-rw-r--r--include/net/netfilter/nf_conntrack.h2
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_tcp.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c44
3 files changed, 26 insertions, 22 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index bda78a286e2b..90b3e7f5df5f 100644
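--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -216,7 +216,7 @@ static inline void nf_ct_refresh(struct nf_conn *ct,
 
 /* These are for NAT. Icky. */
 /* Update TCP window tracking data when NAT mangles the packet */
-extern void nf_conntrack_tcp_update(struct sk_buff *skb,
+extern void nf_conntrack_tcp_update(const struct sk_buff *skb,
  unsigned int dataoff,
  struct nf_conn *ct,
  int dir);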
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index da23e9fbe679..ffd5d1589eca 100644
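--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -93,7 +93,7 @@ tcp_manip_pkt(struct sk_buff *skb,
  const struct nf_conntrack_tuple *tuple,
  enum nf_nat_manip_type maniptype)
 {
- struct iphdr *iph = (struct iphdr *)(skb->data + iphdroff);
+ const struct iphdr *iph = (struct iphdr *)(skb->data + iphdroff);
  struct tcphdr *hdr;
  unsigned int hdroff = iphdroff + iph->ihl*4;
  __be32 oldip, newip;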
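Review bot: The new declaration of `iph` is const-qualified but the cast on the same line still goes through the non-const type, so the initializer would read more consistently as `const struct iphdr *iph = (const struct iphdr *)(skb->data + iphdroff);`. The next context line derives `hdroff` from `iph->ihl*4`, a packet-supplied field, and no range check on it is visible in this hunk. tcp_manip_pkt's body continues past the hunk, so a check, or a refresh of `iph` if the skb is reallocated later, may exist out of view and is worth confirming.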
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 9807af677a56..3e0cccae5636 100644
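--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -46,7 +46,7 @@ static int nf_ct_tcp_max_retrans __read_mostly = 3;
  /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
  closely. They're more complex. --RR */
 
-static const char *tcp_conntrack_names[] = {
+static const char *const tcp_conntrack_names[] = {
  "NONE",
  "SYN_SENT",
  "SYN_RECV",
@@ -261,7 +261,8 @@ static int tcp_pkt_to_tuple(const struct sk_buff *skb,
  unsigned int dataoff,
  struct nf_conntrack_tuple *tuple)
 {
- struct tcphdr _hdr, *hp;
+ const struct tcphdr *hp;
+ struct tcphdr _hdr;
 
  /* Actually only need first 8 bytes. */
  hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
@@ -343,7 +344,7 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph)
 static inline __u32 segment_seq_plus_len(__u32 seq,
  size_t len,
  unsigned int dataoff,
- struct tcphdr *tcph)
+ const struct tcphdr *tcph)
 {
  /* XXX Should I use payload length field in IP/IPv6 header ?
  * - YK */
@@ -362,11 +363,11 @@ static inline __u32 segment_seq_plus_len(__u32 seq,
  */
 static void tcp_options(const struct sk_buff *skb,
  unsigned int dataoff,
- struct tcphdr *tcph,
+ const struct tcphdr *tcph,
  struct ip_ct_tcp_state *state)
 {
  unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
- unsigned char *ptr;
+ const unsigned char *ptr;
  int length = (tcph->doff*4) - sizeof(struct tcphdr);
 
  if (!length)
@@ -417,10 +418,10 @@ static void tcp_options(const struct sk_buff *skb,
 }
 
 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
- struct tcphdr *tcph, __u32 *sack)
+ const struct tcphdr *tcph, __u32 *sack)
 {
  unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
- unsigned char *ptr;
+ const unsigned char *ptr;
  int length = (tcph->doff*4) - sizeof(struct tcphdr);
  __u32 tmp;
 
@@ -477,18 +478,18 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
  }
 }
 
-static int tcp_in_window(struct nf_conn *ct,
+static int tcp_in_window(const struct nf_conn *ct,
  struct ip_ct_tcp *state,
  enum ip_conntrack_dir dir,
  unsigned int index,
  const struct sk_buff *skb,
  unsigned int dataoff,
- struct tcphdr *tcph,
+ const struct tcphdr *tcph,
  int pf)
 {
  struct ip_ct_tcp_state *sender = &state->seen[dir];
  struct ip_ct_tcp_state *receiver = &state->seen[!dir];
- struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
+ const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
  __u32 seq, ack, sack, end, win, swin;
  int res;
 
@@ -686,14 +687,14 @@ static int tcp_in_window(struct nf_conn *ct,
 #ifdef CONFIG_NF_NAT_NEEDED
 /* Update sender->td_end after NAT successfully mangled the packet */
 /* Caller must linearize skb at tcp header. */
-void nf_conntrack_tcp_update(struct sk_buff *skb,
+void nf_conntrack_tcp_update(const struct sk_buff *skb,
  unsigned int dataoff,
  struct nf_conn *ct,
  int dir)
 {
- struct tcphdr *tcph = (void *)skb->data + dataoff;
- struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
- struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir];
+ const struct tcphdr *tcph = (const void *)skb->data + dataoff;
+ const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
+ const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir];
  __u32 end;
 
  end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph);
@@ -726,7 +727,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
 #define TH_CWR 0x80
 
 /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
-static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
+static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
 {
  [TH_SYN] = 1,
  [TH_SYN|TH_URG] = 1,
@@ -746,7 +747,8 @@ static int tcp_error(struct sk_buff *skb,
  int pf,
  unsigned int hooknum)
 {
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
  unsigned int tcplen = skb->len - dataoff;
  u_int8_t tcpflags;
 
@@ -803,7 +805,8 @@ static int tcp_packet(struct nf_conn *ct,
  struct nf_conntrack_tuple *tuple;
  enum tcp_conntrack new_state, old_state;
  enum ip_conntrack_dir dir;
- struct tcphdr *th, _tcph;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
  unsigned long timeout;
  unsigned int index;
 
@@ -964,9 +967,10 @@ static int tcp_new(struct nf_conn *ct,
  unsigned int dataoff)
 {
  enum tcp_conntrack new_state;
- struct tcphdr *th, _tcph;
- struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
- struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
+ const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
 
  th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
  BUG_ON(th == NULL);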
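Review bot: In the nf_conntrack_tcp_update hunk, the new `const struct tcphdr *tcph = (const void *)skb->data + dataoff;` still reads the header straight out of skb->data, so the only thing keeping `tcph->seq` inside the linear area is the "Caller must linearize skb at tcp header" comment. The function is exported (EXPORT_SYMBOL_GPL appears in the following hunk header), while tcp_pkt_to_tuple and tcp_new in this same file fetch the header through skb_header_pointer(). I would turn the comment into a checkable precondition, for example `/* Caller must guarantee dataoff + sizeof(struct tcphdr) <= skb_headlen(skb). */`, or fetch the header the way tcp_new does. The function body continues past the end of the hunk, so any check further down is not visible here.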