netfilter: remove ip_queue support

This patch removes ip_queue support which was marked as obsolete years ago. The nfnetlink_queue modules provides more advanced user-space packet queueing mechanism. This patch also removes capability code included in SELinux that refers to ip_queue. Otherwise, we break compilation. Several warning has been sent regarding this to the mailing list in the past month without anyone rising the hand to stop this with some strong argument. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-05-08 13:45:28 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-05-08 14:25:42 -0400
commit: d16cf20e2f2f13411eece7f7fb72c17d141c4a84 (patch)
tree: 8154b3db8cdbb4b8d9f35d4c407cfe961253f0b4 /include/linux
parent: 6714cf5465d2803a21c6a46c1ea747795a8889fa (diff)
3 files changed, 1 insertions, 74 deletions
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 31f8bec95650..c61b8fb1a9ef 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -1,4 +1,3 @@
-header-y += ip_queue.h
 header-y += ip_tables.h
 header-y += ipt_CLUSTERIP.h
 header-y += ipt_ECN.h
diff --git a/include/linux/netfilter_ipv4/ip_queue.h b/include/linux/netfilter_ipv4/ip_queue.h
deleted file mode 100644
index a03507f465f8..000000000000
--- a/include/linux/netfilter_ipv4/ip_queue.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * This is a module which is used for queueing IPv4 packets and
- * communicating with userspace via netlink.
- *
- * (C) 2000 James Morris, this code is GPL.
- */
-#ifndef _IP_QUEUE_H
-#define _IP_QUEUE_H
-#ifdef __KERNEL__
-#ifdef DEBUG_IPQ
-#define QDEBUG(x...) printk(KERN_DEBUG ## x)
-#else
-#define QDEBUG(x...)
-#endif  /* DEBUG_IPQ */
-#else
-#include <net/if.h>
-#endif  /* ! __KERNEL__ */
-/* Messages sent from kernel */
-typedef struct ipq_packet_msg {
-        unsigned long packet_id;        /* ID of queued packet */
-        unsigned long mark;             /* Netfilter mark value */
-        long timestamp_sec;             /* Packet arrival time (seconds) */
-        long timestamp_usec;            /* Packet arrvial time (+useconds) */
-        unsigned int hook;              /* Netfilter hook we rode in on */
-        char indev_name[IFNAMSIZ];      /* Name of incoming interface */
-        char outdev_name[IFNAMSIZ];     /* Name of outgoing interface */
-        __be16 hw_protocol;             /* Hardware protocol (network order) */
-        unsigned short hw_type;         /* Hardware type */
-        unsigned char hw_addrlen;       /* Hardware address length */
-        unsigned char hw_addr[8];       /* Hardware address */
-        size_t data_len;                /* Length of packet data */
-        unsigned char payload[0];       /* Optional packet data */
-} ipq_packet_msg_t;
-/* Messages sent from userspace */
-typedef struct ipq_mode_msg {
-        unsigned char value;            /* Requested mode */
-        size_t range;                   /* Optional range of packet requested */
-} ipq_mode_msg_t;
-typedef struct ipq_verdict_msg {
-        unsigned int value;             /* Verdict to hand to netfilter */
-        unsigned long id;               /* Packet ID for this verdict */
-        size_t data_len;                /* Length of replacement data */
-        unsigned char payload[0];       /* Optional replacement packet */
-} ipq_verdict_msg_t;
-typedef struct ipq_peer_msg {
-        union {
-                ipq_verdict_msg_t verdict;
-                ipq_mode_msg_t mode;
-        } msg;
-} ipq_peer_msg_t;
-/* Packet delivery modes */
-enum {
-        IPQ_COPY_NONE,          /* Initial mode, packets are dropped */
-        IPQ_COPY_META,          /* Copy metadata */
-        IPQ_COPY_PACKET         /* Copy metadata + packet (range) */
-};
-#define IPQ_COPY_MAX IPQ_COPY_PACKET
-/* Types of messages */
-#define IPQM_BASE       0x10    /* standard netlink messages below this */
-#define IPQM_MODE       (IPQM_BASE + 1)         /* Mode request from peer */
-#define IPQM_VERDICT    (IPQM_BASE + 2)         /* Verdict from peer */ 
-#define IPQM_PACKET     (IPQM_BASE + 3)         /* Packet from kernel */
-#define IPQM_MAX        (IPQM_BASE + 4)
-#endif /*_IP_QUEUE_H*/
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index a2092f582a78..0f628ffa420c 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -7,7 +7,7 @@
 #define NETLINK_ROUTE           0       /* Routing/device hook                          */
 #define NETLINK_UNUSED          1       /* Unused number                                */
 #define NETLINK_USERSOCK        2       /* Reserved for user mode socket protocols      */
-#define NETLINK_FIREWALL        3       /* Firewalling hook                             */
+#define NETLINK_FIREWALL        3       /* Unused number, formerly ip_queue             */
 #define NETLINK_SOCK_DIAG       4       /* socket monitoring                            */
 #define NETLINK_NFLOG           5       /* netfilter/iptables ULOG */
 #define NETLINK_XFRM            6       /* ipsec */
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-05-08 13:45:28 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-05-08 14:25:42 -0400
commit	d16cf20e2f2f13411eece7f7fb72c17d141c4a84 (patch)
tree	8154b3db8cdbb4b8d9f35d4c407cfe961253f0b4 /include/linux
parent	6714cf5465d2803a21c6a46c1ea747795a8889fa (diff)

diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild index 31f8bec95650..c61b8fb1a9ef 100644 --- a/include/linux/netfilter_ipv4/Kbuild +++ b/include/linux/netfilter_ipv4/Kbuild
@@ -1,4 +1,3 @@
1	header-y += ip_queue.h
2	header-y += ip_tables.h	1	header-y += ip_tables.h
3	header-y += ipt_CLUSTERIP.h	2	header-y += ipt_CLUSTERIP.h
4	header-y += ipt_ECN.h	3	header-y += ipt_ECN.h


diff --git a/include/linux/netfilter_ipv4/ip_queue.h b/include/linux/netfilter_ipv4/ip_queue.h deleted file mode 100644 index a03507f465f8..000000000000 --- a/include/linux/netfilter_ipv4/ip_queue.h +++ /dev/null
@@ -1,72 +0,0 @@
1	/*
2	* This is a module which is used for queueing IPv4 packets and
3	* communicating with userspace via netlink.
4	*
5	* (C) 2000 James Morris, this code is GPL.
6	*/
7	#ifndef _IP_QUEUE_H
8	#define _IP_QUEUE_H
9
10	#ifdef __KERNEL__
11	#ifdef DEBUG_IPQ
12	#define QDEBUG(x...) printk(KERN_DEBUG ## x)
13	#else
14	#define QDEBUG(x...)
15	#endif /* DEBUG_IPQ */
16	#else
17	#include <net/if.h>
18	#endif /* ! __KERNEL__ */
19
20	/* Messages sent from kernel */
21	typedef struct ipq_packet_msg {
22	unsigned long packet_id; /* ID of queued packet */
23	unsigned long mark; /* Netfilter mark value */
24	long timestamp_sec; /* Packet arrival time (seconds) */
25	long timestamp_usec; /* Packet arrvial time (+useconds) */
26	unsigned int hook; /* Netfilter hook we rode in on */
27	char indev_name[IFNAMSIZ]; /* Name of incoming interface */
28	char outdev_name[IFNAMSIZ]; /* Name of outgoing interface */
29	__be16 hw_protocol; /* Hardware protocol (network order) */
30	unsigned short hw_type; /* Hardware type */
31	unsigned char hw_addrlen; /* Hardware address length */
32	unsigned char hw_addr[8]; /* Hardware address */
33	size_t data_len; /* Length of packet data */
34	unsigned char payload[0]; /* Optional packet data */
35	} ipq_packet_msg_t;
36
37	/* Messages sent from userspace */
38	typedef struct ipq_mode_msg {
39	unsigned char value; /* Requested mode */
40	size_t range; /* Optional range of packet requested */
41	} ipq_mode_msg_t;
42
43	typedef struct ipq_verdict_msg {
44	unsigned int value; /* Verdict to hand to netfilter */
45	unsigned long id; /* Packet ID for this verdict */
46	size_t data_len; /* Length of replacement data */
47	unsigned char payload[0]; /* Optional replacement packet */
48	} ipq_verdict_msg_t;
49
50	typedef struct ipq_peer_msg {
51	union {
52	ipq_verdict_msg_t verdict;
53	ipq_mode_msg_t mode;
54	} msg;
55	} ipq_peer_msg_t;
56
57	/* Packet delivery modes */
58	enum {
59	IPQ_COPY_NONE, /* Initial mode, packets are dropped */
60	IPQ_COPY_META, /* Copy metadata */
61	IPQ_COPY_PACKET /* Copy metadata + packet (range) */
62	};
63	#define IPQ_COPY_MAX IPQ_COPY_PACKET
64
65	/* Types of messages */
66	#define IPQM_BASE 0x10 /* standard netlink messages below this */
67	#define IPQM_MODE (IPQM_BASE + 1) /* Mode request from peer */
68	#define IPQM_VERDICT (IPQM_BASE + 2) /* Verdict from peer */
69	#define IPQM_PACKET (IPQM_BASE + 3) /* Packet from kernel */
70	#define IPQM_MAX (IPQM_BASE + 4)
71
72	#endif /_IP_QUEUE_H/


diff --git a/include/linux/netlink.h b/include/linux/netlink.h index a2092f582a78..0f628ffa420c 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h
@@ -7,7 +7,7 @@
7	#define NETLINK_ROUTE 0 /* Routing/device hook */	7	#define NETLINK_ROUTE 0 /* Routing/device hook */
8	#define NETLINK_UNUSED 1 /* Unused number */	8	#define NETLINK_UNUSED 1 /* Unused number */
9	#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */	9	#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
10	#define NETLINK_FIREWALL 3 /* Firewalling hook */	10	#define NETLINK_FIREWALL 3 /* Unused number, formerly ip_queue */
11	#define NETLINK_SOCK_DIAG 4 /* socket monitoring */	11	#define NETLINK_SOCK_DIAG 4 /* socket monitoring */
12	#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */	12	#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
13	#define NETLINK_XFRM 6 /* ipsec */	13	#define NETLINK_XFRM 6 /* ipsec */