aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/net/netfilter/ipv6/nf_conntrack_ipv6.h2
-rw-r--r--include/net/netfilter/nf_conntrack_l3proto.h6
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c23
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c27
-rw-r--r--net/netfilter/nf_conntrack_core.c5
-rw-r--r--net/netfilter/nf_conntrack_l3proto_generic.c7
6 files changed, 40 insertions, 30 deletions
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index b4b6049e01fa..5a8965904377 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -7,7 +7,7 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;
7extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6; 7extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;
8extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6; 8extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
9 9
10extern int nf_ct_ipv6_skip_exthdr(struct sk_buff *skb, int start, 10extern int nf_ct_ipv6_skip_exthdr(const struct sk_buff *skb, int start,
11 u8 *nexthdrp, int len); 11 u8 *nexthdrp, int len);
12 12
13extern int nf_ct_frag6_init(void); 13extern int nf_ct_frag6_init(void);
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 890752d7f673..e3708a698d8b 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -58,11 +58,11 @@ struct nf_conntrack_l3proto
58 58
59 /* 59 /*
60 * Called before tracking. 60 * Called before tracking.
61 * *dataoff: offset of protocol header (TCP, UDP,...) in *pskb 61 * *dataoff: offset of protocol header (TCP, UDP,...) in skb
62 * *protonum: protocol number 62 * *protonum: protocol number
63 */ 63 */
64 int (*prepare)(struct sk_buff **pskb, unsigned int hooknum, 64 int (*get_l4proto)(const struct sk_buff *skb, unsigned int nhoff,
65 unsigned int *dataoff, u_int8_t *protonum); 65 unsigned int *dataoff, u_int8_t *protonum);
66 66
67 int (*tuple_to_nfattr)(struct sk_buff *skb, 67 int (*tuple_to_nfattr)(struct sk_buff *skb,
68 const struct nf_conntrack_tuple *t); 68 const struct nf_conntrack_tuple *t);
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 3c5629938487..ee29f4e9eac2 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -78,21 +78,26 @@ nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
78 return skb; 78 return skb;
79} 79}
80 80
81static int 81static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
82ipv4_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff, 82 unsigned int *dataoff, u_int8_t *protonum)
83 u_int8_t *protonum)
84{ 83{
84 struct iphdr _iph, *iph;
85
86 iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
87 if (iph == NULL)
88 return -NF_DROP;
89
85 /* Never happen */ 90 /* Never happen */
86 if (ip_hdr(*pskb)->frag_off & htons(IP_OFFSET)) { 91 if (iph->frag_off & htons(IP_OFFSET)) {
87 if (net_ratelimit()) { 92 if (net_ratelimit()) {
88 printk(KERN_ERR "ipv4_prepare: Frag of proto %u (hook=%u)\n", 93 printk(KERN_ERR "ipv4_get_l4proto: Frag of proto %u\n",
89 ip_hdr(*pskb)->protocol, hooknum); 94 iph->protocol);
90 } 95 }
91 return -NF_DROP; 96 return -NF_DROP;
92 } 97 }
93 98
94 *dataoff = skb_network_offset(*pskb) + ip_hdrlen(*pskb); 99 *dataoff = nhoff + (iph->ihl << 2);
95 *protonum = ip_hdr(*pskb)->protocol; 100 *protonum = iph->protocol;
96 101
97 return NF_ACCEPT; 102 return NF_ACCEPT;
98} 103}
@@ -407,7 +412,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
407 .invert_tuple = ipv4_invert_tuple, 412 .invert_tuple = ipv4_invert_tuple,
408 .print_tuple = ipv4_print_tuple, 413 .print_tuple = ipv4_print_tuple,
409 .print_conntrack = ipv4_print_conntrack, 414 .print_conntrack = ipv4_print_conntrack,
410 .prepare = ipv4_prepare, 415 .get_l4proto = ipv4_get_l4proto,
411#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 416#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
412 .tuple_to_nfattr = ipv4_tuple_to_nfattr, 417 .tuple_to_nfattr = ipv4_tuple_to_nfattr,
413 .nfattr_to_tuple = ipv4_nfattr_to_tuple, 418 .nfattr_to_tuple = ipv4_nfattr_to_tuple,
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index b5c4bb54691e..9b7eaaadc67e 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -86,7 +86,7 @@ static int ipv6_print_conntrack(struct seq_file *s,
86 * - Note also special handling of AUTH header. Thanks to IPsec wizards. 86 * - Note also special handling of AUTH header. Thanks to IPsec wizards.
87 */ 87 */
88 88
89int nf_ct_ipv6_skip_exthdr(struct sk_buff *skb, int start, u8 *nexthdrp, 89int nf_ct_ipv6_skip_exthdr(const struct sk_buff *skb, int start, u8 *nexthdrp,
90 int len) 90 int len)
91{ 91{
92 u8 nexthdr = *nexthdrp; 92 u8 nexthdr = *nexthdrp;
@@ -117,19 +117,24 @@ int nf_ct_ipv6_skip_exthdr(struct sk_buff *skb, int start, u8 *nexthdrp,
117 return start; 117 return start;
118} 118}
119 119
120static int 120static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
121ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff, 121 unsigned int *dataoff, u_int8_t *protonum)
122 u_int8_t *protonum)
123{ 122{
124 unsigned int extoff = (u8 *)(ipv6_hdr(*pskb) + 1) - (*pskb)->data; 123 unsigned int extoff = nhoff + sizeof(struct ipv6hdr);
125 unsigned char pnum = ipv6_hdr(*pskb)->nexthdr; 124 unsigned char pnum;
126 int protoff = nf_ct_ipv6_skip_exthdr(*pskb, extoff, &pnum, 125 int protoff;
127 (*pskb)->len - extoff); 126
127 if (skb_copy_bits(skb, nhoff + offsetof(struct ipv6hdr, nexthdr),
128 &pnum, sizeof(pnum)) != 0) {
129 pr_debug("ip6_conntrack_core: can't get nexthdr\n");
130 return -NF_ACCEPT;
131 }
132 protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum, skb->len - extoff);
128 /* 133 /*
129 * (protoff == (*pskb)->len) mean that the packet doesn't have no data 134 * (protoff == skb->len) mean that the packet doesn't have no data
130 * except of IPv6 & ext headers. but it's tracked anyway. - YK 135 * except of IPv6 & ext headers. but it's tracked anyway. - YK
131 */ 136 */
132 if ((protoff < 0) || (protoff > (*pskb)->len)) { 137 if ((protoff < 0) || (protoff > skb->len)) {
133 pr_debug("ip6_conntrack_core: can't find proto in pkt\n"); 138 pr_debug("ip6_conntrack_core: can't find proto in pkt\n");
134 return -NF_ACCEPT; 139 return -NF_ACCEPT;
135 } 140 }
@@ -375,7 +380,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 = {
375 .invert_tuple = ipv6_invert_tuple, 380 .invert_tuple = ipv6_invert_tuple,
376 .print_tuple = ipv6_print_tuple, 381 .print_tuple = ipv6_print_tuple,
377 .print_conntrack = ipv6_print_conntrack, 382 .print_conntrack = ipv6_print_conntrack,
378 .prepare = ipv6_prepare, 383 .get_l4proto = ipv6_get_l4proto,
379#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 384#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
380 .tuple_to_nfattr = ipv6_tuple_to_nfattr, 385 .tuple_to_nfattr = ipv6_tuple_to_nfattr,
381 .nfattr_to_tuple = ipv6_nfattr_to_tuple, 386 .nfattr_to_tuple = ipv6_nfattr_to_tuple,
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index b730413738a6..5b194e3c4e25 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -622,8 +622,9 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
622 622
623 /* rcu_read_lock()ed by nf_hook_slow */ 623 /* rcu_read_lock()ed by nf_hook_slow */
624 l3proto = __nf_ct_l3proto_find((u_int16_t)pf); 624 l3proto = __nf_ct_l3proto_find((u_int16_t)pf);
625 625 ret = l3proto->get_l4proto(*pskb, skb_network_offset(*pskb),
626 if ((ret = l3proto->prepare(pskb, hooknum, &dataoff, &protonum)) <= 0) { 626 &dataoff, &protonum);
627 if (ret <= 0) {
627 pr_debug("not prepared to track yet or error occured\n"); 628 pr_debug("not prepared to track yet or error occured\n");
628 NF_CT_STAT_INC_ATOMIC(error); 629 NF_CT_STAT_INC_ATOMIC(error);
629 NF_CT_STAT_INC_ATOMIC(invalid); 630 NF_CT_STAT_INC_ATOMIC(invalid);
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index b1bfa207a850..0691642b7724 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -61,9 +61,8 @@ static int generic_print_conntrack(struct seq_file *s,
61 return 0; 61 return 0;
62} 62}
63 63
64static int 64static int generic_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
65generic_prepare(struct sk_buff **pskb, unsigned int hooknum, 65 unsigned int *dataoff, u_int8_t *protonum)
66 unsigned int *dataoff, u_int8_t *protonum)
67{ 66{
68 /* Never track !!! */ 67 /* Never track !!! */
69 return -NF_ACCEPT; 68 return -NF_ACCEPT;
@@ -77,6 +76,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_generic = {
77 .invert_tuple = generic_invert_tuple, 76 .invert_tuple = generic_invert_tuple,
78 .print_tuple = generic_print_tuple, 77 .print_tuple = generic_print_tuple,
79 .print_conntrack = generic_print_conntrack, 78 .print_conntrack = generic_print_conntrack,
80 .prepare = generic_prepare, 79 .get_l4proto = generic_get_l4proto,
81}; 80};
82EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_generic); 81EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_generic);