diff options
| author | David S. Miller <davem@conan.davemloft.net> | 2011-06-16 21:38:01 -0400 |
|---|---|---|
| committer | David S. Miller <davem@conan.davemloft.net> | 2011-06-16 21:38:01 -0400 |
| commit | 3009adf5acb2245216651318c2226812fd1b01a6 (patch) | |
| tree | 3fa6a085be2eab409aec447ab8bd7c4737321688 /net/ipv4 | |
| parent | 9281b2a2e2e02ad4bcc2fdd11797709b815d5f8e (diff) | |
| parent | 42c1edd345c8412d96e7a362ee06feb7be73bb6c (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 3 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 7 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 |
4 files changed, 9 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index f7f9bd7ba12d..5c9b9d963918 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
| @@ -203,7 +203,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
| 203 | else | 203 | else |
| 204 | pmsg->outdev_name[0] = '\0'; | 204 | pmsg->outdev_name[0] = '\0'; |
| 205 | 205 | ||
| 206 | if (entry->indev && entry->skb->dev) { | 206 | if (entry->indev && entry->skb->dev && |
| 207 | entry->skb->mac_header != entry->skb->network_header) { | ||
| 207 | pmsg->hw_type = entry->skb->dev->type; | 208 | pmsg->hw_type = entry->skb->dev->type; |
| 208 | pmsg->hw_addrlen = dev_parse_header(entry->skb, | 209 | pmsg->hw_addrlen = dev_parse_header(entry->skb, |
| 209 | pmsg->hw_addr); | 210 | pmsg->hw_addr); |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 764743843503..24e556e83a3b 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -566,7 +566,7 @@ check_entry(const struct ipt_entry *e, const char *name) | |||
| 566 | const struct xt_entry_target *t; | 566 | const struct xt_entry_target *t; |
| 567 | 567 | ||
| 568 | if (!ip_checkentry(&e->ip)) { | 568 | if (!ip_checkentry(&e->ip)) { |
| 569 | duprintf("ip check failed %p %s.\n", e, par->match->name); | 569 | duprintf("ip check failed %p %s.\n", e, name); |
| 570 | return -EINVAL; | 570 | return -EINVAL; |
| 571 | } | 571 | } |
| 572 | 572 | ||
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index af6e9c778345..2b57e52c746c 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
| @@ -25,7 +25,8 @@ MODULE_LICENSE("GPL"); | |||
| 25 | static inline bool match_ip(const struct sk_buff *skb, | 25 | static inline bool match_ip(const struct sk_buff *skb, |
| 26 | const struct ipt_ecn_info *einfo) | 26 | const struct ipt_ecn_info *einfo) |
| 27 | { | 27 | { |
| 28 | return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect; | 28 | return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^ |
| 29 | !!(einfo->invert & IPT_ECN_OP_MATCH_IP); | ||
| 29 | } | 30 | } |
| 30 | 31 | ||
| 31 | static inline bool match_tcp(const struct sk_buff *skb, | 32 | static inline bool match_tcp(const struct sk_buff *skb, |
| @@ -76,8 +77,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 76 | return false; | 77 | return false; |
| 77 | 78 | ||
| 78 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { | 79 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { |
| 79 | if (ip_hdr(skb)->protocol != IPPROTO_TCP) | ||
| 80 | return false; | ||
| 81 | if (!match_tcp(skb, info, &par->hotdrop)) | 80 | if (!match_tcp(skb, info, &par->hotdrop)) |
| 82 | return false; | 81 | return false; |
| 83 | } | 82 | } |
| @@ -97,7 +96,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par) | |||
| 97 | return -EINVAL; | 96 | return -EINVAL; |
| 98 | 97 | ||
| 99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && | 98 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && |
| 100 | ip->proto != IPPROTO_TCP) { | 99 | (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) { |
| 101 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); | 100 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); |
| 102 | return -EINVAL; | 101 | return -EINVAL; |
| 103 | } | 102 | } |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index db10075dd88e..de9da21113a1 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
| @@ -121,7 +121,9 @@ static unsigned int ipv4_confirm(unsigned int hooknum, | |||
| 121 | return ret; | 121 | return ret; |
| 122 | } | 122 | } |
| 123 | 123 | ||
| 124 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) { | 124 | /* adjust seqs for loopback traffic only in outgoing direction */ |
| 125 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) && | ||
| 126 | !nf_is_loopback_packet(skb)) { | ||
| 125 | typeof(nf_nat_seq_adjust_hook) seq_adjust; | 127 | typeof(nf_nat_seq_adjust_hook) seq_adjust; |
| 126 | 128 | ||
| 127 | seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook); | 129 | seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook); |