Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

Conflicts: Documentation/feature-removal-schedule.txt
author: David S. Miller <davem@davemloft.net> 2011-03-15 16:03:27 -0400
committer: David S. Miller <davem@davemloft.net> 2011-03-15 16:03:27 -0400
commit: 31111c26d976ca0f298312f08e44cdb078005b03 (patch)
tree: ca08ef55b2ea91f9e69f8a78bb8b4363a1759b54 /net/ipv4
parent: 0c0217b016ba8a970a6f6ab62ad0d858f39881ca (diff)
parent: 2f5dc63123905a89d4260ab8ee08d19ec104db04 (diff)
5 files changed, 6 insertions, 145 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f926a310075d..1dfc18a03fd4 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -64,16 +64,6 @@ config IP_NF_IPTABLES
 if IP_NF_IPTABLES
 # The matches.
-config IP_NF_MATCH_ADDRTYPE
-        tristate '"addrtype" address type match support'
-        depends on NETFILTER_ADVANCED
-        help
-          This option allows you to match what routing thinks of an address,
-          eg. UNICAST, LOCAL, BROADCAST, ...
-          If you want to compile it as a module, say M here and read
-          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 config IP_NF_MATCH_AH
        tristate '"ah" match support'
        depends on NETFILTER_ADVANCED
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 19eb59d01037..dca2082ec683 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -48,7 +48,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
 # matches
-obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index e95054c690c6..4b5d457c2d76 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1066,6 +1066,7 @@ static int do_replace(struct net *net, const void __user *user,
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1488,6 +1489,7 @@ static int compat_do_replace(struct net *net, void __user *user,
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1740,6 +1742,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
                        ret = -EFAULT;
                        break;
                }
+                rev.name[sizeof(rev.name)-1] = 0;
                try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
                                                         rev.revision, 1, &ret),
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index ef7d7b9680ea..b09ed0d080f9 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1262,6 +1262,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1807,6 +1808,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -2036,6 +2038,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                        ret = -EFAULT;
                        break;
                }
+                rev.name[sizeof(rev.name)-1] = 0;
                if (cmd == IPT_SO_GET_REVISION_TARGET)
                        target = 1;
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
deleted file mode 100644
index db8bff0fb86d..000000000000
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- *  iptables module to match inet_addr_type() of an ip.
- *
- *  Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
- *  (C) 2007 Laszlo Attila Toth <panther@balabit.hu>
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2 as
- *  published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <linux/ip.h>
-#include <net/route.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter/x_tables.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables: address type match for IPv4");
-static inline bool match_type(struct net *net, const struct net_device *dev,
-                              __be32 addr, u_int16_t mask)
-{
-        return !!(mask & (1 << inet_dev_addr_type(net, dev, addr)));
-}
-static bool
-addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        struct net *net = dev_net(par->in ? par->in : par->out);
-        const struct ipt_addrtype_info *info = par->matchinfo;
-        const struct iphdr *iph = ip_hdr(skb);
-        bool ret = true;
-        if (info->source)
-                ret &= match_type(net, NULL, iph->saddr, info->source) ^
-                       info->invert_source;
-        if (info->dest)
-                ret &= match_type(net, NULL, iph->daddr, info->dest) ^
-                       info->invert_dest;
-        return ret;
-}
-static bool
-addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        struct net *net = dev_net(par->in ? par->in : par->out);
-        const struct ipt_addrtype_info_v1 *info = par->matchinfo;
-        const struct iphdr *iph = ip_hdr(skb);
-        const struct net_device *dev = NULL;
-        bool ret = true;
-        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN)
-                dev = par->in;
-        else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT)
-                dev = par->out;
-        if (info->source)
-                ret &= match_type(net, dev, iph->saddr, info->source) ^
-                       (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
-        if (ret && info->dest)
-                ret &= match_type(net, dev, iph->daddr, info->dest) ^
-                       !!(info->flags & IPT_ADDRTYPE_INVERT_DEST);
-        return ret;
-}
-static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
-{
-        struct ipt_addrtype_info_v1 *info = par->matchinfo;
-        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                pr_info("both incoming and outgoing "
-                        "interface limitation cannot be selected\n");
-                return -EINVAL;
-        }
-        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
-            (1 << NF_INET_LOCAL_IN)) &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                pr_info("output interface limitation "
-                        "not valid in PREROUTING and INPUT\n");
-                return -EINVAL;
-        }
-        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
-            (1 << NF_INET_LOCAL_OUT)) &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
-                pr_info("input interface limitation "
-                        "not valid in POSTROUTING and OUTPUT\n");
-                return -EINVAL;
-        }
-        return 0;
-}
-static struct xt_match addrtype_mt_reg[] __read_mostly = {
-        {
-                .name           = "addrtype",
-                .family         = NFPROTO_IPV4,
-                .match          = addrtype_mt_v0,
-                .matchsize      = sizeof(struct ipt_addrtype_info),
-                .me             = THIS_MODULE
-        },
-        {
-                .name           = "addrtype",
-                .family         = NFPROTO_IPV4,
-                .revision       = 1,
-                .match          = addrtype_mt_v1,
-                .checkentry     = addrtype_mt_checkentry_v1,
-                .matchsize      = sizeof(struct ipt_addrtype_info_v1),
-                .me             = THIS_MODULE
-        }
-};
-static int __init addrtype_mt_init(void)
-{
-        return xt_register_matches(addrtype_mt_reg,
-                                   ARRAY_SIZE(addrtype_mt_reg));
-}
-static void __exit addrtype_mt_exit(void)
-{
-        xt_unregister_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
-}
-module_init(addrtype_mt_init);
-module_exit(addrtype_mt_exit);
author	David S. Miller <davem@davemloft.net>	2011-03-15 16:03:27 -0400
committer	David S. Miller <davem@davemloft.net>	2011-03-15 16:03:27 -0400
commit	31111c26d976ca0f298312f08e44cdb078005b03 (patch)
tree	ca08ef55b2ea91f9e69f8a78bb8b4363a1759b54 /net/ipv4
parent	0c0217b016ba8a970a6f6ab62ad0d858f39881ca (diff)
parent	2f5dc63123905a89d4260ab8ee08d19ec104db04 (diff)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index f926a310075d..1dfc18a03fd4 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -64,16 +64,6 @@ config IP_NF_IPTABLES
64	if IP_NF_IPTABLES	64	if IP_NF_IPTABLES
65		65
66	# The matches.	66	# The matches.
67	config IP_NF_MATCH_ADDRTYPE
68	tristate '"addrtype" address type match support'
69	depends on NETFILTER_ADVANCED
70	help
71	This option allows you to match what routing thinks of an address,
72	eg. UNICAST, LOCAL, BROADCAST, ...
73
74	If you want to compile it as a module, say M here and read
75	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
76
77	config IP_NF_MATCH_AH	67	config IP_NF_MATCH_AH
78	tristate '"ah" match support'	68	tristate '"ah" match support'
79	depends on NETFILTER_ADVANCED	69	depends on NETFILTER_ADVANCED


diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 19eb59d01037..dca2082ec683 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile
@@ -48,7 +48,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
48	obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o	48	obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
49		49
50	# matches	50	# matches
51	obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
52	obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o	51	obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
53	obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o	52	obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
54		53


diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index e95054c690c6..4b5d457c2d76 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c
@@ -1066,6 +1066,7 @@ static int do_replace(struct net net, const void __user user,
1066	/* overflow check */	1066	/* overflow check */
1067	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))	1067	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1068	return -ENOMEM;	1068	return -ENOMEM;
		1069	tmp.name[sizeof(tmp.name)-1] = 0;
1069		1070
1070	newinfo = xt_alloc_table_info(tmp.size);	1071	newinfo = xt_alloc_table_info(tmp.size);
1071	if (!newinfo)	1072	if (!newinfo)
@@ -1488,6 +1489,7 @@ static int compat_do_replace(struct net net, void __user user,
1488	return -ENOMEM;	1489	return -ENOMEM;
1489	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))	1490	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1490	return -ENOMEM;	1491	return -ENOMEM;
		1492	tmp.name[sizeof(tmp.name)-1] = 0;
1491		1493
1492	newinfo = xt_alloc_table_info(tmp.size);	1494	newinfo = xt_alloc_table_info(tmp.size);
1493	if (!newinfo)	1495	if (!newinfo)
@@ -1740,6 +1742,7 @@ static int do_arpt_get_ctl(struct sock sk, int cmd, void __user user, int *len
1740	ret = -EFAULT;	1742	ret = -EFAULT;
1741	break;	1743	break;
1742	}	1744	}
		1745	rev.name[sizeof(rev.name)-1] = 0;
1743		1746
1744	try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,	1747	try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
1745	rev.revision, 1, &ret),	1748	rev.revision, 1, &ret),


diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index ef7d7b9680ea..b09ed0d080f9 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -1262,6 +1262,7 @@ do_replace(struct net net, const void __user user, unsigned int len)
1262	/* overflow check */	1262	/* overflow check */
1263	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))	1263	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1264	return -ENOMEM;	1264	return -ENOMEM;
		1265	tmp.name[sizeof(tmp.name)-1] = 0;
1265		1266
1266	newinfo = xt_alloc_table_info(tmp.size);	1267	newinfo = xt_alloc_table_info(tmp.size);
1267	if (!newinfo)	1268	if (!newinfo)
@@ -1807,6 +1808,7 @@ compat_do_replace(struct net net, void __user user, unsigned int len)
1807	return -ENOMEM;	1808	return -ENOMEM;
1808	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))	1809	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
1809	return -ENOMEM;	1810	return -ENOMEM;
		1811	tmp.name[sizeof(tmp.name)-1] = 0;
1810		1812
1811	newinfo = xt_alloc_table_info(tmp.size);	1813	newinfo = xt_alloc_table_info(tmp.size);
1812	if (!newinfo)	1814	if (!newinfo)
@@ -2036,6 +2038,7 @@ do_ipt_get_ctl(struct sock sk, int cmd, void __user user, int *len)
2036	ret = -EFAULT;	2038	ret = -EFAULT;
2037	break;	2039	break;
2038	}	2040	}
		2041	rev.name[sizeof(rev.name)-1] = 0;
2039		2042
2040	if (cmd == IPT_SO_GET_REVISION_TARGET)	2043	if (cmd == IPT_SO_GET_REVISION_TARGET)
2041	target = 1;	2044	target = 1;


diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c deleted file mode 100644 index db8bff0fb86d..000000000000 --- a/net/ipv4/netfilter/ipt_addrtype.c +++ /dev/null
@@ -1,134 +0,0 @@
1	/*
2	* iptables module to match inet_addr_type() of an ip.
3	*
4	* Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
5	* (C) 2007 Laszlo Attila Toth <panther@balabit.hu>
6	*
7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.
10	*/
11	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12	#include <linux/kernel.h>
13	#include <linux/module.h>
14	#include <linux/skbuff.h>
15	#include <linux/netdevice.h>
16	#include <linux/ip.h>
17	#include <net/route.h>
18
19	#include <linux/netfilter_ipv4/ipt_addrtype.h>
20	#include <linux/netfilter/x_tables.h>
21
22	MODULE_LICENSE("GPL");
23	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
24	MODULE_DESCRIPTION("Xtables: address type match for IPv4");
25
26	static inline bool match_type(struct net net, const struct net_device dev,
27	__be32 addr, u_int16_t mask)
28	{
29	return !!(mask & (1 << inet_dev_addr_type(net, dev, addr)));
30	}
31
32	static bool
33	addrtype_mt_v0(const struct sk_buff skb, struct xt_action_param par)
34	{
35	struct net *net = dev_net(par->in ? par->in : par->out);
36	const struct ipt_addrtype_info *info = par->matchinfo;
37	const struct iphdr *iph = ip_hdr(skb);
38	bool ret = true;
39
40	if (info->source)
41	ret &= match_type(net, NULL, iph->saddr, info->source) ^
42	info->invert_source;
43	if (info->dest)
44	ret &= match_type(net, NULL, iph->daddr, info->dest) ^
45	info->invert_dest;
46
47	return ret;
48	}
49
50	static bool
51	addrtype_mt_v1(const struct sk_buff skb, struct xt_action_param par)
52	{
53	struct net *net = dev_net(par->in ? par->in : par->out);
54	const struct ipt_addrtype_info_v1 *info = par->matchinfo;
55	const struct iphdr *iph = ip_hdr(skb);
56	const struct net_device *dev = NULL;
57	bool ret = true;
58
59	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN)
60	dev = par->in;
61	else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT)
62	dev = par->out;
63
64	if (info->source)
65	ret &= match_type(net, dev, iph->saddr, info->source) ^
66	(info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
67	if (ret && info->dest)
68	ret &= match_type(net, dev, iph->daddr, info->dest) ^
69	!!(info->flags & IPT_ADDRTYPE_INVERT_DEST);
70	return ret;
71	}
72
73	static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
74	{
75	struct ipt_addrtype_info_v1 *info = par->matchinfo;
76
77	if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
78	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
79	pr_info("both incoming and outgoing "
80	"interface limitation cannot be selected\n");
81	return -EINVAL;
82	}
83
84	if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) \|
85	(1 << NF_INET_LOCAL_IN)) &&
86	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
87	pr_info("output interface limitation "
88	"not valid in PREROUTING and INPUT\n");
89	return -EINVAL;
90	}
91
92	if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) \|
93	(1 << NF_INET_LOCAL_OUT)) &&
94	info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
95	pr_info("input interface limitation "
96	"not valid in POSTROUTING and OUTPUT\n");
97	return -EINVAL;
98	}
99
100	return 0;
101	}
102
103	static struct xt_match addrtype_mt_reg[] __read_mostly = {
104	{
105	.name = "addrtype",
106	.family = NFPROTO_IPV4,
107	.match = addrtype_mt_v0,
108	.matchsize = sizeof(struct ipt_addrtype_info),
109	.me = THIS_MODULE
110	},
111	{
112	.name = "addrtype",
113	.family = NFPROTO_IPV4,
114	.revision = 1,
115	.match = addrtype_mt_v1,
116	.checkentry = addrtype_mt_checkentry_v1,
117	.matchsize = sizeof(struct ipt_addrtype_info_v1),
118	.me = THIS_MODULE
119	}
120	};
121
122	static int __init addrtype_mt_init(void)
123	{
124	return xt_register_matches(addrtype_mt_reg,
125	ARRAY_SIZE(addrtype_mt_reg));
126	}
127
128	static void __exit addrtype_mt_exit(void)
129	{
130	xt_unregister_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
131	}
132
133	module_init(addrtype_mt_init);
134	module_exit(addrtype_mt_exit);