author | David S. Miller <davem@davemloft.net> | 2012-09-24 15:36:53 -0400 |
committer | David S. Miller <davem@davemloft.net> | 2012-09-24 15:42:04 -0400 |
commit | ae4735166ee31e29fbf8615949dac9e56299b1fd (patch) | |
tree | ee39087a83e0e6d6aaab87e905ce6d170185e32d /include | |
parent | 2ddc7fe1cd1b2e0502f12b89c60b6e1ca66837dd (diff) | |
parent | 6ee584be3ee30f72dec8a8ca87bc10824e27a631 (diff) |
Merge branch 'master' of git://1984.lsi.us.es/nf-next
Pablo Neira Ayuso says:
====================
This patchset contains updates for your net-next tree, they are:
* Mostly fixes for the recently pushed IPv6 NAT support:
- Fix crash while removing nf_nat modules from Patrick McHardy.
- Fix unbalanced rcu_read_unlock from Ulrich Weber.
- Merge NETMAP and REDIRECT into one single xt_target module, from
Jan Engelhardt.
- Fix Kconfig for IPv6 NAT, which allows inconsistent configurations,
from myself.
* Updates for ipset, all of the from Jozsef Kadlecsik:
- Add the new "nomatch" option to obtain reverse set matching.
- Support for /0 CIDR in hash:net,iface set type.
- One non-critical fix for a rare crash due to passing really
wrong configuration parameters.
- Coding style cleanups.
- Sparse fixes.
- Add set revision supported via modinfo.
* One extension for the xt_time match, to support matching during
the transition between two days with one single rule, from
Florian Westphal.
* Fix maximum packet length supported by nfnetlink_queue and add
NFQA_CAP_LEN attribute, from myself.
You can notice that this batch contains a couple of fixes that may
go to 3.6-rc but I don't consider them critical to push them:
* The ipset fix for the /0 cidr case, which is triggered with one
inconsistent command line invocation of ipset.
* The nfnetlink_queue maximum packet length supported since it requires
the new NFQA_CAP_LEN attribute to provide a full workaround for the
described problem.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 15 | ||||
-rw-r--r-- | include/linux/netfilter/ipset/ip_set_ahash.h | 106 | ||||
-rw-r--r-- | include/linux/netfilter/nf_conntrack_ftp.h | 6 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_queue.h | 1 | ||||
-rw-r--r-- | include/linux/netfilter/xt_time.h | 5 |
5 files changed, 80 insertions, 53 deletions
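--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -190,6 +190,7 @@ enum ip_set_dim {
 	 * If changed, new revision of iptables match/target is required.
 	 */
 	IPSET_DIM_MAX = 6,
+	IPSET_BIT_RETURN_NOMATCH = 7,
 };
 
 /* Option flags for kernel operations */
@@ -198,6 +199,7 @@ enum ip_set_kopt {
 	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
 	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
 	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+	IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
 };
 
 #ifdef __KERNEL__
@@ -206,9 +208,15 @@ enum ip_set_kopt {
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/stringify.h>
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
 
+#define _IP_SET_MODULE_DESC(a, b, c) \
+	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
+#define IP_SET_MODULE_DESC(a, b, c) \
+	_IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c))
+
 /* Set features */
 enum ip_set_feature {
 	IPSET_TYPE_IP_FLAG = 0,
@@ -223,6 +231,8 @@ enum ip_set_feature {
 	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
 	IPSET_TYPE_IFACE_FLAG = 5,
 	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
+	IPSET_TYPE_NOMATCH_FLAG = 6,
+	IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
 	/* Strictly speaking not a feature, but a flag for dumping:
 	 * this settype must be dumped last */
 	IPSET_DUMP_LAST_FLAG = 7,
@@ -249,7 +259,7 @@ struct ip_set_type_variant {
 	 * returns negative error code,
 	 * zero for no match/success to add/delete
 	 * positive for matching element */
-	int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
+	int (*kadt)(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt);
 
@@ -424,7 +434,8 @@ static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr)
 	return ret;
 }
 
-static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, const struct in6_addr *ipaddrptr)
+static inline int nla_put_ipaddr6(struct sk_buff *skb, int type,
+				  const struct in6_addr *ipaddrptr)
 {
 	struct nlattr *__nested = ipset_nest_start(skb, type);
 	int ret;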
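--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -137,50 +137,59 @@ htable_bits(u32 hashsize)
 #endif
 
 #define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
+#ifdef IP_SET_HASH_WITH_MULTI
+#define NETS_LENGTH(family) (SET_HOST_MASK(family) + 1)
+#else
+#define NETS_LENGTH(family) SET_HOST_MASK(family)
+#endif
 
 /* Network cidr size book keeping when the hash stores different
  * sized networks */
 static void
-add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
+add_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)
 {
-	u8 i;
-
-	++h->nets[cidr-1].nets;
-
-	pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets);
+	int i, j;
 
-	if (h->nets[cidr-1].nets > 1)
-		return;
-
-	/* New cidr size */
-	for (i = 0; i < host_mask && h->nets[i].cidr; i++) {
-		/* Add in increasing prefix order, so larger cidr first */
-		if (h->nets[i].cidr < cidr)
-			swap(h->nets[i].cidr, cidr);
+	/* Add in increasing prefix order, so larger cidr first */
+	for (i = 0, j = -1; i < nets_length && h->nets[i].nets; i++) {
+		if (j != -1)
+			continue;
+		else if (h->nets[i].cidr < cidr)
+			j = i;
+		else if (h->nets[i].cidr == cidr) {
+			h->nets[i].nets++;
+			return;
+		}
+	}
+	if (j != -1) {
+		for (; i > j; i--) {
+			h->nets[i].cidr = h->nets[i - 1].cidr;
+			h->nets[i].nets = h->nets[i - 1].nets;
+		}
 	}
-	if (i < host_mask)
-		h->nets[i].cidr = cidr;
+	h->nets[i].cidr = cidr;
+	h->nets[i].nets = 1;
 }
 
 static void
-del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
+del_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)
 {
-	u8 i;
-
-	--h->nets[cidr-1].nets;
+	u8 i, j;
 
-	pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets);
+	for (i = 0; i < nets_length - 1 && h->nets[i].cidr != cidr; i++)
+		;
+	h->nets[i].nets--;
 
-	if (h->nets[cidr-1].nets != 0)
+	if (h->nets[i].nets != 0)
 		return;
 
-	/* All entries with this cidr size deleted, so cleanup h->cidr[] */
-	for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) {
-		if (h->nets[i].cidr == cidr)
-			h->nets[i].cidr = cidr = h->nets[i+1].cidr;
+	for (j = i; j < nets_length - 1 && h->nets[j].nets; j++) {
+		h->nets[j].cidr = h->nets[j + 1].cidr;
+		h->nets[j].nets = h->nets[j + 1].nets;
 	}
-	h->nets[i - 1].cidr = 0;
 }
+#else
+#define NETS_LENGTH(family) 0
 #endif
 
 /* Destroy the hashtable part of the set */
@@ -202,14 +211,14 @@ ahash_destroy(struct htable *t)
 
 /* Calculate the actual memory size of the set data */
 static size_t
-ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask)
+ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 nets_length)
 {
 	u32 i;
 	struct htable *t = h->table;
 	size_t memsize = sizeof(*h)
 			 + sizeof(*t)
 #ifdef IP_SET_HASH_WITH_NETS
-			 + sizeof(struct ip_set_hash_nets) * host_mask
+			 + sizeof(struct ip_set_hash_nets) * nets_length
 #endif
 			 + jhash_size(t->htable_bits) * sizeof(struct hbucket);
 
@@ -238,7 +247,7 @@ ip_set_hash_flush(struct ip_set *set)
 	}
 #ifdef IP_SET_HASH_WITH_NETS
 	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)
-			   * SET_HOST_MASK(set->family));
+			   * NETS_LENGTH(set->family));
 #endif
 	h->elements = 0;
 }
@@ -271,9 +280,6 @@ ip_set_hash_destroy(struct ip_set *set)
 	(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
 	 & jhash_mask(htable_bits))
 
-#define CONCAT(a, b, c) a##b##c
-#define TOKEN(a, b, c) CONCAT(a, b, c)
-
 /* Type/family dependent function prototypes */
 
 #define type_pf_data_equal TOKEN(TYPE, PF, _data_equal)
@@ -478,7 +484,7 @@ type_pf_add(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	}
 
 #ifdef IP_SET_HASH_WITH_NETS
-	add_cidr(h, CIDR(d->cidr), HOST_MASK);
+	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	h->elements++;
 out:
@@ -513,7 +519,7 @@ type_pf_del(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	n->pos--;
 	h->elements--;
 #ifdef IP_SET_HASH_WITH_NETS
-	del_cidr(h, CIDR(d->cidr), HOST_MASK);
+	del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	if (n->pos + AHASH_INIT_SIZE < n->size) {
 		void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
@@ -546,10 +552,10 @@ type_pf_test_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
 	const struct type_pf_elem *data;
 	int i, j = 0;
 	u32 key, multi = 0;
-	u8 host_mask = SET_HOST_MASK(set->family);
+	u8 nets_length = NETS_LENGTH(set->family);
 
 	pr_debug("test by nets\n");
-	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
+	for (; j < nets_length && h->nets[j].nets && !multi; j++) {
 		type_pf_data_netmask(d, h->nets[j].cidr);
 		key = HKEY(d, h->initval, t->htable_bits);
 		n = hbucket(t, key);
@@ -604,7 +610,7 @@ type_pf_head(struct ip_set *set, struct sk_buff *skb)
 	memsize = ahash_memsize(h, with_timeout(h->timeout)
 				? sizeof(struct type_pf_telem)
 				: sizeof(struct type_pf_elem),
-				set->family == AF_INET ? 32 : 128);
+				NETS_LENGTH(set->family));
 	read_unlock_bh(&set->lock);
 
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
@@ -690,7 +696,7 @@ nla_put_failure:
 }
 
 static int
-type_pf_kadt(struct ip_set *set, const struct sk_buff * skb,
+type_pf_kadt(struct ip_set *set, const struct sk_buff *skb,
 	     const struct xt_action_param *par,
 	     enum ipset_adt adt, const struct ip_set_adt_opt *opt);
 static int
@@ -783,7 +789,7 @@ type_pf_elem_tadd(struct hbucket *n, const struct type_pf_elem *value,
 
 /* Delete expired elements from the hashtable */
 static void
-type_pf_expire(struct ip_set_hash *h)
+type_pf_expire(struct ip_set_hash *h, u8 nets_length)
 {
 	struct htable *t = h->table;
 	struct hbucket *n;
@@ -798,7 +804,7 @@ type_pf_expire(struct ip_set_hash *h)
 			if (type_pf_data_expired(data)) {
 				pr_debug("expired %u/%u\n", i, j);
 #ifdef IP_SET_HASH_WITH_NETS
-				del_cidr(h, CIDR(data->cidr), HOST_MASK);
+				del_cidr(h, CIDR(data->cidr), nets_length);
 #endif
 				if (j != n->pos - 1)
 					/* Not last one */
@@ -839,7 +845,7 @@ type_pf_tresize(struct ip_set *set, bool retried)
 	if (!retried) {
 		i = h->elements;
 		write_lock_bh(&set->lock);
-		type_pf_expire(set->data);
+		type_pf_expire(set->data, NETS_LENGTH(set->family));
 		write_unlock_bh(&set->lock);
 		if (h->elements < i)
 			return 0;
@@ -904,7 +910,7 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 
 	if (h->elements >= h->maxelem)
 		/* FIXME: when set is full, we slow down here */
-		type_pf_expire(h);
+		type_pf_expire(h, NETS_LENGTH(set->family));
 	if (h->elements >= h->maxelem) {
 		if (net_ratelimit())
 			pr_warning("Set %s is full, maxelem %u reached\n",
@@ -933,8 +939,8 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	if (j != AHASH_MAX(h) + 1) {
 		data = ahash_tdata(n, j);
 #ifdef IP_SET_HASH_WITH_NETS
-		del_cidr(h, CIDR(data->cidr), HOST_MASK);
-		add_cidr(h, CIDR(d->cidr), HOST_MASK);
+		del_cidr(h, CIDR(data->cidr), NETS_LENGTH(set->family));
+		add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 		type_pf_data_copy(data, d);
 		type_pf_data_timeout_set(data, timeout);
@@ -952,7 +958,7 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	}
 
 #ifdef IP_SET_HASH_WITH_NETS
-	add_cidr(h, CIDR(d->cidr), HOST_MASK);
+	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	h->elements++;
 out:
@@ -986,7 +992,7 @@ type_pf_tdel(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	n->pos--;
 	h->elements--;
 #ifdef IP_SET_HASH_WITH_NETS
-	del_cidr(h, CIDR(d->cidr), HOST_MASK);
+	del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	if (n->pos + AHASH_INIT_SIZE < n->size) {
 		void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
@@ -1016,9 +1022,9 @@ type_pf_ttest_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
 	struct hbucket *n;
 	int i, j = 0;
 	u32 key, multi = 0;
-	u8 host_mask = SET_HOST_MASK(set->family);
+	u8 nets_length = NETS_LENGTH(set->family);
 
-	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
+	for (; j < nets_length && h->nets[j].nets && !multi; j++) {
 		type_pf_data_netmask(d, h->nets[j].cidr);
 		key = HKEY(d, h->initval, t->htable_bits);
 		n = hbucket(t, key);
@@ -1147,7 +1153,7 @@ type_pf_gc(unsigned long ul_set)
 
 	pr_debug("called\n");
 	write_lock_bh(&set->lock);
-	type_pf_expire(h);
+	type_pf_expire(h, NETS_LENGTH(set->family));
 	write_unlock_bh(&set->lock);
 
 	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;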
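Review bot: In the new `del_cidr` (first hunk) the compaction loop `for (j = i; j < nets_length - 1 && h->nets[j].nets; j++)` can never execute: the `if (h->nets[i].nets != 0) return;` immediately above guarantees `h->nets[i].nets == 0`, so the condition is false on its first test at `j == i` and the emptied slot stays in the array with its old `cidr`. Since `add_cidr` and both `*_test_cidrs` loops in this section now stop at the first entry whose `.nets` is zero, every cidr stored after such a stale slot becomes invisible to matching as far as this header shows, so elements that are still in the set stop matching until a later `add_cidr` happens to overwrite the slot. The loop should test the slot being pulled in, `h->nets[j + 1].nets`, and afterwards clear the slot the last copy came from; the rewritten tail of the function is below. A secondary point: the lookup loop before `h->nets[i].nets--` lands on `nets_length - 1` when `cidr` is absent and decrements that slot anyway, which relies on callers only passing values that `add_cidr` recorded earlier and deserves a comment such as `/* cidr must be present: add_cidr() ran for every stored element */`.
```c
static void
del_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)
{
	/* … unchanged: locate slot i of cidr, decrement it, return while nets != 0 … */

	/* nets[i].nets is already 0 here, so test the slot being pulled in,
	 * not the slot being overwritten */
	for (j = i; j < nets_length - 1 && h->nets[j + 1].nets; j++) {
		h->nets[j].cidr = h->nets[j + 1].cidr;
		h->nets[j].nets = h->nets[j + 1].nets;
	}
	/* the last copied-from slot (or slot i itself) is now free */
	h->nets[j].cidr = 0;
	h->nets[j].nets = 0;
```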
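--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -18,13 +18,17 @@ enum nf_ct_ftp_type {
 
 #define FTP_PORT 21
 
+#define NF_CT_FTP_SEQ_PICKUP (1 << 0)
+
 #define NUM_SEQ_TO_REMEMBER 2
 /* This structure exists only once per master */
 struct nf_ct_ftp_master {
 	/* Valid seq positions for cmd matching after newline */
 	u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
 	/* 0 means seq_match_aft_nl not set */
-	int seq_aft_nl_num[IP_CT_DIR_MAX];
+	u_int16_t seq_aft_nl_num[IP_CT_DIR_MAX];
+	/* pickup sequence tracking, useful for conntrackd */
+	u_int16_t flags[IP_CT_DIR_MAX];
 };
 
 struct nf_conntrack_expect;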
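Review bot: The new `flags[IP_CT_DIR_MAX]` member is documented only as "pickup sequence tracking, useful for conntrackd", which does not say that it is a bit mask drawn from the `NF_CT_FTP_*` defines above nor that it is kept per direction; I would write `/* per-direction bit mask of NF_CT_FTP_* flags (NF_CT_FTP_SEQ_PICKUP: resume seq tracking after a pickup) */`. Narrowing `seq_aft_nl_num` from `int` to `u_int16_t` is presumably safe because the value counts entries of `seq_aft_nl[][NUM_SEQ_TO_REMEMBER]`, but nothing in this header states that bound; a one-line comment `/* number of valid seq_aft_nl[] entries, at most NUM_SEQ_TO_REMEMBER */` would record why 16 bits suffice. If this structure is exported to userspace for conntrackd, as the comment suggests, both changes alter its layout, which I cannot verify from this header.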
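--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,7 @@ enum nfqnl_attr_type {
 	NFQA_PAYLOAD, /* opaque data payload */
 	NFQA_CT, /* nf_conntrack_netlink.h */
 	NFQA_CT_INFO, /* enum ip_conntrack_info */
+	NFQA_CAP_LEN, /* __u32 length of captured packet */
 
 	__NFQA_MAX
 };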
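Review bot: `NFQA_CAP_LEN` is commented only as `__u32 length of captured packet`, which does not tell a reader how it relates to `NFQA_PAYLOAD`; the cover letter says the attribute exists so userspace gets a full workaround for the maximum packet length problem, so the comment should state what the value reports — presumably the packet's full length, so that a truncated `NFQA_PAYLOAD` can be recognized. I would write `/* __u32 original packet length; larger than the NFQA_PAYLOAD size means the payload was truncated */`, adjusted to whatever the queue code actually stores there. Appending the value before `__NFQA_MAX` keeps the existing attribute numbers stable, but userspace must treat it as optional since older kernels never send it.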
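--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -17,6 +17,9 @@ enum {
 	/* Match against local time (instead of UTC) */
 	XT_TIME_LOCAL_TZ = 1 << 0,
 
+	/* treat timestart > timestop (e.g. 23:00-01:00) as single period */
+	XT_TIME_CONTIGUOUS = 1 << 1,
+
 	/* Shortcuts */
 	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
 	XT_TIME_ALL_WEEKDAYS = 0xFE,
@@ -24,4 +27,6 @@ enum {
 	XT_TIME_MAX_DAYTIME = 24 * 60 * 60 - 1,
 };
 
+#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
+
 #endif /* _XT_TIME_H */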
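Review bot: `XT_TIME_ALL_FLAGS` (second hunk) is a bare `#define` with no comment, while the values it combines live in the anonymous enum just above; a reader cannot tell from this header that it is the mask a checkentry routine would use to reject unknown bits in user-supplied flags, which is the usual reason such a mask exists. I would write `/* every flag bit userspace may set; any other bit in xt_time_info.flags is a configuration error */` above it, and consider making it an enum member, `XT_TIME_ALL_FLAGS = XT_TIME_LOCAL_TZ | XT_TIME_CONTIGUOUS,`, for consistency with the `XT_TIME_ALL_*` shortcuts that already are. Whether the match's checkentry actually applies the mask is outside this header.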