authorDavid S. Miller <davem@davemloft.net>2009-09-10 21:17:09 -0400
committerDavid S. Miller <davem@davemloft.net>2009-09-10 21:17:09 -0400
commit9a0da0d19c573e01aded6ac17747d2efc5b1115f (patch)
tree76294327bae4b3e45b16c690bda4b24951f237cf /net/ipv6
parentec282e9225be924479d4880b51f13524795bd8d3 (diff)
parent8a56df0ae1690f8f42a3c6c4532f4b06f93febea (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/ip6_tables.c48
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c9
-rw-r--r--net/ipv6/netfilter/ip6table_filter.c10
-rw-r--r--net/ipv6/netfilter/ip6table_mangle.c16
-rw-r--r--net/ipv6/netfilter/ip6table_raw.c10
-rw-r--r--net/ipv6/netfilter/ip6table_security.c12
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c18
7 files changed, 70 insertions, 53 deletions
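diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index ced1f2c0cb65..cc9f8ef303fd 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -8,7 +8,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/capability.h>
 #include <linux/in.h>
 #include <linux/skbuff.h>
@@ -222,16 +222,11 @@ get_entry(void *base, unsigned int offset)
 
 /* All zeroes == unconditional rule. */
 /* Mildly perf critical (only if packet tracing is on) */
-static inline int
-unconditional(const struct ip6t_ip6 *ipv6)
+static inline bool unconditional(const struct ip6t_ip6 *ipv6)
 {
- unsigned int i;
-
- for (i = 0; i < sizeof(*ipv6); i++)
- if (((char *)ipv6)[i])
- break;
+ static const struct ip6t_ip6 uncond;
 
- return (i == sizeof(*ipv6));
+ return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
 }
 
 #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
@@ -745,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
  return ret;
 }
 
+static bool check_underflow(struct ip6t_entry *e)
+{
+ const struct ip6t_entry_target *t;
+ unsigned int verdict;
+
+ if (!unconditional(&e->ipv6))
+ return false;
+ t = ip6t_get_target(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+ return false;
+ verdict = ((struct ip6t_standard_target *)t)->verdict;
+ verdict = -verdict - 1;
+ return verdict == NF_DROP || verdict == NF_ACCEPT;
+}
+
 static int
 check_entry_size_and_hooks(struct ip6t_entry *e,
  struct xt_table_info *newinfo,
@@ -752,6 +762,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
  unsigned char *limit,
  const unsigned int *hook_entries,
  const unsigned int *underflows,
+ unsigned int valid_hooks,
  unsigned int *i)
 {
  unsigned int h;
@@ -771,15 +782,21 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 
  /* Check hooks & underflows */
  for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+ continue;
  if ((unsigned char *)e - base == hook_entries[h])
  newinfo->hook_entry[h] = hook_entries[h];
- if ((unsigned char *)e - base == underflows[h])
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!check_underflow(e)) {
+ pr_err("Underflows must be unconditional and "
+ "use the STANDARD target with "
+ "ACCEPT/DROP\n");
+ return -EINVAL;
+ }
  newinfo->underflow[h] = underflows[h];
+ }
  }
 
- /* FIXME: underflows must be unconditional, standard verdicts
- < 0 (not IP6T_RETURN). --RR */
-
  /* Clear counters and comefrom */
  e->counters = ((struct xt_counters) { 0, 0 });
  e->comefrom = 0;
@@ -842,7 +859,7 @@ translate_table(const char *name,
  newinfo,
  entry0,
  entry0 + size,
- hook_entries, underflows, &i);
+ hook_entries, underflows, valid_hooks, &i);
  if (ret != 0)
  return ret;
 
@@ -2083,7 +2100,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
  return ret;
 }
 
-struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
+struct xt_table *ip6t_register_table(struct net *net,
+ const struct xt_table *table,
  const struct ip6t_replace *repl)
 {
  int ret;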
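Review bot: check_underflow() reaches the target through `ip6t_get_target(e)`, which follows `e->target_offset` taken from the table blob being loaded, and nothing visible in this section bounds that offset before check_entry_size_and_hooks() makes the call. The size and alignment checks at the top of check_entry_size_and_hooks() are outside the hunk, so this is inferred: if they only cover `e->next_offset`, the `strcmp()` on `t->u.user.name` and the `verdict` read can land outside the entry. A guard ahead of `ip6t_get_target(e)` such as `if (e->target_offset + sizeof(struct ip6t_standard_target) > e->next_offset) return false;` would keep both reads inside the entry and reuse the existing -EINVAL rejection path. A one-line comment on `verdict = -verdict - 1;` saying that standard verdicts are stored as `-NF_xxx - 1` would also make the final comparison easier to audit.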
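diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index db610bacbcce..ca287f6d2bce 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -23,7 +23,6 @@ static bool
 eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {
  unsigned char eui64[8];
- int i = 0;
 
  if (!(skb_mac_header(skb) >= skb->head &&
  skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
@@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
  eui64[4] = 0xfe;
  eui64[0] ^= 0x02;
 
- i = 0;
- while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
- && i < 8)
- i++;
-
- if (i == 8)
+ if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64,
+ sizeof(eui64)))
  return true;
  }
  }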
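diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index ef5a0a32bf8e..6f4383ad86f9 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,11 +51,11 @@ static struct
  .term = IP6T_ERROR_INIT, /* ERROR */
 };
 
-static struct xt_table packet_filter = {
+static const struct xt_table packet_filter = {
  .name = "filter",
  .valid_hooks = FILTER_VALID_HOOKS,
  .me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
 };
 
 /* The work comes in here from netfilter.c. */
@@ -95,21 +95,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
  {
  .hook = ip6t_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_IN,
  .priority = NF_IP6_PRI_FILTER,
  },
  {
  .hook = ip6t_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_FORWARD,
  .priority = NF_IP6_PRI_FILTER,
  },
  {
  .hook = ip6t_local_out_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_FILTER,
  },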
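diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index ab0d398a2ba7..0ad91433ed61 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -21,7 +21,7 @@ MODULE_DESCRIPTION("ip6tables mangle table");
  (1 << NF_INET_LOCAL_OUT) | \
  (1 << NF_INET_POST_ROUTING))
 
-static struct
+static const struct
 {
  struct ip6t_replace repl;
  struct ip6t_standard entries[5];
@@ -57,11 +57,11 @@ static struct
  .term = IP6T_ERROR_INIT, /* ERROR */
 };
 
-static struct xt_table packet_mangler = {
+static const struct xt_table packet_mangler = {
  .name = "mangle",
  .valid_hooks = MANGLE_VALID_HOOKS,
  .me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
 };
 
 /* The work comes in here from netfilter.c. */
@@ -136,35 +136,35 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
  {
  .hook = ip6t_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_PRE_ROUTING,
  .priority = NF_IP6_PRI_MANGLE,
  },
  {
  .hook = ip6t_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_IN,
  .priority = NF_IP6_PRI_MANGLE,
  },
  {
  .hook = ip6t_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_FORWARD,
  .priority = NF_IP6_PRI_MANGLE,
  },
  {
  .hook = ip6t_local_out_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_MANGLE,
  },
  {
  .hook = ip6t_post_routing_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_POST_ROUTING,
  .priority = NF_IP6_PRI_MANGLE,
  },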
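diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 4b792b6ca321..ed1a1180f3b3 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -8,7 +8,7 @@
 
 #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
 
-static struct
+static const struct
 {
  struct ip6t_replace repl;
  struct ip6t_standard entries[2];
@@ -35,11 +35,11 @@ static struct
  .term = IP6T_ERROR_INIT, /* ERROR */
 };
 
-static struct xt_table packet_raw = {
+static const struct xt_table packet_raw = {
  .name = "raw",
  .valid_hooks = RAW_VALID_HOOKS,
  .me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
 };
 
 /* The work comes in here from netfilter.c. */
@@ -68,14 +68,14 @@ ip6t_local_out_hook(unsigned int hook,
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
  {
  .hook = ip6t_pre_routing_hook,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_PRE_ROUTING,
  .priority = NF_IP6_PRI_FIRST,
  .owner = THIS_MODULE,
  },
  {
  .hook = ip6t_local_out_hook,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_FIRST,
  .owner = THIS_MODULE,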
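diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 0ea37ff15d56..41b444c60934 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
  (1 << NF_INET_FORWARD) | \
  (1 << NF_INET_LOCAL_OUT)
 
-static struct
+static const struct
 {
  struct ip6t_replace repl;
  struct ip6t_standard entries[3];
@@ -56,11 +56,11 @@ static struct
  .term = IP6T_ERROR_INIT, /* ERROR */
 };
 
-static struct xt_table security_table = {
+static const struct xt_table security_table = {
  .name = "security",
  .valid_hooks = SECURITY_VALID_HOOKS,
  .me = THIS_MODULE,
- .af = AF_INET6,
+ .af = NFPROTO_IPV6,
 };
 
 static unsigned int
@@ -101,21 +101,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
  {
  .hook = ip6t_local_in_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_IN,
  .priority = NF_IP6_PRI_SECURITY,
  },
  {
  .hook = ip6t_forward_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_FORWARD,
  .priority = NF_IP6_PRI_SECURITY,
  },
  {
  .hook = ip6t_local_out_hook,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_SECURITY,
  },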
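diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2a15c2d66c69..5f2ec208a8c3 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
+#include <net/netfilter/nf_log.h>
 
 static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
  struct nf_conntrack_tuple *tuple)
@@ -176,8 +177,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
  }
 
  ret = helper->help(skb, protoff, ct, ctinfo);
- if (ret != NF_ACCEPT)
+ if (ret != NF_ACCEPT) {
+ nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
+ "nf_ct_%s: dropping packet", helper->name);
  return ret;
+ }
 out:
  /* We've seen it coming out the other side: confirm it */
  return nf_conntrack_confirm(skb);
@@ -265,42 +269,42 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
  {
  .hook = ipv6_defrag,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_PRE_ROUTING,
  .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
  },
  {
  .hook = ipv6_conntrack_in,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_PRE_ROUTING,
  .priority = NF_IP6_PRI_CONNTRACK,
  },
  {
  .hook = ipv6_conntrack_local,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_CONNTRACK,
  },
  {
  .hook = ipv6_defrag,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_OUT,
  .priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
  },
  {
  .hook = ipv6_confirm,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_POST_ROUTING,
  .priority = NF_IP6_PRI_LAST,
  },
  {
  .hook = ipv6_confirm,
  .owner = THIS_MODULE,
- .pf = PF_INET6,
+ .pf = NFPROTO_IPV6,
  .hooknum = NF_INET_LOCAL_IN,
  .priority = NF_IP6_PRI_LAST-1,
  },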
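Review bot: The new `nf_log_packet()` call in ipv6_confirm() fires once for every packet a helper rejects, and no rate limit or sysctl gate is visible in the hunk, so traffic that a helper keeps refusing could fill the log, depending on which logger is registered for NFPROTO_IPV6. Wrapping the call as `if (net_ratelimit()) nf_log_packet(...)` would bound that. The message also says "dropping packet" for any verdict other than NF_ACCEPT; if a helper can return something besides NF_DROP the text is misleading, and including `ret` in the format would settle it. ipv6_confirm() begins before the hunk, so how `helper`, `in` and `out` are obtained is not visible here.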