Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 27 | ||||
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 6 | ||||
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 6 |
3 files changed, 17 insertions, 22 deletions
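--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -89,25 +89,6 @@ ip6t_ext_hdr(u8 nexthdr)
 (nexthdr == IPPROTO_DSTOPTS) );
 }
 
-static unsigned long ifname_compare(const char *_a, const char *_b,
-const unsigned char *_mask)
-{
-const unsigned long *a = (const unsigned long *)_a;
-const unsigned long *b = (const unsigned long *)_b;
-const unsigned long *mask = (const unsigned long *)_mask;
-unsigned long ret;
-
-ret = (a[0] ^ b[0]) & mask[0];
-if (IFNAMSIZ > sizeof(unsigned long))
-ret |= (a[1] ^ b[1]) & mask[1];
-if (IFNAMSIZ > 2 * sizeof(unsigned long))
-ret |= (a[2] ^ b[2]) & mask[2];
-if (IFNAMSIZ > 3 * sizeof(unsigned long))
-ret |= (a[3] ^ b[3]) & mask[3];
-BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
-return ret;
-}
-
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -138,7 +119,7 @@ ip6_packet_match(const struct sk_buff *skb,
 return false;
 }
 
-ret = ifname_compare(indev, ip6info->iniface, ip6info->iniface_mask);
+ret = ifname_compare_aligned(indev, ip6info->iniface, ip6info->iniface_mask);
 
 if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
 dprintf("VIA in mismatch (%s vs %s).%s\n",
@@ -147,7 +128,7 @@ ip6_packet_match(const struct sk_buff *skb,
 return false;
 }
 
-ret = ifname_compare(outdev, ip6info->outiface, ip6info->outiface_mask);
+ret = ifname_compare_aligned(outdev, ip6info->outiface, ip6info->outiface_mask);
 
 if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
 dprintf("VIA out mismatch (%s vs %s).%s\n",
@@ -536,7 +517,9 @@ mark_source_chains(struct xt_table_info *newinfo,
 && unconditional(&e->ipv6)) || visited) {
 unsigned int oldpos, size;
 
-if (t->verdict < -NF_MAX_VERDICT - 1) {
+if ((strcmp(t->target.u.user.name,
+IP6T_STANDARD_TARGET) == 0) &&
+t->verdict < -NF_MAX_VERDICT - 1) {
 duprintf("mark_source_chains: bad "
 "negative verdict (%i)\n",
 t->verdict);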
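Review bot: The name check added in front of `t->verdict < -NF_MAX_VERDICT - 1` in mark_source_chains needs a comment saying why the verdict is validated only for IP6T_STANDARD_TARGET, because without it the guard looks redundant and is easy to drop in a later cleanup. Something like `/* verdict is only meaningful for the standard target; skip the range check otherwise */` above the `if` would do; presumably the field overlays target-private data for other targets, which should be confirmed against the struct definition. As the entries being walked belong to a table that is being loaded, it is also worth confirming outside this hunk that the target's size was checked to cover a verdict field before this read. The function body starts and ends outside the hunk.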
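--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -342,6 +342,11 @@ static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
 
 return 0;
 }
+
+static int ipv6_nlattr_tuple_size(void)
+{
+return nla_policy_len(ipv6_nla_policy, CTA_IP_MAX + 1);
+}
 #endif
 
 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
@@ -353,6 +358,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
 .get_l4proto = ipv6_get_l4proto,
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 .tuple_to_nlattr = ipv6_tuple_to_nlattr,
+.nlattr_tuple_size = ipv6_nlattr_tuple_size,
 .nlattr_to_tuple = ipv6_nlattr_to_tuple,
 .nla_policy = ipv6_nla_policy,
 #endif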
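Review bot: ipv6_nlattr_tuple_size() has no comment stating what the returned length covers or who relies on it, and the same holds for icmpv6_nlattr_tuple_size() in nf_conntrack_proto_icmpv6.c. If callers use the value to size netlink buffers (not visible here), an attribute added to the tuple without a matching policy entry would make the estimate too small, so the dependency deserves a line such as `/* attribute space needed for the tuple, derived from ipv6_nla_policy; keep the policy in sync with ipv6_tuple_to_nlattr() */`. The count `CTA_IP_MAX + 1` is assumed to match the declared size of ipv6_nla_policy, whose declaration is outside the hunk.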
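--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -269,6 +269,11 @@ static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
 
 return 0;
 }
+
+static int icmpv6_nlattr_tuple_size(void)
+{
+return nla_policy_len(icmpv6_nla_policy, CTA_PROTO_MAX + 1);
+}
 #endif
 
 #ifdef CONFIG_SYSCTL
@@ -300,6 +305,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
 .error = icmpv6_error,
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 .tuple_to_nlattr = icmpv6_tuple_to_nlattr,
+.nlattr_tuple_size = icmpv6_nlattr_tuple_size,
 .nlattr_to_tuple = icmpv6_nlattr_to_tuple,
 .nla_policy = icmpv6_nla_policy,
 #endif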