aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/netfilter/xt_LED.h2
-rw-r--r--include/linux/netfilter/xt_cluster.h2
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c6
-rw-r--r--net/netfilter/nf_conntrack_netlink.c48
-rw-r--r--net/netfilter/xt_cluster.c8
5 files changed, 34 insertions, 32 deletions
diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h
index 4c91a0d770d0..f5509e7524d3 100644
--- a/include/linux/netfilter/xt_LED.h
+++ b/include/linux/netfilter/xt_LED.h
@@ -1,6 +1,8 @@
1#ifndef _XT_LED_H 1#ifndef _XT_LED_H
2#define _XT_LED_H 2#define _XT_LED_H
3 3
4#include <linux/types.h>
5
4struct xt_led_info { 6struct xt_led_info {
5 char id[27]; /* Unique ID for this trigger in the LED class */ 7 char id[27]; /* Unique ID for this trigger in the LED class */
6 __u8 always_blink; /* Blink even if the LED is already on */ 8 __u8 always_blink; /* Blink even if the LED is already on */
diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 5e0a0d07b526..886682656f09 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -12,4 +12,6 @@ struct xt_cluster_match_info {
12 u_int32_t flags; 12 u_int32_t flags;
13}; 13};
14 14
15#define XT_CLUSTER_NODES_MAX 32
16
15#endif /* _XT_CLUSTER_MATCH_H */ 17#endif /* _XT_CLUSTER_MATCH_H */
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 14e6724d5672..91490ad9302c 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
50 struct ipv6_opt_hdr _hdr; 50 struct ipv6_opt_hdr _hdr;
51 int hdrlen; 51 int hdrlen;
52 52
53 /* Is there enough space for the next ext header? */
54 if (len < (int)sizeof(struct ipv6_opt_hdr))
55 return false;
56 /* No more exthdr -> evaluate */ 53 /* No more exthdr -> evaluate */
57 if (nexthdr == NEXTHDR_NONE) { 54 if (nexthdr == NEXTHDR_NONE) {
58 temp |= MASK_NONE; 55 temp |= MASK_NONE;
59 break; 56 break;
60 } 57 }
58 /* Is there enough space for the next ext header? */
59 if (len < (int)sizeof(struct ipv6_opt_hdr))
60 return false;
61 /* ESP -> evaluate */ 61 /* ESP -> evaluate */
62 if (nexthdr == NEXTHDR_ESP) { 62 if (nexthdr == NEXTHDR_ESP) {
63 temp |= MASK_ESP; 63 temp |= MASK_ESP;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f13fc57e1ecb..c523f0b8cee5 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1186,28 +1186,6 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
1186 return 0; 1186 return 0;
1187} 1187}
1188 1188
1189static inline void
1190ctnetlink_event_report(struct nf_conn *ct, u32 pid, int report)
1191{
1192 unsigned int events = 0;
1193
1194 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1195 events |= IPCT_RELATED;
1196 else
1197 events |= IPCT_NEW;
1198
1199 nf_conntrack_event_report(IPCT_STATUS |
1200 IPCT_HELPER |
1201 IPCT_REFRESH |
1202 IPCT_PROTOINFO |
1203 IPCT_NATSEQADJ |
1204 IPCT_MARK |
1205 events,
1206 ct,
1207 pid,
1208 report);
1209}
1210
1211static struct nf_conn * 1189static struct nf_conn *
1212ctnetlink_create_conntrack(struct nlattr *cda[], 1190ctnetlink_create_conntrack(struct nlattr *cda[],
1213 struct nf_conntrack_tuple *otuple, 1191 struct nf_conntrack_tuple *otuple,
@@ -1373,6 +1351,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1373 err = -ENOENT; 1351 err = -ENOENT;
1374 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1352 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1375 struct nf_conn *ct; 1353 struct nf_conn *ct;
1354 enum ip_conntrack_events events;
1376 1355
1377 ct = ctnetlink_create_conntrack(cda, &otuple, 1356 ct = ctnetlink_create_conntrack(cda, &otuple,
1378 &rtuple, u3); 1357 &rtuple, u3);
@@ -1383,9 +1362,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1383 err = 0; 1362 err = 0;
1384 nf_conntrack_get(&ct->ct_general); 1363 nf_conntrack_get(&ct->ct_general);
1385 spin_unlock_bh(&nf_conntrack_lock); 1364 spin_unlock_bh(&nf_conntrack_lock);
1386 ctnetlink_event_report(ct, 1365 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1387 NETLINK_CB(skb).pid, 1366 events = IPCT_RELATED;
1388 nlmsg_report(nlh)); 1367 else
1368 events = IPCT_NEW;
1369
1370 nf_conntrack_event_report(IPCT_STATUS |
1371 IPCT_HELPER |
1372 IPCT_PROTOINFO |
1373 IPCT_NATSEQADJ |
1374 IPCT_MARK | events,
1375 ct, NETLINK_CB(skb).pid,
1376 nlmsg_report(nlh));
1389 nf_ct_put(ct); 1377 nf_ct_put(ct);
1390 } else 1378 } else
1391 spin_unlock_bh(&nf_conntrack_lock); 1379 spin_unlock_bh(&nf_conntrack_lock);
@@ -1404,9 +1392,13 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1404 if (err == 0) { 1392 if (err == 0) {
1405 nf_conntrack_get(&ct->ct_general); 1393 nf_conntrack_get(&ct->ct_general);
1406 spin_unlock_bh(&nf_conntrack_lock); 1394 spin_unlock_bh(&nf_conntrack_lock);
1407 ctnetlink_event_report(ct, 1395 nf_conntrack_event_report(IPCT_STATUS |
1408 NETLINK_CB(skb).pid, 1396 IPCT_HELPER |
1409 nlmsg_report(nlh)); 1397 IPCT_PROTOINFO |
1398 IPCT_NATSEQADJ |
1399 IPCT_MARK,
1400 ct, NETLINK_CB(skb).pid,
1401 nlmsg_report(nlh));
1410 nf_ct_put(ct); 1402 nf_ct_put(ct);
1411 } else 1403 } else
1412 spin_unlock_bh(&nf_conntrack_lock); 1404 spin_unlock_bh(&nf_conntrack_lock);
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c4847662b85..69a639f35403 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,7 +135,13 @@ static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
135{ 135{
136 struct xt_cluster_match_info *info = par->matchinfo; 136 struct xt_cluster_match_info *info = par->matchinfo;
137 137
138 if (info->node_mask >= (1 << info->total_nodes)) { 138 if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
139 printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
140 "number of cluster nodes (%u > %u)\n",
141 info->total_nodes, XT_CLUSTER_NODES_MAX);
142 return false;
143 }
144 if (info->node_mask >= (1ULL << info->total_nodes)) {
139 printk(KERN_ERR "xt_cluster: this node mask cannot be " 145 printk(KERN_ERR "xt_cluster: this node mask cannot be "
140 "higher than the total number of nodes\n"); 146 "higher than the total number of nodes\n");
141 return false; 147 return false;