-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack.h2
-rw-r--r--include/linux/skbuff.h2
-rw-r--r--net/ipv4/netfilter/ip_conntrack_standalone.c2
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c2
-rw-r--r--net/ipv4/netfilter/ipt_CONNMARK.c11
-rw-r--r--net/ipv4/netfilter/ipt_MARK.c12
-rw-r--r--net/ipv4/netfilter/ipt_connmark.c7
-rw-r--r--net/ipv4/netfilter/ipt_mark.c7
8 files changed, 38 insertions, 7 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 08fe5f7d14a0..4ed720f0c4cd 100644
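--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -171,7 +171,7 @@ struct ip_conntrack
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
- unsigned long mark;
+ u_int32_t mark;
 #endif
 
  /* Traversed often, so hopefully in different cacheline to top */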
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 948527e42a60..2e40f4c9f7a6 100644
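--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -259,7 +259,7 @@ struct sk_buff {
 
  void (*destructor)(struct sk_buff *skb);
 #ifdef CONFIG_NETFILTER
- unsigned long nfmark;
+ __u32 nfmark;
  __u32 nfcache;
  __u32 nfctinfo;
  struct nf_conntrack *nfct;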
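Review bot: Narrowing `nfmark` to `__u32` at line 262 changes a field of struct sk_buff that code outside this commit may also use, while the diffstat covers only eight netfilter files. Any remaining `%lu` format applied to `skb->nfmark`, or any assignment into it from an `unsigned long`, would now be a format mismatch or a silent truncation on 64-bit builds, so a tree-wide search for `nfmark` is worth doing before merging. A comment on the field, e.g. `/* netfilter mark, 32 bit wide on every architecture */`, would record the new contract. struct sk_buff continues outside the hunk.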
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 61798c46e91d..dccd4abab7ae 100644
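--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -185,7 +185,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
  return -ENOSPC;
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
- if (seq_printf(s, "mark=%lu ", conntrack->mark))
+ if (seq_printf(s, "mark=%u ", conntrack->mark))
  return -ENOSPC;
 #endif
 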
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 6706d3a1bc4f..2d05cafec221 100644
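--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -367,7 +367,7 @@ target(struct sk_buff **pskb,
 #ifdef DEBUG_CLUSTERP
  DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 #endif
- DEBUGP("hash=%u ct_hash=%lu ", hash, ct->mark);
+ DEBUGP("hash=%u ct_hash=%u ", hash, ct->mark);
  if (!clusterip_responsible(cipinfo->config, hash)) {
  DEBUGP("not responsible\n");
  return NF_DROP;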
diff --git a/net/ipv4/netfilter/ipt_CONNMARK.c b/net/ipv4/netfilter/ipt_CONNMARK.c
index 30ddd3e18eb7..8ed744157b1a 100644
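--- a/net/ipv4/netfilter/ipt_CONNMARK.c
+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
@@ -40,9 +40,9 @@ target(struct sk_buff **pskb,
  void *userinfo)
 {
  const struct ipt_connmark_target_info *markinfo = targinfo;
- unsigned long diff;
- unsigned long nfmark;
- unsigned long newmark;
+ u_int32_t diff;
+ u_int32_t nfmark;
+ u_int32_t newmark;
 
  enum ip_conntrack_info ctinfo;
  struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
@@ -94,6 +94,11 @@ checkentry(const char *tablename,
  }
  }
 
+ if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
+ printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
+ return 0;
+ }
+
  return 1;
 }
 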
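Review bot: The range test added at new lines 97-100 of checkentry() refuses a rule whenever `mask` has any bit set above bit 31, so on a 64-bit kernel a userspace tool that fills the (presumably `unsigned long`) mask with an all-ones default would have its rule rejected after this change; whether existing tools do that is not visible here and should be confirmed before merging. A ruleset that no longer loads leaves the host without the filtering the administrator intended, so the requirement deserves a comment above the test, for example `/* marks are 32 bit wide now; userspace must not pass wider values, including an all-ones mask */`. Because the stored mark is now 32 bits, high mask bits cannot change the result, so testing only `matchinfo->mark` and letting the mask truncate may be the more compatible choice. The same mark-and-mask test is added in ipt_connmark.c and ipt_mark.c. checkentry() begins above this hunk, so the declaration of `matchinfo` is not visible.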
diff --git a/net/ipv4/netfilter/ipt_MARK.c b/net/ipv4/netfilter/ipt_MARK.c
index 33c6f9b63b8d..8526398346cf 100644
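--- a/net/ipv4/netfilter/ipt_MARK.c
+++ b/net/ipv4/netfilter/ipt_MARK.c
@@ -76,6 +76,8 @@ checkentry_v0(const char *tablename,
  unsigned int targinfosize,
  unsigned int hook_mask)
 {
+ struct ipt_mark_target_info *markinfo = targinfo;
+
  if (targinfosize != IPT_ALIGN(sizeof(struct ipt_mark_target_info))) {
  printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
  targinfosize,
@@ -88,6 +90,11 @@ checkentry_v0(const char *tablename,
  return 0;
  }
 
+ if (markinfo->mark > 0xffffffff) {
+ printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+ return 0;
+ }
+
  return 1;
 }
 
@@ -120,6 +127,11 @@ checkentry_v1(const char *tablename,
  return 0;
  }
 
+ if (markinfo->mark > 0xffffffff) {
+ printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+ return 0;
+ }
+
  return 1;
 }
 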
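Review bot: The `markinfo` pointer added at new line 79 of checkentry_v0() is only read, so it should be declared `const struct ipt_mark_target_info *markinfo = targinfo;`. The third hunk uses `markinfo` in checkentry_v1() without adding a declaration, so it presumably relies on one above the hunk; it is worth confirming that it points at the v1 structure. On builds where the `mark` field is only 32 bits wide, the test `markinfo->mark > 0xffffffff` is constant false and some compilers warn about it. A short comment such as `/* can only trigger where the userspace field is wider than 32 bits */` would explain why the test is there. The same applies to the tests added in ipt_CONNMARK.c, ipt_connmark.c and ipt_mark.c.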
diff --git a/net/ipv4/netfilter/ipt_connmark.c b/net/ipv4/netfilter/ipt_connmark.c
index 2706f96cea55..bf8de47ce004 100644
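--- a/net/ipv4/netfilter/ipt_connmark.c
+++ b/net/ipv4/netfilter/ipt_connmark.c
@@ -54,9 +54,16 @@ checkentry(const char *tablename,
  unsigned int matchsize,
  unsigned int hook_mask)
 {
+ struct ipt_connmark_info *cm =
+ (struct ipt_connmark_info *)matchinfo;
  if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
  return 0;
 
+ if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
+ printk(KERN_WARNING "connmark: only support 32bit mark\n");
+ return 0;
+ }
+
  return 1;
 }
 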
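Review bot: The rejection message added at new line 63 does not say which value was refused, and its wording ("only support") differs from the "Only supports" used in ipt_CONNMARK.c and ipt_MARK.c. Printing the offending values, e.g. `printk(KERN_WARNING "connmark: mark 0x%lx/mask 0x%lx wider than 32 bit\n", cm->mark, cm->mask);` (assuming both fields are `unsigned long`, which the hunk does not show), would make a refused ruleset easier to diagnose. The pointer at new lines 57-58 is only read, so `const struct ipt_connmark_info *cm = matchinfo;` is preferable: the cast is not needed for a void pointer and would hide a dropped `const` if `matchinfo` is const-qualified. ipt_mark.c adds the same cast at its new line 40.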
diff --git a/net/ipv4/netfilter/ipt_mark.c b/net/ipv4/netfilter/ipt_mark.c
index 8955728127b9..00bef6cdd3f8 100644
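--- a/net/ipv4/netfilter/ipt_mark.c
+++ b/net/ipv4/netfilter/ipt_mark.c
@@ -37,9 +37,16 @@ checkentry(const char *tablename,
  unsigned int matchsize,
  unsigned int hook_mask)
 {
+ struct ipt_mark_info *minfo = (struct ipt_mark_info *) matchinfo;
+
  if (matchsize != IPT_ALIGN(sizeof(struct ipt_mark_info)))
  return 0;
 
+ if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
+ printk(KERN_WARNING "mark: only supports 32bit mark\n");
+ return 0;
+ }
+
  return 1;
 }
 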