int |
744 | ctnetlink_parse_help(const struct nlattr *attr, char **helper_name) | 780 | ctnetlink_parse_help(const struct nlattr *attr, char **helper_name) |
745 | { | 781 | { |
746 | struct nlattr *tb[CTA_HELP_MAX+1]; | 782 | struct nlattr *tb[CTA_HELP_MAX+1]; |
747 | 783 | ||
748 | nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL); | 784 | nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy); |
749 | 785 | ||
750 | if (!tb[CTA_HELP_NAME]) | 786 | if (!tb[CTA_HELP_NAME]) |
751 | return -EINVAL; | 787 | return -EINVAL; |
@@ -756,11 +792,18 @@ ctnetlink_parse_help(const struct nlattr *attr, char **helper_name) | |||
756 | } | 792 | } |
757 | 793 | ||
758 | static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { | 794 | static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { |
795 | [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, | ||
796 | [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, | ||
759 | [CTA_STATUS] = { .type = NLA_U32 }, | 797 | [CTA_STATUS] = { .type = NLA_U32 }, |
798 | [CTA_PROTOINFO] = { .type = NLA_NESTED }, | ||
799 | [CTA_HELP] = { .type = NLA_NESTED }, | ||
800 | [CTA_NAT_SRC] = { .type = NLA_NESTED }, | ||
760 | [CTA_TIMEOUT] = { .type = NLA_U32 }, | 801 | [CTA_TIMEOUT] = { .type = NLA_U32 }, |
761 | [CTA_MARK] = { .type = NLA_U32 }, | 802 | [CTA_MARK] = { .type = NLA_U32 }, |
762 | [CTA_USE] = { .type = NLA_U32 }, | ||
763 | [CTA_ID] = { .type = NLA_U32 }, | 803 | [CTA_ID] = { .type = NLA_U32 }, |
804 | [CTA_NAT_DST] = { .type = NLA_NESTED }, | ||
805 | [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, | ||
806 | [CTA_ZONE] = { .type = NLA_U16 }, | ||
764 | }; | 807 | }; |
765 | 808 | ||
766 | static int | 809 | static int |
@@ -768,12 +811,18 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
768 | const struct nlmsghdr *nlh, | 811 | const struct nlmsghdr *nlh, |
769 | const struct nlattr * const cda[]) | 812 | const struct nlattr * const cda[]) |
770 | { | 813 | { |
814 | struct net *net = sock_net(ctnl); | ||
771 | struct nf_conntrack_tuple_hash *h; | 815 | struct nf_conntrack_tuple_hash *h; |
772 | struct nf_conntrack_tuple tuple; | 816 | struct nf_conntrack_tuple tuple; |
773 | struct nf_conn *ct; | 817 | struct nf_conn *ct; |
774 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 818 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
775 | u_int8_t u3 = nfmsg->nfgen_family; | 819 | u_int8_t u3 = nfmsg->nfgen_family; |
776 | int err = 0; | 820 | u16 zone; |
821 | int err; | ||
822 | |||
823 | err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); | ||
824 | if (err < 0) | ||
825 | return err; | ||
777 | 826 | ||
778 | if (cda[CTA_TUPLE_ORIG]) | 827 | if (cda[CTA_TUPLE_ORIG]) |
779 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); | 828 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); |
@@ -781,7 +830,7 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
781 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); | 830 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); |
782 | else { | 831 | else { |
783 | /* Flush the whole table */ | 832 | /* Flush the whole table */ |
784 | nf_conntrack_flush_report(&init_net, | 833 | nf_conntrack_flush_report(net, |
785 | NETLINK_CB(skb).pid, | 834 | NETLINK_CB(skb).pid, |
786 | nlmsg_report(nlh)); | 835 | nlmsg_report(nlh)); |
787 | return 0; | 836 | return 0; |
@@ -790,7 +839,7 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
790 | if (err < 0) | 839 | if (err < 0) |
791 | return err; | 840 | return err; |
792 | 841 | ||
793 | h = nf_conntrack_find_get(&init_net, &tuple); | 842 | h = nf_conntrack_find_get(net, zone, &tuple); |
794 | if (!h) | 843 | if (!h) |
795 | return -ENOENT; | 844 | return -ENOENT; |
796 | 845 | ||
@@ -828,18 +877,24 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
828 | const struct nlmsghdr *nlh, | 877 | const struct nlmsghdr *nlh, |
829 | const struct nlattr * const cda[]) | 878 | const struct nlattr * const cda[]) |
830 | { | 879 | { |
880 | struct net *net = sock_net(ctnl); | ||
831 | struct nf_conntrack_tuple_hash *h; | 881 | struct nf_conntrack_tuple_hash *h; |
832 | struct nf_conntrack_tuple tuple; | 882 | struct nf_conntrack_tuple tuple; |
833 | struct nf_conn *ct; | 883 | struct nf_conn *ct; |
834 | struct sk_buff *skb2 = NULL; | 884 | struct sk_buff *skb2 = NULL; |
835 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 885 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
836 | u_int8_t u3 = nfmsg->nfgen_family; | 886 | u_int8_t u3 = nfmsg->nfgen_family; |
837 | int err = 0; | 887 | u16 zone; |
888 | int err; | ||
838 | 889 | ||
839 | if (nlh->nlmsg_flags & NLM_F_DUMP) | 890 | if (nlh->nlmsg_flags & NLM_F_DUMP) |
840 | return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table, | 891 | return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table, |
841 | ctnetlink_done); | 892 | ctnetlink_done); |
842 | 893 | ||
894 | err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); | ||
895 | if (err < 0) | ||
896 | return err; | ||
897 | |||
843 | if (cda[CTA_TUPLE_ORIG]) | 898 | if (cda[CTA_TUPLE_ORIG]) |
844 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); | 899 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); |
845 | else if (cda[CTA_TUPLE_REPLY]) | 900 | else if (cda[CTA_TUPLE_REPLY]) |
@@ -850,7 +905,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
850 | if (err < 0) | 905 | if (err < 0) |
851 | return err; | 906 | return err; |
852 | 907 | ||
853 | h = nf_conntrack_find_get(&init_net, &tuple); | 908 | h = nf_conntrack_find_get(net, zone, &tuple); |
854 | if (!h) | 909 | if (!h) |
855 | return -ENOENT; | 910 | return -ENOENT; |
856 | 911 | ||
@@ -994,7 +1049,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) | |||
994 | return 0; | 1049 | return 0; |
995 | } | 1050 | } |
996 | 1051 | ||
997 | helper = __nf_conntrack_helper_find_byname(helpname); | 1052 | helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), |
1053 | nf_ct_protonum(ct)); | ||
998 | if (helper == NULL) { | 1054 | if (helper == NULL) { |
999 | #ifdef CONFIG_MODULES | 1055 | #ifdef CONFIG_MODULES |
1000 | spin_unlock_bh(&nf_conntrack_lock); | 1056 | spin_unlock_bh(&nf_conntrack_lock); |
@@ -1005,7 +1061,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) | |||
1005 | } | 1061 | } |
1006 | 1062 | ||
1007 | spin_lock_bh(&nf_conntrack_lock); | 1063 | spin_lock_bh(&nf_conntrack_lock); |
1008 | helper = __nf_conntrack_helper_find_byname(helpname); | 1064 | helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), |
1065 | nf_ct_protonum(ct)); | ||
1009 | if (helper) | 1066 | if (helper) |
1010 | return -EAGAIN; | 1067 | return -EAGAIN; |
1011 | #endif | 1068 | #endif |
@@ -1044,6 +1101,12 @@ ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[]) | |||
1044 | return 0; | 1101 | return 0; |
1045 | } | 1102 | } |
1046 | 1103 | ||
1104 | static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = { | ||
1105 | [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED }, | ||
1106 | [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED }, | ||
1107 | [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED }, | ||
1108 | }; | ||
1109 | |||
1047 | static inline int | 1110 | static inline int |
1048 | ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[]) | 1111 | ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[]) |
1049 | { | 1112 | { |
@@ -1052,7 +1115,7 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[] | |||
1052 | struct nf_conntrack_l4proto *l4proto; | 1115 | struct nf_conntrack_l4proto *l4proto; |
1053 | int err = 0; | 1116 | int err = 0; |
1054 | 1117 | ||
1055 | nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL); | 1118 | nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy); |
1056 | 1119 | ||
1057 | rcu_read_lock(); | 1120 | rcu_read_lock(); |
1058 | l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); | 1121 | l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); |
@@ -1064,12 +1127,18 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[] | |||
1064 | } | 1127 | } |
1065 | 1128 | ||
1066 | #ifdef CONFIG_NF_NAT_NEEDED | 1129 | #ifdef CONFIG_NF_NAT_NEEDED |
1130 | static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = { | ||
1131 | [CTA_NAT_SEQ_CORRECTION_POS] = { .type = NLA_U32 }, | ||
1132 | [CTA_NAT_SEQ_OFFSET_BEFORE] = { .type = NLA_U32 }, | ||
1133 | [CTA_NAT_SEQ_OFFSET_AFTER] = { .type = NLA_U32 }, | ||
1134 | }; | ||
1135 | |||
1067 | static inline int | 1136 | static inline int |
1068 | change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr) | 1137 | change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr) |
1069 | { | 1138 | { |
1070 | struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; | 1139 | struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; |
1071 | 1140 | ||
1072 | nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL); | 1141 | nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy); |
1073 | 1142 | ||
1074 | if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) | 1143 | if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) |
1075 | return -EINVAL; | 1144 | return -EINVAL; |
@@ -1175,7 +1244,8 @@ ctnetlink_change_conntrack(struct nf_conn *ct, | |||
1175 | } | 1244 | } |
1176 | 1245 | ||
1177 | static struct nf_conn * | 1246 | static struct nf_conn * |
1178 | ctnetlink_create_conntrack(const struct nlattr * const cda[], | 1247 | ctnetlink_create_conntrack(struct net *net, u16 zone, |
1248 | const struct nlattr * const cda[], | ||
1179 | struct nf_conntrack_tuple *otuple, | 1249 | struct nf_conntrack_tuple *otuple, |
1180 | struct nf_conntrack_tuple *rtuple, | 1250 | struct nf_conntrack_tuple *rtuple, |
1181 | u8 u3) | 1251 | u8 u3) |
@@ -1184,7 +1254,7 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1184 | int err = -EINVAL; | 1254 | int err = -EINVAL; |
1185 | struct nf_conntrack_helper *helper; | 1255 | struct nf_conntrack_helper *helper; |
1186 | 1256 | ||
1187 | ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC); | 1257 | ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); |
1188 | if (IS_ERR(ct)) | 1258 | if (IS_ERR(ct)) |
1189 | return ERR_PTR(-ENOMEM); | 1259 | return ERR_PTR(-ENOMEM); |
1190 | 1260 | ||
@@ -1203,7 +1273,8 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1203 | if (err < 0) | 1273 | if (err < 0) |
1204 | goto err2; | 1274 | goto err2; |
1205 | 1275 | ||
1206 | helper = __nf_conntrack_helper_find_byname(helpname); | 1276 | helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), |
1277 | nf_ct_protonum(ct)); | ||
1207 | if (helper == NULL) { | 1278 | if (helper == NULL) { |
1208 | rcu_read_unlock(); | 1279 | rcu_read_unlock(); |
1209 | #ifdef CONFIG_MODULES | 1280 | #ifdef CONFIG_MODULES |
@@ -1213,7 +1284,9 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1213 | } | 1284 | } |
1214 | 1285 | ||
1215 | rcu_read_lock(); | 1286 | rcu_read_lock(); |
1216 | helper = __nf_conntrack_helper_find_byname(helpname); | 1287 | helper = __nf_conntrack_helper_find(helpname, |
1288 | nf_ct_l3num(ct), | ||
1289 | nf_ct_protonum(ct)); | ||
1217 | if (helper) { | 1290 | if (helper) { |
1218 | err = -EAGAIN; | 1291 | err = -EAGAIN; |
1219 | goto err2; | 1292 | goto err2; |
@@ -1236,7 +1309,7 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1236 | } | 1309 | } |
1237 | } else { | 1310 | } else { |
1238 | /* try an implicit helper assignation */ | 1311 | /* try an implicit helper assignation */ |
1239 | err = __nf_ct_try_assign_helper(ct, GFP_ATOMIC); | 1312 | err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); |
1240 | if (err < 0) | 1313 | if (err < 0) |
1241 | goto err2; | 1314 | goto err2; |
1242 | } | 1315 | } |
@@ -1268,7 +1341,7 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1268 | } | 1341 | } |
1269 | 1342 | ||
1270 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); | 1343 | nf_ct_acct_ext_add(ct, GFP_ATOMIC); |
1271 | nf_ct_ecache_ext_add(ct, GFP_ATOMIC); | 1344 | nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); |
1272 | 1345 | ||
1273 | #if defined(CONFIG_NF_CONNTRACK_MARK) | 1346 | #if defined(CONFIG_NF_CONNTRACK_MARK) |
1274 | if (cda[CTA_MARK]) | 1347 | if (cda[CTA_MARK]) |
@@ -1285,7 +1358,7 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], | |||
1285 | if (err < 0) | 1358 | if (err < 0) |
1286 | goto err2; | 1359 | goto err2; |
1287 | 1360 | ||
1288 | master_h = nf_conntrack_find_get(&init_net, &master); | 1361 | master_h = nf_conntrack_find_get(net, zone, &master); |
1289 | if (master_h == NULL) { | 1362 | if (master_h == NULL) { |
1290 | err = -ENOENT; | 1363 | err = -ENOENT; |
1291 | goto err2; | 1364 | goto err2; |
@@ -1313,11 +1386,17 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
1313 | const struct nlmsghdr *nlh, | 1386 | const struct nlmsghdr *nlh, |
1314 | const struct nlattr * const cda[]) | 1387 | const struct nlattr * const cda[]) |
1315 | { | 1388 | { |
1389 | struct net *net = sock_net(ctnl); | ||
1316 | struct nf_conntrack_tuple otuple, rtuple; | 1390 | struct nf_conntrack_tuple otuple, rtuple; |
1317 | struct nf_conntrack_tuple_hash *h = NULL; | 1391 | struct nf_conntrack_tuple_hash *h = NULL; |
1318 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 1392 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
1319 | u_int8_t u3 = nfmsg->nfgen_family; | 1393 | u_int8_t u3 = nfmsg->nfgen_family; |
1320 | int err = 0; | 1394 | u16 zone; |
1395 | int err; | ||
1396 | |||
1397 | err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); | ||
1398 | if (err < 0) | ||
1399 | return err; | ||
1321 | 1400 | ||
1322 | if (cda[CTA_TUPLE_ORIG]) { | 1401 | if (cda[CTA_TUPLE_ORIG]) { |
1323 | err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); | 1402 | err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); |
@@ -1333,9 +1412,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
1333 | 1412 | ||
1334 | spin_lock_bh(&nf_conntrack_lock); | 1413 | spin_lock_bh(&nf_conntrack_lock); |
1335 | if (cda[CTA_TUPLE_ORIG]) | 1414 | if (cda[CTA_TUPLE_ORIG]) |
1336 | h = __nf_conntrack_find(&init_net, &otuple); | 1415 | h = __nf_conntrack_find(net, zone, &otuple); |
1337 | else if (cda[CTA_TUPLE_REPLY]) | 1416 | else if (cda[CTA_TUPLE_REPLY]) |
1338 | h = __nf_conntrack_find(&init_net, &rtuple); | 1417 | h = __nf_conntrack_find(net, zone, &rtuple); |
1339 | 1418 | ||
1340 | if (h == NULL) { | 1419 | if (h == NULL) { |
1341 | err = -ENOENT; | 1420 | err = -ENOENT; |
@@ -1343,7 +1422,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
1343 | struct nf_conn *ct; | 1422 | struct nf_conn *ct; |
1344 | enum ip_conntrack_events events; | 1423 | enum ip_conntrack_events events; |
1345 | 1424 | ||
1346 | ct = ctnetlink_create_conntrack(cda, &otuple, | 1425 | ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, |
1347 | &rtuple, u3); | 1426 | &rtuple, u3); |
1348 | if (IS_ERR(ct)) { | 1427 | if (IS_ERR(ct)) { |
1349 | err = PTR_ERR(ct); | 1428 | err = PTR_ERR(ct); |
@@ -1357,7 +1436,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
1357 | else | 1436 | else |
1358 | events = IPCT_NEW; | 1437 | events = IPCT_NEW; |
1359 | 1438 | ||
1360 | nf_conntrack_eventmask_report((1 << IPCT_STATUS) | | 1439 | nf_conntrack_eventmask_report((1 << IPCT_REPLY) | |
1440 | (1 << IPCT_ASSURED) | | ||
1361 | (1 << IPCT_HELPER) | | 1441 | (1 << IPCT_HELPER) | |
1362 | (1 << IPCT_PROTOINFO) | | 1442 | (1 << IPCT_PROTOINFO) | |
1363 | (1 << IPCT_NATSEQADJ) | | 1443 | (1 << IPCT_NATSEQADJ) | |
@@ -1382,7 +1462,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
1382 | if (err == 0) { | 1462 | if (err == 0) { |
1383 | nf_conntrack_get(&ct->ct_general); | 1463 | nf_conntrack_get(&ct->ct_general); |
1384 | spin_unlock_bh(&nf_conntrack_lock); | 1464 | spin_unlock_bh(&nf_conntrack_lock); |
1385 | nf_conntrack_eventmask_report((1 << IPCT_STATUS) | | 1465 | nf_conntrack_eventmask_report((1 << IPCT_REPLY) | |
1466 | (1 << IPCT_ASSURED) | | ||
1386 | (1 << IPCT_HELPER) | | 1467 | (1 << IPCT_HELPER) | |
1387 | (1 << IPCT_PROTOINFO) | | 1468 | (1 << IPCT_PROTOINFO) | |
1388 | (1 << IPCT_NATSEQADJ) | | 1469 | (1 << IPCT_NATSEQADJ) | |
@@ -1469,6 +1550,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb, | |||
1469 | const struct nf_conntrack_expect *exp) | 1550 | const struct nf_conntrack_expect *exp) |
1470 | { | 1551 | { |
1471 | struct nf_conn *master = exp->master; | 1552 | struct nf_conn *master = exp->master; |
1553 | struct nf_conntrack_helper *helper; | ||
1472 | long timeout = (exp->timeout.expires - jiffies) / HZ; | 1554 | long timeout = (exp->timeout.expires - jiffies) / HZ; |
1473 | 1555 | ||
1474 | if (timeout < 0) | 1556 | if (timeout < 0) |
@@ -1485,6 +1567,9 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb, | |||
1485 | 1567 | ||
1486 | NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)); | 1568 | NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)); |
1487 | NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)); | 1569 | NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)); |
1570 | helper = rcu_dereference(nfct_help(master)->helper); | ||
1571 | if (helper) | ||
1572 | NLA_PUT_STRING(skb, CTA_EXPECT_HELP_NAME, helper->name); | ||
1488 | 1573 | ||
1489 | return 0; | 1574 | return 0; |
1490 | 1575 | ||
@@ -1526,9 +1611,10 @@ nla_put_failure: | |||
1526 | static int | 1611 | static int |
1527 | ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) | 1612 | ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) |
1528 | { | 1613 | { |
1614 | struct nf_conntrack_expect *exp = item->exp; | ||
1615 | struct net *net = nf_ct_exp_net(exp); | ||
1529 | struct nlmsghdr *nlh; | 1616 | struct nlmsghdr *nlh; |
1530 | struct nfgenmsg *nfmsg; | 1617 | struct nfgenmsg *nfmsg; |
1531 | struct nf_conntrack_expect *exp = item->exp; | ||
1532 | struct sk_buff *skb; | 1618 | struct sk_buff *skb; |
1533 | unsigned int type; | 1619 | unsigned int type; |
1534 | int flags = 0; | 1620 | int flags = 0; |
@@ -1540,7 +1626,7 @@ ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) | |||
1540 | return 0; | 1626 | return 0; |
1541 | 1627 | ||
1542 | if (!item->report && | 1628 | if (!item->report && |
1543 | !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW)) | 1629 | !nfnetlink_has_listeners(net, NFNLGRP_CONNTRACK_EXP_NEW)) |
1544 | return 0; | 1630 | return 0; |
1545 | 1631 | ||
1546 | skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); | 1632 | skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); |
@@ -1563,7 +1649,7 @@ ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) | |||
1563 | rcu_read_unlock(); | 1649 | rcu_read_unlock(); |
1564 | 1650 | ||
1565 | nlmsg_end(skb, nlh); | 1651 | nlmsg_end(skb, nlh); |
1566 | nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, | 1652 | nfnetlink_send(skb, net, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, |
1567 | item->report, GFP_ATOMIC); | 1653 | item->report, GFP_ATOMIC); |
1568 | return 0; | 1654 | return 0; |
1569 | 1655 | ||
@@ -1573,7 +1659,7 @@ nla_put_failure: | |||
1573 | nlmsg_failure: | 1659 | nlmsg_failure: |
1574 | kfree_skb(skb); | 1660 | kfree_skb(skb); |
1575 | errout: | 1661 | errout: |
1576 | nfnetlink_set_err(0, 0, -ENOBUFS); | 1662 | nfnetlink_set_err(net, 0, 0, -ENOBUFS); |
1577 | return 0; | 1663 | return 0; |
1578 | } | 1664 | } |
1579 | #endif | 1665 | #endif |
@@ -1587,7 +1673,7 @@ static int ctnetlink_exp_done(struct netlink_callback *cb) | |||
1587 | static int | 1673 | static int |
1588 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | 1674 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) |
1589 | { | 1675 | { |
1590 | struct net *net = &init_net; | 1676 | struct net *net = sock_net(skb->sk); |
1591 | struct nf_conntrack_expect *exp, *last; | 1677 | struct nf_conntrack_expect *exp, *last; |
1592 | struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); | 1678 | struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); |
1593 | struct hlist_node *n; | 1679 | struct hlist_node *n; |
@@ -1631,8 +1717,12 @@ out: | |||
1631 | } | 1717 | } |
1632 | 1718 | ||
1633 | static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { | 1719 | static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { |
1720 | [CTA_EXPECT_MASTER] = { .type = NLA_NESTED }, | ||
1721 | [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED }, | ||
1722 | [CTA_EXPECT_MASK] = { .type = NLA_NESTED }, | ||
1634 | [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, | 1723 | [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, |
1635 | [CTA_EXPECT_ID] = { .type = NLA_U32 }, | 1724 | [CTA_EXPECT_ID] = { .type = NLA_U32 }, |
1725 | [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING }, | ||
1636 | }; | 1726 | }; |
1637 | 1727 | ||
1638 | static int | 1728 | static int |
@@ -1640,12 +1730,14 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1640 | const struct nlmsghdr *nlh, | 1730 | const struct nlmsghdr *nlh, |
1641 | const struct nlattr * const cda[]) | 1731 | const struct nlattr * const cda[]) |
1642 | { | 1732 | { |
1733 | struct net *net = sock_net(ctnl); | ||
1643 | struct nf_conntrack_tuple tuple; | 1734 | struct nf_conntrack_tuple tuple; |
1644 | struct nf_conntrack_expect *exp; | 1735 | struct nf_conntrack_expect *exp; |
1645 | struct sk_buff *skb2; | 1736 | struct sk_buff *skb2; |
1646 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 1737 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
1647 | u_int8_t u3 = nfmsg->nfgen_family; | 1738 | u_int8_t u3 = nfmsg->nfgen_family; |
1648 | int err = 0; | 1739 | u16 zone; |
1740 | int err; | ||
1649 | 1741 | ||
1650 | if (nlh->nlmsg_flags & NLM_F_DUMP) { | 1742 | if (nlh->nlmsg_flags & NLM_F_DUMP) { |
1651 | return netlink_dump_start(ctnl, skb, nlh, | 1743 | return netlink_dump_start(ctnl, skb, nlh, |
@@ -1653,6 +1745,10 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1653 | ctnetlink_exp_done); | 1745 | ctnetlink_exp_done); |
1654 | } | 1746 | } |
1655 | 1747 | ||
1748 | err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); | ||
1749 | if (err < 0) | ||
1750 | return err; | ||
1751 | |||
1656 | if (cda[CTA_EXPECT_MASTER]) | 1752 | if (cda[CTA_EXPECT_MASTER]) |
1657 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); | 1753 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); |
1658 | else | 1754 | else |
@@ -1661,7 +1757,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1661 | if (err < 0) | 1757 | if (err < 0) |
1662 | return err; | 1758 | return err; |
1663 | 1759 | ||
1664 | exp = nf_ct_expect_find_get(&init_net, &tuple); | 1760 | exp = nf_ct_expect_find_get(net, zone, &tuple); |
1665 | if (!exp) | 1761 | if (!exp) |
1666 | return -ENOENT; | 1762 | return -ENOENT; |
1667 | 1763 | ||
@@ -1701,23 +1797,28 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1701 | const struct nlmsghdr *nlh, | 1797 | const struct nlmsghdr *nlh, |
1702 | const struct nlattr * const cda[]) | 1798 | const struct nlattr * const cda[]) |
1703 | { | 1799 | { |
1800 | struct net *net = sock_net(ctnl); | ||
1704 | struct nf_conntrack_expect *exp; | 1801 | struct nf_conntrack_expect *exp; |
1705 | struct nf_conntrack_tuple tuple; | 1802 | struct nf_conntrack_tuple tuple; |
1706 | struct nf_conntrack_helper *h; | ||
1707 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 1803 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
1708 | struct hlist_node *n, *next; | 1804 | struct hlist_node *n, *next; |
1709 | u_int8_t u3 = nfmsg->nfgen_family; | 1805 | u_int8_t u3 = nfmsg->nfgen_family; |
1710 | unsigned int i; | 1806 | unsigned int i; |
1807 | u16 zone; | ||
1711 | int err; | 1808 | int err; |
1712 | 1809 | ||
1713 | if (cda[CTA_EXPECT_TUPLE]) { | 1810 | if (cda[CTA_EXPECT_TUPLE]) { |
1714 | /* delete a single expect by tuple */ | 1811 | /* delete a single expect by tuple */ |
1812 | err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); | ||
1813 | if (err < 0) | ||
1814 | return err; | ||
1815 | |||
1715 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); | 1816 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); |
1716 | if (err < 0) | 1817 | if (err < 0) |
1717 | return err; | 1818 | return err; |
1718 | 1819 | ||
1719 | /* bump usage count to 2 */ | 1820 | /* bump usage count to 2 */ |
1720 | exp = nf_ct_expect_find_get(&init_net, &tuple); | 1821 | exp = nf_ct_expect_find_get(net, zone, &tuple); |
1721 | if (!exp) | 1822 | if (!exp) |
1722 | return -ENOENT; | 1823 | return -ENOENT; |
1723 | 1824 | ||
@@ -1740,18 +1841,13 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1740 | 1841 | ||
1741 | /* delete all expectations for this helper */ | 1842 | /* delete all expectations for this helper */ |
1742 | spin_lock_bh(&nf_conntrack_lock); | 1843 | spin_lock_bh(&nf_conntrack_lock); |
1743 | h = __nf_conntrack_helper_find_byname(name); | ||
1744 | if (!h) { | ||
1745 | spin_unlock_bh(&nf_conntrack_lock); | ||
1746 | return -EOPNOTSUPP; | ||
1747 | } | ||
1748 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1844 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
1749 | hlist_for_each_entry_safe(exp, n, next, | 1845 | hlist_for_each_entry_safe(exp, n, next, |
1750 | &init_net.ct.expect_hash[i], | 1846 | &net->ct.expect_hash[i], |
1751 | hnode) { | 1847 | hnode) { |
1752 | m_help = nfct_help(exp->master); | 1848 | m_help = nfct_help(exp->master); |
1753 | if (m_help->helper == h | 1849 | if (!strcmp(m_help->helper->name, name) && |
1754 | && del_timer(&exp->timeout)) { | 1850 | del_timer(&exp->timeout)) { |
1755 | nf_ct_unlink_expect(exp); | 1851 | nf_ct_unlink_expect(exp); |
1756 | nf_ct_expect_put(exp); | 1852 | nf_ct_expect_put(exp); |
1757 | } | 1853 | } |
@@ -1763,7 +1859,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1763 | spin_lock_bh(&nf_conntrack_lock); | 1859 | spin_lock_bh(&nf_conntrack_lock); |
1764 | for (i = 0; i < nf_ct_expect_hsize; i++) { | 1860 | for (i = 0; i < nf_ct_expect_hsize; i++) { |
1765 | hlist_for_each_entry_safe(exp, n, next, | 1861 | hlist_for_each_entry_safe(exp, n, next, |
1766 | &init_net.ct.expect_hash[i], | 1862 | &net->ct.expect_hash[i], |
1767 | hnode) { | 1863 | hnode) { |
1768 | if (del_timer(&exp->timeout)) { | 1864 | if (del_timer(&exp->timeout)) { |
1769 | nf_ct_unlink_expect(exp); | 1865 | nf_ct_unlink_expect(exp); |
@@ -1784,7 +1880,9 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x, | |||
1784 | } | 1880 | } |
1785 | 1881 | ||
1786 | static int | 1882 | static int |
1787 | ctnetlink_create_expect(const struct nlattr * const cda[], u_int8_t u3, | 1883 | ctnetlink_create_expect(struct net *net, u16 zone, |
1884 | const struct nlattr * const cda[], | ||
1885 | u_int8_t u3, | ||
1788 | u32 pid, int report) | 1886 | u32 pid, int report) |
1789 | { | 1887 | { |
1790 | struct nf_conntrack_tuple tuple, mask, master_tuple; | 1888 | struct nf_conntrack_tuple tuple, mask, master_tuple; |
@@ -1806,7 +1904,7 @@ ctnetlink_create_expect(const struct nlattr * const cda[], u_int8_t u3, | |||
1806 | return err; | 1904 | return err; |
1807 | 1905 | ||
1808 | /* Look for master conntrack of this expectation */ | 1906 | /* Look for master conntrack of this expectation */ |
1809 | h = nf_conntrack_find_get(&init_net, &master_tuple); | 1907 | h = nf_conntrack_find_get(net, zone, &master_tuple); |
1810 | if (!h) | 1908 | if (!h) |
1811 | return -ENOENT; | 1909 | return -ENOENT; |
1812 | ct = nf_ct_tuplehash_to_ctrack(h); | 1910 | ct = nf_ct_tuplehash_to_ctrack(h); |
@@ -1846,29 +1944,35 @@ ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, | |||
1846 | const struct nlmsghdr *nlh, | 1944 | const struct nlmsghdr *nlh, |
1847 | const struct nlattr * const cda[]) | 1945 | const struct nlattr * const cda[]) |
1848 | { | 1946 | { |
1947 | struct net *net = sock_net(ctnl); | ||
1849 | struct nf_conntrack_tuple tuple; | 1948 | struct nf_conntrack_tuple tuple; |
1850 | struct nf_conntrack_expect *exp; | 1949 | struct nf_conntrack_expect *exp; |
1851 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); | 1950 | struct nfgenmsg *nfmsg = nlmsg_data(nlh); |
1852 | u_int8_t u3 = nfmsg->nfgen_family; | 1951 | u_int8_t u3 = nfmsg->nfgen_family; |
1853 | int err = 0; | 1952 | u16 zone; |
1953 | int err; | ||
1854 | 1954 | ||
1855 | if (!cda[CTA_EXPECT_TUPLE] | 1955 | if (!cda[CTA_EXPECT_TUPLE] |
1856 | || !cda[CTA_EXPECT_MASK] | 1956 | || !cda[CTA_EXPECT_MASK] |
1857 | || !cda[CTA_EXPECT_MASTER]) | 1957 | || !cda[CTA_EXPECT_MASTER]) |
1858 | return -EINVAL; | 1958 | return -EINVAL; |
1859 | 1959 | ||
1960 | err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); | ||
1961 | if (err < 0) | ||
1962 | return err; | ||
1963 | |||
1860 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); | 1964 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); |
1861 | if (err < 0) | 1965 | if (err < 0) |
1862 | return err; | 1966 | return err; |
1863 | 1967 | ||
1864 | spin_lock_bh(&nf_conntrack_lock); | 1968 | spin_lock_bh(&nf_conntrack_lock); |
1865 | exp = __nf_ct_expect_find(&init_net, &tuple); | 1969 | exp = __nf_ct_expect_find(net, zone, &tuple); |
1866 | 1970 | ||
1867 | if (!exp) { | 1971 | if (!exp) { |
1868 | spin_unlock_bh(&nf_conntrack_lock); | 1972 | spin_unlock_bh(&nf_conntrack_lock); |
1869 | err = -ENOENT; | 1973 | err = -ENOENT; |
1870 | if (nlh->nlmsg_flags & NLM_F_CREATE) { | 1974 | if (nlh->nlmsg_flags & NLM_F_CREATE) { |
1871 | err = ctnetlink_create_expect(cda, | 1975 | err = ctnetlink_create_expect(net, zone, cda, |
1872 | u3, | 1976 | u3, |
1873 | NETLINK_CB(skb).pid, | 1977 | NETLINK_CB(skb).pid, |
1874 | nlmsg_report(nlh)); | 1978 | nlmsg_report(nlh)); |
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 3807ac7faf4c..088944824e13 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <net/netfilter/nf_conntrack.h> | 28 | #include <net/netfilter/nf_conntrack.h> |
29 | #include <net/netfilter/nf_conntrack_core.h> | 29 | #include <net/netfilter/nf_conntrack_core.h> |
30 | #include <net/netfilter/nf_conntrack_helper.h> | 30 | #include <net/netfilter/nf_conntrack_helper.h> |
31 | #include <net/netfilter/nf_conntrack_zones.h> | ||
31 | #include <linux/netfilter/nf_conntrack_proto_gre.h> | 32 | #include <linux/netfilter/nf_conntrack_proto_gre.h> |
32 | #include <linux/netfilter/nf_conntrack_pptp.h> | 33 | #include <linux/netfilter/nf_conntrack_pptp.h> |
33 | 34 | ||
@@ -123,7 +124,7 @@ static void pptp_expectfn(struct nf_conn *ct, | |||
123 | pr_debug("trying to unexpect other dir: "); | 124 | pr_debug("trying to unexpect other dir: "); |
124 | nf_ct_dump_tuple(&inv_t); | 125 | nf_ct_dump_tuple(&inv_t); |
125 | 126 | ||
126 | exp_other = nf_ct_expect_find_get(net, &inv_t); | 127 | exp_other = nf_ct_expect_find_get(net, nf_ct_zone(ct), &inv_t); |
127 | if (exp_other) { | 128 | if (exp_other) { |
128 | /* delete other expectation. */ | 129 | /* delete other expectation. */ |
129 | pr_debug("found\n"); | 130 | pr_debug("found\n"); |
@@ -136,17 +137,18 @@ static void pptp_expectfn(struct nf_conn *ct, | |||
136 | rcu_read_unlock(); | 137 | rcu_read_unlock(); |
137 | } | 138 | } |
138 | 139 | ||
139 | static int destroy_sibling_or_exp(struct net *net, | 140 | static int destroy_sibling_or_exp(struct net *net, struct nf_conn *ct, |
140 | const struct nf_conntrack_tuple *t) | 141 | const struct nf_conntrack_tuple *t) |
141 | { | 142 | { |
142 | const struct nf_conntrack_tuple_hash *h; | 143 | const struct nf_conntrack_tuple_hash *h; |
143 | struct nf_conntrack_expect *exp; | 144 | struct nf_conntrack_expect *exp; |
144 | struct nf_conn *sibling; | 145 | struct nf_conn *sibling; |
146 | u16 zone = nf_ct_zone(ct); | ||
145 | 147 | ||
146 | pr_debug("trying to timeout ct or exp for tuple "); | 148 | pr_debug("trying to timeout ct or exp for tuple "); |
147 | nf_ct_dump_tuple(t); | 149 | nf_ct_dump_tuple(t); |
148 | 150 | ||
149 | h = nf_conntrack_find_get(net, t); | 151 | h = nf_conntrack_find_get(net, zone, t); |
150 | if (h) { | 152 | if (h) { |
151 | sibling = nf_ct_tuplehash_to_ctrack(h); | 153 | sibling = nf_ct_tuplehash_to_ctrack(h); |
152 | pr_debug("setting timeout of conntrack %p to 0\n", sibling); | 154 | pr_debug("setting timeout of conntrack %p to 0\n", sibling); |
@@ -157,7 +159,7 @@ static int destroy_sibling_or_exp(struct net *net, | |||
157 | nf_ct_put(sibling); | 159 | nf_ct_put(sibling); |
158 | return 1; | 160 | return 1; |
159 | } else { | 161 | } else { |
160 | exp = nf_ct_expect_find_get(net, t); | 162 | exp = nf_ct_expect_find_get(net, zone, t); |
161 | if (exp) { | 163 | if (exp) { |
162 | pr_debug("unexpect_related of expect %p\n", exp); | 164 | pr_debug("unexpect_related of expect %p\n", exp); |
163 | nf_ct_unexpect_related(exp); | 165 | nf_ct_unexpect_related(exp); |
@@ -182,7 +184,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct) | |||
182 | t.dst.protonum = IPPROTO_GRE; | 184 | t.dst.protonum = IPPROTO_GRE; |
183 | t.src.u.gre.key = help->help.ct_pptp_info.pns_call_id; | 185 | t.src.u.gre.key = help->help.ct_pptp_info.pns_call_id; |
184 | t.dst.u.gre.key = help->help.ct_pptp_info.pac_call_id; | 186 | t.dst.u.gre.key = help->help.ct_pptp_info.pac_call_id; |
185 | if (!destroy_sibling_or_exp(net, &t)) | 187 | if (!destroy_sibling_or_exp(net, ct, &t)) |
186 | pr_debug("failed to timeout original pns->pac ct/exp\n"); | 188 | pr_debug("failed to timeout original pns->pac ct/exp\n"); |
187 | 189 | ||
188 | /* try reply (pac->pns) tuple */ | 190 | /* try reply (pac->pns) tuple */ |
@@ -190,7 +192,7 @@ static void pptp_destroy_siblings(struct nf_conn *ct) | |||
190 | t.dst.protonum = IPPROTO_GRE; | 192 | t.dst.protonum = IPPROTO_GRE; |
191 | t.src.u.gre.key = help->help.ct_pptp_info.pac_call_id; | 193 | t.src.u.gre.key = help->help.ct_pptp_info.pac_call_id; |
192 | t.dst.u.gre.key = help->help.ct_pptp_info.pns_call_id; | 194 | t.dst.u.gre.key = help->help.ct_pptp_info.pns_call_id; |
193 | if (!destroy_sibling_or_exp(net, &t)) | 195 | if (!destroy_sibling_or_exp(net, ct, &t)) |
194 | pr_debug("failed to timeout reply pac->pns ct/exp\n"); | 196 | pr_debug("failed to timeout reply pac->pns ct/exp\n"); |
195 | } | 197 | } |
196 | 198 | ||
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c index dd375500dccc..9a2815549375 100644 --- a/net/netfilter/nf_conntrack_proto_dccp.c +++ b/net/netfilter/nf_conntrack_proto_dccp.c | |||
@@ -561,8 +561,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, | |||
561 | return NF_ACCEPT; | 561 | return NF_ACCEPT; |
562 | } | 562 | } |
563 | 563 | ||
564 | static int dccp_error(struct net *net, struct sk_buff *skb, | 564 | static int dccp_error(struct net *net, struct nf_conn *tmpl, |
565 | unsigned int dataoff, enum ip_conntrack_info *ctinfo, | 565 | struct sk_buff *skb, unsigned int dataoff, |
566 | enum ip_conntrack_info *ctinfo, | ||
566 | u_int8_t pf, unsigned int hooknum) | 567 | u_int8_t pf, unsigned int hooknum) |
567 | { | 568 | { |
568 | struct dccp_hdr _dh, *dh; | 569 | struct dccp_hdr _dh, *dh; |
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index c99cfba64ddc..d899b1a69940 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c | |||
@@ -241,7 +241,7 @@ static int gre_packet(struct nf_conn *ct, | |||
241 | ct->proto.gre.stream_timeout); | 241 | ct->proto.gre.stream_timeout); |
242 | /* Also, more likely to be important, and not a probe. */ | 242 | /* Also, more likely to be important, and not a probe. */ |
243 | set_bit(IPS_ASSURED_BIT, &ct->status); | 243 | set_bit(IPS_ASSURED_BIT, &ct->status); |
244 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 244 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
245 | } else | 245 | } else |
246 | nf_ct_refresh_acct(ct, ctinfo, skb, | 246 | nf_ct_refresh_acct(ct, ctinfo, skb, |
247 | ct->proto.gre.timeout); | 247 | ct->proto.gre.timeout); |
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index f9d930f80276..b68ff15ed979 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |||
@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *ct, | |||
377 | new_state == SCTP_CONNTRACK_ESTABLISHED) { | 377 | new_state == SCTP_CONNTRACK_ESTABLISHED) { |
378 | pr_debug("Setting assured bit\n"); | 378 | pr_debug("Setting assured bit\n"); |
379 | set_bit(IPS_ASSURED_BIT, &ct->status); | 379 | set_bit(IPS_ASSURED_BIT, &ct->status); |
380 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 380 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
381 | } | 381 | } |
382 | 382 | ||
383 | return NF_ACCEPT; | 383 | return NF_ACCEPT; |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 3c96437b45ad..9dd8cd4fb6e6 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -760,7 +760,7 @@ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = | |||
760 | }; | 760 | }; |
761 | 761 | ||
762 | /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ | 762 | /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ |
763 | static int tcp_error(struct net *net, | 763 | static int tcp_error(struct net *net, struct nf_conn *tmpl, |
764 | struct sk_buff *skb, | 764 | struct sk_buff *skb, |
765 | unsigned int dataoff, | 765 | unsigned int dataoff, |
766 | enum ip_conntrack_info *ctinfo, | 766 | enum ip_conntrack_info *ctinfo, |
@@ -1045,7 +1045,7 @@ static int tcp_packet(struct nf_conn *ct, | |||
1045 | after SYN_RECV or a valid answer for a picked up | 1045 | after SYN_RECV or a valid answer for a picked up |
1046 | connection. */ | 1046 | connection. */ |
1047 | set_bit(IPS_ASSURED_BIT, &ct->status); | 1047 | set_bit(IPS_ASSURED_BIT, &ct->status); |
1048 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 1048 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
1049 | } | 1049 | } |
1050 | nf_ct_refresh_acct(ct, ctinfo, skb, timeout); | 1050 | nf_ct_refresh_acct(ct, ctinfo, skb, timeout); |
1051 | 1051 | ||
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 5c5518bedb4b..8289088b8218 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c | |||
@@ -77,7 +77,7 @@ static int udp_packet(struct nf_conn *ct, | |||
77 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); | 77 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); |
78 | /* Also, more likely to be important, and not a probe */ | 78 | /* Also, more likely to be important, and not a probe */ |
79 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) | 79 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
80 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 80 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
81 | } else | 81 | } else |
82 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); | 82 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); |
83 | 83 | ||
@@ -91,8 +91,8 @@ static bool udp_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
91 | return true; | 91 | return true; |
92 | } | 92 | } |
93 | 93 | ||
94 | static int udp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | 94 | static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, |
95 | enum ip_conntrack_info *ctinfo, | 95 | unsigned int dataoff, enum ip_conntrack_info *ctinfo, |
96 | u_int8_t pf, | 96 | u_int8_t pf, |
97 | unsigned int hooknum) | 97 | unsigned int hooknum) |
98 | { | 98 | { |
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c index 458655bb2106..263b5a72588d 100644 --- a/net/netfilter/nf_conntrack_proto_udplite.c +++ b/net/netfilter/nf_conntrack_proto_udplite.c | |||
@@ -75,7 +75,7 @@ static int udplite_packet(struct nf_conn *ct, | |||
75 | nf_ct_udplite_timeout_stream); | 75 | nf_ct_udplite_timeout_stream); |
76 | /* Also, more likely to be important, and not a probe */ | 76 | /* Also, more likely to be important, and not a probe */ |
77 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) | 77 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
78 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 78 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
79 | } else | 79 | } else |
80 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); | 80 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); |
81 | 81 | ||
@@ -89,7 +89,7 @@ static bool udplite_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
89 | return true; | 89 | return true; |
90 | } | 90 | } |
91 | 91 | ||
92 | static int udplite_error(struct net *net, | 92 | static int udplite_error(struct net *net, struct nf_conn *tmpl, |
93 | struct sk_buff *skb, | 93 | struct sk_buff *skb, |
94 | unsigned int dataoff, | 94 | unsigned int dataoff, |
95 | enum ip_conntrack_info *ctinfo, | 95 | enum ip_conntrack_info *ctinfo, |
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 023966b569bf..8dd75d90efc0 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c | |||
@@ -16,12 +16,14 @@ | |||
16 | #include <linux/inet.h> | 16 | #include <linux/inet.h> |
17 | #include <linux/in.h> | 17 | #include <linux/in.h> |
18 | #include <linux/udp.h> | 18 | #include <linux/udp.h> |
19 | #include <linux/tcp.h> | ||
19 | #include <linux/netfilter.h> | 20 | #include <linux/netfilter.h> |
20 | 21 | ||
21 | #include <net/netfilter/nf_conntrack.h> | 22 | #include <net/netfilter/nf_conntrack.h> |
22 | #include <net/netfilter/nf_conntrack_core.h> | 23 | #include <net/netfilter/nf_conntrack_core.h> |
23 | #include <net/netfilter/nf_conntrack_expect.h> | 24 | #include <net/netfilter/nf_conntrack_expect.h> |
24 | #include <net/netfilter/nf_conntrack_helper.h> | 25 | #include <net/netfilter/nf_conntrack_helper.h> |
26 | #include <net/netfilter/nf_conntrack_zones.h> | ||
25 | #include <linux/netfilter/nf_conntrack_sip.h> | 27 | #include <linux/netfilter/nf_conntrack_sip.h> |
26 | 28 | ||
27 | MODULE_LICENSE("GPL"); | 29 | MODULE_LICENSE("GPL"); |
@@ -50,12 +52,16 @@ module_param(sip_direct_media, int, 0600); | |||
50 | MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling " | 52 | MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling " |
51 | "endpoints only (default 1)"); | 53 | "endpoints only (default 1)"); |
52 | 54 | ||
53 | unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, | 55 | unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb, unsigned int dataoff, |
54 | const char **dptr, | 56 | const char **dptr, |
55 | unsigned int *datalen) __read_mostly; | 57 | unsigned int *datalen) __read_mostly; |
56 | EXPORT_SYMBOL_GPL(nf_nat_sip_hook); | 58 | EXPORT_SYMBOL_GPL(nf_nat_sip_hook); |
57 | 59 | ||
60 | void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off) __read_mostly; | ||
61 | EXPORT_SYMBOL_GPL(nf_nat_sip_seq_adjust_hook); | ||
62 | |||
58 | unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, | 63 | unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, |
64 | unsigned int dataoff, | ||
59 | const char **dptr, | 65 | const char **dptr, |
60 | unsigned int *datalen, | 66 | unsigned int *datalen, |
61 | struct nf_conntrack_expect *exp, | 67 | struct nf_conntrack_expect *exp, |
@@ -63,17 +69,17 @@ unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb, | |||
63 | unsigned int matchlen) __read_mostly; | 69 | unsigned int matchlen) __read_mostly; |
64 | EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook); | 70 | EXPORT_SYMBOL_GPL(nf_nat_sip_expect_hook); |
65 | 71 | ||
66 | unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, | 72 | unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb, unsigned int dataoff, |
67 | const char **dptr, | 73 | const char **dptr, |
68 | unsigned int dataoff, | ||
69 | unsigned int *datalen, | 74 | unsigned int *datalen, |
75 | unsigned int sdpoff, | ||
70 | enum sdp_header_types type, | 76 | enum sdp_header_types type, |
71 | enum sdp_header_types term, | 77 | enum sdp_header_types term, |
72 | const union nf_inet_addr *addr) | 78 | const union nf_inet_addr *addr) |
73 | __read_mostly; | 79 | __read_mostly; |
74 | EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook); | 80 | EXPORT_SYMBOL_GPL(nf_nat_sdp_addr_hook); |
75 | 81 | ||
76 | unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, | 82 | unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, unsigned int dataoff, |
77 | const char **dptr, | 83 | const char **dptr, |
78 | unsigned int *datalen, | 84 | unsigned int *datalen, |
79 | unsigned int matchoff, | 85 | unsigned int matchoff, |
@@ -82,14 +88,15 @@ unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb, | |||
82 | EXPORT_SYMBOL_GPL(nf_nat_sdp_port_hook); | 88 | EXPORT_SYMBOL_GPL(nf_nat_sdp_port_hook); |
83 | 89 | ||
84 | unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb, | 90 | unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb, |
85 | const char **dptr, | ||
86 | unsigned int dataoff, | 91 | unsigned int dataoff, |
92 | const char **dptr, | ||
87 | unsigned int *datalen, | 93 | unsigned int *datalen, |
94 | unsigned int sdpoff, | ||
88 | const union nf_inet_addr *addr) | 95 | const union nf_inet_addr *addr) |
89 | __read_mostly; | 96 | __read_mostly; |
90 | EXPORT_SYMBOL_GPL(nf_nat_sdp_session_hook); | 97 | EXPORT_SYMBOL_GPL(nf_nat_sdp_session_hook); |
91 | 98 | ||
92 | unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, | 99 | unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb, unsigned int dataoff, |
93 | const char **dptr, | 100 | const char **dptr, |
94 | unsigned int *datalen, | 101 | unsigned int *datalen, |
95 | struct nf_conntrack_expect *rtp_exp, | 102 | struct nf_conntrack_expect *rtp_exp, |
@@ -236,12 +243,13 @@ int ct_sip_parse_request(const struct nf_conn *ct, | |||
236 | return 0; | 243 | return 0; |
237 | 244 | ||
238 | /* Find SIP URI */ | 245 | /* Find SIP URI */ |
239 | limit -= strlen("sip:"); | 246 | for (; dptr < limit - strlen("sip:"); dptr++) { |
240 | for (; dptr < limit; dptr++) { | ||
241 | if (*dptr == '\r' || *dptr == '\n') | 247 | if (*dptr == '\r' || *dptr == '\n') |
242 | return -1; | 248 | return -1; |
243 | if (strnicmp(dptr, "sip:", strlen("sip:")) == 0) | 249 | if (strnicmp(dptr, "sip:", strlen("sip:")) == 0) { |
250 | dptr += strlen("sip:"); | ||
244 | break; | 251 | break; |
252 | } | ||
245 | } | 253 | } |
246 | if (!skp_epaddr_len(ct, dptr, limit, &shift)) | 254 | if (!skp_epaddr_len(ct, dptr, limit, &shift)) |
247 | return 0; | 255 | return 0; |
@@ -284,7 +292,8 @@ static const struct sip_header ct_sip_hdrs[] = { | |||
284 | [SIP_HDR_FROM] = SIP_HDR("From", "f", "sip:", skp_epaddr_len), | 292 | [SIP_HDR_FROM] = SIP_HDR("From", "f", "sip:", skp_epaddr_len), |
285 | [SIP_HDR_TO] = SIP_HDR("To", "t", "sip:", skp_epaddr_len), | 293 | [SIP_HDR_TO] = SIP_HDR("To", "t", "sip:", skp_epaddr_len), |
286 | [SIP_HDR_CONTACT] = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len), | 294 | [SIP_HDR_CONTACT] = SIP_HDR("Contact", "m", "sip:", skp_epaddr_len), |
287 | [SIP_HDR_VIA] = SIP_HDR("Via", "v", "UDP ", epaddr_len), | 295 | [SIP_HDR_VIA_UDP] = SIP_HDR("Via", "v", "UDP ", epaddr_len), |
296 | [SIP_HDR_VIA_TCP] = SIP_HDR("Via", "v", "TCP ", epaddr_len), | ||
288 | [SIP_HDR_EXPIRES] = SIP_HDR("Expires", NULL, NULL, digits_len), | 297 | [SIP_HDR_EXPIRES] = SIP_HDR("Expires", NULL, NULL, digits_len), |
289 | [SIP_HDR_CONTENT_LENGTH] = SIP_HDR("Content-Length", "l", NULL, digits_len), | 298 | [SIP_HDR_CONTENT_LENGTH] = SIP_HDR("Content-Length", "l", NULL, digits_len), |
290 | }; | 299 | }; |
@@ -516,6 +525,33 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr, | |||
516 | } | 525 | } |
517 | EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri); | 526 | EXPORT_SYMBOL_GPL(ct_sip_parse_header_uri); |
518 | 527 | ||
528 | static int ct_sip_parse_param(const struct nf_conn *ct, const char *dptr, | ||
529 | unsigned int dataoff, unsigned int datalen, | ||
530 | const char *name, | ||
531 | unsigned int *matchoff, unsigned int *matchlen) | ||
532 | { | ||
533 | const char *limit = dptr + datalen; | ||
534 | const char *start; | ||
535 | const char *end; | ||
536 | |||
537 | limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(",")); | ||
538 | if (!limit) | ||
539 | limit = dptr + datalen; | ||
540 | |||
541 | start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name)); | ||
542 | if (!start) | ||
543 | return 0; | ||
544 | start += strlen(name); | ||
545 | |||
546 | end = ct_sip_header_search(start, limit, ";", strlen(";")); | ||
547 | if (!end) | ||
548 | end = limit; | ||
549 | |||
550 | *matchoff = start - dptr; | ||
551 | *matchlen = end - start; | ||
552 | return 1; | ||
553 | } | ||
554 | |||
519 | /* Parse address from header parameter and return address, offset and length */ | 555 | /* Parse address from header parameter and return address, offset and length */ |
520 | int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr, | 556 | int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr, |
521 | unsigned int dataoff, unsigned int datalen, | 557 | unsigned int dataoff, unsigned int datalen, |
@@ -574,6 +610,29 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr, | |||
574 | } | 610 | } |
575 | EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param); | 611 | EXPORT_SYMBOL_GPL(ct_sip_parse_numerical_param); |
576 | 612 | ||
613 | static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr, | ||
614 | unsigned int dataoff, unsigned int datalen, | ||
615 | u8 *proto) | ||
616 | { | ||
617 | unsigned int matchoff, matchlen; | ||
618 | |||
619 | if (ct_sip_parse_param(ct, dptr, dataoff, datalen, "transport=", | ||
620 | &matchoff, &matchlen)) { | ||
621 | if (!strnicmp(dptr + matchoff, "TCP", strlen("TCP"))) | ||
622 | *proto = IPPROTO_TCP; | ||
623 | else if (!strnicmp(dptr + matchoff, "UDP", strlen("UDP"))) | ||
624 | *proto = IPPROTO_UDP; | ||
625 | else | ||
626 | return 0; | ||
627 | |||
628 | if (*proto != nf_ct_protonum(ct)) | ||
629 | return 0; | ||
630 | } else | ||
631 | *proto = nf_ct_protonum(ct); | ||
632 | |||
633 | return 1; | ||
634 | } | ||
635 | |||
577 | /* SDP header parsing: a SDP session description contains an ordered set of | 636 | /* SDP header parsing: a SDP session description contains an ordered set of |
578 | * headers, starting with a section containing general session parameters, | 637 | * headers, starting with a section containing general session parameters, |
579 | * optionally followed by multiple media descriptions. | 638 | * optionally followed by multiple media descriptions. |
@@ -682,7 +741,7 @@ static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr, | |||
682 | 741 | ||
683 | static int refresh_signalling_expectation(struct nf_conn *ct, | 742 | static int refresh_signalling_expectation(struct nf_conn *ct, |
684 | union nf_inet_addr *addr, | 743 | union nf_inet_addr *addr, |
685 | __be16 port, | 744 | u8 proto, __be16 port, |
686 | unsigned int expires) | 745 | unsigned int expires) |
687 | { | 746 | { |
688 | struct nf_conn_help *help = nfct_help(ct); | 747 | struct nf_conn_help *help = nfct_help(ct); |
@@ -694,6 +753,7 @@ static int refresh_signalling_expectation(struct nf_conn *ct, | |||
694 | hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) { | 753 | hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) { |
695 | if (exp->class != SIP_EXPECT_SIGNALLING || | 754 | if (exp->class != SIP_EXPECT_SIGNALLING || |
696 | !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) || | 755 | !nf_inet_addr_cmp(&exp->tuple.dst.u3, addr) || |
756 | exp->tuple.dst.protonum != proto || | ||
697 | exp->tuple.dst.u.udp.port != port) | 757 | exp->tuple.dst.u.udp.port != port) |
698 | continue; | 758 | continue; |
699 | if (!del_timer(&exp->timeout)) | 759 | if (!del_timer(&exp->timeout)) |
@@ -728,7 +788,7 @@ static void flush_expectations(struct nf_conn *ct, bool media) | |||
728 | spin_unlock_bh(&nf_conntrack_lock); | 788 | spin_unlock_bh(&nf_conntrack_lock); |
729 | } | 789 | } |
730 | 790 | ||
731 | static int set_expected_rtp_rtcp(struct sk_buff *skb, | 791 | static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int dataoff, |
732 | const char **dptr, unsigned int *datalen, | 792 | const char **dptr, unsigned int *datalen, |
733 | union nf_inet_addr *daddr, __be16 port, | 793 | union nf_inet_addr *daddr, __be16 port, |
734 | enum sip_expectation_classes class, | 794 | enum sip_expectation_classes class, |
@@ -777,7 +837,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, | |||
777 | 837 | ||
778 | rcu_read_lock(); | 838 | rcu_read_lock(); |
779 | do { | 839 | do { |
780 | exp = __nf_ct_expect_find(net, &tuple); | 840 | exp = __nf_ct_expect_find(net, nf_ct_zone(ct), &tuple); |
781 | 841 | ||
782 | if (!exp || exp->master == ct || | 842 | if (!exp || exp->master == ct || |
783 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || | 843 | nfct_help(exp->master)->helper != nfct_help(ct)->helper || |
@@ -805,7 +865,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, | |||
805 | if (direct_rtp) { | 865 | if (direct_rtp) { |
806 | nf_nat_sdp_port = rcu_dereference(nf_nat_sdp_port_hook); | 866 | nf_nat_sdp_port = rcu_dereference(nf_nat_sdp_port_hook); |
807 | if (nf_nat_sdp_port && | 867 | if (nf_nat_sdp_port && |
808 | !nf_nat_sdp_port(skb, dptr, datalen, | 868 | !nf_nat_sdp_port(skb, dataoff, dptr, datalen, |
809 | mediaoff, medialen, ntohs(rtp_port))) | 869 | mediaoff, medialen, ntohs(rtp_port))) |
810 | goto err1; | 870 | goto err1; |
811 | } | 871 | } |
@@ -827,7 +887,8 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, | |||
827 | 887 | ||
828 | nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook); | 888 | nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook); |
829 | if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK && !direct_rtp) | 889 | if (nf_nat_sdp_media && ct->status & IPS_NAT_MASK && !direct_rtp) |
830 | ret = nf_nat_sdp_media(skb, dptr, datalen, rtp_exp, rtcp_exp, | 890 | ret = nf_nat_sdp_media(skb, dataoff, dptr, datalen, |
891 | rtp_exp, rtcp_exp, | ||
831 | mediaoff, medialen, daddr); | 892 | mediaoff, medialen, daddr); |
832 | else { | 893 | else { |
833 | if (nf_ct_expect_related(rtp_exp) == 0) { | 894 | if (nf_ct_expect_related(rtp_exp) == 0) { |
@@ -847,6 +908,7 @@ err1: | |||
847 | static const struct sdp_media_type sdp_media_types[] = { | 908 | static const struct sdp_media_type sdp_media_types[] = { |
848 | SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO), | 909 | SDP_MEDIA_TYPE("audio ", SIP_EXPECT_AUDIO), |
849 | SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO), | 910 | SDP_MEDIA_TYPE("video ", SIP_EXPECT_VIDEO), |
911 | SDP_MEDIA_TYPE("image ", SIP_EXPECT_IMAGE), | ||
850 | }; | 912 | }; |
851 | 913 | ||
852 | static const struct sdp_media_type *sdp_media_type(const char *dptr, | 914 | static const struct sdp_media_type *sdp_media_type(const char *dptr, |
@@ -866,13 +928,12 @@ static const struct sdp_media_type *sdp_media_type(const char *dptr, | |||
866 | return NULL; | 928 | return NULL; |
867 | } | 929 | } |
868 | 930 | ||
869 | static int process_sdp(struct sk_buff *skb, | 931 | static int process_sdp(struct sk_buff *skb, unsigned int dataoff, |
870 | const char **dptr, unsigned int *datalen, | 932 | const char **dptr, unsigned int *datalen, |
871 | unsigned int cseq) | 933 | unsigned int cseq) |
872 | { | 934 | { |
873 | enum ip_conntrack_info ctinfo; | 935 | enum ip_conntrack_info ctinfo; |
874 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | 936 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); |
875 | struct nf_conn_help *help = nfct_help(ct); | ||
876 | unsigned int matchoff, matchlen; | 937 | unsigned int matchoff, matchlen; |
877 | unsigned int mediaoff, medialen; | 938 | unsigned int mediaoff, medialen; |
878 | unsigned int sdpoff; | 939 | unsigned int sdpoff; |
@@ -941,7 +1002,7 @@ static int process_sdp(struct sk_buff *skb, | |||
941 | else | 1002 | else |
942 | return NF_DROP; | 1003 | return NF_DROP; |
943 | 1004 | ||
944 | ret = set_expected_rtp_rtcp(skb, dptr, datalen, | 1005 | ret = set_expected_rtp_rtcp(skb, dataoff, dptr, datalen, |
945 | &rtp_addr, htons(port), t->class, | 1006 | &rtp_addr, htons(port), t->class, |
946 | mediaoff, medialen); | 1007 | mediaoff, medialen); |
947 | if (ret != NF_ACCEPT) | 1008 | if (ret != NF_ACCEPT) |
@@ -949,8 +1010,9 @@ static int process_sdp(struct sk_buff *skb, | |||
949 | 1010 | ||
950 | /* Update media connection address if present */ | 1011 | /* Update media connection address if present */ |
951 | if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) { | 1012 | if (maddr_len && nf_nat_sdp_addr && ct->status & IPS_NAT_MASK) { |
952 | ret = nf_nat_sdp_addr(skb, dptr, mediaoff, datalen, | 1013 | ret = nf_nat_sdp_addr(skb, dataoff, dptr, datalen, |
953 | c_hdr, SDP_HDR_MEDIA, &rtp_addr); | 1014 | mediaoff, c_hdr, SDP_HDR_MEDIA, |
1015 | &rtp_addr); | ||
954 | if (ret != NF_ACCEPT) | 1016 | if (ret != NF_ACCEPT) |
955 | return ret; | 1017 | return ret; |
956 | } | 1018 | } |
@@ -960,14 +1022,12 @@ static int process_sdp(struct sk_buff *skb, | |||
960 | /* Update session connection and owner addresses */ | 1022 | /* Update session connection and owner addresses */ |
961 | nf_nat_sdp_session = rcu_dereference(nf_nat_sdp_session_hook); | 1023 | nf_nat_sdp_session = rcu_dereference(nf_nat_sdp_session_hook); |
962 | if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK) | 1024 | if (nf_nat_sdp_session && ct->status & IPS_NAT_MASK) |
963 | ret = nf_nat_sdp_session(skb, dptr, sdpoff, datalen, &rtp_addr); | 1025 | ret = nf_nat_sdp_session(skb, dataoff, dptr, datalen, sdpoff, |
964 | 1026 | &rtp_addr); | |
965 | if (ret == NF_ACCEPT && i > 0) | ||
966 | help->help.ct_sip_info.invite_cseq = cseq; | ||
967 | 1027 | ||
968 | return ret; | 1028 | return ret; |
969 | } | 1029 | } |
970 | static int process_invite_response(struct sk_buff *skb, | 1030 | static int process_invite_response(struct sk_buff *skb, unsigned int dataoff, |
971 | const char **dptr, unsigned int *datalen, | 1031 | const char **dptr, unsigned int *datalen, |
972 | unsigned int cseq, unsigned int code) | 1032 | unsigned int cseq, unsigned int code) |
973 | { | 1033 | { |
@@ -977,13 +1037,13 @@ static int process_invite_response(struct sk_buff *skb, | |||
977 | 1037 | ||
978 | if ((code >= 100 && code <= 199) || | 1038 | if ((code >= 100 && code <= 199) || |
979 | (code >= 200 && code <= 299)) | 1039 | (code >= 200 && code <= 299)) |
980 | return process_sdp(skb, dptr, datalen, cseq); | 1040 | return process_sdp(skb, dataoff, dptr, datalen, cseq); |
981 | else if (help->help.ct_sip_info.invite_cseq == cseq) | 1041 | else if (help->help.ct_sip_info.invite_cseq == cseq) |
982 | flush_expectations(ct, true); | 1042 | flush_expectations(ct, true); |
983 | return NF_ACCEPT; | 1043 | return NF_ACCEPT; |
984 | } | 1044 | } |
985 | 1045 | ||
986 | static int process_update_response(struct sk_buff *skb, | 1046 | static int process_update_response(struct sk_buff *skb, unsigned int dataoff, |
987 | const char **dptr, unsigned int *datalen, | 1047 | const char **dptr, unsigned int *datalen, |
988 | unsigned int cseq, unsigned int code) | 1048 | unsigned int cseq, unsigned int code) |
989 | { | 1049 | { |
@@ -993,13 +1053,13 @@ static int process_update_response(struct sk_buff *skb, | |||
993 | 1053 | ||
994 | if ((code >= 100 && code <= 199) || | 1054 | if ((code >= 100 && code <= 199) || |
995 | (code >= 200 && code <= 299)) | 1055 | (code >= 200 && code <= 299)) |
996 | return process_sdp(skb, dptr, datalen, cseq); | 1056 | return process_sdp(skb, dataoff, dptr, datalen, cseq); |
997 | else if (help->help.ct_sip_info.invite_cseq == cseq) | 1057 | else if (help->help.ct_sip_info.invite_cseq == cseq) |
998 | flush_expectations(ct, true); | 1058 | flush_expectations(ct, true); |
999 | return NF_ACCEPT; | 1059 | return NF_ACCEPT; |
1000 | } | 1060 | } |
1001 | 1061 | ||
1002 | static int process_prack_response(struct sk_buff *skb, | 1062 | static int process_prack_response(struct sk_buff *skb, unsigned int dataoff, |
1003 | const char **dptr, unsigned int *datalen, | 1063 | const char **dptr, unsigned int *datalen, |
1004 | unsigned int cseq, unsigned int code) | 1064 | unsigned int cseq, unsigned int code) |
1005 | { | 1065 | { |
@@ -1009,13 +1069,29 @@ static int process_prack_response(struct sk_buff *skb, | |||
1009 | 1069 | ||
1010 | if ((code >= 100 && code <= 199) || | 1070 | if ((code >= 100 && code <= 199) || |
1011 | (code >= 200 && code <= 299)) | 1071 | (code >= 200 && code <= 299)) |
1012 | return process_sdp(skb, dptr, datalen, cseq); | 1072 | return process_sdp(skb, dataoff, dptr, datalen, cseq); |
1013 | else if (help->help.ct_sip_info.invite_cseq == cseq) | 1073 | else if (help->help.ct_sip_info.invite_cseq == cseq) |
1014 | flush_expectations(ct, true); | 1074 | flush_expectations(ct, true); |
1015 | return NF_ACCEPT; | 1075 | return NF_ACCEPT; |
1016 | } | 1076 | } |
1017 | 1077 | ||
1018 | static int process_bye_request(struct sk_buff *skb, | 1078 | static int process_invite_request(struct sk_buff *skb, unsigned int dataoff, |
1079 | const char **dptr, unsigned int *datalen, | ||
1080 | unsigned int cseq) | ||
1081 | { | ||
1082 | enum ip_conntrack_info ctinfo; | ||
1083 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | ||
1084 | struct nf_conn_help *help = nfct_help(ct); | ||
1085 | unsigned int ret; | ||
1086 | |||
1087 | flush_expectations(ct, true); | ||
1088 | ret = process_sdp(skb, dataoff, dptr, datalen, cseq); | ||
1089 | if (ret == NF_ACCEPT) | ||
1090 | help->help.ct_sip_info.invite_cseq = cseq; | ||
1091 | return ret; | ||
1092 | } | ||
1093 | |||
1094 | static int process_bye_request(struct sk_buff *skb, unsigned int dataoff, | ||
1019 | const char **dptr, unsigned int *datalen, | 1095 | const char **dptr, unsigned int *datalen, |
1020 | unsigned int cseq) | 1096 | unsigned int cseq) |
1021 | { | 1097 | { |
@@ -1030,7 +1106,7 @@ static int process_bye_request(struct sk_buff *skb, | |||
1030 | * signalling connections. The expectation is marked inactive and is activated | 1106 | * signalling connections. The expectation is marked inactive and is activated |
1031 | * when receiving a response indicating success from the registrar. | 1107 | * when receiving a response indicating success from the registrar. |
1032 | */ | 1108 | */ |
1033 | static int process_register_request(struct sk_buff *skb, | 1109 | static int process_register_request(struct sk_buff *skb, unsigned int dataoff, |
1034 | const char **dptr, unsigned int *datalen, | 1110 | const char **dptr, unsigned int *datalen, |
1035 | unsigned int cseq) | 1111 | unsigned int cseq) |
1036 | { | 1112 | { |
@@ -1042,6 +1118,7 @@ static int process_register_request(struct sk_buff *skb, | |||
1042 | struct nf_conntrack_expect *exp; | 1118 | struct nf_conntrack_expect *exp; |
1043 | union nf_inet_addr *saddr, daddr; | 1119 | union nf_inet_addr *saddr, daddr; |
1044 | __be16 port; | 1120 | __be16 port; |
1121 | u8 proto; | ||
1045 | unsigned int expires = 0; | 1122 | unsigned int expires = 0; |
1046 | int ret; | 1123 | int ret; |
1047 | typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect; | 1124 | typeof(nf_nat_sip_expect_hook) nf_nat_sip_expect; |
@@ -1074,6 +1151,10 @@ static int process_register_request(struct sk_buff *skb, | |||
1074 | if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr)) | 1151 | if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.src.u3, &daddr)) |
1075 | return NF_ACCEPT; | 1152 | return NF_ACCEPT; |
1076 | 1153 | ||
1154 | if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, *datalen, | ||
1155 | &proto) == 0) | ||
1156 | return NF_ACCEPT; | ||
1157 | |||
1077 | if (ct_sip_parse_numerical_param(ct, *dptr, | 1158 | if (ct_sip_parse_numerical_param(ct, *dptr, |
1078 | matchoff + matchlen, *datalen, | 1159 | matchoff + matchlen, *datalen, |
1079 | "expires=", NULL, NULL, &expires) < 0) | 1160 | "expires=", NULL, NULL, &expires) < 0) |
@@ -1093,14 +1174,14 @@ static int process_register_request(struct sk_buff *skb, | |||
1093 | saddr = &ct->tuplehash[!dir].tuple.src.u3; | 1174 | saddr = &ct->tuplehash[!dir].tuple.src.u3; |
1094 | 1175 | ||
1095 | nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct), | 1176 | nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct), |
1096 | saddr, &daddr, IPPROTO_UDP, NULL, &port); | 1177 | saddr, &daddr, proto, NULL, &port); |
1097 | exp->timeout.expires = sip_timeout * HZ; | 1178 | exp->timeout.expires = sip_timeout * HZ; |
1098 | exp->helper = nfct_help(ct)->helper; | 1179 | exp->helper = nfct_help(ct)->helper; |
1099 | exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE; | 1180 | exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE; |
1100 | 1181 | ||
1101 | nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook); | 1182 | nf_nat_sip_expect = rcu_dereference(nf_nat_sip_expect_hook); |
1102 | if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK) | 1183 | if (nf_nat_sip_expect && ct->status & IPS_NAT_MASK) |
1103 | ret = nf_nat_sip_expect(skb, dptr, datalen, exp, | 1184 | ret = nf_nat_sip_expect(skb, dataoff, dptr, datalen, exp, |
1104 | matchoff, matchlen); | 1185 | matchoff, matchlen); |
1105 | else { | 1186 | else { |
1106 | if (nf_ct_expect_related(exp) != 0) | 1187 | if (nf_ct_expect_related(exp) != 0) |
@@ -1116,7 +1197,7 @@ store_cseq: | |||
1116 | return ret; | 1197 | return ret; |
1117 | } | 1198 | } |
1118 | 1199 | ||
1119 | static int process_register_response(struct sk_buff *skb, | 1200 | static int process_register_response(struct sk_buff *skb, unsigned int dataoff, |
1120 | const char **dptr, unsigned int *datalen, | 1201 | const char **dptr, unsigned int *datalen, |
1121 | unsigned int cseq, unsigned int code) | 1202 | unsigned int cseq, unsigned int code) |
1122 | { | 1203 | { |
@@ -1126,7 +1207,8 @@ static int process_register_response(struct sk_buff *skb, | |||
1126 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 1207 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
1127 | union nf_inet_addr addr; | 1208 | union nf_inet_addr addr; |
1128 | __be16 port; | 1209 | __be16 port; |
1129 | unsigned int matchoff, matchlen, dataoff = 0; | 1210 | u8 proto; |
1211 | unsigned int matchoff, matchlen, coff = 0; | ||
1130 | unsigned int expires = 0; | 1212 | unsigned int expires = 0; |
1131 | int in_contact = 0, ret; | 1213 | int in_contact = 0, ret; |
1132 | 1214 | ||
@@ -1153,7 +1235,7 @@ static int process_register_response(struct sk_buff *skb, | |||
1153 | while (1) { | 1235 | while (1) { |
1154 | unsigned int c_expires = expires; | 1236 | unsigned int c_expires = expires; |
1155 | 1237 | ||
1156 | ret = ct_sip_parse_header_uri(ct, *dptr, &dataoff, *datalen, | 1238 | ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen, |
1157 | SIP_HDR_CONTACT, &in_contact, | 1239 | SIP_HDR_CONTACT, &in_contact, |
1158 | &matchoff, &matchlen, | 1240 | &matchoff, &matchlen, |
1159 | &addr, &port); | 1241 | &addr, &port); |
@@ -1166,6 +1248,10 @@ static int process_register_response(struct sk_buff *skb, | |||
1166 | if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr)) | 1248 | if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, &addr)) |
1167 | continue; | 1249 | continue; |
1168 | 1250 | ||
1251 | if (ct_sip_parse_transport(ct, *dptr, matchoff + matchlen, | ||
1252 | *datalen, &proto) == 0) | ||
1253 | continue; | ||
1254 | |||
1169 | ret = ct_sip_parse_numerical_param(ct, *dptr, | 1255 | ret = ct_sip_parse_numerical_param(ct, *dptr, |
1170 | matchoff + matchlen, | 1256 | matchoff + matchlen, |
1171 | *datalen, "expires=", | 1257 | *datalen, "expires=", |
@@ -1174,7 +1260,8 @@ static int process_register_response(struct sk_buff *skb, | |||
1174 | return NF_DROP; | 1260 | return NF_DROP; |
1175 | if (c_expires == 0) | 1261 | if (c_expires == 0) |
1176 | break; | 1262 | break; |
1177 | if (refresh_signalling_expectation(ct, &addr, port, c_expires)) | 1263 | if (refresh_signalling_expectation(ct, &addr, proto, port, |
1264 | c_expires)) | ||
1178 | return NF_ACCEPT; | 1265 | return NF_ACCEPT; |
1179 | } | 1266 | } |
1180 | 1267 | ||
@@ -1184,7 +1271,7 @@ flush: | |||
1184 | } | 1271 | } |
1185 | 1272 | ||
1186 | static const struct sip_handler sip_handlers[] = { | 1273 | static const struct sip_handler sip_handlers[] = { |
1187 | SIP_HANDLER("INVITE", process_sdp, process_invite_response), | 1274 | SIP_HANDLER("INVITE", process_invite_request, process_invite_response), |
1188 | SIP_HANDLER("UPDATE", process_sdp, process_update_response), | 1275 | SIP_HANDLER("UPDATE", process_sdp, process_update_response), |
1189 | SIP_HANDLER("ACK", process_sdp, NULL), | 1276 | SIP_HANDLER("ACK", process_sdp, NULL), |
1190 | SIP_HANDLER("PRACK", process_sdp, process_prack_response), | 1277 | SIP_HANDLER("PRACK", process_sdp, process_prack_response), |
@@ -1192,13 +1279,13 @@ static const struct sip_handler sip_handlers[] = { | |||
1192 | SIP_HANDLER("REGISTER", process_register_request, process_register_response), | 1279 | SIP_HANDLER("REGISTER", process_register_request, process_register_response), |
1193 | }; | 1280 | }; |
1194 | 1281 | ||
1195 | static int process_sip_response(struct sk_buff *skb, | 1282 | static int process_sip_response(struct sk_buff *skb, unsigned int dataoff, |
1196 | const char **dptr, unsigned int *datalen) | 1283 | const char **dptr, unsigned int *datalen) |
1197 | { | 1284 | { |
1198 | enum ip_conntrack_info ctinfo; | 1285 | enum ip_conntrack_info ctinfo; |
1199 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); | 1286 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); |
1200 | unsigned int matchoff, matchlen; | 1287 | unsigned int matchoff, matchlen, matchend; |
1201 | unsigned int code, cseq, dataoff, i; | 1288 | unsigned int code, cseq, i; |
1202 | 1289 | ||
1203 | if (*datalen < strlen("SIP/2.0 200")) | 1290 | if (*datalen < strlen("SIP/2.0 200")) |
1204 | return NF_ACCEPT; | 1291 | return NF_ACCEPT; |
@@ -1212,7 +1299,7 @@ static int process_sip_response(struct sk_buff *skb, | |||
1212 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); | 1299 | cseq = simple_strtoul(*dptr + matchoff, NULL, 10); |
1213 | if (!cseq) | 1300 | if (!cseq) |
1214 | return NF_DROP; | 1301 | return NF_DROP; |
1215 | dataoff = matchoff + matchlen + 1; | 1302 | matchend = matchoff + matchlen + 1; |
1216 | 1303 | ||
1217 | for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { | 1304 | for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { |
1218 | const struct sip_handler *handler; | 1305 | const struct sip_handler *handler; |
@@ -1220,15 +1307,16 @@ static int process_sip_response(struct sk_buff *skb, | |||
1220 | handler = &sip_handlers[i]; | 1307 | handler = &sip_handlers[i]; |
1221 | if (handler->response == NULL) | 1308 | if (handler->response == NULL) |
1222 | continue; | 1309 | continue; |
1223 | if (*datalen < dataoff + handler->len || | 1310 | if (*datalen < matchend + handler->len || |
1224 | strnicmp(*dptr + dataoff, handler->method, handler->len)) | 1311 | strnicmp(*dptr + matchend, handler->method, handler->len)) |
1225 | continue; | 1312 | continue; |
1226 | return handler->response(skb, dptr, datalen, cseq, code); | 1313 | return handler->response(skb, dataoff, dptr, datalen, |
1314 | cseq, code); | ||
1227 | } | 1315 | } |
1228 | return NF_ACCEPT; | 1316 | return NF_ACCEPT; |
1229 | } | 1317 | } |
1230 | 1318 | ||
1231 | static int process_sip_request(struct sk_buff *skb, | 1319 | static int process_sip_request(struct sk_buff *skb, unsigned int dataoff, |
1232 | const char **dptr, unsigned int *datalen) | 1320 | const char **dptr, unsigned int *datalen) |
1233 | { | 1321 | { |
1234 | enum ip_conntrack_info ctinfo; | 1322 | enum ip_conntrack_info ctinfo; |
@@ -1253,69 +1341,157 @@ static int process_sip_request(struct sk_buff *skb, | |||
1253 | if (!cseq) | 1341 | if (!cseq) |
1254 | return NF_DROP; | 1342 | return NF_DROP; |
1255 | 1343 | ||
1256 | return handler->request(skb, dptr, datalen, cseq); | 1344 | return handler->request(skb, dataoff, dptr, datalen, cseq); |
1257 | } | 1345 | } |
1258 | return NF_ACCEPT; | 1346 | return NF_ACCEPT; |
1259 | } | 1347 | } |
1260 | 1348 | ||
1261 | static int sip_help(struct sk_buff *skb, | 1349 | static int process_sip_msg(struct sk_buff *skb, struct nf_conn *ct, |
1262 | unsigned int protoff, | 1350 | unsigned int dataoff, const char **dptr, |
1263 | struct nf_conn *ct, | 1351 | unsigned int *datalen) |
1264 | enum ip_conntrack_info ctinfo) | 1352 | { |
1353 | typeof(nf_nat_sip_hook) nf_nat_sip; | ||
1354 | int ret; | ||
1355 | |||
1356 | if (strnicmp(*dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0) | ||
1357 | ret = process_sip_request(skb, dataoff, dptr, datalen); | ||
1358 | else | ||
1359 | ret = process_sip_response(skb, dataoff, dptr, datalen); | ||
1360 | |||
1361 | if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { | ||
1362 | nf_nat_sip = rcu_dereference(nf_nat_sip_hook); | ||
1363 | if (nf_nat_sip && !nf_nat_sip(skb, dataoff, dptr, datalen)) | ||
1364 | ret = NF_DROP; | ||
1365 | } | ||
1366 | |||
1367 | return ret; | ||
1368 | } | ||
1369 | |||
1370 | static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, | ||
1371 | struct nf_conn *ct, enum ip_conntrack_info ctinfo) | ||
1265 | { | 1372 | { |
1373 | struct tcphdr *th, _tcph; | ||
1266 | unsigned int dataoff, datalen; | 1374 | unsigned int dataoff, datalen; |
1267 | const char *dptr; | 1375 | unsigned int matchoff, matchlen, clen; |
1376 | unsigned int msglen, origlen; | ||
1377 | const char *dptr, *end; | ||
1378 | s16 diff, tdiff = 0; | ||
1268 | int ret; | 1379 | int ret; |
1269 | typeof(nf_nat_sip_hook) nf_nat_sip; | 1380 | typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust; |
1381 | |||
1382 | if (ctinfo != IP_CT_ESTABLISHED && | ||
1383 | ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) | ||
1384 | return NF_ACCEPT; | ||
1270 | 1385 | ||
1271 | /* No Data ? */ | 1386 | /* No Data ? */ |
1272 | dataoff = protoff + sizeof(struct udphdr); | 1387 | th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph); |
1388 | if (th == NULL) | ||
1389 | return NF_ACCEPT; | ||
1390 | dataoff = protoff + th->doff * 4; | ||
1273 | if (dataoff >= skb->len) | 1391 | if (dataoff >= skb->len) |
1274 | return NF_ACCEPT; | 1392 | return NF_ACCEPT; |
1275 | 1393 | ||
1276 | nf_ct_refresh(ct, skb, sip_timeout * HZ); | 1394 | nf_ct_refresh(ct, skb, sip_timeout * HZ); |
1277 | 1395 | ||
1278 | if (!skb_is_nonlinear(skb)) | 1396 | if (skb_is_nonlinear(skb)) { |
1279 | dptr = skb->data + dataoff; | ||
1280 | else { | ||
1281 | pr_debug("Copy of skbuff not supported yet.\n"); | 1397 | pr_debug("Copy of skbuff not supported yet.\n"); |
1282 | return NF_ACCEPT; | 1398 | return NF_ACCEPT; |
1283 | } | 1399 | } |
1284 | 1400 | ||
1401 | dptr = skb->data + dataoff; | ||
1285 | datalen = skb->len - dataoff; | 1402 | datalen = skb->len - dataoff; |
1286 | if (datalen < strlen("SIP/2.0 200")) | 1403 | if (datalen < strlen("SIP/2.0 200")) |
1287 | return NF_ACCEPT; | 1404 | return NF_ACCEPT; |
1288 | 1405 | ||
1289 | if (strnicmp(dptr, "SIP/2.0 ", strlen("SIP/2.0 ")) != 0) | 1406 | while (1) { |
1290 | ret = process_sip_request(skb, &dptr, &datalen); | 1407 | if (ct_sip_get_header(ct, dptr, 0, datalen, |
1291 | else | 1408 | SIP_HDR_CONTENT_LENGTH, |
1292 | ret = process_sip_response(skb, &dptr, &datalen); | 1409 | &matchoff, &matchlen) <= 0) |
1410 | break; | ||
1411 | |||
1412 | clen = simple_strtoul(dptr + matchoff, (char **)&end, 10); | ||
1413 | if (dptr + matchoff == end) | ||
1414 | break; | ||
1415 | |||
1416 | if (end + strlen("\r\n\r\n") > dptr + datalen) | ||
1417 | break; | ||
1418 | if (end[0] != '\r' || end[1] != '\n' || | ||
1419 | end[2] != '\r' || end[3] != '\n') | ||
1420 | break; | ||
1421 | end += strlen("\r\n\r\n") + clen; | ||
1422 | |||
1423 | msglen = origlen = end - dptr; | ||
1424 | |||
1425 | ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen); | ||
1426 | if (ret != NF_ACCEPT) | ||
1427 | break; | ||
1428 | diff = msglen - origlen; | ||
1429 | tdiff += diff; | ||
1430 | |||
1431 | dataoff += msglen; | ||
1432 | dptr += msglen; | ||
1433 | datalen = datalen + diff - msglen; | ||
1434 | } | ||
1293 | 1435 | ||
1294 | if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { | 1436 | if (ret == NF_ACCEPT && ct->status & IPS_NAT_MASK) { |
1295 | nf_nat_sip = rcu_dereference(nf_nat_sip_hook); | 1437 | nf_nat_sip_seq_adjust = rcu_dereference(nf_nat_sip_seq_adjust_hook); |
1296 | if (nf_nat_sip && !nf_nat_sip(skb, &dptr, &datalen)) | 1438 | if (nf_nat_sip_seq_adjust) |
1297 | ret = NF_DROP; | 1439 | nf_nat_sip_seq_adjust(skb, tdiff); |
1298 | } | 1440 | } |
1299 | 1441 | ||
1300 | return ret; | 1442 | return ret; |
1301 | } | 1443 | } |
1302 | 1444 | ||
1303 | static struct nf_conntrack_helper sip[MAX_PORTS][2] __read_mostly; | 1445 | static int sip_help_udp(struct sk_buff *skb, unsigned int protoff, |
1304 | static char sip_names[MAX_PORTS][2][sizeof("sip-65535")] __read_mostly; | 1446 | struct nf_conn *ct, enum ip_conntrack_info ctinfo) |
1447 | { | ||
1448 | unsigned int dataoff, datalen; | ||
1449 | const char *dptr; | ||
1450 | |||
1451 | /* No Data ? */ | ||
1452 | dataoff = protoff + sizeof(struct udphdr); | ||
1453 | if (dataoff >= skb->len) | ||
1454 | return NF_ACCEPT; | ||
1455 | |||
1456 | nf_ct_refresh(ct, skb, sip_timeout * HZ); | ||
1457 | |||
1458 | if (skb_is_nonlinear(skb)) { | ||
1459 | pr_debug("Copy of skbuff not supported yet.\n"); | ||
1460 | return NF_ACCEPT; | ||
1461 | } | ||
1462 | |||
1463 | dptr = skb->data + dataoff; | ||
1464 | datalen = skb->len - dataoff; | ||
1465 | if (datalen < strlen("SIP/2.0 200")) | ||
1466 | return NF_ACCEPT; | ||
1467 | |||
1468 | return process_sip_msg(skb, ct, dataoff, &dptr, &datalen); | ||
1469 | } | ||
1470 | |||
1471 | static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly; | ||
1472 | static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly; | ||
1305 | 1473 | ||
1306 | static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = { | 1474 | static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = { |
1307 | [SIP_EXPECT_SIGNALLING] = { | 1475 | [SIP_EXPECT_SIGNALLING] = { |
1476 | .name = "signalling", | ||
1308 | .max_expected = 1, | 1477 | .max_expected = 1, |
1309 | .timeout = 3 * 60, | 1478 | .timeout = 3 * 60, |
1310 | }, | 1479 | }, |
1311 | [SIP_EXPECT_AUDIO] = { | 1480 | [SIP_EXPECT_AUDIO] = { |
1481 | .name = "audio", | ||
1312 | .max_expected = 2 * IP_CT_DIR_MAX, | 1482 | .max_expected = 2 * IP_CT_DIR_MAX, |
1313 | .timeout = 3 * 60, | 1483 | .timeout = 3 * 60, |
1314 | }, | 1484 | }, |
1315 | [SIP_EXPECT_VIDEO] = { | 1485 | [SIP_EXPECT_VIDEO] = { |
1486 | .name = "video", | ||
1316 | .max_expected = 2 * IP_CT_DIR_MAX, | 1487 | .max_expected = 2 * IP_CT_DIR_MAX, |
1317 | .timeout = 3 * 60, | 1488 | .timeout = 3 * 60, |
1318 | }, | 1489 | }, |
1490 | [SIP_EXPECT_IMAGE] = { | ||
1491 | .name = "image", | ||
1492 | .max_expected = IP_CT_DIR_MAX, | ||
1493 | .timeout = 3 * 60, | ||
1494 | }, | ||
1319 | }; | 1495 | }; |
1320 | 1496 | ||
1321 | static void nf_conntrack_sip_fini(void) | 1497 | static void nf_conntrack_sip_fini(void) |
@@ -1323,7 +1499,7 @@ static void nf_conntrack_sip_fini(void) | |||
1323 | int i, j; | 1499 | int i, j; |
1324 | 1500 | ||
1325 | for (i = 0; i < ports_c; i++) { | 1501 | for (i = 0; i < ports_c; i++) { |
1326 | for (j = 0; j < 2; j++) { | 1502 | for (j = 0; j < ARRAY_SIZE(sip[i]); j++) { |
1327 | if (sip[i][j].me == NULL) | 1503 | if (sip[i][j].me == NULL) |
1328 | continue; | 1504 | continue; |
1329 | nf_conntrack_helper_unregister(&sip[i][j]); | 1505 | nf_conntrack_helper_unregister(&sip[i][j]); |
@@ -1343,14 +1519,24 @@ static int __init nf_conntrack_sip_init(void) | |||
1343 | memset(&sip[i], 0, sizeof(sip[i])); | 1519 | memset(&sip[i], 0, sizeof(sip[i])); |
1344 | 1520 | ||
1345 | sip[i][0].tuple.src.l3num = AF_INET; | 1521 | sip[i][0].tuple.src.l3num = AF_INET; |
1346 | sip[i][1].tuple.src.l3num = AF_INET6; | 1522 | sip[i][0].tuple.dst.protonum = IPPROTO_UDP; |
1347 | for (j = 0; j < 2; j++) { | 1523 | sip[i][0].help = sip_help_udp; |
1348 | sip[i][j].tuple.dst.protonum = IPPROTO_UDP; | 1524 | sip[i][1].tuple.src.l3num = AF_INET; |
1525 | sip[i][1].tuple.dst.protonum = IPPROTO_TCP; | ||
1526 | sip[i][1].help = sip_help_tcp; | ||
1527 | |||
1528 | sip[i][2].tuple.src.l3num = AF_INET6; | ||
1529 | sip[i][2].tuple.dst.protonum = IPPROTO_UDP; | ||
1530 | sip[i][2].help = sip_help_udp; | ||
1531 | sip[i][3].tuple.src.l3num = AF_INET6; | ||
1532 | sip[i][3].tuple.dst.protonum = IPPROTO_TCP; | ||
1533 | sip[i][3].help = sip_help_tcp; | ||
1534 | |||
1535 | for (j = 0; j < ARRAY_SIZE(sip[i]); j++) { | ||
1349 | sip[i][j].tuple.src.u.udp.port = htons(ports[i]); | 1536 | sip[i][j].tuple.src.u.udp.port = htons(ports[i]); |
1350 | sip[i][j].expect_policy = sip_exp_policy; | 1537 | sip[i][j].expect_policy = sip_exp_policy; |
1351 | sip[i][j].expect_class_max = SIP_EXPECT_MAX; | 1538 | sip[i][j].expect_class_max = SIP_EXPECT_MAX; |
1352 | sip[i][j].me = THIS_MODULE; | 1539 | sip[i][j].me = THIS_MODULE; |
1353 | sip[i][j].help = sip_help; | ||
1354 | 1540 | ||
1355 | tmpname = &sip_names[i][j][0]; | 1541 | tmpname = &sip_names[i][j][0]; |
1356 | if (ports[i] == SIP_PORT) | 1542 | if (ports[i] == SIP_PORT) |
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index e310f1561bb2..24a42efe62ef 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #include <net/netfilter/nf_conntrack_expect.h> | 26 | #include <net/netfilter/nf_conntrack_expect.h> |
27 | #include <net/netfilter/nf_conntrack_helper.h> | 27 | #include <net/netfilter/nf_conntrack_helper.h> |
28 | #include <net/netfilter/nf_conntrack_acct.h> | 28 | #include <net/netfilter/nf_conntrack_acct.h> |
29 | #include <net/netfilter/nf_conntrack_zones.h> | ||
29 | 30 | ||
30 | MODULE_LICENSE("GPL"); | 31 | MODULE_LICENSE("GPL"); |
31 | 32 | ||
@@ -171,6 +172,11 @@ static int ct_seq_show(struct seq_file *s, void *v) | |||
171 | goto release; | 172 | goto release; |
172 | #endif | 173 | #endif |
173 | 174 | ||
175 | #ifdef CONFIG_NF_CONNTRACK_ZONES | ||
176 | if (seq_printf(s, "zone=%u ", nf_ct_zone(ct))) | ||
177 | goto release; | ||
178 | #endif | ||
179 | |||
174 | if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use))) | 180 | if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use))) |
175 | goto release; | 181 | goto release; |
176 | 182 | ||
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index eedc0c1ac7a4..8eb0cc23ada3 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
@@ -40,7 +40,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER); | |||
40 | 40 | ||
41 | static char __initdata nfversion[] = "0.30"; | 41 | static char __initdata nfversion[] = "0.30"; |
42 | 42 | ||
43 | static struct sock *nfnl = NULL; | ||
44 | static const struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT]; | 43 | static const struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT]; |
45 | static DEFINE_MUTEX(nfnl_mutex); | 44 | static DEFINE_MUTEX(nfnl_mutex); |
46 | 45 | ||
@@ -101,34 +100,35 @@ nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss) | |||
101 | return &ss->cb[cb_id]; | 100 | return &ss->cb[cb_id]; |
102 | } | 101 | } |
103 | 102 | ||
104 | int nfnetlink_has_listeners(unsigned int group) | 103 | int nfnetlink_has_listeners(struct net *net, unsigned int group) |
105 | { | 104 | { |
106 | return netlink_has_listeners(nfnl, group); | 105 | return netlink_has_listeners(net->nfnl, group); |
107 | } | 106 | } |
108 | EXPORT_SYMBOL_GPL(nfnetlink_has_listeners); | 107 | EXPORT_SYMBOL_GPL(nfnetlink_has_listeners); |
109 | 108 | ||
110 | int nfnetlink_send(struct sk_buff *skb, u32 pid, | 109 | int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, |
111 | unsigned group, int echo, gfp_t flags) | 110 | unsigned group, int echo, gfp_t flags) |
112 | { | 111 | { |
113 | return nlmsg_notify(nfnl, skb, pid, group, echo, flags); | 112 | return nlmsg_notify(net->nfnl, skb, pid, group, echo, flags); |
114 | } | 113 | } |
115 | EXPORT_SYMBOL_GPL(nfnetlink_send); | 114 | EXPORT_SYMBOL_GPL(nfnetlink_send); |
116 | 115 | ||
117 | void nfnetlink_set_err(u32 pid, u32 group, int error) | 116 | void nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error) |
118 | { | 117 | { |
119 | netlink_set_err(nfnl, pid, group, error); | 118 | netlink_set_err(net->nfnl, pid, group, error); |
120 | } | 119 | } |
121 | EXPORT_SYMBOL_GPL(nfnetlink_set_err); | 120 | EXPORT_SYMBOL_GPL(nfnetlink_set_err); |
122 | 121 | ||
123 | int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags) | 122 | int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags) |
124 | { | 123 | { |
125 | return netlink_unicast(nfnl, skb, pid, flags); | 124 | return netlink_unicast(net->nfnl, skb, pid, flags); |
126 | } | 125 | } |
127 | EXPORT_SYMBOL_GPL(nfnetlink_unicast); | 126 | EXPORT_SYMBOL_GPL(nfnetlink_unicast); |
128 | 127 | ||
129 | /* Process one complete nfnetlink message. */ | 128 | /* Process one complete nfnetlink message. */ |
130 | static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | 129 | static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) |
131 | { | 130 | { |
131 | struct net *net = sock_net(skb->sk); | ||
132 | const struct nfnl_callback *nc; | 132 | const struct nfnl_callback *nc; |
133 | const struct nfnetlink_subsystem *ss; | 133 | const struct nfnetlink_subsystem *ss; |
134 | int type, err; | 134 | int type, err; |
@@ -170,7 +170,7 @@ replay: | |||
170 | if (err < 0) | 170 | if (err < 0) |
171 | return err; | 171 | return err; |
172 | 172 | ||
173 | err = nc->call(nfnl, skb, nlh, (const struct nlattr **)cda); | 173 | err = nc->call(net->nfnl, skb, nlh, (const struct nlattr **)cda); |
174 | if (err == -EAGAIN) | 174 | if (err == -EAGAIN) |
175 | goto replay; | 175 | goto replay; |
176 | return err; | 176 | return err; |
@@ -184,26 +184,45 @@ static void nfnetlink_rcv(struct sk_buff *skb) | |||
184 | nfnl_unlock(); | 184 | nfnl_unlock(); |
185 | } | 185 | } |
186 | 186 | ||
187 | static void __exit nfnetlink_exit(void) | 187 | static int __net_init nfnetlink_net_init(struct net *net) |
188 | { | 188 | { |
189 | printk("Removing netfilter NETLINK layer.\n"); | 189 | struct sock *nfnl; |
190 | netlink_kernel_release(nfnl); | 190 | |
191 | return; | 191 | nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, NFNLGRP_MAX, |
192 | nfnetlink_rcv, NULL, THIS_MODULE); | ||
193 | if (!nfnl) | ||
194 | return -ENOMEM; | ||
195 | net->nfnl_stash = nfnl; | ||
196 | rcu_assign_pointer(net->nfnl, nfnl); | ||
197 | return 0; | ||
192 | } | 198 | } |
193 | 199 | ||
194 | static int __init nfnetlink_init(void) | 200 | static void __net_exit nfnetlink_net_exit_batch(struct list_head *net_exit_list) |
195 | { | 201 | { |
196 | printk("Netfilter messages via NETLINK v%s.\n", nfversion); | 202 | struct net *net; |
197 | 203 | ||
198 | nfnl = netlink_kernel_create(&init_net, NETLINK_NETFILTER, NFNLGRP_MAX, | 204 | list_for_each_entry(net, net_exit_list, exit_list) |
199 | nfnetlink_rcv, NULL, THIS_MODULE); | 205 | rcu_assign_pointer(net->nfnl, NULL); |
200 | if (!nfnl) { | 206 | synchronize_net(); |
201 | printk(KERN_ERR "cannot initialize nfnetlink!\n"); | 207 | list_for_each_entry(net, net_exit_list, exit_list) |
202 | return -ENOMEM; | 208 | netlink_kernel_release(net->nfnl_stash); |
203 | } | 209 | } |
204 | 210 | ||
205 | return 0; | 211 | static struct pernet_operations nfnetlink_net_ops = { |
212 | .init = nfnetlink_net_init, | ||
213 | .exit_batch = nfnetlink_net_exit_batch, | ||
214 | }; | ||
215 | |||
216 | static int __init nfnetlink_init(void) | ||
217 | { | ||
218 | printk("Netfilter messages via NETLINK v%s.\n", nfversion); | ||
219 | return register_pernet_subsys(&nfnetlink_net_ops); | ||
206 | } | 220 | } |
207 | 221 | ||
222 | static void __exit nfnetlink_exit(void) | ||
223 | { | ||
224 | printk("Removing netfilter NETLINK layer.\n"); | ||
225 | unregister_pernet_subsys(&nfnetlink_net_ops); | ||
226 | } | ||
208 | module_init(nfnetlink_init); | 227 | module_init(nfnetlink_init); |
209 | module_exit(nfnetlink_exit); | 228 | module_exit(nfnetlink_exit); |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 9de0470d557e..285e9029a9ff 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
@@ -323,7 +323,8 @@ __nfulnl_send(struct nfulnl_instance *inst) | |||
323 | NLMSG_DONE, | 323 | NLMSG_DONE, |
324 | sizeof(struct nfgenmsg)); | 324 | sizeof(struct nfgenmsg)); |
325 | 325 | ||
326 | status = nfnetlink_unicast(inst->skb, inst->peer_pid, MSG_DONTWAIT); | 326 | status = nfnetlink_unicast(inst->skb, &init_net, inst->peer_pid, |
327 | MSG_DONTWAIT); | ||
327 | 328 | ||
328 | inst->qlen = 0; | 329 | inst->qlen = 0; |
329 | inst->skb = NULL; | 330 | inst->skb = NULL; |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 7e3fa410641e..7ba4abc405c9 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
@@ -112,7 +112,6 @@ instance_create(u_int16_t queue_num, int pid) | |||
112 | inst->copy_mode = NFQNL_COPY_NONE; | 112 | inst->copy_mode = NFQNL_COPY_NONE; |
113 | spin_lock_init(&inst->lock); | 113 | spin_lock_init(&inst->lock); |
114 | INIT_LIST_HEAD(&inst->queue_list); | 114 | INIT_LIST_HEAD(&inst->queue_list); |
115 | INIT_RCU_HEAD(&inst->rcu); | ||
116 | 115 | ||
117 | if (!try_module_get(THIS_MODULE)) { | 116 | if (!try_module_get(THIS_MODULE)) { |
118 | err = -EAGAIN; | 117 | err = -EAGAIN; |
@@ -414,13 +413,13 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) | |||
414 | queue->queue_dropped++; | 413 | queue->queue_dropped++; |
415 | if (net_ratelimit()) | 414 | if (net_ratelimit()) |
416 | printk(KERN_WARNING "nf_queue: full at %d entries, " | 415 | printk(KERN_WARNING "nf_queue: full at %d entries, " |
417 | "dropping packets(s). Dropped: %d\n", | 416 | "dropping packets(s).\n", |
418 | queue->queue_total, queue->queue_dropped); | 417 | queue->queue_total); |
419 | goto err_out_free_nskb; | 418 | goto err_out_free_nskb; |
420 | } | 419 | } |
421 | 420 | ||
422 | /* nfnetlink_unicast will either free the nskb or add it to a socket */ | 421 | /* nfnetlink_unicast will either free the nskb or add it to a socket */ |
423 | err = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT); | 422 | err = nfnetlink_unicast(nskb, &init_net, queue->peer_pid, MSG_DONTWAIT); |
424 | if (err < 0) { | 423 | if (err < 0) { |
425 | queue->queue_user_dropped++; | 424 | queue->queue_user_dropped++; |
426 | goto err_out_unlock; | 425 | goto err_out_unlock; |
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index f01955cce314..0a12cedfe9e3 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
@@ -26,7 +26,9 @@ | |||
26 | 26 | ||
27 | #include <linux/netfilter/x_tables.h> | 27 | #include <linux/netfilter/x_tables.h> |
28 | #include <linux/netfilter_arp.h> | 28 | #include <linux/netfilter_arp.h> |
29 | 29 | #include <linux/netfilter_ipv4/ip_tables.h> | |
30 | #include <linux/netfilter_ipv6/ip6_tables.h> | ||
31 | #include <linux/netfilter_arp/arp_tables.h> | ||
30 | 32 | ||
31 | MODULE_LICENSE("GPL"); | 33 | MODULE_LICENSE("GPL"); |
32 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | 34 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); |
@@ -37,7 +39,7 @@ MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); | |||
37 | struct compat_delta { | 39 | struct compat_delta { |
38 | struct compat_delta *next; | 40 | struct compat_delta *next; |
39 | unsigned int offset; | 41 | unsigned int offset; |
40 | short delta; | 42 | int delta; |
41 | }; | 43 | }; |
42 | 44 | ||
43 | struct xt_af { | 45 | struct xt_af { |
@@ -364,8 +366,10 @@ int xt_check_match(struct xt_mtchk_param *par, | |||
364 | * ebt_among is exempt from centralized matchsize checking | 366 | * ebt_among is exempt from centralized matchsize checking |
365 | * because it uses a dynamic-size data set. | 367 | * because it uses a dynamic-size data set. |
366 | */ | 368 | */ |
367 | pr_err("%s_tables: %s match: invalid size %Zu != %u\n", | 369 | pr_err("%s_tables: %s.%u match: invalid size " |
370 | "%u (kernel) != (user) %u\n", | ||
368 | xt_prefix[par->family], par->match->name, | 371 | xt_prefix[par->family], par->match->name, |
372 | par->match->revision, | ||
369 | XT_ALIGN(par->match->matchsize), size); | 373 | XT_ALIGN(par->match->matchsize), size); |
370 | return -EINVAL; | 374 | return -EINVAL; |
371 | } | 375 | } |
@@ -435,10 +439,10 @@ void xt_compat_flush_offsets(u_int8_t af) | |||
435 | } | 439 | } |
436 | EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); | 440 | EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); |
437 | 441 | ||
438 | short xt_compat_calc_jump(u_int8_t af, unsigned int offset) | 442 | int xt_compat_calc_jump(u_int8_t af, unsigned int offset) |
439 | { | 443 | { |
440 | struct compat_delta *tmp; | 444 | struct compat_delta *tmp; |
441 | short delta; | 445 | int delta; |
442 | 446 | ||
443 | for (tmp = xt[af].compat_offsets, delta = 0; tmp; tmp = tmp->next) | 447 | for (tmp = xt[af].compat_offsets, delta = 0; tmp; tmp = tmp->next) |
444 | if (tmp->offset < offset) | 448 | if (tmp->offset < offset) |
@@ -481,8 +485,8 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, | |||
481 | } | 485 | } |
482 | EXPORT_SYMBOL_GPL(xt_compat_match_from_user); | 486 | EXPORT_SYMBOL_GPL(xt_compat_match_from_user); |
483 | 487 | ||
484 | int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr, | 488 | int xt_compat_match_to_user(const struct xt_entry_match *m, |
485 | unsigned int *size) | 489 | void __user **dstptr, unsigned int *size) |
486 | { | 490 | { |
487 | const struct xt_match *match = m->u.kernel.match; | 491 | const struct xt_match *match = m->u.kernel.match; |
488 | struct compat_xt_entry_match __user *cm = *dstptr; | 492 | struct compat_xt_entry_match __user *cm = *dstptr; |
@@ -514,8 +518,10 @@ int xt_check_target(struct xt_tgchk_param *par, | |||
514 | unsigned int size, u_int8_t proto, bool inv_proto) | 518 | unsigned int size, u_int8_t proto, bool inv_proto) |
515 | { | 519 | { |
516 | if (XT_ALIGN(par->target->targetsize) != size) { | 520 | if (XT_ALIGN(par->target->targetsize) != size) { |
517 | pr_err("%s_tables: %s target: invalid size %Zu != %u\n", | 521 | pr_err("%s_tables: %s.%u target: invalid size " |
522 | "%u (kernel) != (user) %u\n", | ||
518 | xt_prefix[par->family], par->target->name, | 523 | xt_prefix[par->family], par->target->name, |
524 | par->target->revision, | ||
519 | XT_ALIGN(par->target->targetsize), size); | 525 | XT_ALIGN(par->target->targetsize), size); |
520 | return -EINVAL; | 526 | return -EINVAL; |
521 | } | 527 | } |
@@ -582,8 +588,8 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, | |||
582 | } | 588 | } |
583 | EXPORT_SYMBOL_GPL(xt_compat_target_from_user); | 589 | EXPORT_SYMBOL_GPL(xt_compat_target_from_user); |
584 | 590 | ||
585 | int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr, | 591 | int xt_compat_target_to_user(const struct xt_entry_target *t, |
586 | unsigned int *size) | 592 | void __user **dstptr, unsigned int *size) |
587 | { | 593 | { |
588 | const struct xt_target *target = t->u.kernel.target; | 594 | const struct xt_target *target = t->u.kernel.target; |
589 | struct compat_xt_entry_target __user *ct = *dstptr; | 595 | struct compat_xt_entry_target __user *ct = *dstptr; |
@@ -1091,6 +1097,60 @@ static const struct file_operations xt_target_ops = { | |||
1091 | 1097 | ||
1092 | #endif /* CONFIG_PROC_FS */ | 1098 | #endif /* CONFIG_PROC_FS */ |
1093 | 1099 | ||
1100 | /** | ||
1101 | * xt_hook_link - set up hooks for a new table | ||
1102 | * @table: table with metadata needed to set up hooks | ||
1103 | * @fn: Hook function | ||
1104 | * | ||
1105 | * This function will take care of creating and registering the necessary | ||
1106 | * Netfilter hooks for XT tables. | ||
1107 | */ | ||
1108 | struct nf_hook_ops *xt_hook_link(const struct xt_table *table, nf_hookfn *fn) | ||
1109 | { | ||
1110 | unsigned int hook_mask = table->valid_hooks; | ||
1111 | uint8_t i, num_hooks = hweight32(hook_mask); | ||
1112 | uint8_t hooknum; | ||
1113 | struct nf_hook_ops *ops; | ||
1114 | int ret; | ||
1115 | |||
1116 | ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL); | ||
1117 | if (ops == NULL) | ||
1118 | return ERR_PTR(-ENOMEM); | ||
1119 | |||
1120 | for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; | ||
1121 | hook_mask >>= 1, ++hooknum) { | ||
1122 | if (!(hook_mask & 1)) | ||
1123 | continue; | ||
1124 | ops[i].hook = fn; | ||
1125 | ops[i].owner = table->me; | ||
1126 | ops[i].pf = table->af; | ||
1127 | ops[i].hooknum = hooknum; | ||
1128 | ops[i].priority = table->priority; | ||
1129 | ++i; | ||
1130 | } | ||
1131 | |||
1132 | ret = nf_register_hooks(ops, num_hooks); | ||
1133 | if (ret < 0) { | ||
1134 | kfree(ops); | ||
1135 | return ERR_PTR(ret); | ||
1136 | } | ||
1137 | |||
1138 | return ops; | ||
1139 | } | ||
1140 | EXPORT_SYMBOL_GPL(xt_hook_link); | ||
1141 | |||
1142 | /** | ||
1143 | * xt_hook_unlink - remove hooks for a table | ||
1144 | * @ops: nf_hook_ops array as returned by nf_hook_link | ||
1145 | * @hook_mask: the very same mask that was passed to nf_hook_link | ||
1146 | */ | ||
1147 | void xt_hook_unlink(const struct xt_table *table, struct nf_hook_ops *ops) | ||
1148 | { | ||
1149 | nf_unregister_hooks(ops, hweight32(table->valid_hooks)); | ||
1150 | kfree(ops); | ||
1151 | } | ||
1152 | EXPORT_SYMBOL_GPL(xt_hook_unlink); | ||
1153 | |||
1094 | int xt_proto_init(struct net *net, u_int8_t af) | 1154 | int xt_proto_init(struct net *net, u_int8_t af) |
1095 | { | 1155 | { |
1096 | #ifdef CONFIG_PROC_FS | 1156 | #ifdef CONFIG_PROC_FS |
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c new file mode 100644 index 000000000000..61c50fa84703 --- /dev/null +++ b/net/netfilter/xt_CT.c | |||
@@ -0,0 +1,164 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2010 Patrick McHardy <kaber@trash.net> | ||
3 | * | ||
4 | * This program is free software; you can redistribute it and/or modify | ||
5 | * it under the terms of the GNU General Public License version 2 as | ||
6 | * published by the Free Software Foundation. | ||
7 | */ | ||
8 | |||
9 | #include <linux/module.h> | ||
10 | #include <linux/skbuff.h> | ||
11 | #include <linux/selinux.h> | ||
12 | #include <linux/netfilter_ipv4/ip_tables.h> | ||
13 | #include <linux/netfilter_ipv6/ip6_tables.h> | ||
14 | #include <linux/netfilter/x_tables.h> | ||
15 | #include <linux/netfilter/xt_CT.h> | ||
16 | #include <net/netfilter/nf_conntrack.h> | ||
17 | #include <net/netfilter/nf_conntrack_helper.h> | ||
18 | #include <net/netfilter/nf_conntrack_ecache.h> | ||
19 | #include <net/netfilter/nf_conntrack_zones.h> | ||
20 | |||
21 | static unsigned int xt_ct_target(struct sk_buff *skb, | ||
22 | const struct xt_target_param *par) | ||
23 | { | ||
24 | const struct xt_ct_target_info *info = par->targinfo; | ||
25 | struct nf_conn *ct = info->ct; | ||
26 | |||
27 | /* Previously seen (loopback)? Ignore. */ | ||
28 | if (skb->nfct != NULL) | ||
29 | return XT_CONTINUE; | ||
30 | |||
31 | atomic_inc(&ct->ct_general.use); | ||
32 | skb->nfct = &ct->ct_general; | ||
33 | skb->nfctinfo = IP_CT_NEW; | ||
34 | |||
35 | return XT_CONTINUE; | ||
36 | } | ||
37 | |||
38 | static u8 xt_ct_find_proto(const struct xt_tgchk_param *par) | ||
39 | { | ||
40 | if (par->family == AF_INET) { | ||
41 | const struct ipt_entry *e = par->entryinfo; | ||
42 | |||
43 | if (e->ip.invflags & IPT_INV_PROTO) | ||
44 | return 0; | ||
45 | return e->ip.proto; | ||
46 | } else if (par->family == AF_INET6) { | ||
47 | const struct ip6t_entry *e = par->entryinfo; | ||
48 | |||
49 | if (e->ipv6.invflags & IP6T_INV_PROTO) | ||
50 | return 0; | ||
51 | return e->ipv6.proto; | ||
52 | } else | ||
53 | return 0; | ||
54 | } | ||
55 | |||
56 | static bool xt_ct_tg_check(const struct xt_tgchk_param *par) | ||
57 | { | ||
58 | struct xt_ct_target_info *info = par->targinfo; | ||
59 | struct nf_conntrack_tuple t; | ||
60 | struct nf_conn_help *help; | ||
61 | struct nf_conn *ct; | ||
62 | u8 proto; | ||
63 | |||
64 | if (info->flags & ~XT_CT_NOTRACK) | ||
65 | return false; | ||
66 | |||
67 | if (info->flags & XT_CT_NOTRACK) { | ||
68 | ct = &nf_conntrack_untracked; | ||
69 | atomic_inc(&ct->ct_general.use); | ||
70 | goto out; | ||
71 | } | ||
72 | |||
73 | #ifndef CONFIG_NF_CONNTRACK_ZONES | ||
74 | if (info->zone) | ||
75 | goto err1; | ||
76 | #endif | ||
77 | |||
78 | if (nf_ct_l3proto_try_module_get(par->family) < 0) | ||
79 | goto err1; | ||
80 | |||
81 | memset(&t, 0, sizeof(t)); | ||
82 | ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL); | ||
83 | if (IS_ERR(ct)) | ||
84 | goto err2; | ||
85 | |||
86 | if ((info->ct_events || info->exp_events) && | ||
87 | !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events, | ||
88 | GFP_KERNEL)) | ||
89 | goto err3; | ||
90 | |||
91 | if (info->helper[0]) { | ||
92 | proto = xt_ct_find_proto(par); | ||
93 | if (!proto) | ||
94 | goto err3; | ||
95 | |||
96 | help = nf_ct_helper_ext_add(ct, GFP_KERNEL); | ||
97 | if (help == NULL) | ||
98 | goto err3; | ||
99 | |||
100 | help->helper = nf_conntrack_helper_try_module_get(info->helper, | ||
101 | par->family, | ||
102 | proto); | ||
103 | if (help->helper == NULL) | ||
104 | goto err3; | ||
105 | } | ||
106 | |||
107 | __set_bit(IPS_TEMPLATE_BIT, &ct->status); | ||
108 | __set_bit(IPS_CONFIRMED_BIT, &ct->status); | ||
109 | out: | ||
110 | info->ct = ct; | ||
111 | return true; | ||
112 | |||
113 | err3: | ||
114 | nf_conntrack_free(ct); | ||
115 | err2: | ||
116 | nf_ct_l3proto_module_put(par->family); | ||
117 | err1: | ||
118 | return false; | ||
119 | } | ||
120 | |||
121 | static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par) | ||
122 | { | ||
123 | struct xt_ct_target_info *info = par->targinfo; | ||
124 | struct nf_conn *ct = info->ct; | ||
125 | struct nf_conn_help *help; | ||
126 | |||
127 | if (ct != &nf_conntrack_untracked) { | ||
128 | help = nfct_help(ct); | ||
129 | if (help) | ||
130 | module_put(help->helper->me); | ||
131 | |||
132 | nf_ct_l3proto_module_put(par->family); | ||
133 | } | ||
134 | nf_ct_put(info->ct); | ||
135 | } | ||
136 | |||
137 | static struct xt_target xt_ct_tg __read_mostly = { | ||
138 | .name = "CT", | ||
139 | .family = NFPROTO_UNSPEC, | ||
140 | .targetsize = XT_ALIGN(sizeof(struct xt_ct_target_info)), | ||
141 | .checkentry = xt_ct_tg_check, | ||
142 | .destroy = xt_ct_tg_destroy, | ||
143 | .target = xt_ct_target, | ||
144 | .table = "raw", | ||
145 | .me = THIS_MODULE, | ||
146 | }; | ||
147 | |||
148 | static int __init xt_ct_tg_init(void) | ||
149 | { | ||
150 | return xt_register_target(&xt_ct_tg); | ||
151 | } | ||
152 | |||
153 | static void __exit xt_ct_tg_exit(void) | ||
154 | { | ||
155 | xt_unregister_target(&xt_ct_tg); | ||
156 | } | ||
157 | |||
158 | module_init(xt_ct_tg_init); | ||
159 | module_exit(xt_ct_tg_exit); | ||
160 | |||
161 | MODULE_LICENSE("GPL"); | ||
162 | MODULE_DESCRIPTION("Xtables: connection tracking target"); | ||
163 | MODULE_ALIAS("ipt_CT"); | ||
164 | MODULE_ALIAS("ip6t_CT"); | ||
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c index f28f6a5fc02d..12dcd7007c3e 100644 --- a/net/netfilter/xt_NFQUEUE.c +++ b/net/netfilter/xt_NFQUEUE.c | |||
@@ -28,6 +28,7 @@ MODULE_ALIAS("ip6t_NFQUEUE"); | |||
28 | MODULE_ALIAS("arpt_NFQUEUE"); | 28 | MODULE_ALIAS("arpt_NFQUEUE"); |
29 | 29 | ||
30 | static u32 jhash_initval __read_mostly; | 30 | static u32 jhash_initval __read_mostly; |
31 | static bool rnd_inited __read_mostly; | ||
31 | 32 | ||
32 | static unsigned int | 33 | static unsigned int |
33 | nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par) | 34 | nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par) |
@@ -90,6 +91,10 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par) | |||
90 | const struct xt_NFQ_info_v1 *info = par->targinfo; | 91 | const struct xt_NFQ_info_v1 *info = par->targinfo; |
91 | u32 maxid; | 92 | u32 maxid; |
92 | 93 | ||
94 | if (unlikely(!rnd_inited)) { | ||
95 | get_random_bytes(&jhash_initval, sizeof(jhash_initval)); | ||
96 | rnd_inited = true; | ||
97 | } | ||
93 | if (info->queues_total == 0) { | 98 | if (info->queues_total == 0) { |
94 | pr_err("NFQUEUE: number of total queues is 0\n"); | 99 | pr_err("NFQUEUE: number of total queues is 0\n"); |
95 | return false; | 100 | return false; |
@@ -135,7 +140,6 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = { | |||
135 | 140 | ||
136 | static int __init nfqueue_tg_init(void) | 141 | static int __init nfqueue_tg_init(void) |
137 | { | 142 | { |
138 | get_random_bytes(&jhash_initval, sizeof(jhash_initval)); | ||
139 | return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg)); | 143 | return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg)); |
140 | } | 144 | } |
141 | 145 | ||
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index d80b8192e0d4..87ae97e5516f 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c | |||
@@ -23,6 +23,7 @@ static DEFINE_MUTEX(xt_rateest_mutex); | |||
23 | #define RATEEST_HSIZE 16 | 23 | #define RATEEST_HSIZE 16 |
24 | static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly; | 24 | static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly; |
25 | static unsigned int jhash_rnd __read_mostly; | 25 | static unsigned int jhash_rnd __read_mostly; |
26 | static bool rnd_inited __read_mostly; | ||
26 | 27 | ||
27 | static unsigned int xt_rateest_hash(const char *name) | 28 | static unsigned int xt_rateest_hash(const char *name) |
28 | { | 29 | { |
@@ -93,6 +94,11 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) | |||
93 | struct gnet_estimator est; | 94 | struct gnet_estimator est; |
94 | } cfg; | 95 | } cfg; |
95 | 96 | ||
97 | if (unlikely(!rnd_inited)) { | ||
98 | get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); | ||
99 | rnd_inited = true; | ||
100 | } | ||
101 | |||
96 | est = xt_rateest_lookup(info->name); | 102 | est = xt_rateest_lookup(info->name); |
97 | if (est) { | 103 | if (est) { |
98 | /* | 104 | /* |
@@ -164,7 +170,6 @@ static int __init xt_rateest_tg_init(void) | |||
164 | for (i = 0; i < ARRAY_SIZE(rateest_hash); i++) | 170 | for (i = 0; i < ARRAY_SIZE(rateest_hash); i++) |
165 | INIT_HLIST_HEAD(&rateest_hash[i]); | 171 | INIT_HLIST_HEAD(&rateest_hash[i]); |
166 | 172 | ||
167 | get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); | ||
168 | return xt_register_target(&xt_rateest_tg_reg); | 173 | return xt_register_target(&xt_rateest_tg_reg); |
169 | } | 174 | } |
170 | 175 | ||
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index eda64c1cb1e5..6f21b4377dbb 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c | |||
@@ -60,17 +60,9 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
60 | tcplen = skb->len - tcphoff; | 60 | tcplen = skb->len - tcphoff; |
61 | tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); | 61 | tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); |
62 | 62 | ||
63 | /* Since it passed flags test in tcp match, we know it is is | 63 | /* Header cannot be larger than the packet */ |
64 | not a fragment, and has data >= tcp header length. SYN | 64 | if (tcplen < tcph->doff*4) |
65 | packets should not contain data: if they did, then we risk | ||
66 | running over MTU, sending Frag Needed and breaking things | ||
67 | badly. --RR */ | ||
68 | if (tcplen != tcph->doff*4) { | ||
69 | if (net_ratelimit()) | ||
70 | printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n", | ||
71 | skb->len); | ||
72 | return -1; | 65 | return -1; |
73 | } | ||
74 | 66 | ||
75 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { | 67 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { |
76 | if (dst_mtu(skb_dst(skb)) <= minlen) { | 68 | if (dst_mtu(skb_dst(skb)) <= minlen) { |
@@ -115,6 +107,12 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
115 | } | 107 | } |
116 | } | 108 | } |
117 | 109 | ||
110 | /* There is data after the header so the option can't be added | ||
111 | without moving it, and doing so may make the SYN packet | ||
112 | itself too large. Accept the packet unmodified instead. */ | ||
113 | if (tcplen > tcph->doff*4) | ||
114 | return 0; | ||
115 | |||
118 | /* | 116 | /* |
119 | * MSS Option not found ?! add it.. | 117 | * MSS Option not found ?! add it.. |
120 | */ | 118 | */ |
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 38f03f75a636..26997ce90e48 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <net/netfilter/nf_conntrack.h> | 28 | #include <net/netfilter/nf_conntrack.h> |
29 | #include <net/netfilter/nf_conntrack_core.h> | 29 | #include <net/netfilter/nf_conntrack_core.h> |
30 | #include <net/netfilter/nf_conntrack_tuple.h> | 30 | #include <net/netfilter/nf_conntrack_tuple.h> |
31 | #include <net/netfilter/nf_conntrack_zones.h> | ||
31 | 32 | ||
32 | /* we will save the tuples of all connections we care about */ | 33 | /* we will save the tuples of all connections we care about */ |
33 | struct xt_connlimit_conn { | 34 | struct xt_connlimit_conn { |
@@ -40,15 +41,11 @@ struct xt_connlimit_data { | |||
40 | spinlock_t lock; | 41 | spinlock_t lock; |
41 | }; | 42 | }; |
42 | 43 | ||
43 | static u_int32_t connlimit_rnd; | 44 | static u_int32_t connlimit_rnd __read_mostly; |
44 | static bool connlimit_rnd_inited; | 45 | static bool connlimit_rnd_inited __read_mostly; |
45 | 46 | ||
46 | static inline unsigned int connlimit_iphash(__be32 addr) | 47 | static inline unsigned int connlimit_iphash(__be32 addr) |
47 | { | 48 | { |
48 | if (unlikely(!connlimit_rnd_inited)) { | ||
49 | get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); | ||
50 | connlimit_rnd_inited = true; | ||
51 | } | ||
52 | return jhash_1word((__force __u32)addr, connlimit_rnd) & 0xFF; | 49 | return jhash_1word((__force __u32)addr, connlimit_rnd) & 0xFF; |
53 | } | 50 | } |
54 | 51 | ||
@@ -59,11 +56,6 @@ connlimit_iphash6(const union nf_inet_addr *addr, | |||
59 | union nf_inet_addr res; | 56 | union nf_inet_addr res; |
60 | unsigned int i; | 57 | unsigned int i; |
61 | 58 | ||
62 | if (unlikely(!connlimit_rnd_inited)) { | ||
63 | get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); | ||
64 | connlimit_rnd_inited = true; | ||
65 | } | ||
66 | |||
67 | for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i) | 59 | for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i) |
68 | res.ip6[i] = addr->ip6[i] & mask->ip6[i]; | 60 | res.ip6[i] = addr->ip6[i] & mask->ip6[i]; |
69 | 61 | ||
@@ -99,7 +91,8 @@ same_source_net(const union nf_inet_addr *addr, | |||
99 | } | 91 | } |
100 | } | 92 | } |
101 | 93 | ||
102 | static int count_them(struct xt_connlimit_data *data, | 94 | static int count_them(struct net *net, |
95 | struct xt_connlimit_data *data, | ||
103 | const struct nf_conntrack_tuple *tuple, | 96 | const struct nf_conntrack_tuple *tuple, |
104 | const union nf_inet_addr *addr, | 97 | const union nf_inet_addr *addr, |
105 | const union nf_inet_addr *mask, | 98 | const union nf_inet_addr *mask, |
@@ -122,7 +115,8 @@ static int count_them(struct xt_connlimit_data *data, | |||
122 | 115 | ||
123 | /* check the saved connections */ | 116 | /* check the saved connections */ |
124 | list_for_each_entry_safe(conn, tmp, hash, list) { | 117 | list_for_each_entry_safe(conn, tmp, hash, list) { |
125 | found = nf_conntrack_find_get(&init_net, &conn->tuple); | 118 | found = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE, |
119 | &conn->tuple); | ||
126 | found_ct = NULL; | 120 | found_ct = NULL; |
127 | 121 | ||
128 | if (found != NULL) | 122 | if (found != NULL) |
@@ -180,6 +174,7 @@ static int count_them(struct xt_connlimit_data *data, | |||
180 | static bool | 174 | static bool |
181 | connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 175 | connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
182 | { | 176 | { |
177 | struct net *net = dev_net(par->in ? par->in : par->out); | ||
183 | const struct xt_connlimit_info *info = par->matchinfo; | 178 | const struct xt_connlimit_info *info = par->matchinfo; |
184 | union nf_inet_addr addr; | 179 | union nf_inet_addr addr; |
185 | struct nf_conntrack_tuple tuple; | 180 | struct nf_conntrack_tuple tuple; |
@@ -204,7 +199,7 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
204 | } | 199 | } |
205 | 200 | ||
206 | spin_lock_bh(&info->data->lock); | 201 | spin_lock_bh(&info->data->lock); |
207 | connections = count_them(info->data, tuple_ptr, &addr, | 202 | connections = count_them(net, info->data, tuple_ptr, &addr, |
208 | &info->mask, par->family); | 203 | &info->mask, par->family); |
209 | spin_unlock_bh(&info->data->lock); | 204 | spin_unlock_bh(&info->data->lock); |
210 | 205 | ||
@@ -226,6 +221,10 @@ static bool connlimit_mt_check(const struct xt_mtchk_param *par) | |||
226 | struct xt_connlimit_info *info = par->matchinfo; | 221 | struct xt_connlimit_info *info = par->matchinfo; |
227 | unsigned int i; | 222 | unsigned int i; |
228 | 223 | ||
224 | if (unlikely(!connlimit_rnd_inited)) { | ||
225 | get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); | ||
226 | connlimit_rnd_inited = true; | ||
227 | } | ||
229 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 228 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { |
230 | printk(KERN_WARNING "cannot load conntrack support for " | 229 | printk(KERN_WARNING "cannot load conntrack support for " |
231 | "address family %u\n", par->family); | 230 | "address family %u\n", par->family); |
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index dd16e404424f..e47fb805ffb4 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #endif | 26 | #endif |
27 | 27 | ||
28 | #include <net/net_namespace.h> | 28 | #include <net/net_namespace.h> |
29 | #include <net/netns/generic.h> | ||
29 | 30 | ||
30 | #include <linux/netfilter/x_tables.h> | 31 | #include <linux/netfilter/x_tables.h> |
31 | #include <linux/netfilter_ipv4/ip_tables.h> | 32 | #include <linux/netfilter_ipv4/ip_tables.h> |
@@ -40,9 +41,19 @@ MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match"); | |||
40 | MODULE_ALIAS("ipt_hashlimit"); | 41 | MODULE_ALIAS("ipt_hashlimit"); |
41 | MODULE_ALIAS("ip6t_hashlimit"); | 42 | MODULE_ALIAS("ip6t_hashlimit"); |
42 | 43 | ||
44 | struct hashlimit_net { | ||
45 | struct hlist_head htables; | ||
46 | struct proc_dir_entry *ipt_hashlimit; | ||
47 | struct proc_dir_entry *ip6t_hashlimit; | ||
48 | }; | ||
49 | |||
50 | static int hashlimit_net_id; | ||
51 | static inline struct hashlimit_net *hashlimit_pernet(struct net *net) | ||
52 | { | ||
53 | return net_generic(net, hashlimit_net_id); | ||
54 | } | ||
55 | |||
43 | /* need to declare this at the top */ | 56 | /* need to declare this at the top */ |
44 | static struct proc_dir_entry *hashlimit_procdir4; | ||
45 | static struct proc_dir_entry *hashlimit_procdir6; | ||
46 | static const struct file_operations dl_file_ops; | 57 | static const struct file_operations dl_file_ops; |
47 | 58 | ||
48 | /* hash table crap */ | 59 | /* hash table crap */ |
@@ -79,27 +90,26 @@ struct dsthash_ent { | |||
79 | 90 | ||
80 | struct xt_hashlimit_htable { | 91 | struct xt_hashlimit_htable { |
81 | struct hlist_node node; /* global list of all htables */ | 92 | struct hlist_node node; /* global list of all htables */ |
82 | atomic_t use; | 93 | int use; |
83 | u_int8_t family; | 94 | u_int8_t family; |
95 | bool rnd_initialized; | ||
84 | 96 | ||
85 | struct hashlimit_cfg1 cfg; /* config */ | 97 | struct hashlimit_cfg1 cfg; /* config */ |
86 | 98 | ||
87 | /* used internally */ | 99 | /* used internally */ |
88 | spinlock_t lock; /* lock for list_head */ | 100 | spinlock_t lock; /* lock for list_head */ |
89 | u_int32_t rnd; /* random seed for hash */ | 101 | u_int32_t rnd; /* random seed for hash */ |
90 | int rnd_initialized; | ||
91 | unsigned int count; /* number entries in table */ | 102 | unsigned int count; /* number entries in table */ |
92 | struct timer_list timer; /* timer for gc */ | 103 | struct timer_list timer; /* timer for gc */ |
93 | 104 | ||
94 | /* seq_file stuff */ | 105 | /* seq_file stuff */ |
95 | struct proc_dir_entry *pde; | 106 | struct proc_dir_entry *pde; |
107 | struct net *net; | ||
96 | 108 | ||
97 | struct hlist_head hash[0]; /* hashtable itself */ | 109 | struct hlist_head hash[0]; /* hashtable itself */ |
98 | }; | 110 | }; |
99 | 111 | ||
100 | static DEFINE_SPINLOCK(hashlimit_lock); /* protects htables list */ | 112 | static DEFINE_MUTEX(hashlimit_mutex); /* protects htables list */ |
101 | static DEFINE_MUTEX(hlimit_mutex); /* additional checkentry protection */ | ||
102 | static HLIST_HEAD(hashlimit_htables); | ||
103 | static struct kmem_cache *hashlimit_cachep __read_mostly; | 113 | static struct kmem_cache *hashlimit_cachep __read_mostly; |
104 | 114 | ||
105 | static inline bool dst_cmp(const struct dsthash_ent *ent, | 115 | static inline bool dst_cmp(const struct dsthash_ent *ent, |
@@ -150,7 +160,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht, | |||
150 | * the first hashtable entry */ | 160 | * the first hashtable entry */ |
151 | if (!ht->rnd_initialized) { | 161 | if (!ht->rnd_initialized) { |
152 | get_random_bytes(&ht->rnd, sizeof(ht->rnd)); | 162 | get_random_bytes(&ht->rnd, sizeof(ht->rnd)); |
153 | ht->rnd_initialized = 1; | 163 | ht->rnd_initialized = true; |
154 | } | 164 | } |
155 | 165 | ||
156 | if (ht->cfg.max && ht->count >= ht->cfg.max) { | 166 | if (ht->cfg.max && ht->count >= ht->cfg.max) { |
@@ -185,8 +195,9 @@ dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent) | |||
185 | } | 195 | } |
186 | static void htable_gc(unsigned long htlong); | 196 | static void htable_gc(unsigned long htlong); |
187 | 197 | ||
188 | static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family) | 198 | static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_int8_t family) |
189 | { | 199 | { |
200 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
190 | struct xt_hashlimit_htable *hinfo; | 201 | struct xt_hashlimit_htable *hinfo; |
191 | unsigned int size; | 202 | unsigned int size; |
192 | unsigned int i; | 203 | unsigned int i; |
@@ -232,33 +243,36 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family) | |||
232 | for (i = 0; i < hinfo->cfg.size; i++) | 243 | for (i = 0; i < hinfo->cfg.size; i++) |
233 | INIT_HLIST_HEAD(&hinfo->hash[i]); | 244 | INIT_HLIST_HEAD(&hinfo->hash[i]); |
234 | 245 | ||
235 | atomic_set(&hinfo->use, 1); | 246 | hinfo->use = 1; |
236 | hinfo->count = 0; | 247 | hinfo->count = 0; |
237 | hinfo->family = family; | 248 | hinfo->family = family; |
238 | hinfo->rnd_initialized = 0; | 249 | hinfo->rnd_initialized = false; |
239 | spin_lock_init(&hinfo->lock); | 250 | spin_lock_init(&hinfo->lock); |
240 | hinfo->pde = proc_create_data(minfo->name, 0, | 251 | hinfo->pde = proc_create_data(minfo->name, 0, |
241 | (family == NFPROTO_IPV4) ? | 252 | (family == NFPROTO_IPV4) ? |
242 | hashlimit_procdir4 : hashlimit_procdir6, | 253 | hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit, |
243 | &dl_file_ops, hinfo); | 254 | &dl_file_ops, hinfo); |
244 | if (!hinfo->pde) { | 255 | if (!hinfo->pde) { |
245 | vfree(hinfo); | 256 | vfree(hinfo); |
246 | return -1; | 257 | return -1; |
247 | } | 258 | } |
259 | hinfo->net = net; | ||
248 | 260 | ||
249 | setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo); | 261 | setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo); |
250 | hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval); | 262 | hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval); |
251 | add_timer(&hinfo->timer); | 263 | add_timer(&hinfo->timer); |
252 | 264 | ||
253 | spin_lock_bh(&hashlimit_lock); | 265 | mutex_lock(&hashlimit_mutex); |
254 | hlist_add_head(&hinfo->node, &hashlimit_htables); | 266 | hlist_add_head(&hinfo->node, &hashlimit_net->htables); |
255 | spin_unlock_bh(&hashlimit_lock); | 267 | mutex_unlock(&hashlimit_mutex); |
256 | 268 | ||
257 | return 0; | 269 | return 0; |
258 | } | 270 | } |
259 | 271 | ||
260 | static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family) | 272 | static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, |
273 | u_int8_t family) | ||
261 | { | 274 | { |
275 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
262 | struct xt_hashlimit_htable *hinfo; | 276 | struct xt_hashlimit_htable *hinfo; |
263 | unsigned int size; | 277 | unsigned int size; |
264 | unsigned int i; | 278 | unsigned int i; |
@@ -293,28 +307,29 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family) | |||
293 | for (i = 0; i < hinfo->cfg.size; i++) | 307 | for (i = 0; i < hinfo->cfg.size; i++) |
294 | INIT_HLIST_HEAD(&hinfo->hash[i]); | 308 | INIT_HLIST_HEAD(&hinfo->hash[i]); |
295 | 309 | ||
296 | atomic_set(&hinfo->use, 1); | 310 | hinfo->use = 1; |
297 | hinfo->count = 0; | 311 | hinfo->count = 0; |
298 | hinfo->family = family; | 312 | hinfo->family = family; |
299 | hinfo->rnd_initialized = 0; | 313 | hinfo->rnd_initialized = false; |
300 | spin_lock_init(&hinfo->lock); | 314 | spin_lock_init(&hinfo->lock); |
301 | 315 | ||
302 | hinfo->pde = proc_create_data(minfo->name, 0, | 316 | hinfo->pde = proc_create_data(minfo->name, 0, |
303 | (family == NFPROTO_IPV4) ? | 317 | (family == NFPROTO_IPV4) ? |
304 | hashlimit_procdir4 : hashlimit_procdir6, | 318 | hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit, |
305 | &dl_file_ops, hinfo); | 319 | &dl_file_ops, hinfo); |
306 | if (hinfo->pde == NULL) { | 320 | if (hinfo->pde == NULL) { |
307 | vfree(hinfo); | 321 | vfree(hinfo); |
308 | return -1; | 322 | return -1; |
309 | } | 323 | } |
324 | hinfo->net = net; | ||
310 | 325 | ||
311 | setup_timer(&hinfo->timer, htable_gc, (unsigned long)hinfo); | 326 | setup_timer(&hinfo->timer, htable_gc, (unsigned long)hinfo); |
312 | hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval); | 327 | hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval); |
313 | add_timer(&hinfo->timer); | 328 | add_timer(&hinfo->timer); |
314 | 329 | ||
315 | spin_lock_bh(&hashlimit_lock); | 330 | mutex_lock(&hashlimit_mutex); |
316 | hlist_add_head(&hinfo->node, &hashlimit_htables); | 331 | hlist_add_head(&hinfo->node, &hashlimit_net->htables); |
317 | spin_unlock_bh(&hashlimit_lock); | 332 | mutex_unlock(&hashlimit_mutex); |
318 | 333 | ||
319 | return 0; | 334 | return 0; |
320 | } | 335 | } |
@@ -364,43 +379,46 @@ static void htable_gc(unsigned long htlong) | |||
364 | 379 | ||
365 | static void htable_destroy(struct xt_hashlimit_htable *hinfo) | 380 | static void htable_destroy(struct xt_hashlimit_htable *hinfo) |
366 | { | 381 | { |
382 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net); | ||
383 | struct proc_dir_entry *parent; | ||
384 | |||
367 | del_timer_sync(&hinfo->timer); | 385 | del_timer_sync(&hinfo->timer); |
368 | 386 | ||
369 | /* remove proc entry */ | 387 | if (hinfo->family == NFPROTO_IPV4) |
370 | remove_proc_entry(hinfo->pde->name, | 388 | parent = hashlimit_net->ipt_hashlimit; |
371 | hinfo->family == NFPROTO_IPV4 ? hashlimit_procdir4 : | 389 | else |
372 | hashlimit_procdir6); | 390 | parent = hashlimit_net->ip6t_hashlimit; |
391 | remove_proc_entry(hinfo->pde->name, parent); | ||
373 | htable_selective_cleanup(hinfo, select_all); | 392 | htable_selective_cleanup(hinfo, select_all); |
374 | vfree(hinfo); | 393 | vfree(hinfo); |
375 | } | 394 | } |
376 | 395 | ||
377 | static struct xt_hashlimit_htable *htable_find_get(const char *name, | 396 | static struct xt_hashlimit_htable *htable_find_get(struct net *net, |
397 | const char *name, | ||
378 | u_int8_t family) | 398 | u_int8_t family) |
379 | { | 399 | { |
400 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
380 | struct xt_hashlimit_htable *hinfo; | 401 | struct xt_hashlimit_htable *hinfo; |
381 | struct hlist_node *pos; | 402 | struct hlist_node *pos; |
382 | 403 | ||
383 | spin_lock_bh(&hashlimit_lock); | 404 | hlist_for_each_entry(hinfo, pos, &hashlimit_net->htables, node) { |
384 | hlist_for_each_entry(hinfo, pos, &hashlimit_htables, node) { | ||
385 | if (!strcmp(name, hinfo->pde->name) && | 405 | if (!strcmp(name, hinfo->pde->name) && |
386 | hinfo->family == family) { | 406 | hinfo->family == family) { |
387 | atomic_inc(&hinfo->use); | 407 | hinfo->use++; |
388 | spin_unlock_bh(&hashlimit_lock); | ||
389 | return hinfo; | 408 | return hinfo; |
390 | } | 409 | } |
391 | } | 410 | } |
392 | spin_unlock_bh(&hashlimit_lock); | ||
393 | return NULL; | 411 | return NULL; |
394 | } | 412 | } |
395 | 413 | ||
396 | static void htable_put(struct xt_hashlimit_htable *hinfo) | 414 | static void htable_put(struct xt_hashlimit_htable *hinfo) |
397 | { | 415 | { |
398 | if (atomic_dec_and_test(&hinfo->use)) { | 416 | mutex_lock(&hashlimit_mutex); |
399 | spin_lock_bh(&hashlimit_lock); | 417 | if (--hinfo->use == 0) { |
400 | hlist_del(&hinfo->node); | 418 | hlist_del(&hinfo->node); |
401 | spin_unlock_bh(&hashlimit_lock); | ||
402 | htable_destroy(hinfo); | 419 | htable_destroy(hinfo); |
403 | } | 420 | } |
421 | mutex_unlock(&hashlimit_mutex); | ||
404 | } | 422 | } |
405 | 423 | ||
406 | /* The algorithm used is the Simple Token Bucket Filter (TBF) | 424 | /* The algorithm used is the Simple Token Bucket Filter (TBF) |
@@ -665,6 +683,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
665 | 683 | ||
666 | static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par) | 684 | static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par) |
667 | { | 685 | { |
686 | struct net *net = par->net; | ||
668 | struct xt_hashlimit_info *r = par->matchinfo; | 687 | struct xt_hashlimit_info *r = par->matchinfo; |
669 | 688 | ||
670 | /* Check for overflow. */ | 689 | /* Check for overflow. */ |
@@ -687,25 +706,20 @@ static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par) | |||
687 | if (r->name[sizeof(r->name) - 1] != '\0') | 706 | if (r->name[sizeof(r->name) - 1] != '\0') |
688 | return false; | 707 | return false; |
689 | 708 | ||
690 | /* This is the best we've got: We cannot release and re-grab lock, | 709 | mutex_lock(&hashlimit_mutex); |
691 | * since checkentry() is called before x_tables.c grabs xt_mutex. | 710 | r->hinfo = htable_find_get(net, r->name, par->match->family); |
692 | * We also cannot grab the hashtable spinlock, since htable_create will | 711 | if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) { |
693 | * call vmalloc, and that can sleep. And we cannot just re-search | 712 | mutex_unlock(&hashlimit_mutex); |
694 | * the list of htable's in htable_create(), since then we would | ||
695 | * create duplicate proc files. -HW */ | ||
696 | mutex_lock(&hlimit_mutex); | ||
697 | r->hinfo = htable_find_get(r->name, par->match->family); | ||
698 | if (!r->hinfo && htable_create_v0(r, par->match->family) != 0) { | ||
699 | mutex_unlock(&hlimit_mutex); | ||
700 | return false; | 713 | return false; |
701 | } | 714 | } |
702 | mutex_unlock(&hlimit_mutex); | 715 | mutex_unlock(&hashlimit_mutex); |
703 | 716 | ||
704 | return true; | 717 | return true; |
705 | } | 718 | } |
706 | 719 | ||
707 | static bool hashlimit_mt_check(const struct xt_mtchk_param *par) | 720 | static bool hashlimit_mt_check(const struct xt_mtchk_param *par) |
708 | { | 721 | { |
722 | struct net *net = par->net; | ||
709 | struct xt_hashlimit_mtinfo1 *info = par->matchinfo; | 723 | struct xt_hashlimit_mtinfo1 *info = par->matchinfo; |
710 | 724 | ||
711 | /* Check for overflow. */ | 725 | /* Check for overflow. */ |
@@ -728,19 +742,13 @@ static bool hashlimit_mt_check(const struct xt_mtchk_param *par) | |||
728 | return false; | 742 | return false; |
729 | } | 743 | } |
730 | 744 | ||
731 | /* This is the best we've got: We cannot release and re-grab lock, | 745 | mutex_lock(&hashlimit_mutex); |
732 | * since checkentry() is called before x_tables.c grabs xt_mutex. | 746 | info->hinfo = htable_find_get(net, info->name, par->match->family); |
733 | * We also cannot grab the hashtable spinlock, since htable_create will | 747 | if (!info->hinfo && htable_create(net, info, par->match->family) != 0) { |
734 | * call vmalloc, and that can sleep. And we cannot just re-search | 748 | mutex_unlock(&hashlimit_mutex); |
735 | * the list of htable's in htable_create(), since then we would | ||
736 | * create duplicate proc files. -HW */ | ||
737 | mutex_lock(&hlimit_mutex); | ||
738 | info->hinfo = htable_find_get(info->name, par->match->family); | ||
739 | if (!info->hinfo && htable_create(info, par->match->family) != 0) { | ||
740 | mutex_unlock(&hlimit_mutex); | ||
741 | return false; | 749 | return false; |
742 | } | 750 | } |
743 | mutex_unlock(&hlimit_mutex); | 751 | mutex_unlock(&hashlimit_mutex); |
744 | return true; | 752 | return true; |
745 | } | 753 | } |
746 | 754 | ||
@@ -767,7 +775,7 @@ struct compat_xt_hashlimit_info { | |||
767 | compat_uptr_t master; | 775 | compat_uptr_t master; |
768 | }; | 776 | }; |
769 | 777 | ||
770 | static void hashlimit_mt_compat_from_user(void *dst, void *src) | 778 | static void hashlimit_mt_compat_from_user(void *dst, const void *src) |
771 | { | 779 | { |
772 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); | 780 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); |
773 | 781 | ||
@@ -775,7 +783,7 @@ static void hashlimit_mt_compat_from_user(void *dst, void *src) | |||
775 | memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off); | 783 | memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off); |
776 | } | 784 | } |
777 | 785 | ||
778 | static int hashlimit_mt_compat_to_user(void __user *dst, void *src) | 786 | static int hashlimit_mt_compat_to_user(void __user *dst, const void *src) |
779 | { | 787 | { |
780 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); | 788 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); |
781 | 789 | ||
@@ -841,8 +849,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = { | |||
841 | static void *dl_seq_start(struct seq_file *s, loff_t *pos) | 849 | static void *dl_seq_start(struct seq_file *s, loff_t *pos) |
842 | __acquires(htable->lock) | 850 | __acquires(htable->lock) |
843 | { | 851 | { |
844 | struct proc_dir_entry *pde = s->private; | 852 | struct xt_hashlimit_htable *htable = s->private; |
845 | struct xt_hashlimit_htable *htable = pde->data; | ||
846 | unsigned int *bucket; | 853 | unsigned int *bucket; |
847 | 854 | ||
848 | spin_lock_bh(&htable->lock); | 855 | spin_lock_bh(&htable->lock); |
@@ -859,8 +866,7 @@ static void *dl_seq_start(struct seq_file *s, loff_t *pos) | |||
859 | 866 | ||
860 | static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) | 867 | static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) |
861 | { | 868 | { |
862 | struct proc_dir_entry *pde = s->private; | 869 | struct xt_hashlimit_htable *htable = s->private; |
863 | struct xt_hashlimit_htable *htable = pde->data; | ||
864 | unsigned int *bucket = (unsigned int *)v; | 870 | unsigned int *bucket = (unsigned int *)v; |
865 | 871 | ||
866 | *pos = ++(*bucket); | 872 | *pos = ++(*bucket); |
@@ -874,8 +880,7 @@ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) | |||
874 | static void dl_seq_stop(struct seq_file *s, void *v) | 880 | static void dl_seq_stop(struct seq_file *s, void *v) |
875 | __releases(htable->lock) | 881 | __releases(htable->lock) |
876 | { | 882 | { |
877 | struct proc_dir_entry *pde = s->private; | 883 | struct xt_hashlimit_htable *htable = s->private; |
878 | struct xt_hashlimit_htable *htable = pde->data; | ||
879 | unsigned int *bucket = (unsigned int *)v; | 884 | unsigned int *bucket = (unsigned int *)v; |
880 | 885 | ||
881 | kfree(bucket); | 886 | kfree(bucket); |
@@ -917,8 +922,7 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | |||
917 | 922 | ||
918 | static int dl_seq_show(struct seq_file *s, void *v) | 923 | static int dl_seq_show(struct seq_file *s, void *v) |
919 | { | 924 | { |
920 | struct proc_dir_entry *pde = s->private; | 925 | struct xt_hashlimit_htable *htable = s->private; |
921 | struct xt_hashlimit_htable *htable = pde->data; | ||
922 | unsigned int *bucket = (unsigned int *)v; | 926 | unsigned int *bucket = (unsigned int *)v; |
923 | struct dsthash_ent *ent; | 927 | struct dsthash_ent *ent; |
924 | struct hlist_node *pos; | 928 | struct hlist_node *pos; |
@@ -944,7 +948,7 @@ static int dl_proc_open(struct inode *inode, struct file *file) | |||
944 | 948 | ||
945 | if (!ret) { | 949 | if (!ret) { |
946 | struct seq_file *sf = file->private_data; | 950 | struct seq_file *sf = file->private_data; |
947 | sf->private = PDE(inode); | 951 | sf->private = PDE(inode)->data; |
948 | } | 952 | } |
949 | return ret; | 953 | return ret; |
950 | } | 954 | } |
@@ -957,10 +961,61 @@ static const struct file_operations dl_file_ops = { | |||
957 | .release = seq_release | 961 | .release = seq_release |
958 | }; | 962 | }; |
959 | 963 | ||
964 | static int __net_init hashlimit_proc_net_init(struct net *net) | ||
965 | { | ||
966 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
967 | |||
968 | hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net); | ||
969 | if (!hashlimit_net->ipt_hashlimit) | ||
970 | return -ENOMEM; | ||
971 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
972 | hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net); | ||
973 | if (!hashlimit_net->ip6t_hashlimit) { | ||
974 | proc_net_remove(net, "ipt_hashlimit"); | ||
975 | return -ENOMEM; | ||
976 | } | ||
977 | #endif | ||
978 | return 0; | ||
979 | } | ||
980 | |||
981 | static void __net_exit hashlimit_proc_net_exit(struct net *net) | ||
982 | { | ||
983 | proc_net_remove(net, "ipt_hashlimit"); | ||
984 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
985 | proc_net_remove(net, "ip6t_hashlimit"); | ||
986 | #endif | ||
987 | } | ||
988 | |||
989 | static int __net_init hashlimit_net_init(struct net *net) | ||
990 | { | ||
991 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
992 | |||
993 | INIT_HLIST_HEAD(&hashlimit_net->htables); | ||
994 | return hashlimit_proc_net_init(net); | ||
995 | } | ||
996 | |||
997 | static void __net_exit hashlimit_net_exit(struct net *net) | ||
998 | { | ||
999 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | ||
1000 | |||
1001 | BUG_ON(!hlist_empty(&hashlimit_net->htables)); | ||
1002 | hashlimit_proc_net_exit(net); | ||
1003 | } | ||
1004 | |||
1005 | static struct pernet_operations hashlimit_net_ops = { | ||
1006 | .init = hashlimit_net_init, | ||
1007 | .exit = hashlimit_net_exit, | ||
1008 | .id = &hashlimit_net_id, | ||
1009 | .size = sizeof(struct hashlimit_net), | ||
1010 | }; | ||
1011 | |||
960 | static int __init hashlimit_mt_init(void) | 1012 | static int __init hashlimit_mt_init(void) |
961 | { | 1013 | { |
962 | int err; | 1014 | int err; |
963 | 1015 | ||
1016 | err = register_pernet_subsys(&hashlimit_net_ops); | ||
1017 | if (err < 0) | ||
1018 | return err; | ||
964 | err = xt_register_matches(hashlimit_mt_reg, | 1019 | err = xt_register_matches(hashlimit_mt_reg, |
965 | ARRAY_SIZE(hashlimit_mt_reg)); | 1020 | ARRAY_SIZE(hashlimit_mt_reg)); |
966 | if (err < 0) | 1021 | if (err < 0) |
@@ -974,41 +1029,21 @@ static int __init hashlimit_mt_init(void) | |||
974 | printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n"); | 1029 | printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n"); |
975 | goto err2; | 1030 | goto err2; |
976 | } | 1031 | } |
977 | hashlimit_procdir4 = proc_mkdir("ipt_hashlimit", init_net.proc_net); | 1032 | return 0; |
978 | if (!hashlimit_procdir4) { | 1033 | |
979 | printk(KERN_ERR "xt_hashlimit: unable to create proc dir " | ||
980 | "entry\n"); | ||
981 | goto err3; | ||
982 | } | ||
983 | err = 0; | ||
984 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
985 | hashlimit_procdir6 = proc_mkdir("ip6t_hashlimit", init_net.proc_net); | ||
986 | if (!hashlimit_procdir6) { | ||
987 | printk(KERN_ERR "xt_hashlimit: unable to create proc dir " | ||
988 | "entry\n"); | ||
989 | err = -ENOMEM; | ||
990 | } | ||
991 | #endif | ||
992 | if (!err) | ||
993 | return 0; | ||
994 | remove_proc_entry("ipt_hashlimit", init_net.proc_net); | ||
995 | err3: | ||
996 | kmem_cache_destroy(hashlimit_cachep); | ||
997 | err2: | 1034 | err2: |
998 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); | 1035 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); |
999 | err1: | 1036 | err1: |
1037 | unregister_pernet_subsys(&hashlimit_net_ops); | ||
1000 | return err; | 1038 | return err; |
1001 | 1039 | ||
1002 | } | 1040 | } |
1003 | 1041 | ||
1004 | static void __exit hashlimit_mt_exit(void) | 1042 | static void __exit hashlimit_mt_exit(void) |
1005 | { | 1043 | { |
1006 | remove_proc_entry("ipt_hashlimit", init_net.proc_net); | ||
1007 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
1008 | remove_proc_entry("ip6t_hashlimit", init_net.proc_net); | ||
1009 | #endif | ||
1010 | kmem_cache_destroy(hashlimit_cachep); | 1044 | kmem_cache_destroy(hashlimit_cachep); |
1011 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); | 1045 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); |
1046 | unregister_pernet_subsys(&hashlimit_net_ops); | ||
1012 | } | 1047 | } |
1013 | 1048 | ||
1014 | module_init(hashlimit_mt_init); | 1049 | module_init(hashlimit_mt_init); |
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index 2773be6a71dd..a0ca5339af41 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c | |||
@@ -148,7 +148,7 @@ struct compat_xt_rateinfo { | |||
148 | 148 | ||
149 | /* To keep the full "prev" timestamp, the upper 32 bits are stored in the | 149 | /* To keep the full "prev" timestamp, the upper 32 bits are stored in the |
150 | * master pointer, which does not need to be preserved. */ | 150 | * master pointer, which does not need to be preserved. */ |
151 | static void limit_mt_compat_from_user(void *dst, void *src) | 151 | static void limit_mt_compat_from_user(void *dst, const void *src) |
152 | { | 152 | { |
153 | const struct compat_xt_rateinfo *cm = src; | 153 | const struct compat_xt_rateinfo *cm = src; |
154 | struct xt_rateinfo m = { | 154 | struct xt_rateinfo m = { |
@@ -162,7 +162,7 @@ static void limit_mt_compat_from_user(void *dst, void *src) | |||
162 | memcpy(dst, &m, sizeof(m)); | 162 | memcpy(dst, &m, sizeof(m)); |
163 | } | 163 | } |
164 | 164 | ||
165 | static int limit_mt_compat_to_user(void __user *dst, void *src) | 165 | static int limit_mt_compat_to_user(void __user *dst, const void *src) |
166 | { | 166 | { |
167 | const struct xt_rateinfo *m = src; | 167 | const struct xt_rateinfo *m = src; |
168 | struct compat_xt_rateinfo cm = { | 168 | struct compat_xt_rateinfo cm = { |
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c index 4d1a41bbd5d7..4169e200588d 100644 --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c | |||
@@ -334,7 +334,7 @@ static bool xt_osf_match_packet(const struct sk_buff *skb, | |||
334 | if (info->flags & XT_OSF_LOG) | 334 | if (info->flags & XT_OSF_LOG) |
335 | nf_log_packet(p->family, p->hooknum, skb, | 335 | nf_log_packet(p->family, p->hooknum, skb, |
336 | p->in, p->out, NULL, | 336 | p->in, p->out, NULL, |
337 | "%s [%s:%s] : %pi4:%d -> %pi4:%d hops=%d\n", | 337 | "%s [%s:%s] : %pI4:%d -> %pI4:%d hops=%d\n", |
338 | f->genre, f->version, f->subtype, | 338 | f->genre, f->version, f->subtype, |
339 | &ip->saddr, ntohs(tcp->source), | 339 | &ip->saddr, ntohs(tcp->source), |
340 | &ip->daddr, ntohs(tcp->dest), | 340 | &ip->daddr, ntohs(tcp->dest), |
@@ -349,7 +349,7 @@ static bool xt_osf_match_packet(const struct sk_buff *skb, | |||
349 | 349 | ||
350 | if (!fcount && (info->flags & XT_OSF_LOG)) | 350 | if (!fcount && (info->flags & XT_OSF_LOG)) |
351 | nf_log_packet(p->family, p->hooknum, skb, p->in, p->out, NULL, | 351 | nf_log_packet(p->family, p->hooknum, skb, p->in, p->out, NULL, |
352 | "Remote OS is not known: %pi4:%u -> %pi4:%u\n", | 352 | "Remote OS is not known: %pI4:%u -> %pI4:%u\n", |
353 | &ip->saddr, ntohs(tcp->source), | 353 | &ip->saddr, ntohs(tcp->source), |
354 | &ip->daddr, ntohs(tcp->dest)); | 354 | &ip->daddr, ntohs(tcp->dest)); |
355 | 355 | ||
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c index fc70a49c0afd..132cfaa84cdc 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <linux/skbuff.h> | 28 | #include <linux/skbuff.h> |
29 | #include <linux/inet.h> | 29 | #include <linux/inet.h> |
30 | #include <net/net_namespace.h> | 30 | #include <net/net_namespace.h> |
31 | #include <net/netns/generic.h> | ||
31 | 32 | ||
32 | #include <linux/netfilter/x_tables.h> | 33 | #include <linux/netfilter/x_tables.h> |
33 | #include <linux/netfilter/xt_recent.h> | 34 | #include <linux/netfilter/xt_recent.h> |
@@ -52,7 +53,7 @@ module_param(ip_list_perms, uint, 0400); | |||
52 | module_param(ip_list_uid, uint, 0400); | 53 | module_param(ip_list_uid, uint, 0400); |
53 | module_param(ip_list_gid, uint, 0400); | 54 | module_param(ip_list_gid, uint, 0400); |
54 | MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list"); | 55 | MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list"); |
55 | MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)"); | 56 | MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)"); |
56 | MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs"); | 57 | MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs"); |
57 | MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files"); | 58 | MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files"); |
58 | MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files"); | 59 | MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files"); |
@@ -78,37 +79,40 @@ struct recent_table { | |||
78 | struct list_head iphash[0]; | 79 | struct list_head iphash[0]; |
79 | }; | 80 | }; |
80 | 81 | ||
81 | static LIST_HEAD(tables); | 82 | struct recent_net { |
83 | struct list_head tables; | ||
84 | #ifdef CONFIG_PROC_FS | ||
85 | struct proc_dir_entry *xt_recent; | ||
86 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
87 | struct proc_dir_entry *ipt_recent; | ||
88 | #endif | ||
89 | #endif | ||
90 | }; | ||
91 | |||
92 | static int recent_net_id; | ||
93 | static inline struct recent_net *recent_pernet(struct net *net) | ||
94 | { | ||
95 | return net_generic(net, recent_net_id); | ||
96 | } | ||
97 | |||
82 | static DEFINE_SPINLOCK(recent_lock); | 98 | static DEFINE_SPINLOCK(recent_lock); |
83 | static DEFINE_MUTEX(recent_mutex); | 99 | static DEFINE_MUTEX(recent_mutex); |
84 | 100 | ||
85 | #ifdef CONFIG_PROC_FS | 101 | #ifdef CONFIG_PROC_FS |
86 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
87 | static struct proc_dir_entry *proc_old_dir; | ||
88 | #endif | ||
89 | static struct proc_dir_entry *recent_proc_dir; | ||
90 | static const struct file_operations recent_old_fops, recent_mt_fops; | 102 | static const struct file_operations recent_old_fops, recent_mt_fops; |
91 | #endif | 103 | #endif |
92 | 104 | ||
93 | static u_int32_t hash_rnd; | 105 | static u_int32_t hash_rnd __read_mostly; |
94 | static bool hash_rnd_initted; | 106 | static bool hash_rnd_inited __read_mostly; |
95 | 107 | ||
96 | static unsigned int recent_entry_hash4(const union nf_inet_addr *addr) | 108 | static inline unsigned int recent_entry_hash4(const union nf_inet_addr *addr) |
97 | { | 109 | { |
98 | if (!hash_rnd_initted) { | ||
99 | get_random_bytes(&hash_rnd, sizeof(hash_rnd)); | ||
100 | hash_rnd_initted = true; | ||
101 | } | ||
102 | return jhash_1word((__force u32)addr->ip, hash_rnd) & | 110 | return jhash_1word((__force u32)addr->ip, hash_rnd) & |
103 | (ip_list_hash_size - 1); | 111 | (ip_list_hash_size - 1); |
104 | } | 112 | } |
105 | 113 | ||
106 | static unsigned int recent_entry_hash6(const union nf_inet_addr *addr) | 114 | static inline unsigned int recent_entry_hash6(const union nf_inet_addr *addr) |
107 | { | 115 | { |
108 | if (!hash_rnd_initted) { | ||
109 | get_random_bytes(&hash_rnd, sizeof(hash_rnd)); | ||
110 | hash_rnd_initted = true; | ||
111 | } | ||
112 | return jhash2((u32 *)addr->ip6, ARRAY_SIZE(addr->ip6), hash_rnd) & | 116 | return jhash2((u32 *)addr->ip6, ARRAY_SIZE(addr->ip6), hash_rnd) & |
113 | (ip_list_hash_size - 1); | 117 | (ip_list_hash_size - 1); |
114 | } | 118 | } |
@@ -180,11 +184,12 @@ static void recent_entry_update(struct recent_table *t, struct recent_entry *e) | |||
180 | list_move_tail(&e->lru_list, &t->lru_list); | 184 | list_move_tail(&e->lru_list, &t->lru_list); |
181 | } | 185 | } |
182 | 186 | ||
183 | static struct recent_table *recent_table_lookup(const char *name) | 187 | static struct recent_table *recent_table_lookup(struct recent_net *recent_net, |
188 | const char *name) | ||
184 | { | 189 | { |
185 | struct recent_table *t; | 190 | struct recent_table *t; |
186 | 191 | ||
187 | list_for_each_entry(t, &tables, list) | 192 | list_for_each_entry(t, &recent_net->tables, list) |
188 | if (!strcmp(t->name, name)) | 193 | if (!strcmp(t->name, name)) |
189 | return t; | 194 | return t; |
190 | return NULL; | 195 | return NULL; |
@@ -203,6 +208,8 @@ static void recent_table_flush(struct recent_table *t) | |||
203 | static bool | 208 | static bool |
204 | recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 209 | recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
205 | { | 210 | { |
211 | struct net *net = dev_net(par->in ? par->in : par->out); | ||
212 | struct recent_net *recent_net = recent_pernet(net); | ||
206 | const struct xt_recent_mtinfo *info = par->matchinfo; | 213 | const struct xt_recent_mtinfo *info = par->matchinfo; |
207 | struct recent_table *t; | 214 | struct recent_table *t; |
208 | struct recent_entry *e; | 215 | struct recent_entry *e; |
@@ -235,7 +242,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
235 | ttl++; | 242 | ttl++; |
236 | 243 | ||
237 | spin_lock_bh(&recent_lock); | 244 | spin_lock_bh(&recent_lock); |
238 | t = recent_table_lookup(info->name); | 245 | t = recent_table_lookup(recent_net, info->name); |
239 | e = recent_entry_lookup(t, &addr, par->match->family, | 246 | e = recent_entry_lookup(t, &addr, par->match->family, |
240 | (info->check_set & XT_RECENT_TTL) ? ttl : 0); | 247 | (info->check_set & XT_RECENT_TTL) ? ttl : 0); |
241 | if (e == NULL) { | 248 | if (e == NULL) { |
@@ -279,6 +286,7 @@ out: | |||
279 | 286 | ||
280 | static bool recent_mt_check(const struct xt_mtchk_param *par) | 287 | static bool recent_mt_check(const struct xt_mtchk_param *par) |
281 | { | 288 | { |
289 | struct recent_net *recent_net = recent_pernet(par->net); | ||
282 | const struct xt_recent_mtinfo *info = par->matchinfo; | 290 | const struct xt_recent_mtinfo *info = par->matchinfo; |
283 | struct recent_table *t; | 291 | struct recent_table *t; |
284 | #ifdef CONFIG_PROC_FS | 292 | #ifdef CONFIG_PROC_FS |
@@ -287,6 +295,10 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
287 | unsigned i; | 295 | unsigned i; |
288 | bool ret = false; | 296 | bool ret = false; |
289 | 297 | ||
298 | if (unlikely(!hash_rnd_inited)) { | ||
299 | get_random_bytes(&hash_rnd, sizeof(hash_rnd)); | ||
300 | hash_rnd_inited = true; | ||
301 | } | ||
290 | if (hweight8(info->check_set & | 302 | if (hweight8(info->check_set & |
291 | (XT_RECENT_SET | XT_RECENT_REMOVE | | 303 | (XT_RECENT_SET | XT_RECENT_REMOVE | |
292 | XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) | 304 | XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) |
@@ -294,14 +306,18 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
294 | if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && | 306 | if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && |
295 | (info->seconds || info->hit_count)) | 307 | (info->seconds || info->hit_count)) |
296 | return false; | 308 | return false; |
297 | if (info->hit_count > ip_pkt_list_tot) | 309 | if (info->hit_count > ip_pkt_list_tot) { |
310 | pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than " | ||
311 | "packets to be remembered (%u)\n", | ||
312 | info->hit_count, ip_pkt_list_tot); | ||
298 | return false; | 313 | return false; |
314 | } | ||
299 | if (info->name[0] == '\0' || | 315 | if (info->name[0] == '\0' || |
300 | strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) | 316 | strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) |
301 | return false; | 317 | return false; |
302 | 318 | ||
303 | mutex_lock(&recent_mutex); | 319 | mutex_lock(&recent_mutex); |
304 | t = recent_table_lookup(info->name); | 320 | t = recent_table_lookup(recent_net, info->name); |
305 | if (t != NULL) { | 321 | if (t != NULL) { |
306 | t->refcnt++; | 322 | t->refcnt++; |
307 | ret = true; | 323 | ret = true; |
@@ -318,7 +334,7 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
318 | for (i = 0; i < ip_list_hash_size; i++) | 334 | for (i = 0; i < ip_list_hash_size; i++) |
319 | INIT_LIST_HEAD(&t->iphash[i]); | 335 | INIT_LIST_HEAD(&t->iphash[i]); |
320 | #ifdef CONFIG_PROC_FS | 336 | #ifdef CONFIG_PROC_FS |
321 | pde = proc_create_data(t->name, ip_list_perms, recent_proc_dir, | 337 | pde = proc_create_data(t->name, ip_list_perms, recent_net->xt_recent, |
322 | &recent_mt_fops, t); | 338 | &recent_mt_fops, t); |
323 | if (pde == NULL) { | 339 | if (pde == NULL) { |
324 | kfree(t); | 340 | kfree(t); |
@@ -327,10 +343,10 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
327 | pde->uid = ip_list_uid; | 343 | pde->uid = ip_list_uid; |
328 | pde->gid = ip_list_gid; | 344 | pde->gid = ip_list_gid; |
329 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | 345 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT |
330 | pde = proc_create_data(t->name, ip_list_perms, proc_old_dir, | 346 | pde = proc_create_data(t->name, ip_list_perms, recent_net->ipt_recent, |
331 | &recent_old_fops, t); | 347 | &recent_old_fops, t); |
332 | if (pde == NULL) { | 348 | if (pde == NULL) { |
333 | remove_proc_entry(t->name, proc_old_dir); | 349 | remove_proc_entry(t->name, recent_net->xt_recent); |
334 | kfree(t); | 350 | kfree(t); |
335 | goto out; | 351 | goto out; |
336 | } | 352 | } |
@@ -339,7 +355,7 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
339 | #endif | 355 | #endif |
340 | #endif | 356 | #endif |
341 | spin_lock_bh(&recent_lock); | 357 | spin_lock_bh(&recent_lock); |
342 | list_add_tail(&t->list, &tables); | 358 | list_add_tail(&t->list, &recent_net->tables); |
343 | spin_unlock_bh(&recent_lock); | 359 | spin_unlock_bh(&recent_lock); |
344 | ret = true; | 360 | ret = true; |
345 | out: | 361 | out: |
@@ -349,20 +365,21 @@ out: | |||
349 | 365 | ||
350 | static void recent_mt_destroy(const struct xt_mtdtor_param *par) | 366 | static void recent_mt_destroy(const struct xt_mtdtor_param *par) |
351 | { | 367 | { |
368 | struct recent_net *recent_net = recent_pernet(par->net); | ||
352 | const struct xt_recent_mtinfo *info = par->matchinfo; | 369 | const struct xt_recent_mtinfo *info = par->matchinfo; |
353 | struct recent_table *t; | 370 | struct recent_table *t; |
354 | 371 | ||
355 | mutex_lock(&recent_mutex); | 372 | mutex_lock(&recent_mutex); |
356 | t = recent_table_lookup(info->name); | 373 | t = recent_table_lookup(recent_net, info->name); |
357 | if (--t->refcnt == 0) { | 374 | if (--t->refcnt == 0) { |
358 | spin_lock_bh(&recent_lock); | 375 | spin_lock_bh(&recent_lock); |
359 | list_del(&t->list); | 376 | list_del(&t->list); |
360 | spin_unlock_bh(&recent_lock); | 377 | spin_unlock_bh(&recent_lock); |
361 | #ifdef CONFIG_PROC_FS | 378 | #ifdef CONFIG_PROC_FS |
362 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | 379 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT |
363 | remove_proc_entry(t->name, proc_old_dir); | 380 | remove_proc_entry(t->name, recent_net->ipt_recent); |
364 | #endif | 381 | #endif |
365 | remove_proc_entry(t->name, recent_proc_dir); | 382 | remove_proc_entry(t->name, recent_net->xt_recent); |
366 | #endif | 383 | #endif |
367 | recent_table_flush(t); | 384 | recent_table_flush(t); |
368 | kfree(t); | 385 | kfree(t); |
@@ -611,8 +628,65 @@ static const struct file_operations recent_mt_fops = { | |||
611 | .release = seq_release_private, | 628 | .release = seq_release_private, |
612 | .owner = THIS_MODULE, | 629 | .owner = THIS_MODULE, |
613 | }; | 630 | }; |
631 | |||
632 | static int __net_init recent_proc_net_init(struct net *net) | ||
633 | { | ||
634 | struct recent_net *recent_net = recent_pernet(net); | ||
635 | |||
636 | recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); | ||
637 | if (!recent_net->xt_recent) | ||
638 | return -ENOMEM; | ||
639 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
640 | recent_net->ipt_recent = proc_mkdir("ipt_recent", net->proc_net); | ||
641 | if (!recent_net->ipt_recent) { | ||
642 | proc_net_remove(net, "xt_recent"); | ||
643 | return -ENOMEM; | ||
644 | } | ||
645 | #endif | ||
646 | return 0; | ||
647 | } | ||
648 | |||
649 | static void __net_exit recent_proc_net_exit(struct net *net) | ||
650 | { | ||
651 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
652 | proc_net_remove(net, "ipt_recent"); | ||
653 | #endif | ||
654 | proc_net_remove(net, "xt_recent"); | ||
655 | } | ||
656 | #else | ||
657 | static inline int recent_proc_net_init(struct net *net) | ||
658 | { | ||
659 | return 0; | ||
660 | } | ||
661 | |||
662 | static inline void recent_proc_net_exit(struct net *net) | ||
663 | { | ||
664 | } | ||
614 | #endif /* CONFIG_PROC_FS */ | 665 | #endif /* CONFIG_PROC_FS */ |
615 | 666 | ||
667 | static int __net_init recent_net_init(struct net *net) | ||
668 | { | ||
669 | struct recent_net *recent_net = recent_pernet(net); | ||
670 | |||
671 | INIT_LIST_HEAD(&recent_net->tables); | ||
672 | return recent_proc_net_init(net); | ||
673 | } | ||
674 | |||
675 | static void __net_exit recent_net_exit(struct net *net) | ||
676 | { | ||
677 | struct recent_net *recent_net = recent_pernet(net); | ||
678 | |||
679 | BUG_ON(!list_empty(&recent_net->tables)); | ||
680 | recent_proc_net_exit(net); | ||
681 | } | ||
682 | |||
683 | static struct pernet_operations recent_net_ops = { | ||
684 | .init = recent_net_init, | ||
685 | .exit = recent_net_exit, | ||
686 | .id = &recent_net_id, | ||
687 | .size = sizeof(struct recent_net), | ||
688 | }; | ||
689 | |||
616 | static struct xt_match recent_mt_reg[] __read_mostly = { | 690 | static struct xt_match recent_mt_reg[] __read_mostly = { |
617 | { | 691 | { |
618 | .name = "recent", | 692 | .name = "recent", |
@@ -644,39 +718,19 @@ static int __init recent_mt_init(void) | |||
644 | return -EINVAL; | 718 | return -EINVAL; |
645 | ip_list_hash_size = 1 << fls(ip_list_tot); | 719 | ip_list_hash_size = 1 << fls(ip_list_tot); |
646 | 720 | ||
647 | err = xt_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); | 721 | err = register_pernet_subsys(&recent_net_ops); |
648 | #ifdef CONFIG_PROC_FS | ||
649 | if (err) | 722 | if (err) |
650 | return err; | 723 | return err; |
651 | recent_proc_dir = proc_mkdir("xt_recent", init_net.proc_net); | 724 | err = xt_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); |
652 | if (recent_proc_dir == NULL) { | 725 | if (err) |
653 | xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); | 726 | unregister_pernet_subsys(&recent_net_ops); |
654 | err = -ENOMEM; | ||
655 | } | ||
656 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
657 | if (err < 0) | ||
658 | return err; | ||
659 | proc_old_dir = proc_mkdir("ipt_recent", init_net.proc_net); | ||
660 | if (proc_old_dir == NULL) { | ||
661 | remove_proc_entry("xt_recent", init_net.proc_net); | ||
662 | xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); | ||
663 | err = -ENOMEM; | ||
664 | } | ||
665 | #endif | ||
666 | #endif | ||
667 | return err; | 727 | return err; |
668 | } | 728 | } |
669 | 729 | ||
670 | static void __exit recent_mt_exit(void) | 730 | static void __exit recent_mt_exit(void) |
671 | { | 731 | { |
672 | BUG_ON(!list_empty(&tables)); | ||
673 | xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); | 732 | xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); |
674 | #ifdef CONFIG_PROC_FS | 733 | unregister_pernet_subsys(&recent_net_ops); |
675 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
676 | remove_proc_entry("ipt_recent", init_net.proc_net); | ||
677 | #endif | ||
678 | remove_proc_entry("xt_recent", init_net.proc_net); | ||
679 | #endif | ||
680 | } | 734 | } |
681 | 735 | ||
682 | module_init(recent_mt_init); | 736 | module_init(recent_mt_init); |
diff --git a/net/netfilter/xt_repldata.h b/net/netfilter/xt_repldata.h new file mode 100644 index 000000000000..6efe4e5a81c6 --- /dev/null +++ b/net/netfilter/xt_repldata.h | |||
@@ -0,0 +1,35 @@ | |||
1 | /* | ||
2 | * Today's hack: quantum tunneling in structs | ||
3 | * | ||
4 | * 'entries' and 'term' are never anywhere referenced by word in code. In fact, | ||
5 | * they serve as the hanging-off data accessed through repl.data[]. | ||
6 | */ | ||
7 | |||
8 | #define xt_alloc_initial_table(type, typ2) ({ \ | ||
9 | unsigned int hook_mask = info->valid_hooks; \ | ||
10 | unsigned int nhooks = hweight32(hook_mask); \ | ||
11 | unsigned int bytes = 0, hooknum = 0, i = 0; \ | ||
12 | struct { \ | ||
13 | struct type##_replace repl; \ | ||
14 | struct type##_standard entries[nhooks]; \ | ||
15 | struct type##_error term; \ | ||
16 | } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \ | ||
17 | if (tbl == NULL) \ | ||
18 | return NULL; \ | ||
19 | strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \ | ||
20 | tbl->term = (struct type##_error)typ2##_ERROR_INIT; \ | ||
21 | tbl->repl.valid_hooks = hook_mask; \ | ||
22 | tbl->repl.num_entries = nhooks + 1; \ | ||
23 | tbl->repl.size = nhooks * sizeof(struct type##_standard) + \ | ||
24 | sizeof(struct type##_error); \ | ||
25 | for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \ | ||
26 | if (!(hook_mask & 1)) \ | ||
27 | continue; \ | ||
28 | tbl->repl.hook_entry[hooknum] = bytes; \ | ||
29 | tbl->repl.underflow[hooknum] = bytes; \ | ||
30 | tbl->entries[i++] = (struct type##_standard) \ | ||
31 | typ2##_STANDARD_INIT(NF_ACCEPT); \ | ||
32 | bytes += sizeof(struct type##_standard); \ | ||
33 | } \ | ||
34 | tbl; \ | ||
35 | }) | ||