diff options
| author | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2009-08-10 11:14:59 -0400 |
| commit | dc05a564ab1b3a1957927da50912964b61f7da69 (patch) | |
| tree | 489905675f9954e5bf160a2eff6ea6ce93472d61 /net/ipv6 | |
| parent | be39ee11cd1f67b51ac8e71d177a981eb34f2ab2 (diff) | |
| parent | e2fe35c17fed62d4ab5038fa9bc489e967ff8416 (diff) | |
Merge branch 'master' of git://dev.medozas.de/linux
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 45 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 12 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 6 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_security.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 12 |
6 files changed, 54 insertions, 37 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index ced1f2c0cb65..a5d0c27cc26f 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
| @@ -8,7 +8,7 @@ | |||
| 8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
| 9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
| 10 | */ | 10 | */ |
| 11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
| 12 | #include <linux/capability.h> | 12 | #include <linux/capability.h> |
| 13 | #include <linux/in.h> | 13 | #include <linux/in.h> |
| 14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
| @@ -222,16 +222,11 @@ get_entry(void *base, unsigned int offset) | |||
| 222 | 222 | ||
| 223 | /* All zeroes == unconditional rule. */ | 223 | /* All zeroes == unconditional rule. */ |
| 224 | /* Mildly perf critical (only if packet tracing is on) */ | 224 | /* Mildly perf critical (only if packet tracing is on) */ |
| 225 | static inline int | 225 | static inline bool unconditional(const struct ip6t_ip6 *ipv6) |
| 226 | unconditional(const struct ip6t_ip6 *ipv6) | ||
| 227 | { | 226 | { |
| 228 | unsigned int i; | 227 | static const struct ip6t_ip6 uncond; |
| 229 | |||
| 230 | for (i = 0; i < sizeof(*ipv6); i++) | ||
| 231 | if (((char *)ipv6)[i]) | ||
| 232 | break; | ||
| 233 | 228 | ||
| 234 | return (i == sizeof(*ipv6)); | 229 | return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; |
| 235 | } | 230 | } |
| 236 | 231 | ||
| 237 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 232 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
| @@ -745,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
| 745 | return ret; | 740 | return ret; |
| 746 | } | 741 | } |
| 747 | 742 | ||
| 743 | static bool check_underflow(struct ip6t_entry *e) | ||
| 744 | { | ||
| 745 | const struct ip6t_entry_target *t; | ||
| 746 | unsigned int verdict; | ||
| 747 | |||
| 748 | if (!unconditional(&e->ipv6)) | ||
| 749 | return false; | ||
| 750 | t = ip6t_get_target(e); | ||
| 751 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
| 752 | return false; | ||
| 753 | verdict = ((struct ip6t_standard_target *)t)->verdict; | ||
| 754 | verdict = -verdict - 1; | ||
| 755 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
| 756 | } | ||
| 757 | |||
| 748 | static int | 758 | static int |
| 749 | check_entry_size_and_hooks(struct ip6t_entry *e, | 759 | check_entry_size_and_hooks(struct ip6t_entry *e, |
| 750 | struct xt_table_info *newinfo, | 760 | struct xt_table_info *newinfo, |
| @@ -752,6 +762,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
| 752 | unsigned char *limit, | 762 | unsigned char *limit, |
| 753 | const unsigned int *hook_entries, | 763 | const unsigned int *hook_entries, |
| 754 | const unsigned int *underflows, | 764 | const unsigned int *underflows, |
| 765 | unsigned int valid_hooks, | ||
| 755 | unsigned int *i) | 766 | unsigned int *i) |
| 756 | { | 767 | { |
| 757 | unsigned int h; | 768 | unsigned int h; |
| @@ -771,15 +782,21 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
| 771 | 782 | ||
| 772 | /* Check hooks & underflows */ | 783 | /* Check hooks & underflows */ |
| 773 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 784 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
| 785 | if (!(valid_hooks & (1 << h))) | ||
| 786 | continue; | ||
| 774 | if ((unsigned char *)e - base == hook_entries[h]) | 787 | if ((unsigned char *)e - base == hook_entries[h]) |
| 775 | newinfo->hook_entry[h] = hook_entries[h]; | 788 | newinfo->hook_entry[h] = hook_entries[h]; |
| 776 | if ((unsigned char *)e - base == underflows[h]) | 789 | if ((unsigned char *)e - base == underflows[h]) { |
| 790 | if (!check_underflow(e)) { | ||
| 791 | pr_err("Underflows must be unconditional and " | ||
| 792 | "use the STANDARD target with " | ||
| 793 | "ACCEPT/DROP\n"); | ||
| 794 | return -EINVAL; | ||
| 795 | } | ||
| 777 | newinfo->underflow[h] = underflows[h]; | 796 | newinfo->underflow[h] = underflows[h]; |
| 797 | } | ||
| 778 | } | 798 | } |
| 779 | 799 | ||
| 780 | /* FIXME: underflows must be unconditional, standard verdicts | ||
| 781 | < 0 (not IP6T_RETURN). --RR */ | ||
| 782 | |||
| 783 | /* Clear counters and comefrom */ | 800 | /* Clear counters and comefrom */ |
| 784 | e->counters = ((struct xt_counters) { 0, 0 }); | 801 | e->counters = ((struct xt_counters) { 0, 0 }); |
| 785 | e->comefrom = 0; | 802 | e->comefrom = 0; |
| @@ -842,7 +859,7 @@ translate_table(const char *name, | |||
| 842 | newinfo, | 859 | newinfo, |
| 843 | entry0, | 860 | entry0, |
| 844 | entry0 + size, | 861 | entry0 + size, |
| 845 | hook_entries, underflows, &i); | 862 | hook_entries, underflows, valid_hooks, &i); |
| 846 | if (ret != 0) | 863 | if (ret != 0) |
| 847 | return ret; | 864 | return ret; |
| 848 | 865 | ||
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index ef5a0a32bf8e..0a3ae48ac4d5 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -55,7 +55,7 @@ static struct xt_table packet_filter = { | |||
| 55 | .name = "filter", | 55 | .name = "filter", |
| 56 | .valid_hooks = FILTER_VALID_HOOKS, | 56 | .valid_hooks = FILTER_VALID_HOOKS, |
| 57 | .me = THIS_MODULE, | 57 | .me = THIS_MODULE, |
| 58 | .af = AF_INET6, | 58 | .af = NFPROTO_IPV6, |
| 59 | }; | 59 | }; |
| 60 | 60 | ||
| 61 | /* The work comes in here from netfilter.c. */ | 61 | /* The work comes in here from netfilter.c. */ |
| @@ -95,21 +95,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
| 95 | { | 95 | { |
| 96 | .hook = ip6t_in_hook, | 96 | .hook = ip6t_in_hook, |
| 97 | .owner = THIS_MODULE, | 97 | .owner = THIS_MODULE, |
| 98 | .pf = PF_INET6, | 98 | .pf = NFPROTO_IPV6, |
| 99 | .hooknum = NF_INET_LOCAL_IN, | 99 | .hooknum = NF_INET_LOCAL_IN, |
| 100 | .priority = NF_IP6_PRI_FILTER, | 100 | .priority = NF_IP6_PRI_FILTER, |
| 101 | }, | 101 | }, |
| 102 | { | 102 | { |
| 103 | .hook = ip6t_in_hook, | 103 | .hook = ip6t_in_hook, |
| 104 | .owner = THIS_MODULE, | 104 | .owner = THIS_MODULE, |
| 105 | .pf = PF_INET6, | 105 | .pf = NFPROTO_IPV6, |
| 106 | .hooknum = NF_INET_FORWARD, | 106 | .hooknum = NF_INET_FORWARD, |
| 107 | .priority = NF_IP6_PRI_FILTER, | 107 | .priority = NF_IP6_PRI_FILTER, |
| 108 | }, | 108 | }, |
| 109 | { | 109 | { |
| 110 | .hook = ip6t_local_out_hook, | 110 | .hook = ip6t_local_out_hook, |
| 111 | .owner = THIS_MODULE, | 111 | .owner = THIS_MODULE, |
| 112 | .pf = PF_INET6, | 112 | .pf = NFPROTO_IPV6, |
| 113 | .hooknum = NF_INET_LOCAL_OUT, | 113 | .hooknum = NF_INET_LOCAL_OUT, |
| 114 | .priority = NF_IP6_PRI_FILTER, | 114 | .priority = NF_IP6_PRI_FILTER, |
| 115 | }, | 115 | }, |
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index ab0d398a2ba7..0f49e005a8c5 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
| @@ -61,7 +61,7 @@ static struct xt_table packet_mangler = { | |||
| 61 | .name = "mangle", | 61 | .name = "mangle", |
| 62 | .valid_hooks = MANGLE_VALID_HOOKS, | 62 | .valid_hooks = MANGLE_VALID_HOOKS, |
| 63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
| 64 | .af = AF_INET6, | 64 | .af = NFPROTO_IPV6, |
| 65 | }; | 65 | }; |
| 66 | 66 | ||
| 67 | /* The work comes in here from netfilter.c. */ | 67 | /* The work comes in here from netfilter.c. */ |
| @@ -136,35 +136,35 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
| 136 | { | 136 | { |
| 137 | .hook = ip6t_in_hook, | 137 | .hook = ip6t_in_hook, |
| 138 | .owner = THIS_MODULE, | 138 | .owner = THIS_MODULE, |
| 139 | .pf = PF_INET6, | 139 | .pf = NFPROTO_IPV6, |
| 140 | .hooknum = NF_INET_PRE_ROUTING, | 140 | .hooknum = NF_INET_PRE_ROUTING, |
| 141 | .priority = NF_IP6_PRI_MANGLE, | 141 | .priority = NF_IP6_PRI_MANGLE, |
| 142 | }, | 142 | }, |
| 143 | { | 143 | { |
| 144 | .hook = ip6t_in_hook, | 144 | .hook = ip6t_in_hook, |
| 145 | .owner = THIS_MODULE, | 145 | .owner = THIS_MODULE, |
| 146 | .pf = PF_INET6, | 146 | .pf = NFPROTO_IPV6, |
| 147 | .hooknum = NF_INET_LOCAL_IN, | 147 | .hooknum = NF_INET_LOCAL_IN, |
| 148 | .priority = NF_IP6_PRI_MANGLE, | 148 | .priority = NF_IP6_PRI_MANGLE, |
| 149 | }, | 149 | }, |
| 150 | { | 150 | { |
| 151 | .hook = ip6t_in_hook, | 151 | .hook = ip6t_in_hook, |
| 152 | .owner = THIS_MODULE, | 152 | .owner = THIS_MODULE, |
| 153 | .pf = PF_INET6, | 153 | .pf = NFPROTO_IPV6, |
| 154 | .hooknum = NF_INET_FORWARD, | 154 | .hooknum = NF_INET_FORWARD, |
| 155 | .priority = NF_IP6_PRI_MANGLE, | 155 | .priority = NF_IP6_PRI_MANGLE, |
| 156 | }, | 156 | }, |
| 157 | { | 157 | { |
| 158 | .hook = ip6t_local_out_hook, | 158 | .hook = ip6t_local_out_hook, |
| 159 | .owner = THIS_MODULE, | 159 | .owner = THIS_MODULE, |
| 160 | .pf = PF_INET6, | 160 | .pf = NFPROTO_IPV6, |
| 161 | .hooknum = NF_INET_LOCAL_OUT, | 161 | .hooknum = NF_INET_LOCAL_OUT, |
| 162 | .priority = NF_IP6_PRI_MANGLE, | 162 | .priority = NF_IP6_PRI_MANGLE, |
| 163 | }, | 163 | }, |
| 164 | { | 164 | { |
| 165 | .hook = ip6t_post_routing_hook, | 165 | .hook = ip6t_post_routing_hook, |
| 166 | .owner = THIS_MODULE, | 166 | .owner = THIS_MODULE, |
| 167 | .pf = PF_INET6, | 167 | .pf = NFPROTO_IPV6, |
| 168 | .hooknum = NF_INET_POST_ROUTING, | 168 | .hooknum = NF_INET_POST_ROUTING, |
| 169 | .priority = NF_IP6_PRI_MANGLE, | 169 | .priority = NF_IP6_PRI_MANGLE, |
| 170 | }, | 170 | }, |
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 4b792b6ca321..679865e3d5ff 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
| @@ -39,7 +39,7 @@ static struct xt_table packet_raw = { | |||
| 39 | .name = "raw", | 39 | .name = "raw", |
| 40 | .valid_hooks = RAW_VALID_HOOKS, | 40 | .valid_hooks = RAW_VALID_HOOKS, |
| 41 | .me = THIS_MODULE, | 41 | .me = THIS_MODULE, |
| 42 | .af = AF_INET6, | 42 | .af = NFPROTO_IPV6, |
| 43 | }; | 43 | }; |
| 44 | 44 | ||
| 45 | /* The work comes in here from netfilter.c. */ | 45 | /* The work comes in here from netfilter.c. */ |
| @@ -68,14 +68,14 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 69 | { | 69 | { |
| 70 | .hook = ip6t_pre_routing_hook, | 70 | .hook = ip6t_pre_routing_hook, |
| 71 | .pf = PF_INET6, | 71 | .pf = NFPROTO_IPV6, |
| 72 | .hooknum = NF_INET_PRE_ROUTING, | 72 | .hooknum = NF_INET_PRE_ROUTING, |
| 73 | .priority = NF_IP6_PRI_FIRST, | 73 | .priority = NF_IP6_PRI_FIRST, |
| 74 | .owner = THIS_MODULE, | 74 | .owner = THIS_MODULE, |
| 75 | }, | 75 | }, |
| 76 | { | 76 | { |
| 77 | .hook = ip6t_local_out_hook, | 77 | .hook = ip6t_local_out_hook, |
| 78 | .pf = PF_INET6, | 78 | .pf = NFPROTO_IPV6, |
| 79 | .hooknum = NF_INET_LOCAL_OUT, | 79 | .hooknum = NF_INET_LOCAL_OUT, |
| 80 | .priority = NF_IP6_PRI_FIRST, | 80 | .priority = NF_IP6_PRI_FIRST, |
| 81 | .owner = THIS_MODULE, | 81 | .owner = THIS_MODULE, |
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index 0ea37ff15d56..822afabbdc88 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
| @@ -60,7 +60,7 @@ static struct xt_table security_table = { | |||
| 60 | .name = "security", | 60 | .name = "security", |
| 61 | .valid_hooks = SECURITY_VALID_HOOKS, | 61 | .valid_hooks = SECURITY_VALID_HOOKS, |
| 62 | .me = THIS_MODULE, | 62 | .me = THIS_MODULE, |
| 63 | .af = AF_INET6, | 63 | .af = NFPROTO_IPV6, |
| 64 | }; | 64 | }; |
| 65 | 65 | ||
| 66 | static unsigned int | 66 | static unsigned int |
| @@ -101,21 +101,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
| 101 | { | 101 | { |
| 102 | .hook = ip6t_local_in_hook, | 102 | .hook = ip6t_local_in_hook, |
| 103 | .owner = THIS_MODULE, | 103 | .owner = THIS_MODULE, |
| 104 | .pf = PF_INET6, | 104 | .pf = NFPROTO_IPV6, |
| 105 | .hooknum = NF_INET_LOCAL_IN, | 105 | .hooknum = NF_INET_LOCAL_IN, |
| 106 | .priority = NF_IP6_PRI_SECURITY, | 106 | .priority = NF_IP6_PRI_SECURITY, |
| 107 | }, | 107 | }, |
| 108 | { | 108 | { |
| 109 | .hook = ip6t_forward_hook, | 109 | .hook = ip6t_forward_hook, |
| 110 | .owner = THIS_MODULE, | 110 | .owner = THIS_MODULE, |
| 111 | .pf = PF_INET6, | 111 | .pf = NFPROTO_IPV6, |
| 112 | .hooknum = NF_INET_FORWARD, | 112 | .hooknum = NF_INET_FORWARD, |
| 113 | .priority = NF_IP6_PRI_SECURITY, | 113 | .priority = NF_IP6_PRI_SECURITY, |
| 114 | }, | 114 | }, |
| 115 | { | 115 | { |
| 116 | .hook = ip6t_local_out_hook, | 116 | .hook = ip6t_local_out_hook, |
| 117 | .owner = THIS_MODULE, | 117 | .owner = THIS_MODULE, |
| 118 | .pf = PF_INET6, | 118 | .pf = NFPROTO_IPV6, |
| 119 | .hooknum = NF_INET_LOCAL_OUT, | 119 | .hooknum = NF_INET_LOCAL_OUT, |
| 120 | .priority = NF_IP6_PRI_SECURITY, | 120 | .priority = NF_IP6_PRI_SECURITY, |
| 121 | }, | 121 | }, |
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 2a15c2d66c69..a7f4cd607356 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | |||
| @@ -265,42 +265,42 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { | |||
| 265 | { | 265 | { |
| 266 | .hook = ipv6_defrag, | 266 | .hook = ipv6_defrag, |
| 267 | .owner = THIS_MODULE, | 267 | .owner = THIS_MODULE, |
| 268 | .pf = PF_INET6, | 268 | .pf = NFPROTO_IPV6, |
| 269 | .hooknum = NF_INET_PRE_ROUTING, | 269 | .hooknum = NF_INET_PRE_ROUTING, |
| 270 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, | 270 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, |
| 271 | }, | 271 | }, |
| 272 | { | 272 | { |
| 273 | .hook = ipv6_conntrack_in, | 273 | .hook = ipv6_conntrack_in, |
| 274 | .owner = THIS_MODULE, | 274 | .owner = THIS_MODULE, |
| 275 | .pf = PF_INET6, | 275 | .pf = NFPROTO_IPV6, |
| 276 | .hooknum = NF_INET_PRE_ROUTING, | 276 | .hooknum = NF_INET_PRE_ROUTING, |
| 277 | .priority = NF_IP6_PRI_CONNTRACK, | 277 | .priority = NF_IP6_PRI_CONNTRACK, |
| 278 | }, | 278 | }, |
| 279 | { | 279 | { |
| 280 | .hook = ipv6_conntrack_local, | 280 | .hook = ipv6_conntrack_local, |
| 281 | .owner = THIS_MODULE, | 281 | .owner = THIS_MODULE, |
| 282 | .pf = PF_INET6, | 282 | .pf = NFPROTO_IPV6, |
| 283 | .hooknum = NF_INET_LOCAL_OUT, | 283 | .hooknum = NF_INET_LOCAL_OUT, |
| 284 | .priority = NF_IP6_PRI_CONNTRACK, | 284 | .priority = NF_IP6_PRI_CONNTRACK, |
| 285 | }, | 285 | }, |
| 286 | { | 286 | { |
| 287 | .hook = ipv6_defrag, | 287 | .hook = ipv6_defrag, |
| 288 | .owner = THIS_MODULE, | 288 | .owner = THIS_MODULE, |
| 289 | .pf = PF_INET6, | 289 | .pf = NFPROTO_IPV6, |
| 290 | .hooknum = NF_INET_LOCAL_OUT, | 290 | .hooknum = NF_INET_LOCAL_OUT, |
| 291 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, | 291 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, |
| 292 | }, | 292 | }, |
| 293 | { | 293 | { |
| 294 | .hook = ipv6_confirm, | 294 | .hook = ipv6_confirm, |
| 295 | .owner = THIS_MODULE, | 295 | .owner = THIS_MODULE, |
| 296 | .pf = PF_INET6, | 296 | .pf = NFPROTO_IPV6, |
| 297 | .hooknum = NF_INET_POST_ROUTING, | 297 | .hooknum = NF_INET_POST_ROUTING, |
| 298 | .priority = NF_IP6_PRI_LAST, | 298 | .priority = NF_IP6_PRI_LAST, |
| 299 | }, | 299 | }, |
| 300 | { | 300 | { |
| 301 | .hook = ipv6_confirm, | 301 | .hook = ipv6_confirm, |
| 302 | .owner = THIS_MODULE, | 302 | .owner = THIS_MODULE, |
| 303 | .pf = PF_INET6, | 303 | .pf = NFPROTO_IPV6, |
| 304 | .hooknum = NF_INET_LOCAL_IN, | 304 | .hooknum = NF_INET_LOCAL_IN, |
| 305 | .priority = NF_IP6_PRI_LAST-1, | 305 | .priority = NF_IP6_PRI_LAST-1, |
| 306 | }, | 306 | }, |