Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 22 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 5 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 46 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 20 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ECN.c | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_LOG.c | 22 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_MASQUERADE.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_REJECT.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_mangle.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 28 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_helper.c | 22 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_standalone.c | 10 |
15 files changed, 102 insertions, 107 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 27774c99d888..06632762ba5f 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
384 | |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); | 384 | |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); |
385 | 385 | ||
386 | /* Unconditional return/END. */ | 386 | /* Unconditional return/END. */ |
387 | if ((e->target_offset == sizeof(struct arpt_entry) | 387 | if ((e->target_offset == sizeof(struct arpt_entry) && |
388 | && (strcmp(t->target.u.user.name, | 388 | (strcmp(t->target.u.user.name, |
389 | ARPT_STANDARD_TARGET) == 0) | 389 | ARPT_STANDARD_TARGET) == 0) && |
390 | && t->verdict < 0 | 390 | t->verdict < 0 && unconditional(&e->arp)) || |
391 | && unconditional(&e->arp)) || visited) { | 391 | visited) { |
392 | unsigned int oldpos, size; | 392 | unsigned int oldpos, size; |
393 | 393 | ||
394 | if ((strcmp(t->target.u.user.name, | 394 | if ((strcmp(t->target.u.user.name, |
@@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo, | |||
427 | int newpos = t->verdict; | 427 | int newpos = t->verdict; |
428 | 428 | ||
429 | if (strcmp(t->target.u.user.name, | 429 | if (strcmp(t->target.u.user.name, |
430 | ARPT_STANDARD_TARGET) == 0 | 430 | ARPT_STANDARD_TARGET) == 0 && |
431 | && newpos >= 0) { | 431 | newpos >= 0) { |
432 | if (newpos > newinfo->size - | 432 | if (newpos > newinfo->size - |
433 | sizeof(struct arpt_entry)) { | 433 | sizeof(struct arpt_entry)) { |
434 | duprintf("mark_source_chains: " | 434 | duprintf("mark_source_chains: " |
@@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
559 | { | 559 | { |
560 | unsigned int h; | 560 | unsigned int h; |
561 | 561 | ||
562 | if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 | 562 | if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || |
563 | || (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { | 563 | (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { |
564 | duprintf("Bad offset %p\n", e); | 564 | duprintf("Bad offset %p\n", e); |
565 | return -EINVAL; | 565 | return -EINVAL; |
566 | } | 566 | } |
@@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, | |||
1251 | int ret, off, h; | 1251 | int ret, off, h; |
1252 | 1252 | ||
1253 | duprintf("check_compat_entry_size_and_hooks %p\n", e); | 1253 | duprintf("check_compat_entry_size_and_hooks %p\n", e); |
1254 | if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 | 1254 | if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 || |
1255 | || (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { | 1255 | (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { |
1256 | duprintf("Bad offset %p, limit = %p\n", e, limit); | 1256 | duprintf("Bad offset %p, limit = %p\n", e, limit); |
1257 | return -EINVAL; | 1257 | return -EINVAL; |
1258 | } | 1258 | } |
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index 884f0859cb3b..49ad44712f46 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
@@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this, | |||
497 | { | 497 | { |
498 | struct netlink_notify *n = ptr; | 498 | struct netlink_notify *n = ptr; |
499 | 499 | ||
500 | if (event == NETLINK_URELEASE && | 500 | if (event == NETLINK_URELEASE && n->protocol == NETLINK_FIREWALL) { |
501 | n->protocol == NETLINK_FIREWALL && n->pid) { | ||
502 | write_lock_bh(&queue_lock); | 501 | write_lock_bh(&queue_lock); |
503 | if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid)) | 502 | if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid)) |
504 | __ipq_reset(); | 503 | __ipq_reset(); |
@@ -622,7 +621,7 @@ cleanup_netlink_notifier: | |||
622 | static void __exit ip_queue_fini(void) | 621 | static void __exit ip_queue_fini(void) |
623 | { | 622 | { |
624 | nf_unregister_queue_handlers(&nfqh); | 623 | nf_unregister_queue_handlers(&nfqh); |
625 | synchronize_net(); | 624 | |
626 | ipq_flush(NULL, 0); | 625 | ipq_flush(NULL, 0); |
627 | 626 | ||
628 | #ifdef CONFIG_SYSCTL | 627 | #ifdef CONFIG_SYSCTL |
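Review bot: Removing synchronize_net() between nf_unregister_queue_handlers() and ipq_flush(NULL, 0) in ip_queue_fini() is only safe if the unregister call itself waits out a grace period, so that no CPU can still be running the old queue handler and enqueueing onto the queue that is about to be flushed and torn down; nothing in this hunk establishes that. It looks like nf_unregister_queue_handlers() performs that wait internally in this tree — worth confirming — in which case the removal is correct, but the assumption should be recorded where the call is dropped, e.g. `/* nf_unregister_queue_handlers() waits an RCU grace period; no enqueue can race the flush below */`. The first hunk's removal of the `n->pid` test in ipq_rcv_nl_event() similarly relies on the netlink core never emitting NETLINK_URELEASE for an unbound (pid 0) socket; if peer_pid is 0 while no peer is bound, such an event would satisfy `n->pid == peer_pid` and reset the queue spuriously, so a one-line comment stating that guarantee would help there too. The remainder of ip_queue_fini() continues outside the hunk.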
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index cde755d5eeab..572330a552ef 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip, | |||
89 | #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) | 89 | #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) |
90 | 90 | ||
91 | if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, | 91 | if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, |
92 | IPT_INV_SRCIP) | 92 | IPT_INV_SRCIP) || |
93 | || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, | 93 | FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, |
94 | IPT_INV_DSTIP)) { | 94 | IPT_INV_DSTIP)) { |
95 | dprintf("Source or dest mismatch.\n"); | 95 | dprintf("Source or dest mismatch.\n"); |
96 | 96 | ||
97 | dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n", | 97 | dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n", |
@@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip, | |||
122 | } | 122 | } |
123 | 123 | ||
124 | /* Check specific protocol */ | 124 | /* Check specific protocol */ |
125 | if (ipinfo->proto | 125 | if (ipinfo->proto && |
126 | && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) { | 126 | FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) { |
127 | dprintf("Packet protocol %hi does not match %hi.%s\n", | 127 | dprintf("Packet protocol %hi does not match %hi.%s\n", |
128 | ip->protocol, ipinfo->proto, | 128 | ip->protocol, ipinfo->proto, |
129 | ipinfo->invflags&IPT_INV_PROTO ? " (INV)":""); | 129 | ipinfo->invflags&IPT_INV_PROTO ? " (INV)":""); |
@@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, | |||
246 | } else if (s == e) { | 246 | } else if (s == e) { |
247 | (*rulenum)++; | 247 | (*rulenum)++; |
248 | 248 | ||
249 | if (s->target_offset == sizeof(struct ipt_entry) | 249 | if (s->target_offset == sizeof(struct ipt_entry) && |
250 | && strcmp(t->target.u.kernel.target->name, | 250 | strcmp(t->target.u.kernel.target->name, |
251 | IPT_STANDARD_TARGET) == 0 | 251 | IPT_STANDARD_TARGET) == 0 && |
252 | && t->verdict < 0 | 252 | t->verdict < 0 && |
253 | && unconditional(&s->ip)) { | 253 | unconditional(&s->ip)) { |
254 | /* Tail of chains: STANDARD target (return/policy) */ | 254 | /* Tail of chains: STANDARD target (return/policy) */ |
255 | *comment = *chainname == hookname | 255 | *comment = *chainname == hookname |
256 | ? comments[NF_IP_TRACE_COMMENT_POLICY] | 256 | ? comments[NF_IP_TRACE_COMMENT_POLICY] |
@@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb, | |||
388 | back = get_entry(table_base, back->comefrom); | 388 | back = get_entry(table_base, back->comefrom); |
389 | continue; | 389 | continue; |
390 | } | 390 | } |
391 | if (table_base + v != ipt_next_entry(e) | 391 | if (table_base + v != ipt_next_entry(e) && |
392 | && !(e->ip.flags & IPT_F_GOTO)) { | 392 | !(e->ip.flags & IPT_F_GOTO)) { |
393 | /* Save old back ptr in next entry */ | 393 | /* Save old back ptr in next entry */ |
394 | struct ipt_entry *next = ipt_next_entry(e); | 394 | struct ipt_entry *next = ipt_next_entry(e); |
395 | next->comefrom = (void *)back - table_base; | 395 | next->comefrom = (void *)back - table_base; |
@@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
473 | e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); | 473 | e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); |
474 | 474 | ||
475 | /* Unconditional return/END. */ | 475 | /* Unconditional return/END. */ |
476 | if ((e->target_offset == sizeof(struct ipt_entry) | 476 | if ((e->target_offset == sizeof(struct ipt_entry) && |
477 | && (strcmp(t->target.u.user.name, | 477 | (strcmp(t->target.u.user.name, |
478 | IPT_STANDARD_TARGET) == 0) | 478 | IPT_STANDARD_TARGET) == 0) && |
479 | && t->verdict < 0 | 479 | t->verdict < 0 && unconditional(&e->ip)) || |
480 | && unconditional(&e->ip)) || visited) { | 480 | visited) { |
481 | unsigned int oldpos, size; | 481 | unsigned int oldpos, size; |
482 | 482 | ||
483 | if ((strcmp(t->target.u.user.name, | 483 | if ((strcmp(t->target.u.user.name, |
@@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
524 | int newpos = t->verdict; | 524 | int newpos = t->verdict; |
525 | 525 | ||
526 | if (strcmp(t->target.u.user.name, | 526 | if (strcmp(t->target.u.user.name, |
527 | IPT_STANDARD_TARGET) == 0 | 527 | IPT_STANDARD_TARGET) == 0 && |
528 | && newpos >= 0) { | 528 | newpos >= 0) { |
529 | if (newpos > newinfo->size - | 529 | if (newpos > newinfo->size - |
530 | sizeof(struct ipt_entry)) { | 530 | sizeof(struct ipt_entry)) { |
531 | duprintf("mark_source_chains: " | 531 | duprintf("mark_source_chains: " |
@@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
735 | { | 735 | { |
736 | unsigned int h; | 736 | unsigned int h; |
737 | 737 | ||
738 | if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 | 738 | if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || |
739 | || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { | 739 | (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { |
740 | duprintf("Bad offset %p\n", e); | 740 | duprintf("Bad offset %p\n", e); |
741 | return -EINVAL; | 741 | return -EINVAL; |
742 | } | 742 | } |
@@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, | |||
1548 | int ret, off, h; | 1548 | int ret, off, h; |
1549 | 1549 | ||
1550 | duprintf("check_compat_entry_size_and_hooks %p\n", e); | 1550 | duprintf("check_compat_entry_size_and_hooks %p\n", e); |
1551 | if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 | 1551 | if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 || |
1552 | || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { | 1552 | (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { |
1553 | duprintf("Bad offset %p, limit = %p\n", e, limit); | 1553 | duprintf("Bad offset %p, limit = %p\n", e, limit); |
1554 | return -EINVAL; | 1554 | return -EINVAL; |
1555 | } | 1555 | } |
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 2e4f98b85524..40ca2d240abb 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
@@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
303 | 303 | ||
304 | /* special case: ICMP error handling. conntrack distinguishes between | 304 | /* special case: ICMP error handling. conntrack distinguishes between |
305 | * error messages (RELATED) and information requests (see below) */ | 305 | * error messages (RELATED) and information requests (see below) */ |
306 | if (ip_hdr(skb)->protocol == IPPROTO_ICMP | 306 | if (ip_hdr(skb)->protocol == IPPROTO_ICMP && |
307 | && (ctinfo == IP_CT_RELATED | 307 | (ctinfo == IP_CT_RELATED || |
308 | || ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY)) | 308 | ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)) |
309 | return XT_CONTINUE; | 309 | return XT_CONTINUE; |
310 | 310 | ||
311 | /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, | 311 | /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, |
@@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par) | |||
362 | return false; | 362 | return false; |
363 | 363 | ||
364 | } | 364 | } |
365 | if (e->ip.dmsk.s_addr != htonl(0xffffffff) | 365 | if (e->ip.dmsk.s_addr != htonl(0xffffffff) || |
366 | || e->ip.dst.s_addr == 0) { | 366 | e->ip.dst.s_addr == 0) { |
367 | printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); | 367 | printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); |
368 | return false; | 368 | return false; |
369 | } | 369 | } |
@@ -495,14 +495,14 @@ arp_mangle(unsigned int hook, | |||
495 | struct clusterip_config *c; | 495 | struct clusterip_config *c; |
496 | 496 | ||
497 | /* we don't care about non-ethernet and non-ipv4 ARP */ | 497 | /* we don't care about non-ethernet and non-ipv4 ARP */ |
498 | if (arp->ar_hrd != htons(ARPHRD_ETHER) | 498 | if (arp->ar_hrd != htons(ARPHRD_ETHER) || |
499 | || arp->ar_pro != htons(ETH_P_IP) | 499 | arp->ar_pro != htons(ETH_P_IP) || |
500 | || arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN) | 500 | arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN) |
501 | return NF_ACCEPT; | 501 | return NF_ACCEPT; |
502 | 502 | ||
503 | /* we only want to mangle arp requests and replies */ | 503 | /* we only want to mangle arp requests and replies */ |
504 | if (arp->ar_op != htons(ARPOP_REPLY) | 504 | if (arp->ar_op != htons(ARPOP_REPLY) && |
505 | && arp->ar_op != htons(ARPOP_REQUEST)) | 505 | arp->ar_op != htons(ARPOP_REQUEST)) |
506 | return NF_ACCEPT; | 506 | return NF_ACCEPT; |
507 | 507 | ||
508 | payload = (void *)(arp+1); | 508 | payload = (void *)(arp+1); |
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c index f7e2fa0974dc..549e206cdd42 100644 --- a/net/ipv4/netfilter/ipt_ECN.c +++ b/net/ipv4/netfilter/ipt_ECN.c | |||
@@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
85 | if (!set_ect_ip(skb, einfo)) | 85 | if (!set_ect_ip(skb, einfo)) |
86 | return NF_DROP; | 86 | return NF_DROP; |
87 | 87 | ||
88 | if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) | 88 | if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) && |
89 | && ip_hdr(skb)->protocol == IPPROTO_TCP) | 89 | ip_hdr(skb)->protocol == IPPROTO_TCP) |
90 | if (!set_ect_tcp(skb, einfo)) | 90 | if (!set_ect_tcp(skb, einfo)) |
91 | return NF_DROP; | 91 | return NF_DROP; |
92 | 92 | ||
@@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par) | |||
108 | einfo->ip_ect); | 108 | einfo->ip_ect); |
109 | return false; | 109 | return false; |
110 | } | 110 | } |
111 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) | 111 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && |
112 | && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { | 112 | (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { |
113 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " | 113 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " |
114 | "non-tcp rule\n"); | 114 | "non-tcp rule\n"); |
115 | return false; | 115 | return false; |
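Review bot: Line 88 leaves `einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&` unparenthesized while line 111 in the second hunk writes the same test as `(einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&`; precedence is correct either way since `&` binds tighter than `&&`, but both lines are being rewritten here and should agree on the explicit form, which is the one that reads unambiguously. The same unparenthesized pattern appears at ipt_ecn.c line 99 in this series. While line 88 is touched, bracing the outer `if` would also remove the nested unbraced `if (!set_ect_tcp(skb, einfo))`, e.g. `if ((einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)) &&` / `    ip_hdr(skb)->protocol == IPPROTO_TCP) {` with a matching `}` after the `return NF_DROP;`. ecn_tg() and ecn_tg_check() both continue outside their hunks.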
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index acc44c69eb68..ee128efa1c8d 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c | |||
@@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info, | |||
74 | if (ntohs(ih->frag_off) & IP_OFFSET) | 74 | if (ntohs(ih->frag_off) & IP_OFFSET) |
75 | printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); | 75 | printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); |
76 | 76 | ||
77 | if ((logflags & IPT_LOG_IPOPT) | 77 | if ((logflags & IPT_LOG_IPOPT) && |
78 | && ih->ihl * 4 > sizeof(struct iphdr)) { | 78 | ih->ihl * 4 > sizeof(struct iphdr)) { |
79 | const unsigned char *op; | 79 | const unsigned char *op; |
80 | unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; | 80 | unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; |
81 | unsigned int i, optsize; | 81 | unsigned int i, optsize; |
@@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info, | |||
146 | /* Max length: 11 "URGP=65535 " */ | 146 | /* Max length: 11 "URGP=65535 " */ |
147 | printk("URGP=%u ", ntohs(th->urg_ptr)); | 147 | printk("URGP=%u ", ntohs(th->urg_ptr)); |
148 | 148 | ||
149 | if ((logflags & IPT_LOG_TCPOPT) | 149 | if ((logflags & IPT_LOG_TCPOPT) && |
150 | && th->doff * 4 > sizeof(struct tcphdr)) { | 150 | th->doff * 4 > sizeof(struct tcphdr)) { |
151 | unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; | 151 | unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; |
152 | const unsigned char *op; | 152 | const unsigned char *op; |
153 | unsigned int i, optsize; | 153 | unsigned int i, optsize; |
@@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info, | |||
238 | printk("TYPE=%u CODE=%u ", ich->type, ich->code); | 238 | printk("TYPE=%u CODE=%u ", ich->type, ich->code); |
239 | 239 | ||
240 | /* Max length: 25 "INCOMPLETE [65535 bytes] " */ | 240 | /* Max length: 25 "INCOMPLETE [65535 bytes] " */ |
241 | if (ich->type <= NR_ICMP_TYPES | 241 | if (ich->type <= NR_ICMP_TYPES && |
242 | && required_len[ich->type] | 242 | required_len[ich->type] && |
243 | && skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { | 243 | skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { |
244 | printk("INCOMPLETE [%u bytes] ", | 244 | printk("INCOMPLETE [%u bytes] ", |
245 | skb->len - iphoff - ih->ihl*4); | 245 | skb->len - iphoff - ih->ihl*4); |
246 | break; | 246 | break; |
@@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info, | |||
276 | } | 276 | } |
277 | 277 | ||
278 | /* Max length: 10 "MTU=65535 " */ | 278 | /* Max length: 10 "MTU=65535 " */ |
279 | if (ich->type == ICMP_DEST_UNREACH | 279 | if (ich->type == ICMP_DEST_UNREACH && |
280 | && ich->code == ICMP_FRAG_NEEDED) | 280 | ich->code == ICMP_FRAG_NEEDED) |
281 | printk("MTU=%u ", ntohs(ich->un.frag.mtu)); | 281 | printk("MTU=%u ", ntohs(ich->un.frag.mtu)); |
282 | } | 282 | } |
283 | break; | 283 | break; |
@@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf, | |||
407 | if (in && !out) { | 407 | if (in && !out) { |
408 | /* MAC logging for input chain only. */ | 408 | /* MAC logging for input chain only. */ |
409 | printk("MAC="); | 409 | printk("MAC="); |
410 | if (skb->dev && skb->dev->hard_header_len | 410 | if (skb->dev && skb->dev->hard_header_len && |
411 | && skb->mac_header != skb->network_header) { | 411 | skb->mac_header != skb->network_header) { |
412 | int i; | 412 | int i; |
413 | const unsigned char *p = skb_mac_header(skb); | 413 | const unsigned char *p = skb_mac_header(skb); |
414 | for (i = 0; i < skb->dev->hard_header_len; i++,p++) | 414 | for (i = 0; i < skb->dev->hard_header_len; i++,p++) |
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index dada0863946d..650b54042b01 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c | |||
@@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
59 | ct = nf_ct_get(skb, &ctinfo); | 59 | ct = nf_ct_get(skb, &ctinfo); |
60 | nat = nfct_nat(ct); | 60 | nat = nfct_nat(ct); |
61 | 61 | ||
62 | NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED | 62 | NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || |
63 | || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); | 63 | ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); |
64 | 64 | ||
65 | /* Source address is 0.0.0.0 - locally generated packet that is | 65 | /* Source address is 0.0.0.0 - locally generated packet that is |
66 | * probably not supposed to be masqueraded. | 66 | * probably not supposed to be masqueraded. |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index c93ae44bff2a..5113b8f1a379 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
@@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par) | |||
184 | return false; | 184 | return false; |
185 | } else if (rejinfo->with == IPT_TCP_RESET) { | 185 | } else if (rejinfo->with == IPT_TCP_RESET) { |
186 | /* Must specify that it's a TCP packet */ | 186 | /* Must specify that it's a TCP packet */ |
187 | if (e->ip.proto != IPPROTO_TCP | 187 | if (e->ip.proto != IPPROTO_TCP || |
188 | || (e->ip.invflags & XT_INV_PROTO)) { | 188 | (e->ip.invflags & XT_INV_PROTO)) { |
189 | printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n"); | 189 | printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n"); |
190 | return false; | 190 | return false; |
191 | } | 191 | } |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index d32cc4bb328a..399061c3fd7d 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum, | |||
226 | else | 226 | else |
227 | *(pm->prefix) = '\0'; | 227 | *(pm->prefix) = '\0'; |
228 | 228 | ||
229 | if (in && in->hard_header_len > 0 | 229 | if (in && in->hard_header_len > 0 && |
230 | && skb->mac_header != skb->network_header | 230 | skb->mac_header != skb->network_header && |
231 | && in->hard_header_len <= ULOG_MAC_LEN) { | 231 | in->hard_header_len <= ULOG_MAC_LEN) { |
232 | memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len); | 232 | memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len); |
233 | pm->mac_len = in->hard_header_len; | 233 | pm->mac_len = in->hard_header_len; |
234 | } else | 234 | } else |
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index 6289b64144c6..2a1e56b71908 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
@@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par) | |||
96 | if (info->invert & IPT_ECN_OP_MATCH_MASK) | 96 | if (info->invert & IPT_ECN_OP_MATCH_MASK) |
97 | return false; | 97 | return false; |
98 | 98 | ||
99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) | 99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && |
100 | && ip->proto != IPPROTO_TCP) { | 100 | ip->proto != IPPROTO_TCP) { |
101 | printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" | 101 | printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" |
102 | " non-tcp packets\n"); | 102 | " non-tcp packets\n"); |
103 | return false; | 103 | return false; |
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 036047f9b0f2..fae78c3076c4 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
@@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook, | |||
130 | u_int32_t mark; | 130 | u_int32_t mark; |
131 | 131 | ||
132 | /* root is playing with raw sockets. */ | 132 | /* root is playing with raw sockets. */ |
133 | if (skb->len < sizeof(struct iphdr) | 133 | if (skb->len < sizeof(struct iphdr) || |
134 | || ip_hdrlen(skb) < sizeof(struct iphdr)) | 134 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
135 | return NF_ACCEPT; | 135 | return NF_ACCEPT; |
136 | 136 | ||
137 | /* Save things which could affect route */ | 137 | /* Save things which could affect route */ |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 99eb76c65d25..3bd3d6388da5 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
@@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook, | |||
94 | int (*okfn)(struct sk_buff *)) | 94 | int (*okfn)(struct sk_buff *)) |
95 | { | 95 | { |
96 | /* Somebody is playing with raw sockets. */ | 96 | /* Somebody is playing with raw sockets. */ |
97 | if (skb->len < sizeof(struct iphdr) | 97 | if (skb->len < sizeof(struct iphdr) || |
98 | || ip_hdrlen(skb) < sizeof(struct iphdr)) | 98 | ip_hdrlen(skb) < sizeof(struct iphdr)) |
99 | return NF_ACCEPT; | 99 | return NF_ACCEPT; |
100 | return ipt_do_table(skb, hook, in, out, | 100 | return ipt_do_table(skb, hook, in, out, |
101 | dev_net(out)->ipv4.iptable_security); | 101 | dev_net(out)->ipv4.iptable_security); |
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index d71ba7677344..e3dd93623df8 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
@@ -54,8 +54,8 @@ static const u_int8_t invmap[] = { | |||
54 | static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple, | 54 | static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple, |
55 | const struct nf_conntrack_tuple *orig) | 55 | const struct nf_conntrack_tuple *orig) |
56 | { | 56 | { |
57 | if (orig->dst.u.icmp.type >= sizeof(invmap) | 57 | if (orig->dst.u.icmp.type >= sizeof(invmap) || |
58 | || !invmap[orig->dst.u.icmp.type]) | 58 | !invmap[orig->dst.u.icmp.type]) |
59 | return false; | 59 | return false; |
60 | 60 | ||
61 | tuple->src.u.icmp.id = orig->src.u.icmp.id; | 61 | tuple->src.u.icmp.id = orig->src.u.icmp.id; |
@@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
101 | [ICMP_ADDRESS] = 1 | 101 | [ICMP_ADDRESS] = 1 |
102 | }; | 102 | }; |
103 | 103 | ||
104 | if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) | 104 | if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) || |
105 | || !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) { | 105 | !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) { |
106 | /* Can't create a new ICMP `conn' with this. */ | 106 | /* Can't create a new ICMP `conn' with this. */ |
107 | pr_debug("icmp: can't create new conn with type %u\n", | 107 | pr_debug("icmp: can't create new conn with type %u\n", |
108 | ct->tuplehash[0].tuple.dst.u.icmp.type); | 108 | ct->tuplehash[0].tuple.dst.u.icmp.type); |
@@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
201 | } | 201 | } |
202 | 202 | ||
203 | /* Need to track icmp error message? */ | 203 | /* Need to track icmp error message? */ |
204 | if (icmph->type != ICMP_DEST_UNREACH | 204 | if (icmph->type != ICMP_DEST_UNREACH && |
205 | && icmph->type != ICMP_SOURCE_QUENCH | 205 | icmph->type != ICMP_SOURCE_QUENCH && |
206 | && icmph->type != ICMP_TIME_EXCEEDED | 206 | icmph->type != ICMP_TIME_EXCEEDED && |
207 | && icmph->type != ICMP_PARAMETERPROB | 207 | icmph->type != ICMP_PARAMETERPROB && |
208 | && icmph->type != ICMP_REDIRECT) | 208 | icmph->type != ICMP_REDIRECT) |
209 | return NF_ACCEPT; | 209 | return NF_ACCEPT; |
210 | 210 | ||
211 | return icmp_error_message(net, skb, ctinfo, hooknum); | 211 | return icmp_error_message(net, skb, ctinfo, hooknum); |
@@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = { | |||
238 | static int icmp_nlattr_to_tuple(struct nlattr *tb[], | 238 | static int icmp_nlattr_to_tuple(struct nlattr *tb[], |
239 | struct nf_conntrack_tuple *tuple) | 239 | struct nf_conntrack_tuple *tuple) |
240 | { | 240 | { |
241 | if (!tb[CTA_PROTO_ICMP_TYPE] | 241 | if (!tb[CTA_PROTO_ICMP_TYPE] || |
242 | || !tb[CTA_PROTO_ICMP_CODE] | 242 | !tb[CTA_PROTO_ICMP_CODE] || |
243 | || !tb[CTA_PROTO_ICMP_ID]) | 243 | !tb[CTA_PROTO_ICMP_ID]) |
244 | return -EINVAL; | 244 | return -EINVAL; |
245 | 245 | ||
246 | tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]); | 246 | tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]); |
247 | tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]); | 247 | tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]); |
248 | tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]); | 248 | tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]); |
249 | 249 | ||
250 | if (tuple->dst.u.icmp.type >= sizeof(invmap) | 250 | if (tuple->dst.u.icmp.type >= sizeof(invmap) || |
251 | || !invmap[tuple->dst.u.icmp.type]) | 251 | !invmap[tuple->dst.u.icmp.type]) |
252 | return -EINVAL; | 252 | return -EINVAL; |
253 | 253 | ||
254 | return 0; | 254 | return 0; |
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c index f9520fa3aba9..7f10a6be0191 100644 --- a/net/ipv4/netfilter/nf_nat_helper.c +++ b/net/ipv4/netfilter/nf_nat_helper.c | |||
@@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq, | |||
41 | struct nf_conn *ct, | 41 | struct nf_conn *ct, |
42 | enum ip_conntrack_info ctinfo) | 42 | enum ip_conntrack_info ctinfo) |
43 | { | 43 | { |
44 | int dir; | 44 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
45 | struct nf_nat_seq *this_way, *other_way; | ||
46 | struct nf_conn_nat *nat = nfct_nat(ct); | 45 | struct nf_conn_nat *nat = nfct_nat(ct); |
46 | struct nf_nat_seq *this_way = &nat->seq[dir]; | ||
47 | 47 | ||
48 | pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", seq, seq); | 48 | pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", |
49 | 49 | seq, sizediff); | |
50 | dir = CTINFO2DIR(ctinfo); | ||
51 | |||
52 | this_way = &nat->seq[dir]; | ||
53 | other_way = &nat->seq[!dir]; | ||
54 | 50 | ||
55 | pr_debug("nf_nat_resize_packet: Seq_offset before: "); | 51 | pr_debug("adjust_tcp_sequence: Seq_offset before: "); |
56 | DUMP_OFFSET(this_way); | 52 | DUMP_OFFSET(this_way); |
57 | 53 | ||
58 | spin_lock_bh(&nf_nat_seqofs_lock); | 54 | spin_lock_bh(&nf_nat_seqofs_lock); |
@@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq, | |||
63 | * retransmit */ | 59 | * retransmit */ |
64 | if (this_way->offset_before == this_way->offset_after || | 60 | if (this_way->offset_before == this_way->offset_after || |
65 | before(this_way->correction_pos, seq)) { | 61 | before(this_way->correction_pos, seq)) { |
66 | this_way->correction_pos = seq; | 62 | this_way->correction_pos = seq; |
67 | this_way->offset_before = this_way->offset_after; | 63 | this_way->offset_before = this_way->offset_after; |
68 | this_way->offset_after += sizediff; | 64 | this_way->offset_after += sizediff; |
69 | } | 65 | } |
70 | spin_unlock_bh(&nf_nat_seqofs_lock); | 66 | spin_unlock_bh(&nf_nat_seqofs_lock); |
71 | 67 | ||
72 | pr_debug("nf_nat_resize_packet: Seq_offset after: "); | 68 | pr_debug("adjust_tcp_sequence: Seq_offset after: "); |
73 | DUMP_OFFSET(this_way); | 69 | DUMP_OFFSET(this_way); |
74 | } | 70 | } |
75 | 71 | ||
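Review bot: The pr_debug() at new lines 48-49 now prints `sizediff` where the old code passed `seq` for both conversions, which is a functional fix to the debug output rather than the operator reflow the rest of this change consists of; it deserves an explicit mention in the commit description so it is not lost among cosmetic hunks (the description is not visible from here, so this may already be covered). The prefix strings at lines 51 and 68 also change from `nf_nat_resize_packet:` to `adjust_tcp_sequence:`, which anyone matching on the old debug text will want to know about. Dropping the unused `other_way` and typing `dir` as `enum ip_conntrack_dir` are straightforward. adjust_tcp_sequence()'s parameter list begins above the first hunk.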
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 5f41d017ddd8..5678e9562c15 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum, | |||
197 | (ct = nf_ct_get(skb, &ctinfo)) != NULL) { | 197 | (ct = nf_ct_get(skb, &ctinfo)) != NULL) { |
198 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); | 198 | enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); |
199 | 199 | ||
200 | if (ct->tuplehash[dir].tuple.src.u3.ip != | 200 | if ((ct->tuplehash[dir].tuple.src.u3.ip != |
201 | ct->tuplehash[!dir].tuple.dst.u3.ip | 201 | ct->tuplehash[!dir].tuple.dst.u3.ip) || |
202 | || ct->tuplehash[dir].tuple.src.u.all != | 202 | (ct->tuplehash[dir].tuple.src.u.all != |
203 | ct->tuplehash[!dir].tuple.dst.u.all | 203 | ct->tuplehash[!dir].tuple.dst.u.all) |
204 | ) | 204 | ) |
205 | return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP; | 205 | return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP; |
206 | } | 206 | } |
207 | #endif | 207 | #endif |
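Review bot: The closing parenthesis of the condition is still left alone on line 204 after the reflow, which is the trailing-operator style this series is otherwise cleaning up; fold it onto the previous line as `ct->tuplehash[!dir].tuple.dst.u.all))` and drop line 204. The added grouping parentheses around each `!=` comparison are harmless but not needed, since `!=` already binds tighter than `||`; either keep them for both comparisons or drop both, as is done now. The enclosing nf_nat_out() body begins and ends outside the hunk.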