-rw-r--r-- | include/linux/netfilter/xt_LED.h | 2 | ||||
-rw-r--r-- | include/linux/netfilter/xt_cluster.h | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_ipv6header.c | 6 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 48 | ||||
-rw-r--r-- | net/netfilter/xt_cluster.c | 8 |
5 files changed, 34 insertions, 32 deletions
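diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h
index 4c91a0d770d0..f5509e7524d3 100644
--- a/include/linux/netfilter/xt_LED.h
+++ b/include/linux/netfilter/xt_LED.h
@@ -1,6 +1,8 @@
 #ifndef _XT_LED_H
 #define _XT_LED_H
 
+#include <linux/types.h>
+
 struct xt_led_info {
 char id[27]; /* Unique ID for this trigger in the LED class */
 __u8 always_blink; /* Blink even if the LED is already on */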
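diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 5e0a0d07b526..886682656f09 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -12,4 +12,6 @@ struct xt_cluster_match_info {
 u_int32_t flags;
 };
 
+#define XT_CLUSTER_NODES_MAX 32
+
 #endif /* _XT_CLUSTER_MATCH_H */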
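Review bot: XT_CLUSTER_NODES_MAX is introduced with no comment saying where the value 32 comes from, and this header is shared with userspace, so a reader cannot tell whether it is an arbitrary policy limit or is tied to the bit width of node_mask, whose declaration sits above the hunk. Since the kernel side uses it to bound a shift into node_mask, the limit and the mask width must stay in step, and a comment is the only thing that records that. Suggest `#define XT_CLUSTER_NODES_MAX 32 /* one bit of node_mask per node; must not exceed its width */`, with the wording confirmed against node_mask's actual type.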
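diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 14e6724d5672..91490ad9302c 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 struct ipv6_opt_hdr _hdr;
 int hdrlen;
 
-/* Is there enough space for the next ext header? */
-if (len < (int)sizeof(struct ipv6_opt_hdr))
-return false;
 /* No more exthdr -> evaluate */
 if (nexthdr == NEXTHDR_NONE) {
 temp |= MASK_NONE;
 break;
 }
+/* Is there enough space for the next ext header? */
+if (len < (int)sizeof(struct ipv6_opt_hdr))
+return false;
 /* ESP -> evaluate */
 if (nexthdr == NEXTHDR_ESP) {
 temp |= MASK_ESP;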
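Review bot: Nothing in the code records why the NEXTHDR_NONE test now has to come before the length check, and the two comments read as if the order were arbitrary, so a later tidy-up could swap them back and silently reintroduce the miss for packets that end right after their last extension header. Suggest extending the first comment to `/* No more exthdr -> evaluate. Must precede the length check: NEXTHDR_NONE has no header body, so len may legitimately be 0 here. */` (split over three lines in kernel style). The relocated check now also guards the ESP branch, which appears intentional since the ESP case is evaluated from `len` below. The enclosing loop in ipv6header_mt6 starts and ends outside this hunk.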
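diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f13fc57e1ecb..c523f0b8cee5 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1186,28 +1186,6 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
 return 0;
 }
 
-static inline void
-ctnetlink_event_report(struct nf_conn *ct, u32 pid, int report)
-{
-unsigned int events = 0;
-
-if (test_bit(IPS_EXPECTED_BIT, &ct->status))
-events |= IPCT_RELATED;
-else
-events |= IPCT_NEW;
-
-nf_conntrack_event_report(IPCT_STATUS |
-IPCT_HELPER |
-IPCT_REFRESH |
-IPCT_PROTOINFO |
-IPCT_NATSEQADJ |
-IPCT_MARK |
-events,
-ct,
-pid,
-report);
-}
-
 static struct nf_conn *
 ctnetlink_create_conntrack(struct nlattr *cda[],
 struct nf_conntrack_tuple *otuple,
@@ -1373,6 +1351,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 err = -ENOENT;
 if (nlh->nlmsg_flags & NLM_F_CREATE) {
 struct nf_conn *ct;
+enum ip_conntrack_events events;
 
 ct = ctnetlink_create_conntrack(cda, &otuple,
 &rtuple, u3);
@@ -1383,9 +1362,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 err = 0;
 nf_conntrack_get(&ct->ct_general);
 spin_unlock_bh(&nf_conntrack_lock);
-ctnetlink_event_report(ct,
-NETLINK_CB(skb).pid,
-nlmsg_report(nlh));
+if (test_bit(IPS_EXPECTED_BIT, &ct->status))
+events = IPCT_RELATED;
+else
+events = IPCT_NEW;
+
+nf_conntrack_event_report(IPCT_STATUS |
+IPCT_HELPER |
+IPCT_PROTOINFO |
+IPCT_NATSEQADJ |
+IPCT_MARK | events,
+ct, NETLINK_CB(skb).pid,
+nlmsg_report(nlh));
 nf_ct_put(ct);
 } else
 spin_unlock_bh(&nf_conntrack_lock);
@@ -1404,9 +1392,13 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 if (err == 0) {
 nf_conntrack_get(&ct->ct_general);
 spin_unlock_bh(&nf_conntrack_lock);
-ctnetlink_event_report(ct,
-NETLINK_CB(skb).pid,
-nlmsg_report(nlh));
+nf_conntrack_event_report(IPCT_STATUS |
+IPCT_HELPER |
+IPCT_PROTOINFO |
+IPCT_NATSEQADJ |
+IPCT_MARK,
+ct, NETLINK_CB(skb).pid,
+nlmsg_report(nlh));
 nf_ct_put(ct);
 } else
 spin_unlock_bh(&nf_conntrack_lock);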
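Review bot: The five-flag event mask is now hand-copied at the two call sites in ctnetlink_new_conntrack (the create path in the third hunk and the update path in the fourth), differing only by `| events`, so the two lists can drift apart unnoticed; userspace state-sync daemons key on these bits, and a mismatch between paths is exactly the kind of bug the removed helper was hiding. Suggest one definition next to the function, `#define CTNETLINK_CHANGE_EVENTS (IPCT_STATUS | IPCT_HELPER | IPCT_PROTOINFO | IPCT_NATSEQADJ | IPCT_MARK)`, used as `CTNETLINK_CHANGE_EVENTS | events` on create and `CTNETLINK_CHANGE_EVENTS` on update. IPCT_REFRESH is also dropped from both masks with no justification visible here; dropping it is reasonable for a freshly created entry, but if ctnetlink_change_conntrack (whose body is above the first hunk) can alter the timeout, update listeners no longer receive a refresh event for that change, which should be confirmed as intended. ctnetlink_new_conntrack begins and ends outside these hunks.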
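diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c4847662b85..69a639f35403 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,7 +135,13 @@ static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
 struct xt_cluster_match_info *info = par->matchinfo;
 
-if (info->node_mask >= (1 << info->total_nodes)) {
+if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
+printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
+"number of cluster nodes (%u > %u)\n",
+info->total_nodes, XT_CLUSTER_NODES_MAX);
+return false;
+}
+if (info->node_mask >= (1ULL << info->total_nodes)) {
 printk(KERN_ERR "xt_cluster: this node mask cannot be "
 "higher than the total number of nodes\n");
 return false;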
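Review bot: The new upper-bound check closes the undefined shift that a userspace-supplied total_nodes of 32 or more used to trigger in `1 << info->total_nodes`, but the lower bound is still open: total_nodes == 0 passes the first test, and the second then admits only node_mask == 0, i.e. a rule that can never match is accepted silently rather than rejected at load time. Suggest widening the first condition to `if (info->total_nodes == 0 || info->total_nodes > XT_CLUSTER_NODES_MAX) {` and adjusting the message to say the count must be between 1 and the maximum; whether a zero count also harms the hashing code further down depends on lines outside this hunk. The `1ULL` widening is what makes the `>=` comparison meaningful at total_nodes == 32, so a short comment on that line, `/* 1ULL: total_nodes may be exactly 32 */`, would keep someone from narrowing it back. xt_cluster_mt_checkentry continues past the end of the hunk.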