-rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack.h | 2 | ||||
-rw-r--r-- | include/linux/skbuff.h | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_standalone.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_CONNMARK.c | 11 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_MARK.c | 12 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_connmark.c | 7 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_mark.c | 7 |
8 files changed, 38 insertions, 7 deletions
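--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -171,7 +171,7 @@ struct ip_conntrack
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-unsigned long mark;
+u_int32_t mark;
 #endif
 
 /* Traversed often, so hopefully in different cacheline to top */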
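--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -259,7 +259,7 @@ struct sk_buff {
 
 void (*destructor)(struct sk_buff *skb);
 #ifdef CONFIG_NETFILTER
-unsigned long nfmark;
+__u32 nfmark;
 __u32 nfcache;
 __u32 nfctinfo;
 struct nf_conntrack *nfct;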
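Review bot: Narrowing `nfmark` from `unsigned long` to `__u32` changes what every reader of the field sees, and nothing on the field records that the width is now a fixed contract. The two format-string fixes elsewhere in this diff (`mark=%u` in ct_seq_show and `ct_hash=%u` in ipt_CLUSTERIP) both concern `ct->mark`; any code not shown here that prints `skb->nfmark` with `%lu` or takes its address as an `unsigned long *` would need the same treatment, which cannot be confirmed from this page and is worth checking before merge. A comment on the field would help the next reader, for example `/* 32 bits on all arches; wider user-supplied marks are rejected in checkentry */`. struct sk_buff starts and ends outside the hunk.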
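--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -185,7 +185,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 return -ENOSPC;
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-if (seq_printf(s, "mark=%lu ", conntrack->mark))
+if (seq_printf(s, "mark=%u ", conntrack->mark))
 return -ENOSPC;
 #endif
 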
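--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -367,7 +367,7 @@ target(struct sk_buff **pskb,
 #ifdef DEBUG_CLUSTERP
 DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 #endif
-DEBUGP("hash=%u ct_hash=%lu ", hash, ct->mark);
+DEBUGP("hash=%u ct_hash=%u ", hash, ct->mark);
 if (!clusterip_responsible(cipinfo->config, hash)) {
 DEBUGP("not responsible\n");
 return NF_DROP;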
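--- a/net/ipv4/netfilter/ipt_CONNMARK.c
+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
@@ -40,9 +40,9 @@ target(struct sk_buff **pskb,
 void *userinfo)
 {
 const struct ipt_connmark_target_info *markinfo = targinfo;
-unsigned long diff;
-unsigned long nfmark;
-unsigned long newmark;
+u_int32_t diff;
+u_int32_t nfmark;
+u_int32_t newmark;
 
 enum ip_conntrack_info ctinfo;
 struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
@@ -94,6 +94,11 @@ checkentry(const char *tablename,
 }
 }
 
+if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
+printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
+return 0;
+}
+
 return 1;
 }
 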
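Review bot: The new range check in checkentry has no comment saying why it exists, and without one it looks like dead code on builds where `long` is 32 bits, since `matchinfo->mark > 0xffffffff` can never be true there. The check matters because the rule structure handed in from userspace apparently still carries wider fields while `target()` now works in `u_int32_t` (`diff`, `nfmark`, `newmark`); rejecting at load time prevents a rule from silently acting on a truncated mark that differs from the one the administrator wrote. A short comment above the `if` would capture that, for example `/* userspace passes unsigned long; the kernel stores 32 bits, so refuse rather than truncate */`. The declaration of `matchinfo` and the start of checkentry are outside the hunk, so the field types are inferred from the comparison.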
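--- a/net/ipv4/netfilter/ipt_MARK.c
+++ b/net/ipv4/netfilter/ipt_MARK.c
@@ -76,6 +76,8 @@ checkentry_v0(const char *tablename,
 unsigned int targinfosize,
 unsigned int hook_mask)
 {
+struct ipt_mark_target_info *markinfo = targinfo;
+
 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_mark_target_info))) {
 printk(KERN_WARNING "MARK: targinfosize %u != %Zu\n",
 targinfosize,
@@ -88,6 +90,11 @@ checkentry_v0(const char *tablename,
 return 0;
 }
 
+if (markinfo->mark > 0xffffffff) {
+printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+return 0;
+}
+
 return 1;
 }
 
@@ -120,6 +127,11 @@ checkentry_v1(const char *tablename,
 return 0;
 }
 
+if (markinfo->mark > 0xffffffff) {
+printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
+return 0;
+}
+
 return 1;
 }
 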
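Review bot: The same four-line range check is added to both checkentry_v0 and checkentry_v1 here, and again in ipt_CONNMARK.c, ipt_connmark.c and ipt_mark.c, with four different log spellings ("Only supports 32bit wide mark", "Only supports 32bit mark", "only support 32bit mark", "only supports 32bit mark"). An operator searching kernel logs for rejected rules has to know every variant; one wording per module prefix, such as `printk(KERN_WARNING "MARK: only 32-bit marks are supported\n");`, would be easier to grep and alert on. In checkentry_v0 the new pointer is only read, so `const struct ipt_mark_target_info *markinfo = targinfo;` would state that. Both functions begin outside their hunks, and the declaration of `markinfo` used in checkentry_v1 is not visible here.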
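--- a/net/ipv4/netfilter/ipt_connmark.c
+++ b/net/ipv4/netfilter/ipt_connmark.c
@@ -54,9 +54,16 @@ checkentry(const char *tablename,
 unsigned int matchsize,
 unsigned int hook_mask)
 {
+struct ipt_connmark_info *cm =
+(struct ipt_connmark_info *)matchinfo;
 if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
 return 0;
 
+if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
+printk(KERN_WARNING "connmark: only support 32bit mark\n");
+return 0;
+}
+
 return 1;
 }
 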
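Review bot: The cast in `(struct ipt_connmark_info *)matchinfo` is unnecessary, and if `matchinfo` is a `const void *` as the cast suggests (the parameter is outside the hunk) it discards the qualifier on a pointer that is only read. `const struct ipt_connmark_info *cm = matchinfo;` does the same job and lets the compiler catch an accidental write to rule data during validation. The same applies to `minfo` in the checkentry of ipt_mark.c. The dereference of `cm` correctly comes after the `matchsize` comparison, and that order should be kept if the block is ever rearranged.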
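--- a/net/ipv4/netfilter/ipt_mark.c
+++ b/net/ipv4/netfilter/ipt_mark.c
@@ -37,9 +37,16 @@ checkentry(const char *tablename,
 unsigned int matchsize,
 unsigned int hook_mask)
 {
+struct ipt_mark_info *minfo = (struct ipt_mark_info *) matchinfo;
+
 if (matchsize != IPT_ALIGN(sizeof(struct ipt_mark_info)))
 return 0;
 
+if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
+printk(KERN_WARNING "mark: only supports 32bit mark\n");
+return 0;
+}
+
 return 1;
 }
 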