Merge branch 'master' of git://dev.medozas.de/linux

author: Patrick McHardy <kaber@trash.net> 2009-08-10 11:14:59 -0400
committer: Patrick McHardy <kaber@trash.net> 2009-08-10 11:14:59 -0400
commit: dc05a564ab1b3a1957927da50912964b61f7da69 (patch)
tree: 489905675f9954e5bf160a2eff6ea6ce93472d61 /net/netfilter
parent: be39ee11cd1f67b51ac8e71d177a981eb34f2ab2 (diff)
parent: e2fe35c17fed62d4ab5038fa9bc489e967ff8416 (diff)
9 files changed, 56 insertions, 821 deletions
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index d6e5ab463277..593457068ae1 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -36,45 +36,6 @@ MODULE_ALIAS("ip6t_CONNMARK");
 #include <net/netfilter/nf_conntrack_ecache.h>
 static unsigned int
-connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_connmark_target_info *markinfo = par->targinfo;
-        struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        u_int32_t diff;
-        u_int32_t mark;
-        u_int32_t newmark;
-        ct = nf_ct_get(skb, &ctinfo);
-        if (ct) {
-                switch(markinfo->mode) {
-                case XT_CONNMARK_SET:
-                        newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
-                        if (newmark != ct->mark) {
-                                ct->mark = newmark;
-                                nf_conntrack_event_cache(IPCT_MARK, ct);
-                        }
-                        break;
-                case XT_CONNMARK_SAVE:
-                        newmark = (ct->mark & ~markinfo->mask) |
-                                  (skb->mark & markinfo->mask);
-                        if (ct->mark != newmark) {
-                                ct->mark = newmark;
-                                nf_conntrack_event_cache(IPCT_MARK, ct);
-                        }
-                        break;
-                case XT_CONNMARK_RESTORE:
-                        mark = skb->mark;
-                        diff = (ct->mark ^ mark) & markinfo->mask;
-                        skb->mark = mark ^ diff;
-                        break;
-                }
-        }
-        return XT_CONTINUE;
-}
-static unsigned int
 connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
        const struct xt_connmark_tginfo1 *info = par->targinfo;
@@ -112,30 +73,6 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool connmark_tg_check_v0(const struct xt_tgchk_param *par)
-{
-        const struct xt_connmark_target_info *matchinfo = par->targinfo;
-        if (matchinfo->mode == XT_CONNMARK_RESTORE) {
-                if (strcmp(par->table, "mangle") != 0) {
-                        printk(KERN_WARNING "CONNMARK: restore can only be "
-                               "called from \"mangle\" table, not \"%s\"\n",
-                               par->table);
-                        return false;
-                }
-        }
-        if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
-                printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
-                return false;
-        }
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", par->family);
-                return false;
-        }
-        return true;
-}
 static bool connmark_tg_check(const struct xt_tgchk_param *par)
 {
        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -151,74 +88,25 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
        nf_ct_l3proto_module_put(par->family);
 }
-#ifdef CONFIG_COMPAT
+static struct xt_target connmark_tg_reg __read_mostly = {
-struct compat_xt_connmark_target_info {
+        .name           = "CONNMARK",
-        compat_ulong_t  mark, mask;
+        .revision       = 1,
-        u_int8_t        mode;
+        .family         = NFPROTO_UNSPEC,
-        u_int8_t        __pad1;
+        .checkentry     = connmark_tg_check,
-        u_int16_t       __pad2;
+        .target         = connmark_tg,
-};
+        .targetsize     = sizeof(struct xt_connmark_tginfo1),
+        .destroy        = connmark_tg_destroy,
-static void connmark_tg_compat_from_user_v0(void *dst, void *src)
+        .me             = THIS_MODULE,
-{
-        const struct compat_xt_connmark_target_info *cm = src;
-        struct xt_connmark_target_info m = {
-                .mark   = cm->mark,
-                .mask   = cm->mask,
-                .mode   = cm->mode,
-        };
-        memcpy(dst, &m, sizeof(m));
-}
-static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
-{
-        const struct xt_connmark_target_info *m = src;
-        struct compat_xt_connmark_target_info cm = {
-                .mark   = m->mark,
-                .mask   = m->mask,
-                .mode   = m->mode,
-        };
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-static struct xt_target connmark_tg_reg[] __read_mostly = {
-        {
-                .name           = "CONNMARK",
-                .revision       = 0,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = connmark_tg_check_v0,
-                .destroy        = connmark_tg_destroy,
-                .target         = connmark_tg_v0,
-                .targetsize     = sizeof(struct xt_connmark_target_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_connmark_target_info),
-                .compat_from_user = connmark_tg_compat_from_user_v0,
-                .compat_to_user = connmark_tg_compat_to_user_v0,
-#endif
-                .me             = THIS_MODULE
-        },
-        {
-                .name           = "CONNMARK",
-                .revision       = 1,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = connmark_tg_check,
-                .target         = connmark_tg,
-                .targetsize     = sizeof(struct xt_connmark_tginfo1),
-                .destroy        = connmark_tg_destroy,
-                .me             = THIS_MODULE,
-        },
 };
 static int __init connmark_tg_init(void)
 {
-        return xt_register_targets(connmark_tg_reg,
+        return xt_register_target(&connmark_tg_reg);
-               ARRAY_SIZE(connmark_tg_reg));
 }
 static void __exit connmark_tg_exit(void)
 {
-        xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
+        xt_unregister_target(&connmark_tg_reg);
 }
 module_init(connmark_tg_init);
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 6a347e768f86..74ce89260056 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -18,7 +18,6 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_DSCP.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
@@ -73,41 +72,6 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par)
 }
 static unsigned int
-tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct ipt_tos_target_info *info = par->targinfo;
-        struct iphdr *iph = ip_hdr(skb);
-        u_int8_t oldtos;
-        if ((iph->tos & IPTOS_TOS_MASK) != info->tos) {
-                if (!skb_make_writable(skb, sizeof(struct iphdr)))
-                        return NF_DROP;
-                iph      = ip_hdr(skb);
-                oldtos   = iph->tos;
-                iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos;
-                csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
-        }
-        return XT_CONTINUE;
-}
-static bool tos_tg_check_v0(const struct xt_tgchk_param *par)
-{
-        const struct ipt_tos_target_info *info = par->targinfo;
-        const uint8_t tos = info->tos;
-        if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT &&
-            tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&
-            tos != IPTOS_NORMALSVC) {
-                printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
-                return false;
-        }
-        return true;
-}
-static unsigned int
 tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
        const struct xt_tos_target_info *info = par->targinfo;
@@ -168,16 +132,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
        },
        {
                .name           = "TOS",
-                .revision       = 0,
-                .family         = NFPROTO_IPV4,
-                .table          = "mangle",
-                .target         = tos_tg_v0,
-                .targetsize     = sizeof(struct ipt_tos_target_info),
-                .checkentry     = tos_tg_check_v0,
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "TOS",
                .revision       = 1,
                .family         = NFPROTO_IPV4,
                .table          = "mangle",
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 67574bcfb8ac..225f8d11e173 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -25,39 +25,6 @@ MODULE_ALIAS("ipt_MARK");
 MODULE_ALIAS("ip6t_MARK");
 static unsigned int
-mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_mark_target_info *markinfo = par->targinfo;
-        skb->mark = markinfo->mark;
-        return XT_CONTINUE;
-}
-static unsigned int
-mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
-        int mark = 0;
-        switch (markinfo->mode) {
-        case XT_MARK_SET:
-                mark = markinfo->mark;
-                break;
-        case XT_MARK_AND:
-                mark = skb->mark & markinfo->mark;
-                break;
-        case XT_MARK_OR:
-                mark = skb->mark | markinfo->mark;
-                break;
-        }
-        skb->mark = mark;
-        return XT_CONTINUE;
-}
-static unsigned int
 mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 {
        const struct xt_mark_tginfo2 *info = par->targinfo;
@@ -66,135 +33,23 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool mark_tg_check_v0(const struct xt_tgchk_param *par)
+static struct xt_target mark_tg_reg __read_mostly = {
-{
+        .name           = "MARK",
-        const struct xt_mark_target_info *markinfo = par->targinfo;
+        .revision       = 2,
+        .family         = NFPROTO_UNSPEC,
-        if (markinfo->mark > 0xffffffff) {
+        .target         = mark_tg,
-                printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+        .targetsize     = sizeof(struct xt_mark_tginfo2),
-                return false;
+        .me             = THIS_MODULE,
-        }
-        return true;
-}
-static bool mark_tg_check_v1(const struct xt_tgchk_param *par)
-{
-        const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
-        if (markinfo->mode != XT_MARK_SET
-            && markinfo->mode != XT_MARK_AND
-            && markinfo->mode != XT_MARK_OR) {
-                printk(KERN_WARNING "MARK: unknown mode %u\n",
-                       markinfo->mode);
-                return false;
-        }
-        if (markinfo->mark > 0xffffffff) {
-                printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
-                return false;
-        }
-        return true;
-}
-#ifdef CONFIG_COMPAT
-struct compat_xt_mark_target_info {
-        compat_ulong_t  mark;
-};
-static void mark_tg_compat_from_user_v0(void *dst, void *src)
-{
-        const struct compat_xt_mark_target_info *cm = src;
-        struct xt_mark_target_info m = {
-                .mark   = cm->mark,
-        };
-        memcpy(dst, &m, sizeof(m));
-}
-static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
-{
-        const struct xt_mark_target_info *m = src;
-        struct compat_xt_mark_target_info cm = {
-                .mark   = m->mark,
-        };
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-struct compat_xt_mark_target_info_v1 {
-        compat_ulong_t  mark;
-        u_int8_t        mode;
-        u_int8_t        __pad1;
-        u_int16_t       __pad2;
-};
-static void mark_tg_compat_from_user_v1(void *dst, void *src)
-{
-        const struct compat_xt_mark_target_info_v1 *cm = src;
-        struct xt_mark_target_info_v1 m = {
-                .mark   = cm->mark,
-                .mode   = cm->mode,
-        };
-        memcpy(dst, &m, sizeof(m));
-}
-static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
-{
-        const struct xt_mark_target_info_v1 *m = src;
-        struct compat_xt_mark_target_info_v1 cm = {
-                .mark   = m->mark,
-                .mode   = m->mode,
-        };
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-static struct xt_target mark_tg_reg[] __read_mostly = {
-        {
-                .name           = "MARK",
-                .family         = NFPROTO_UNSPEC,
-                .revision       = 0,
-                .checkentry     = mark_tg_check_v0,
-                .target         = mark_tg_v0,
-                .targetsize     = sizeof(struct xt_mark_target_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_mark_target_info),
-                .compat_from_user = mark_tg_compat_from_user_v0,
-                .compat_to_user = mark_tg_compat_to_user_v0,
-#endif
-                .table          = "mangle",
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "MARK",
-                .family         = NFPROTO_UNSPEC,
-                .revision       = 1,
-                .checkentry     = mark_tg_check_v1,
-                .target         = mark_tg_v1,
-                .targetsize     = sizeof(struct xt_mark_target_info_v1),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_mark_target_info_v1),
-                .compat_from_user = mark_tg_compat_from_user_v1,
-                .compat_to_user = mark_tg_compat_to_user_v1,
-#endif
-                .table          = "mangle",
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "MARK",
-                .revision       = 2,
-                .family         = NFPROTO_UNSPEC,
-                .target         = mark_tg,
-                .targetsize     = sizeof(struct xt_mark_tginfo2),
-                .me             = THIS_MODULE,
-        },
 };
 static int __init mark_tg_init(void)
 {
-        return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+        return xt_register_target(&mark_tg_reg);
 }
 static void __exit mark_tg_exit(void)
 {
-        xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+        xt_unregister_target(&mark_tg_reg);
 }
 module_init(mark_tg_init);
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 86cacab7a4a3..122aa8b0147b 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -47,36 +47,6 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((ct->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool
-connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct xt_connmark_info *info = par->matchinfo;
-        const struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct)
-                return false;
-        return ((ct->mark & info->mask) == info->mark) ^ info->invert;
-}
-static bool connmark_mt_check_v0(const struct xt_mtchk_param *par)
-{
-        const struct xt_connmark_info *cm = par->matchinfo;
-        if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
-                printk(KERN_WARNING "connmark: only support 32bit mark\n");
-                return false;
-        }
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", par->family);
-                return false;
-        }
-        return true;
-}
 static bool connmark_mt_check(const struct xt_mtchk_param *par)
 {
        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -92,74 +62,25 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
        nf_ct_l3proto_module_put(par->family);
 }
-#ifdef CONFIG_COMPAT
+static struct xt_match connmark_mt_reg __read_mostly = {
-struct compat_xt_connmark_info {
+        .name           = "connmark",
-        compat_ulong_t  mark, mask;
+        .revision       = 1,
-        u_int8_t        invert;
+        .family         = NFPROTO_UNSPEC,
-        u_int8_t        __pad1;
+        .checkentry     = connmark_mt_check,
-        u_int16_t       __pad2;
+        .match          = connmark_mt,
-};
+        .matchsize      = sizeof(struct xt_connmark_mtinfo1),
+        .destroy        = connmark_mt_destroy,
-static void connmark_mt_compat_from_user_v0(void *dst, void *src)
+        .me             = THIS_MODULE,
-{
-        const struct compat_xt_connmark_info *cm = src;
-        struct xt_connmark_info m = {
-                .mark   = cm->mark,
-                .mask   = cm->mask,
-                .invert = cm->invert,
-        };
-        memcpy(dst, &m, sizeof(m));
-}
-static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
-{
-        const struct xt_connmark_info *m = src;
-        struct compat_xt_connmark_info cm = {
-                .mark   = m->mark,
-                .mask   = m->mask,
-                .invert = m->invert,
-        };
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-static struct xt_match connmark_mt_reg[] __read_mostly = {
-        {
-                .name           = "connmark",
-                .revision       = 0,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = connmark_mt_check_v0,
-                .match          = connmark_mt_v0,
-                .destroy        = connmark_mt_destroy,
-                .matchsize      = sizeof(struct xt_connmark_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_connmark_info),
-                .compat_from_user = connmark_mt_compat_from_user_v0,
-                .compat_to_user = connmark_mt_compat_to_user_v0,
-#endif
-                .me             = THIS_MODULE
-        },
-        {
-                .name           = "connmark",
-                .revision       = 1,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = connmark_mt_check,
-                .match          = connmark_mt,
-                .matchsize      = sizeof(struct xt_connmark_mtinfo1),
-                .destroy        = connmark_mt_destroy,
-                .me             = THIS_MODULE,
-        },
 };
 static int __init connmark_mt_init(void)
 {
-        return xt_register_matches(connmark_mt_reg,
+        return xt_register_match(&connmark_mt_reg);
-               ARRAY_SIZE(connmark_mt_reg));
 }
 static void __exit connmark_mt_exit(void)
 {
-        xt_unregister_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg));
+        xt_unregister_match(&connmark_mt_reg);
 }
 module_init(connmark_mt_init);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index fc581800698e..6dc4652f2fe8 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -19,101 +19,12 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: connection tracking state match");
 MODULE_ALIAS("ipt_conntrack");
 MODULE_ALIAS("ip6t_conntrack");
 static bool
-conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct xt_conntrack_info *sinfo = par->matchinfo;
-        const struct nf_conn *ct;
-        enum ip_conntrack_info ctinfo;
-        unsigned int statebit;
-        ct = nf_ct_get(skb, &ctinfo);
-#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
-        if (ct == &nf_conntrack_untracked)
-                statebit = XT_CONNTRACK_STATE_UNTRACKED;
-        else if (ct)
-                statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
-        else
-                statebit = XT_CONNTRACK_STATE_INVALID;
-        if (sinfo->flags & XT_CONNTRACK_STATE) {
-                if (ct) {
-                        if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
-                                statebit |= XT_CONNTRACK_STATE_SNAT;
-                        if (test_bit(IPS_DST_NAT_BIT, &ct->status))
-                                statebit |= XT_CONNTRACK_STATE_DNAT;
-                }
-                if (FWINV((statebit & sinfo->statemask) == 0,
-                          XT_CONNTRACK_STATE))
-                        return false;
-        }
-        if (ct == NULL) {
-                if (sinfo->flags & ~XT_CONNTRACK_STATE)
-                        return false;
-                return true;
-        }
-        if (sinfo->flags & XT_CONNTRACK_PROTO &&
-            FWINV(nf_ct_protonum(ct) !=
-                  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
-                  XT_CONNTRACK_PROTO))
-                return false;
-        if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
-            FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
-                   sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-                  sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
-                  XT_CONNTRACK_ORIGSRC))
-                return false;
-        if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
-            FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
-                   sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-                  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
-                  XT_CONNTRACK_ORIGDST))
-                return false;
-        if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
-            FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
-                   sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
-                  sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
-                  XT_CONNTRACK_REPLSRC))
-                return false;
-        if (sinfo->flags & XT_CONNTRACK_REPLDST &&
-            FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
-                   sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
-                  sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
-                  XT_CONNTRACK_REPLDST))
-                return false;
-        if (sinfo->flags & XT_CONNTRACK_STATUS &&
-            FWINV((ct->status & sinfo->statusmask) == 0,
-                  XT_CONNTRACK_STATUS))
-                return false;
-        if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
-                unsigned long expires = timer_pending(&ct->timeout) ?
-                                        (ct->timeout.expires - jiffies)/HZ : 0;
-                if (FWINV(!(expires >= sinfo->expires_min &&
-                            expires <= sinfo->expires_max),
-                          XT_CONNTRACK_EXPIRES))
-                        return false;
-        }
-        return true;
-#undef FWINV
-}
-static bool
 conntrack_addrcmp(const union nf_inet_addr *kaddr,
                  const union nf_inet_addr *uaddr,
                  const union nf_inet_addr *umask, unsigned int l3proto)
@@ -337,73 +248,9 @@ static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
        conntrack_mt_destroy(par);
 }
-#ifdef CONFIG_COMPAT
-struct compat_xt_conntrack_info
-{
-        compat_uint_t                   statemask;
-        compat_uint_t                   statusmask;
-        struct ip_conntrack_old_tuple   tuple[IP_CT_DIR_MAX];
-        struct in_addr                  sipmsk[IP_CT_DIR_MAX];
-        struct in_addr                  dipmsk[IP_CT_DIR_MAX];
-        compat_ulong_t                  expires_min;
-        compat_ulong_t                  expires_max;
-        u_int8_t                        flags;
-        u_int8_t                        invflags;
-};
-static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
-{
-        const struct compat_xt_conntrack_info *cm = src;
-        struct xt_conntrack_info m = {
-                .statemask      = cm->statemask,
-                .statusmask     = cm->statusmask,
-                .expires_min    = cm->expires_min,
-                .expires_max    = cm->expires_max,
-                .flags          = cm->flags,
-                .invflags       = cm->invflags,
-        };
-        memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
-        memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
-        memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
-        memcpy(dst, &m, sizeof(m));
-}
-static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
-{
-        const struct xt_conntrack_info *m = src;
-        struct compat_xt_conntrack_info cm = {
-                .statemask      = m->statemask,
-                .statusmask     = m->statusmask,
-                .expires_min    = m->expires_min,
-                .expires_max    = m->expires_max,
-                .flags          = m->flags,
-                .invflags       = m->invflags,
-        };
-        memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
-        memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
-        memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif
 static struct xt_match conntrack_mt_reg[] __read_mostly = {
        {
                .name       = "conntrack",
-                .revision   = 0,
-                .family     = NFPROTO_IPV4,
-                .match      = conntrack_mt_v0,
-                .checkentry = conntrack_mt_check,
-                .destroy    = conntrack_mt_destroy,
-                .matchsize  = sizeof(struct xt_conntrack_info),
-                .me         = THIS_MODULE,
-#ifdef CONFIG_COMPAT
-                .compatsize       = sizeof(struct compat_xt_conntrack_info),
-                .compat_from_user = conntrack_mt_compat_from_user_v0,
-                .compat_to_user   = conntrack_mt_compat_to_user_v0,
-#endif
-        },
-        {
-                .name       = "conntrack",
                .revision   = 1,
                .family     = NFPROTO_UNSPEC,
                .matchsize  = sizeof(struct xt_conntrack_mtinfo1),
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index c3f8085460d7..0280d3a8c161 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -15,7 +15,6 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_dscp.h>
-#include <linux/netfilter_ipv4/ipt_tos.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
@@ -55,14 +54,6 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
        return true;
 }
-static bool
-tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ipt_tos_info *info = par->matchinfo;
-        return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
-}
 static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
        const struct xt_tos_match_info *info = par->matchinfo;
@@ -94,14 +85,6 @@ static struct xt_match dscp_mt_reg[] __read_mostly = {
        },
        {
                .name           = "tos",
-                .revision       = 0,
-                .family         = NFPROTO_IPV4,
-                .match          = tos_mt_v0,
-                .matchsize      = sizeof(struct ipt_tos_info),
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "tos",
                .revision       = 1,
                .family         = NFPROTO_IPV4,
                .match          = tos_mt,
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 501f9b623188..ffc96387d556 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -14,40 +14,6 @@
 #include <linux/ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_iprange.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-static bool
-iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ipt_iprange_info *info = par->matchinfo;
-        const struct iphdr *iph = ip_hdr(skb);
-        if (info->flags & IPRANGE_SRC) {
-                if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
-                          || ntohl(iph->saddr) > ntohl(info->src.max_ip))
-                         ^ !!(info->flags & IPRANGE_SRC_INV)) {
-                        pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n",
-                                 &iph->saddr,
-                                 info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
-                                 &info->src.min_ip,
-                                 &info->src.max_ip);
-                        return false;
-                }
-        }
-        if (info->flags & IPRANGE_DST) {
-                if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
-                          || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
-                         ^ !!(info->flags & IPRANGE_DST_INV)) {
-                        pr_debug("dst IP %pI4 NOT in range %s%pI4-%pI4\n",
-                                 &iph->daddr,
-                                 info->flags & IPRANGE_DST_INV ? "(INV) " : "",
-                                 &info->dst.min_ip,
-                                 &info->dst.max_ip);
-                        return false;
-                }
-        }
-        return true;
-}
 static bool
 iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -127,14 +93,6 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 static struct xt_match iprange_mt_reg[] __read_mostly = {
        {
                .name      = "iprange",
-                .revision  = 0,
-                .family    = NFPROTO_IPV4,
-                .match     = iprange_mt_v0,
-                .matchsize = sizeof(struct ipt_iprange_info),
-                .me        = THIS_MODULE,
-        },
-        {
-                .name      = "iprange",
                .revision  = 1,
                .family    = NFPROTO_IPV4,
                .match     = iprange_mt4,
@@ -164,7 +122,8 @@ static void __exit iprange_mt_exit(void)
 module_init(iprange_mt_init);
 module_exit(iprange_mt_exit);
 MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
 MODULE_ALIAS("ipt_iprange");
 MODULE_ALIAS("ip6t_iprange");
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 10b9e34bbc5b..1db07d8125f8 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -3,7 +3,7 @@
 *
 *      (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
 *      Copyright © CC Computer Consultants GmbH, 2007 - 2008
- *      Jan Engelhardt <jengelh@computergmbh.de>
+ *      Jan Engelhardt <jengelh@medozas.de>
 *
 *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License version 2 as
@@ -23,14 +23,6 @@ MODULE_ALIAS("ipt_mark");
 MODULE_ALIAS("ip6t_mark");
 static bool
-mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct xt_mark_info *info = par->matchinfo;
-        return ((skb->mark & info->mask) == info->mark) ^ info->invert;
-}
-static bool
 mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
        const struct xt_mark_mtinfo1 *info = par->matchinfo;
@@ -38,81 +30,23 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool mark_mt_check_v0(const struct xt_mtchk_param *par)
+static struct xt_match mark_mt_reg __read_mostly = {
-{
+        .name           = "mark",
-        const struct xt_mark_info *minfo = par->matchinfo;
+        .revision       = 1,
+        .family         = NFPROTO_UNSPEC,
-        if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
+        .match          = mark_mt,
-                printk(KERN_WARNING "mark: only supports 32bit mark\n");
+        .matchsize      = sizeof(struct xt_mark_mtinfo1),
-                return false;
+        .me             = THIS_MODULE,
-        }
-        return true;
-}
-#ifdef CONFIG_COMPAT
-struct compat_xt_mark_info {
-        compat_ulong_t  mark, mask;
-        u_int8_t        invert;
-        u_int8_t        __pad1;
-        u_int16_t       __pad2;
-};
-static void mark_mt_compat_from_user_v0(void *dst, void *src)
-{
-        const struct compat_xt_mark_info *cm = src;
-        struct xt_mark_info m = {
-                .mark   = cm->mark,
-                .mask   = cm->mask,
-                .invert = cm->invert,
-        };
-        memcpy(dst, &m, sizeof(m));
-}
-static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
-{
-        const struct xt_mark_info *m = src;
-        struct compat_xt_mark_info cm = {
-                .mark   = m->mark,
-                .mask   = m->mask,
-                .invert = m->invert,
-        };
-        return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-static struct xt_match mark_mt_reg[] __read_mostly = {
-        {
-                .name           = "mark",
-                .revision       = 0,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = mark_mt_check_v0,
-                .match          = mark_mt_v0,
-                .matchsize      = sizeof(struct xt_mark_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_mark_info),
-                .compat_from_user = mark_mt_compat_from_user_v0,
-                .compat_to_user = mark_mt_compat_to_user_v0,
-#endif
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "mark",
-                .revision       = 1,
-                .family         = NFPROTO_UNSPEC,
-                .match          = mark_mt,
-                .matchsize      = sizeof(struct xt_mark_mtinfo1),
-                .me             = THIS_MODULE,
-        },
 };
 static int __init mark_mt_init(void)
 {
-        return xt_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
+        return xt_register_match(&mark_mt_reg);
 }
 static void __exit mark_mt_exit(void)
 {
-        xt_unregister_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
+        xt_unregister_match(&mark_mt_reg);
 }
 module_init(mark_mt_init);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 22b2a5e881ea..d24c76dffee2 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -5,7 +5,6 @@
 * (C) 2000 Marc Boucher <marc@mbsi.ca>
 *
 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * <jengelh@computergmbh.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -17,60 +16,6 @@
 #include <net/sock.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-static bool
-owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ipt_owner_info *info = par->matchinfo;
-        const struct file *filp;
-        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
-                return false;
-        filp = skb->sk->sk_socket->file;
-        if (filp == NULL)
-                return false;
-        if (info->match & IPT_OWNER_UID)
-                if ((filp->f_cred->fsuid != info->uid) ^
-                    !!(info->invert & IPT_OWNER_UID))
-                        return false;
-        if (info->match & IPT_OWNER_GID)
-                if ((filp->f_cred->fsgid != info->gid) ^
-                    !!(info->invert & IPT_OWNER_GID))
-                        return false;
-        return true;
-}
-static bool
-owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ip6t_owner_info *info = par->matchinfo;
-        const struct file *filp;
-        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
-                return false;
-        filp = skb->sk->sk_socket->file;
-        if (filp == NULL)
-                return false;
-        if (info->match & IP6T_OWNER_UID)
-                if ((filp->f_cred->fsuid != info->uid) ^
-                    !!(info->invert & IP6T_OWNER_UID))
-                        return false;
-        if (info->match & IP6T_OWNER_GID)
-                if ((filp->f_cred->fsgid != info->gid) ^
-                    !!(info->invert & IP6T_OWNER_GID))
-                        return false;
-        return true;
-}
 static bool
 owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
+static struct xt_match owner_mt_reg __read_mostly = {
-{
+        .name       = "owner",
-        const struct ipt_owner_info *info = par->matchinfo;
+        .revision   = 1,
+        .family     = NFPROTO_UNSPEC,
-        if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
+        .match      = owner_mt,
-                printk(KERN_WARNING KBUILD_MODNAME
+        .matchsize  = sizeof(struct xt_owner_match_info),
-                       ": PID, SID and command matching is not "
+        .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                       "supported anymore\n");
+                      (1 << NF_INET_POST_ROUTING),
-                return false;
+        .me         = THIS_MODULE,
-        }
-        return true;
-}
-static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
-{
-        const struct ip6t_owner_info *info = par->matchinfo;
-        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
-                printk(KERN_WARNING KBUILD_MODNAME
-                       ": PID and SID matching is not supported anymore\n");
-                return false;
-        }
-        return true;
-}
-static struct xt_match owner_mt_reg[] __read_mostly = {
-        {
-                .name       = "owner",
-                .revision   = 0,
-                .family     = NFPROTO_IPV4,
-                .match      = owner_mt_v0,
-                .matchsize  = sizeof(struct ipt_owner_info),
-                .checkentry = owner_mt_check_v0,
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
-        {
-                .name       = "owner",
-                .revision   = 0,
-                .family     = NFPROTO_IPV6,
-                .match      = owner_mt6_v0,
-                .matchsize  = sizeof(struct ip6t_owner_info),
-                .checkentry = owner_mt6_check_v0,
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
-        {
-                .name       = "owner",
-                .revision   = 1,
-                .family     = NFPROTO_UNSPEC,
-                .match      = owner_mt,
-                .matchsize  = sizeof(struct xt_owner_match_info),
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
 };
 static int __init owner_mt_init(void)
 {
-        return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+        return xt_register_match(&owner_mt_reg);
 }
 static void __exit owner_mt_exit(void)
 {
-        xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+        xt_unregister_match(&owner_mt_reg);
 }
 module_init(owner_mt_init);
 module_exit(owner_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: socket owner matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_owner");
author	Patrick McHardy <kaber@trash.net>	2009-08-10 11:14:59 -0400
committer	Patrick McHardy <kaber@trash.net>	2009-08-10 11:14:59 -0400
commit	dc05a564ab1b3a1957927da50912964b61f7da69 (patch)
tree	489905675f9954e5bf160a2eff6ea6ce93472d61 /net/netfilter
parent	be39ee11cd1f67b51ac8e71d177a981eb34f2ab2 (diff)
parent	e2fe35c17fed62d4ab5038fa9bc489e967ff8416 (diff)