Diffstat (limited to 'net')
137 files changed, 1911 insertions, 2045 deletions
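--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -17,6 +17,7 @@
 #include <linux/etherdevice.h>
 #include <linux/ethtool.h>
 #include <linux/list.h>
+#include <linux/netfilter_bridge.h>
 
 #include <asm/uaccess.h>
 #include "br_private.h"
@@ -30,6 +31,13 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 struct net_bridge_mdb_entry *mdst;
 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
+br_nf_pre_routing_finish_bridge_slow(skb);
+return NETDEV_TX_OK;
+}
+#endif
+
 brstats->tx_packets++;
 brstats->tx_bytes += skb->len;
 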
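Review bot: The early `return NETDEV_TX_OK` in the new CONFIG_BRIDGE_NETFILTER block (new lines 34-39) runs before the `brstats->tx_packets++` / `brstats->tx_bytes += skb->len` updates on new lines 41-42, so frames taking the bridged-DNAT path are not counted in the bridge device's TX statistics. If that is intended, a comment such as `/* bridged-DNAT frames are handed back to the bridge here, not transmitted; deliberately not counted as TX */` would stop the next reader from "fixing" it; if not, the two statistics lines should move above the block. br_nf_pre_routing_finish_bridge_slow is not declared in this hunk; presumably it comes from the newly included netfilter_bridge.h or br_private.h, which is worth confirming. br_dev_xmit continues past the end of the hunk.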
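--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -45,7 +45,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
 kfree_skb(skb);
 else {
-/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
+/* ip_fragment doesn't copy the MAC header */
 if (nf_bridge_maybe_copy_header(skb))
 kfree_skb(skb);
 else {
@@ -66,7 +66,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
 
 int br_forward_finish(struct sk_buff *skb)
 {
-return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
+return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
 br_dev_queue_push_xmit);
 
 }
@@ -84,8 +84,8 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
 }
 #endif
 skb->dev = to->dev;
-NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
 br_forward_finish);
 #ifdef CONFIG_NET_POLL_CONTROLLER
 if (skb->dev->npinfo)
 skb->dev->npinfo->netpoll->dev = br->dev;
@@ -105,8 +105,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
 skb->dev = to->dev;
 skb_forward_csum(skb);
 
-NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
 br_forward_finish);
 }
 
 /* called with rcu_read_lock */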
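--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -33,7 +33,7 @@ static int br_pass_frame_up(struct sk_buff *skb)
 indev = skb->dev;
 skb->dev = brdev;
 
-return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
+return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
 netif_receive_skb);
 }
 
@@ -156,7 +156,7 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
 goto forward;
 
-if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
+if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
 NULL, br_handle_local_finish))
 return NULL; /* frame consumed by filter */
 else
@@ -177,7 +177,7 @@ forward:
 if (!compare_ether_addr(p->br->dev->dev_addr, dest))
 skb->pkt_type = PACKET_HOST;
 
-NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 br_handle_frame_finish);
 break;
 default: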
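--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -814,7 +814,7 @@ static void __br_multicast_send_query(struct net_bridge *br,
 if (port) {
 __skb_push(skb, sizeof(struct ethhdr));
 skb->dev = port->dev;
-NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
 dev_queue_xmit);
 } else
 netif_rx(skb);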
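--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -3,15 +3,8 @@
 * Linux ethernet bridge
 *
 * Authors:
 * Lennert Buytenhek <buytenh@gnu.org>
-* Bart De Schuymer (maintainer) <bdschuym@pandora.be>
-*
-* Changes:
-* Apr 29 2003: physdev module support (bdschuym)
-* Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
-* Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
-* (bdschuym)
-* Sep 01 2004: add IPv6 filtering (bdschuym)
+* Bart De Schuymer <bdschuym@pandora.be>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@@ -204,15 +197,24 @@ static inline void nf_bridge_save_header(struct sk_buff *skb)
 skb->nf_bridge->data, header_size);
 }
 
-/*
-* When forwarding bridge frames, we save a copy of the original
-* header before processing.
+static inline void nf_bridge_update_protocol(struct sk_buff *skb)
+{
+if (skb->nf_bridge->mask & BRNF_8021Q)
+skb->protocol = htons(ETH_P_8021Q);
+else if (skb->nf_bridge->mask & BRNF_PPPoE)
+skb->protocol = htons(ETH_P_PPP_SES);
+}
+
+/* Fill in the header for fragmented IP packets handled by
+* the IPv4 connection tracking code.
 */
 int nf_bridge_copy_header(struct sk_buff *skb)
 {
 int err;
-int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
+unsigned int header_size;
 
+nf_bridge_update_protocol(skb);
+header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
 err = skb_cow_head(skb, header_size);
 if (err)
 return err;
@@ -246,27 +248,48 @@ static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
 skb_dst_set(skb, &rt->u.dst);
 
 skb->dev = nf_bridge->physindev;
+nf_bridge_update_protocol(skb);
 nf_bridge_push_encap_header(skb);
-NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 br_handle_frame_finish, 1);
 
 return 0;
 }
 
-static void __br_dnat_complain(void)
+/* Obtain the correct destination MAC address, while preserving the original
+* source MAC address. If we already know this address, we just copy it. If we
+* don't, we use the neighbour framework to find out. In both cases, we make
+* sure that br_handle_frame_finish() is called afterwards.
+*/
+static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
 {
-static unsigned long last_complaint;
+struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+struct dst_entry *dst;
 
-if (jiffies - last_complaint >= 5 * HZ) {
-printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
-"forwarding to be enabled\n");
-last_complaint = jiffies;
+skb->dev = bridge_parent(skb->dev);
+if (!skb->dev)
+goto free_skb;
+dst = skb_dst(skb);
+if (dst->hh) {
+neigh_hh_bridge(dst->hh, skb);
+skb->dev = nf_bridge->physindev;
+return br_handle_frame_finish(skb);
+} else if (dst->neighbour) {
+/* the neighbour function below overwrites the complete
+* MAC header, so we save the Ethernet source address and
+* protocol number. */
+skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
+/* tell br_dev_xmit to continue with forwarding */
+nf_bridge->mask |= BRNF_BRIDGED_DNAT;
+return dst->neighbour->output(skb);
 }
+free_skb:
+kfree_skb(skb);
+return 0;
 }
 
 /* This requires some explaining. If DNAT has taken place,
-* we will need to fix up the destination Ethernet address,
-* and this is a tricky process.
+* we will need to fix up the destination Ethernet address.
 *
 * There are two cases to consider:
 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -280,62 +303,29 @@ static void __br_dnat_complain(void)
 * call ip_route_input() and to look at skb->dst->dev, which is
 * changed to the destination device if ip_route_input() succeeds.
 *
-* Let us first consider the case that ip_route_input() succeeds:
-*
-* If skb->dst->dev equals the logical bridge device the packet
-* came in on, we can consider this bridging. The packet is passed
-* through the neighbour output function to build a new destination
-* MAC address, which will make the packet enter br_nf_local_out()
-* not much later. In that function it is assured that the iptables
-* FORWARD chain is traversed for the packet.
+* Let's first consider the case that ip_route_input() succeeds:
 *
+* If the output device equals the logical bridge device the packet
+* came in on, we can consider this bridging. The corresponding MAC
+* address will be obtained in br_nf_pre_routing_finish_bridge.
 * Otherwise, the packet is considered to be routed and we just
 * change the destination MAC address so that the packet will
 * later be passed up to the IP stack to be routed. For a redirected
 * packet, ip_route_input() will give back the localhost as output device,
 * which differs from the bridge device.
 *
-* Let us now consider the case that ip_route_input() fails:
+* Let's now consider the case that ip_route_input() fails:
 *
 * This can be because the destination address is martian, in which case
 * the packet will be dropped.
-* After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
-* will fail, while __ip_route_output_key() will return success. The source
-* address for __ip_route_output_key() is set to zero, so __ip_route_output_key
+* If IP forwarding is disabled, ip_route_input() will fail, while
+* ip_route_output_key() can return success. The source
+* address for ip_route_output_key() is set to zero, so ip_route_output_key()
 * thinks we're handling a locally generated packet and won't care
-* if IP forwarding is allowed. We send a warning message to the users's
-* log telling her to put IP forwarding on.
-*
-* ip_route_input() will also fail if there is no route available.
-* In that case we just drop the packet.
-*
-* --Lennert, 20020411
-* --Bart, 20020416 (updated)
-* --Bart, 20021007 (updated)
-* --Bart, 20062711 (updated) */
-static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
-{
-if (skb->pkt_type == PACKET_OTHERHOST) {
-skb->pkt_type = PACKET_HOST;
-skb->nf_bridge->mask |= BRNF_PKT_TYPE;
-}
-skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
-
-skb->dev = bridge_parent(skb->dev);
-if (skb->dev) {
-struct dst_entry *dst = skb_dst(skb);
-
-nf_bridge_pull_encap_header(skb);
-
-if (dst->hh)
-return neigh_hh_output(dst->hh, skb);
-else if (dst->neighbour)
-return dst->neighbour->output(skb);
-}
-kfree_skb(skb);
-return 0;
-}
-
+* if IP forwarding is enabled. If the output device equals the logical bridge
+* device, we proceed as if ip_route_input() succeeded. If it differs from the
+* logical bridge port or if ip_route_output_key() fails we drop the packet.
+*/
 static int br_nf_pre_routing_finish(struct sk_buff *skb)
 {
 struct net_device *dev = skb->dev;
@@ -379,11 +369,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
 skb_dst_set(skb, (struct dst_entry *)rt);
 goto bridged_dnat;
 }
-/* we are sure that forwarding is disabled, so printing
-* this message is no problem. Note that the packet could
-* still have a martian destination address, in which case
-* the packet could be dropped even if forwarding were enabled */
-__br_dnat_complain();
 dst_release((struct dst_entry *)rt);
 }
 free_skb:
@@ -392,12 +377,11 @@ free_skb:
 } else {
 if (skb_dst(skb)->dev == dev) {
 bridged_dnat:
-/* Tell br_nf_local_out this is a
-* bridged frame */
-nf_bridge->mask |= BRNF_BRIDGED_DNAT;
 skb->dev = nf_bridge->physindev;
+nf_bridge_update_protocol(skb);
 nf_bridge_push_encap_header(skb);
-NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
+NF_HOOK_THRESH(NFPROTO_BRIDGE,
+NF_BR_PRE_ROUTING,
 skb, skb->dev, NULL,
 br_nf_pre_routing_finish_bridge,
 1);
@@ -417,8 +401,9 @@ bridged_dnat:
 }
 
 skb->dev = nf_bridge->physindev;
+nf_bridge_update_protocol(skb);
 nf_bridge_push_encap_header(skb);
-NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
 br_handle_frame_finish, 1);
 
 return 0;
@@ -437,6 +422,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
 nf_bridge->physindev = skb->dev;
 skb->dev = bridge_parent(skb->dev);
+if (skb->protocol == htons(ETH_P_8021Q))
+nf_bridge->mask |= BRNF_8021Q;
+else if (skb->protocol == htons(ETH_P_PPP_SES))
+nf_bridge->mask |= BRNF_PPPoE;
 
 return skb->dev;
 }
@@ -535,7 +524,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
 if (!setup_pre_routing(skb))
 return NF_DROP;
 
-NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+skb->protocol = htons(ETH_P_IPV6);
+NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 br_nf_pre_routing_finish_ipv6);
 
 return NF_STOLEN;
@@ -607,8 +597,9 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
 if (!setup_pre_routing(skb))
 return NF_DROP;
 store_orig_dstaddr(skb);
+skb->protocol = htons(ETH_P_IP);
 
-NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 br_nf_pre_routing_finish);
 
 return NF_STOLEN;
@@ -655,8 +646,10 @@ static int br_nf_forward_finish(struct sk_buff *skb)
 } else {
 in = *((struct net_device **)(skb->cb));
 }
+nf_bridge_update_protocol(skb);
 nf_bridge_push_encap_header(skb);
-NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
+
+NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
 skb->dev, br_forward_finish, 1);
 return 0;
 }
@@ -707,6 +700,10 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
 /* The physdev module checks on this */
 nf_bridge->mask |= BRNF_BRIDGED;
 nf_bridge->physoutdev = skb->dev;
+if (pf == PF_INET)
+skb->protocol = htons(ETH_P_IP);
+else
+skb->protocol = htons(ETH_P_IPV6);
 
 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
 br_nf_forward_finish);
@@ -744,60 +741,11 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
 return NF_STOLEN;
 }
 
-/* PF_BRIDGE/LOCAL_OUT ***********************************************
-*
-* This function sees both locally originated IP packets and forwarded
-* IP packets (in both cases the destination device is a bridge
-* device). It also sees bridged-and-DNAT'ed packets.
-*
-* If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
-* and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
-* will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
-* NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
-* will be executed.
-*/
-static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
-const struct net_device *in,
-const struct net_device *out,
-int (*okfn)(struct sk_buff *))
-{
-struct net_device *realindev;
-struct nf_bridge_info *nf_bridge;
-
-if (!skb->nf_bridge)
-return NF_ACCEPT;
-
-/* Need exclusive nf_bridge_info since we might have multiple
-* different physoutdevs. */
-if (!nf_bridge_unshare(skb))
-return NF_DROP;
-
-nf_bridge = skb->nf_bridge;
-if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
-return NF_ACCEPT;
-
-/* Bridged, take PF_BRIDGE/FORWARD.
-* (see big note in front of br_nf_pre_routing_finish) */
-nf_bridge->physoutdev = skb->dev;
-realindev = nf_bridge->physindev;
-
-if (nf_bridge->mask & BRNF_PKT_TYPE) {
-skb->pkt_type = PACKET_OTHERHOST;
-nf_bridge->mask ^= BRNF_PKT_TYPE;
-}
-nf_bridge_push_encap_header(skb);
-
-NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
-br_forward_finish);
-return NF_STOLEN;
-}
-
 #if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 {
-if (skb->nfct != NULL &&
-(skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) &&
-skb->len > skb->dev->mtu &&
+if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
+skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
 !skb_is_gso(skb))
 return ip_fragment(skb, br_dev_queue_push_xmit);
 else
@@ -820,21 +768,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
 struct net_device *realoutdev = bridge_parent(skb->dev);
 u_int8_t pf;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-/* Be very paranoid. This probably won't happen anymore, but let's
-* keep the check just to be sure... */
-if (skb_mac_header(skb) < skb->head ||
-skb_mac_header(skb) + ETH_HLEN > skb->data) {
-printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
-"bad mac.raw pointer.\n");
-goto print_error;
-}
-#endif
-
-if (!nf_bridge)
-return NF_ACCEPT;
-
-if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
+if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
 return NF_ACCEPT;
 
 if (!realoutdev)
@@ -849,13 +783,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
 else
 return NF_ACCEPT;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-if (skb_dst(skb) == NULL) {
-printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
-goto print_error;
-}
-#endif
-
 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
 * about the value of skb->pkt_type. */
 if (skb->pkt_type == PACKET_OTHERHOST) {
@@ -865,24 +792,15 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
 
 nf_bridge_pull_encap_header(skb);
 nf_bridge_save_header(skb);
+if (pf == PF_INET)
+skb->protocol = htons(ETH_P_IP);
+else
+skb->protocol = htons(ETH_P_IPV6);
 
 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
 br_nf_dev_queue_xmit);
 
 return NF_STOLEN;
-
-#ifdef CONFIG_NETFILTER_DEBUG
-print_error:
-if (skb->dev != NULL) {
-printk("[%s]", skb->dev->name);
-if (realoutdev)
-printk("[%s]", realoutdev->name);
-}
-printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
-skb->data);
-dump_stack();
-return NF_ACCEPT;
-#endif
 }
 
 /* IP/SABOTAGE *****************************************************/
@@ -901,10 +819,8 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
 return NF_ACCEPT;
 }
 
-/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
-* PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
-* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
-* ip_refrag() can return NF_STOLEN. */
+/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
+* br_dev_queue_push_xmit is called afterwards */
 static struct nf_hook_ops br_nf_ops[] __read_mostly = {
 {
 .hook = br_nf_pre_routing,
@@ -935,13 +851,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
 .priority = NF_BR_PRI_BRNF,
 },
 {
-.hook = br_nf_local_out,
-.owner = THIS_MODULE,
-.pf = PF_BRIDGE,
-.hooknum = NF_BR_LOCAL_OUT,
-.priority = NF_BR_PRI_FIRST,
-},
-{
 .hook = br_nf_post_routing,
 .owner = THIS_MODULE,
 .pf = PF_BRIDGE,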
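Review bot: In the new br_nf_pre_routing_finish_bridge (new lines 264-289), `skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN)` saves the source MAC and ethertype by reading the eight bytes in front of skb->data, which is only correct when the Ethernet header ends exactly at skb->data; that appears to hold because the one caller that routes through this function (the bridged_dnat path, new lines 380-387) pushes the encapsulation header back before the NF_HOOK_THRESH, but nothing at the copy records it, and the removed version pulled the encap header instead. A comment at the copy such as `/* caller has pushed the encap header back, so the Ethernet header ends at skb->data */`, plus a word that nf_bridge->data is sized for at least ETH_HLEN-ETH_ALEN bytes (nf_bridge_save_header writes header_size bytes into the same buffer), would pin both preconditions. That line also runs well past 80 columns; wrapping the argument list would match the rest of the file. `dst = skb_dst(skb)` is dereferenced without a NULL check, as in the removed code; if br_nf_pre_routing_finish guarantees a dst on this path, the header comment should say so.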
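--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -50,7 +50,7 @@ static void br_send_bpdu(struct net_bridge_port *p,
 
 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);
 
-NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
 dev_queue_xmit);
 }
 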
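--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -36,14 +36,14 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 return true;
 }
 
-static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
+static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
 {
 const struct ebt_802_3_info *info = par->matchinfo;
 
 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
-return false;
+return -EINVAL;
 
-return true;
+return 0;
 }
 
 static struct xt_match ebt_802_3_mt_reg __read_mostly = {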
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c index b595f091f35b..20068e03fa81 100644 --- a/net/bridge/netfilter/ebt_among.c +++ b/net/bridge/netfilter/ebt_among.c | |||
@@ -7,6 +7,7 @@ | |||
7 | * August, 2003 | 7 | * August, 2003 |
8 | * | 8 | * |
9 | */ | 9 | */ |
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
10 | #include <linux/ip.h> | 11 | #include <linux/ip.h> |
11 | #include <linux/if_arp.h> | 12 | #include <linux/if_arp.h> |
12 | #include <linux/module.h> | 13 | #include <linux/module.h> |
@@ -171,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
171 | return true; | 172 | return true; |
172 | } | 173 | } |
173 | 174 | ||
174 | static bool ebt_among_mt_check(const struct xt_mtchk_param *par) | 175 | static int ebt_among_mt_check(const struct xt_mtchk_param *par) |
175 | { | 176 | { |
176 | const struct ebt_among_info *info = par->matchinfo; | 177 | const struct ebt_among_info *info = par->matchinfo; |
177 | const struct ebt_entry_match *em = | 178 | const struct ebt_entry_match *em = |
@@ -186,24 +187,20 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par) | |||
186 | expected_length += ebt_mac_wormhash_size(wh_src); | 187 | expected_length += ebt_mac_wormhash_size(wh_src); |
187 | 188 | ||
188 | if (em->match_size != EBT_ALIGN(expected_length)) { | 189 | if (em->match_size != EBT_ALIGN(expected_length)) { |
189 | printk(KERN_WARNING | 190 | pr_info("wrong size: %d against expected %d, rounded to %Zd\n", |
190 | "ebtables: among: wrong size: %d " | 191 | em->match_size, expected_length, |
191 | "against expected %d, rounded to %Zd\n", | 192 | EBT_ALIGN(expected_length)); |
192 | em->match_size, expected_length, | 193 | return -EINVAL; |
193 | EBT_ALIGN(expected_length)); | ||
194 | return false; | ||
195 | } | 194 | } |
196 | if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { | 195 | if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { |
197 | printk(KERN_WARNING | 196 | pr_info("dst integrity fail: %x\n", -err); |
198 | "ebtables: among: dst integrity fail: %x\n", -err); | 197 | return -EINVAL; |
199 | return false; | ||
200 | } | 198 | } |
201 | if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { | 199 | if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { |
202 | printk(KERN_WARNING | 200 | pr_info("src integrity fail: %x\n", -err); |
203 | "ebtables: among: src integrity fail: %x\n", -err); | 201 | return -EINVAL; |
204 | return false; | ||
205 | } | 202 | } |
206 | return true; | 203 | return 0; |
207 | } | 204 | } |
208 | 205 | ||
209 | static struct xt_match ebt_among_mt_reg __read_mostly = { | 206 | static struct xt_match ebt_among_mt_reg __read_mostly = { |
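Review bot: The reflowed pr_info in ebt_among_mt_check keeps the `%Zd` conversion for `EBT_ALIGN(expected_length)`; `%zd` is the standard size_t form and checkpatch warns on the capital-Z variant, so `pr_info("wrong size: %d against expected %d, rounded to %zd\n",` would be the cleaner line. The same `%Zd` survives in ebt_ulog_packet's "Size %Zd needed" message. Whether `em->match_size` is signed is not visible here; if it is unsigned, `%u` is the matching conversion.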
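--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
 
-static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_arp_info *info = par->matchinfo;
 	const struct ebt_entry *e = par->entryinfo;
@@ -108,10 +108,10 @@ static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
 	if ((e->ethproto != htons(ETH_P_ARP) &&
 	     e->ethproto != htons(ETH_P_RARP)) ||
 	    e->invflags & EBT_IPROTO)
-		return false;
+		return -EINVAL;
 	if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_match ebt_arp_mt_reg __read_mostly = {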
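--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -57,17 +57,17 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return info->target;
 }
 
-static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
+static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ebt_arpreply_info *info = par->targinfo;
 	const struct ebt_entry *e = par->entryinfo;
 
 	if (BASE_CHAIN && info->target == EBT_RETURN)
-		return false;
+		return -EINVAL;
 	if (e->ethproto != htons(ETH_P_ARP) ||
 	    e->invflags & EBT_IPROTO)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_target ebt_arpreply_tg_reg __read_mostly = {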
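--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -26,13 +26,13 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return info->target;
 }
 
-static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ebt_nat_info *info = par->targinfo;
 	unsigned int hook_mask;
 
 	if (BASE_CHAIN && info->target == EBT_RETURN)
-		return false;
+		return -EINVAL;
 
 	hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
 	if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 	      (1 << NF_BR_LOCAL_OUT)))) &&
 	    (strcmp(par->table, "broute") != 0 ||
 	     hook_mask & ~(1 << NF_BR_BROUTING)))
-		return false;
+		return -EINVAL;
 	if (INVALID_TARGET)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_target ebt_dnat_tg_reg __read_mostly = {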
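--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -77,31 +77,31 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
 
-static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_ip_info *info = par->matchinfo;
 	const struct ebt_entry *e = par->entryinfo;
 
 	if (e->ethproto != htons(ETH_P_IP) ||
 	    e->invflags & EBT_IPROTO)
-		return false;
+		return -EINVAL;
 	if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
-		return false;
+		return -EINVAL;
 	if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
 		if (info->invflags & EBT_IP_PROTO)
-			return false;
+			return -EINVAL;
 		if (info->protocol != IPPROTO_TCP &&
 		    info->protocol != IPPROTO_UDP &&
 		    info->protocol != IPPROTO_UDPLITE &&
 		    info->protocol != IPPROTO_SCTP &&
 		    info->protocol != IPPROTO_DCCP)
-			return false;
+			return -EINVAL;
 	}
 	if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
-		return false;
+		return -EINVAL;
 	if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_match ebt_ip_mt_reg __read_mostly = {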
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c index bbf2534ef026..33f8413f05ad 100644 --- a/net/bridge/netfilter/ebt_ip6.c +++ b/net/bridge/netfilter/ebt_ip6.c | |||
@@ -4,7 +4,7 @@ | |||
4 | * Authors: | 4 | * Authors: |
5 | * Manohar Castelino <manohar.r.castelino@intel.com> | 5 | * Manohar Castelino <manohar.r.castelino@intel.com> |
6 | * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> | 6 | * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> |
7 | * Jan Engelhardt <jengelh@computergmbh.de> | 7 | * Jan Engelhardt <jengelh@medozas.de> |
8 | * | 8 | * |
9 | * Summary: | 9 | * Summary: |
10 | * This is just a modification of the IPv4 code written by | 10 | * This is just a modification of the IPv4 code written by |
@@ -35,8 +35,6 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
35 | struct ipv6hdr _ip6h; | 35 | struct ipv6hdr _ip6h; |
36 | const struct tcpudphdr *pptr; | 36 | const struct tcpudphdr *pptr; |
37 | struct tcpudphdr _ports; | 37 | struct tcpudphdr _ports; |
38 | struct in6_addr tmp_addr; | ||
39 | int i; | ||
40 | 38 | ||
41 | ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); | 39 | ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); |
42 | if (ih6 == NULL) | 40 | if (ih6 == NULL) |
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
44 | if (info->bitmask & EBT_IP6_TCLASS && | 42 | if (info->bitmask & EBT_IP6_TCLASS && |
45 | FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) | 43 | FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) |
46 | return false; | 44 | return false; |
47 | for (i = 0; i < 4; i++) | 45 | if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk, |
48 | tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] & | 46 | &info->saddr), EBT_IP6_SOURCE) || |
49 | info->smsk.in6_u.u6_addr32[i]; | 47 | FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk, |
50 | if (info->bitmask & EBT_IP6_SOURCE && | 48 | &info->daddr), EBT_IP6_DEST)) |
51 | FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0), | ||
52 | EBT_IP6_SOURCE)) | ||
53 | return false; | ||
54 | for (i = 0; i < 4; i++) | ||
55 | tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] & | ||
56 | info->dmsk.in6_u.u6_addr32[i]; | ||
57 | if (info->bitmask & EBT_IP6_DEST && | ||
58 | FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST)) | ||
59 | return false; | 49 | return false; |
60 | if (info->bitmask & EBT_IP6_PROTO) { | 50 | if (info->bitmask & EBT_IP6_PROTO) { |
61 | uint8_t nexthdr = ih6->nexthdr; | 51 | uint8_t nexthdr = ih6->nexthdr; |
@@ -90,30 +80,30 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
90 | return true; | 80 | return true; |
91 | } | 81 | } |
92 | 82 | ||
93 | static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par) | 83 | static int ebt_ip6_mt_check(const struct xt_mtchk_param *par) |
94 | { | 84 | { |
95 | const struct ebt_entry *e = par->entryinfo; | 85 | const struct ebt_entry *e = par->entryinfo; |
96 | struct ebt_ip6_info *info = par->matchinfo; | 86 | struct ebt_ip6_info *info = par->matchinfo; |
97 | 87 | ||
98 | if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) | 88 | if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) |
99 | return false; | 89 | return -EINVAL; |
100 | if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) | 90 | if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) |
101 | return false; | 91 | return -EINVAL; |
102 | if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { | 92 | if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { |
103 | if (info->invflags & EBT_IP6_PROTO) | 93 | if (info->invflags & EBT_IP6_PROTO) |
104 | return false; | 94 | return -EINVAL; |
105 | if (info->protocol != IPPROTO_TCP && | 95 | if (info->protocol != IPPROTO_TCP && |
106 | info->protocol != IPPROTO_UDP && | 96 | info->protocol != IPPROTO_UDP && |
107 | info->protocol != IPPROTO_UDPLITE && | 97 | info->protocol != IPPROTO_UDPLITE && |
108 | info->protocol != IPPROTO_SCTP && | 98 | info->protocol != IPPROTO_SCTP && |
109 | info->protocol != IPPROTO_DCCP) | 99 | info->protocol != IPPROTO_DCCP) |
110 | return false; | 100 | return -EINVAL; |
111 | } | 101 | } |
112 | if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) | 102 | if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) |
113 | return false; | 103 | return -EINVAL; |
114 | if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) | 104 | if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) |
115 | return false; | 105 | return -EINVAL; |
116 | return true; | 106 | return 0; |
117 | } | 107 | } |
118 | 108 | ||
119 | static struct xt_match ebt_ip6_mt_reg __read_mostly = { | 109 | static struct xt_match ebt_ip6_mt_reg __read_mostly = { |
@@ -139,4 +129,5 @@ static void __exit ebt_ip6_fini(void) | |||
139 | module_init(ebt_ip6_init); | 129 | module_init(ebt_ip6_init); |
140 | module_exit(ebt_ip6_fini); | 130 | module_exit(ebt_ip6_fini); |
141 | MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); | 131 | MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); |
132 | MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>"); | ||
142 | MODULE_LICENSE("GPL"); | 133 | MODULE_LICENSE("GPL"); |
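Review bot: The rewritten address comparison in ebt_ip6_mt no longer tests `info->bitmask & EBT_IP6_SOURCE` / `EBT_IP6_DEST` before applying FWINV, so a rule that does not select a source or destination match now depends on userspace having zeroed smsk/dmsk, and a rule whose invflags carries EBT_IP6_SOURCE or EBT_IP6_DEST without the matching bitmask bit would silently never match; ebt_ip6_mt_check in the following hunk enforces neither (it only rejects bits outside EBT_IP6_MASK). Restoring the bitmask guards keeps the old semantics while still using ipv6_masked_addr_cmp. ebt_ip6_mt begins and ends outside the hunk.
```c
	/* … unchanged: header fetch and EBT_IP6_TCLASS check … */
	if ((info->bitmask & EBT_IP6_SOURCE &&
	     FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
					&info->saddr), EBT_IP6_SOURCE)) ||
	    (info->bitmask & EBT_IP6_DEST &&
	     FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
					&info->daddr), EBT_IP6_DEST)))
		return false;
	/* … unchanged: EBT_IP6_PROTO and port checks … */
```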
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c index 7a8182710eb3..4b0e2e53fa57 100644 --- a/net/bridge/netfilter/ebt_limit.c +++ b/net/bridge/netfilter/ebt_limit.c | |||
@@ -10,6 +10,7 @@ | |||
10 | * September, 2003 | 10 | * September, 2003 |
11 | * | 11 | * |
12 | */ | 12 | */ |
13 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
13 | #include <linux/module.h> | 14 | #include <linux/module.h> |
14 | #include <linux/netdevice.h> | 15 | #include <linux/netdevice.h> |
15 | #include <linux/spinlock.h> | 16 | #include <linux/spinlock.h> |
@@ -64,16 +65,16 @@ user2credits(u_int32_t user) | |||
64 | return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE; | 65 | return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE; |
65 | } | 66 | } |
66 | 67 | ||
67 | static bool ebt_limit_mt_check(const struct xt_mtchk_param *par) | 68 | static int ebt_limit_mt_check(const struct xt_mtchk_param *par) |
68 | { | 69 | { |
69 | struct ebt_limit_info *info = par->matchinfo; | 70 | struct ebt_limit_info *info = par->matchinfo; |
70 | 71 | ||
71 | /* Check for overflow. */ | 72 | /* Check for overflow. */ |
72 | if (info->burst == 0 || | 73 | if (info->burst == 0 || |
73 | user2credits(info->avg * info->burst) < user2credits(info->avg)) { | 74 | user2credits(info->avg * info->burst) < user2credits(info->avg)) { |
74 | printk("Overflow in ebt_limit, try lower: %u/%u\n", | 75 | pr_info("overflow, try lower: %u/%u\n", |
75 | info->avg, info->burst); | 76 | info->avg, info->burst); |
76 | return false; | 77 | return -EINVAL; |
77 | } | 78 | } |
78 | 79 | ||
79 | /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */ | 80 | /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */ |
@@ -81,7 +82,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par) | |||
81 | info->credit = user2credits(info->avg * info->burst); | 82 | info->credit = user2credits(info->avg * info->burst); |
82 | info->credit_cap = user2credits(info->avg * info->burst); | 83 | info->credit_cap = user2credits(info->avg * info->burst); |
83 | info->cost = user2credits(info->avg); | 84 | info->cost = user2credits(info->avg); |
84 | return true; | 85 | return 0; |
85 | } | 86 | } |
86 | 87 | ||
87 | 88 | ||
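Review bot: The overflow guard in ebt_limit_mt_check compares credits derived from `info->avg * info->burst`, but that product is computed in the operands' own (from the user2credits prototype, presumably 32-bit) arithmetic and can wrap before user2credits sees it, and user2credits multiplies by `HZ * CREDITS_PER_JIFFY` on top, so the comparison does not reject every overflowing pair; the commit only changes the message. Checking the multiplication itself, `if (info->burst == 0 || info->avg > UINT_MAX / info->burst)` ahead of the existing test, makes the rejection explicit and cheap on this rule-load path. The second hunk shows `info->credit`, `info->credit_cap` and `info->cost` being filled from the same product, which is what a wrapped value would silently corrupt.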
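--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,16 +24,16 @@
 
 static DEFINE_SPINLOCK(ebt_log_lock);
 
-static bool ebt_log_tg_check(const struct xt_tgchk_param *par)
+static int ebt_log_tg_check(const struct xt_tgchk_param *par)
 {
 	struct ebt_log_info *info = par->targinfo;
 
 	if (info->bitmask & ~EBT_LOG_MASK)
-		return false;
+		return -EINVAL;
 	if (info->loglevel >= 8)
-		return false;
+		return -EINVAL;
 	info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
-	return true;
+	return 0;
 }
 
 struct tcpudphdr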
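--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -36,21 +36,21 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return info->target | ~EBT_VERDICT_BITS;
 }
 
-static bool ebt_mark_tg_check(const struct xt_tgchk_param *par)
+static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ebt_mark_t_info *info = par->targinfo;
 	int tmp;
 
 	tmp = info->target | ~EBT_VERDICT_BITS;
 	if (BASE_CHAIN && tmp == EBT_RETURN)
-		return false;
+		return -EINVAL;
 	if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-		return false;
+		return -EINVAL;
 	tmp = info->target & ~EBT_VERDICT_BITS;
 	if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
 	    tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 #ifdef CONFIG_COMPAT
 struct compat_ebt_mark_t_info {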
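--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -22,17 +22,17 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
 
-static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
+static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_mark_m_info *info = par->matchinfo;
 
 	if (info->bitmask & ~EBT_MARK_MASK)
-		return false;
+		return -EINVAL;
 	if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
-		return false;
+		return -EINVAL;
 	if (!info->bitmask)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 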
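--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -35,14 +35,14 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return EBT_CONTINUE;
 }
 
-static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
 {
 	struct ebt_nflog_info *info = par->targinfo;
 
 	if (info->flags & ~EBT_NFLOG_MASK)
-		return false;
+		return -EINVAL;
 	info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
-	return true;
+	return 0;
 }
 
 static struct xt_target ebt_nflog_tg_reg __read_mostly = {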
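--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -20,14 +20,14 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return (skb->pkt_type == info->pkt_type) ^ info->invert;
 }
 
-static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
+static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_pkttype_info *info = par->matchinfo;
 
 	if (info->invert != 0 && info->invert != 1)
-		return false;
+		return -EINVAL;
 	/* Allow any pkt_type value */
-	return true;
+	return 0;
 }
 
 static struct xt_match ebt_pkttype_mt_reg __read_mostly = {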
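--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -32,23 +32,23 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return info->target;
 }
 
-static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par)
+static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ebt_redirect_info *info = par->targinfo;
 	unsigned int hook_mask;
 
 	if (BASE_CHAIN && info->target == EBT_RETURN)
-		return false;
+		return -EINVAL;
 
 	hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
 	if ((strcmp(par->table, "nat") != 0 ||
 	     hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
 	    (strcmp(par->table, "broute") != 0 ||
 	     hook_mask & ~(1 << NF_BR_BROUTING)))
-		return false;
+		return -EINVAL;
 	if (INVALID_TARGET)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_target ebt_redirect_tg_reg __read_mostly = {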
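--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -42,21 +42,21 @@ out:
 	return info->target | ~EBT_VERDICT_BITS;
 }
 
-static bool ebt_snat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ebt_nat_info *info = par->targinfo;
 	int tmp;
 
 	tmp = info->target | ~EBT_VERDICT_BITS;
 	if (BASE_CHAIN && tmp == EBT_RETURN)
-		return false;
+		return -EINVAL;
 
 	if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-		return false;
+		return -EINVAL;
 	tmp = info->target | EBT_VERDICT_BITS;
 	if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
 static struct xt_target ebt_snat_tg_reg __read_mostly = {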
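--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
 
-static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_stp_info *info = par->matchinfo;
 	const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
@@ -162,13 +162,13 @@ static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
 
 	if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
 	    !(info->bitmask & EBT_STP_MASK))
-		return false;
+		return -EINVAL;
 	/* Make sure the match only receives stp frames */
 	if (compare_ether_addr(e->destmac, bridge_ula) ||
 	    compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
-		return false;
+		return -EINVAL;
 
-	return true;
+	return 0;
 }
 
 static struct xt_match ebt_stp_mt_reg __read_mostly = {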
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index f9560f3dbdc7..852f37c27659 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c | |||
@@ -27,7 +27,7 @@ | |||
27 | * flushed even if it is not full yet. | 27 | * flushed even if it is not full yet. |
28 | * | 28 | * |
29 | */ | 29 | */ |
30 | 30 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
31 | #include <linux/module.h> | 31 | #include <linux/module.h> |
32 | #include <linux/slab.h> | 32 | #include <linux/slab.h> |
33 | #include <linux/spinlock.h> | 33 | #include <linux/spinlock.h> |
@@ -44,9 +44,6 @@ | |||
44 | #include <net/sock.h> | 44 | #include <net/sock.h> |
45 | #include "../br_private.h" | 45 | #include "../br_private.h" |
46 | 46 | ||
47 | #define PRINTR(format, args...) do { if (net_ratelimit()) \ | ||
48 | printk(format , ## args); } while (0) | ||
49 | |||
50 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; | 47 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; |
51 | module_param(nlbufsiz, uint, 0600); | 48 | module_param(nlbufsiz, uint, 0600); |
52 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " | 49 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " |
@@ -107,15 +104,14 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size) | |||
107 | n = max(size, nlbufsiz); | 104 | n = max(size, nlbufsiz); |
108 | skb = alloc_skb(n, GFP_ATOMIC); | 105 | skb = alloc_skb(n, GFP_ATOMIC); |
109 | if (!skb) { | 106 | if (!skb) { |
110 | PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " | 107 | pr_debug("cannot alloc whole buffer of size %ub!\n", n); |
111 | "of size %ub!\n", n); | ||
112 | if (n > size) { | 108 | if (n > size) { |
113 | /* try to allocate only as much as we need for | 109 | /* try to allocate only as much as we need for |
114 | * current packet */ | 110 | * current packet */ |
115 | skb = alloc_skb(size, GFP_ATOMIC); | 111 | skb = alloc_skb(size, GFP_ATOMIC); |
116 | if (!skb) | 112 | if (!skb) |
117 | PRINTR(KERN_ERR "ebt_ulog: can't even allocate " | 113 | pr_debug("cannot even allocate " |
118 | "buffer of size %ub\n", size); | 114 | "buffer of size %ub\n", size); |
119 | } | 115 | } |
120 | } | 116 | } |
121 | 117 | ||
@@ -142,8 +138,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb, | |||
142 | 138 | ||
143 | size = NLMSG_SPACE(sizeof(*pm) + copy_len); | 139 | size = NLMSG_SPACE(sizeof(*pm) + copy_len); |
144 | if (size > nlbufsiz) { | 140 | if (size > nlbufsiz) { |
145 | PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n", | 141 | pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz); |
146 | size, nlbufsiz); | ||
147 | return; | 142 | return; |
148 | } | 143 | } |
149 | 144 | ||
@@ -217,8 +212,8 @@ unlock: | |||
217 | return; | 212 | return; |
218 | 213 | ||
219 | nlmsg_failure: | 214 | nlmsg_failure: |
220 | printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should " | 215 | pr_debug("error during NLMSG_PUT. This should " |
221 | "not happen, please report to author.\n"); | 216 | "not happen, please report to author.\n"); |
222 | goto unlock; | 217 | goto unlock; |
223 | alloc_failure: | 218 | alloc_failure: |
224 | goto unlock; | 219 | goto unlock; |
@@ -255,19 +250,19 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
255 | return EBT_CONTINUE; | 250 | return EBT_CONTINUE; |
256 | } | 251 | } |
257 | 252 | ||
258 | static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) | 253 | static int ebt_ulog_tg_check(const struct xt_tgchk_param *par) |
259 | { | 254 | { |
260 | struct ebt_ulog_info *uloginfo = par->targinfo; | 255 | struct ebt_ulog_info *uloginfo = par->targinfo; |
261 | 256 | ||
262 | if (uloginfo->nlgroup > 31) | 257 | if (uloginfo->nlgroup > 31) |
263 | return false; | 258 | return -EINVAL; |
264 | 259 | ||
265 | uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; | 260 | uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; |
266 | 261 | ||
267 | if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) | 262 | if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) |
268 | uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; | 263 | uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; |
269 | 264 | ||
270 | return true; | 265 | return 0; |
271 | } | 266 | } |
272 | 267 | ||
273 | static struct xt_target ebt_ulog_tg_reg __read_mostly = { | 268 | static struct xt_target ebt_ulog_tg_reg __read_mostly = { |
@@ -292,8 +287,8 @@ static int __init ebt_ulog_init(void) | |||
292 | int i; | 287 | int i; |
293 | 288 | ||
294 | if (nlbufsiz >= 128*1024) { | 289 | if (nlbufsiz >= 128*1024) { |
295 | printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB," | 290 | pr_warning("Netlink buffer has to be <= 128kB," |
296 | " please try a smaller nlbufsiz parameter.\n"); | 291 | " please try a smaller nlbufsiz parameter.\n"); |
297 | return -EINVAL; | 292 | return -EINVAL; |
298 | } | 293 | } |
299 | 294 | ||
@@ -306,13 +301,10 @@ static int __init ebt_ulog_init(void) | |||
306 | ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG, | 301 | ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG, |
307 | EBT_ULOG_MAXNLGROUPS, NULL, NULL, | 302 | EBT_ULOG_MAXNLGROUPS, NULL, NULL, |
308 | THIS_MODULE); | 303 | THIS_MODULE); |
309 | if (!ebtulognl) { | 304 | if (!ebtulognl) |
310 | printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to " | ||
311 | "call netlink_kernel_create\n"); | ||
312 | ret = -ENOMEM; | 305 | ret = -ENOMEM; |
313 | } else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) { | 306 | else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) |
314 | netlink_kernel_release(ebtulognl); | 307 | netlink_kernel_release(ebtulognl); |
315 | } | ||
316 | 308 | ||
317 | if (ret == 0) | 309 | if (ret == 0) |
318 | nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); | 310 | nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); |
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c index be1dd2e1f615..bf8ae5c7a0c5 100644 --- a/net/bridge/netfilter/ebt_vlan.c +++ b/net/bridge/netfilter/ebt_vlan.c | |||
@@ -26,17 +26,12 @@ | |||
26 | #include <linux/netfilter_bridge/ebtables.h> | 26 | #include <linux/netfilter_bridge/ebtables.h> |
27 | #include <linux/netfilter_bridge/ebt_vlan.h> | 27 | #include <linux/netfilter_bridge/ebt_vlan.h> |
28 | 28 | ||
29 | static int debug; | ||
30 | #define MODULE_VERS "0.6" | 29 | #define MODULE_VERS "0.6" |
31 | 30 | ||
32 | module_param(debug, int, 0); | ||
33 | MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages"); | ||
34 | MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>"); | 31 | MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>"); |
35 | MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match"); | 32 | MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match"); |
36 | MODULE_LICENSE("GPL"); | 33 | MODULE_LICENSE("GPL"); |
37 | 34 | ||
38 | |||
39 | #define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args) | ||
40 | #define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_ | 35 | #define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_ |
41 | #define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } | 36 | #define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } |
42 | 37 | ||
@@ -84,32 +79,31 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
84 | return true; | 79 | return true; |
85 | } | 80 | } |
86 | 81 | ||
87 | static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) | 82 | static int ebt_vlan_mt_check(const struct xt_mtchk_param *par) |
88 | { | 83 | { |
89 | struct ebt_vlan_info *info = par->matchinfo; | 84 | struct ebt_vlan_info *info = par->matchinfo; |
90 | const struct ebt_entry *e = par->entryinfo; | 85 | const struct ebt_entry *e = par->entryinfo; |
91 | 86 | ||
92 | /* Is it 802.1Q frame checked? */ | 87 | /* Is it 802.1Q frame checked? */ |
93 | if (e->ethproto != htons(ETH_P_8021Q)) { | 88 | if (e->ethproto != htons(ETH_P_8021Q)) { |
94 | DEBUG_MSG | 89 | pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n", |
95 | ("passed entry proto %2.4X is not 802.1Q (8100)\n", | 90 | ntohs(e->ethproto)); |
96 | (unsigned short) ntohs(e->ethproto)); | 91 | return -EINVAL; |
97 | return false; | ||
98 | } | 92 | } |
99 | 93 | ||
100 | /* Check for bitmask range | 94 | /* Check for bitmask range |
101 | * True if even one bit is out of mask */ | 95 | * True if even one bit is out of mask */ |
102 | if (info->bitmask & ~EBT_VLAN_MASK) { | 96 | if (info->bitmask & ~EBT_VLAN_MASK) { |
103 | DEBUG_MSG("bitmask %2X is out of mask (%2X)\n", | 97 | pr_debug("bitmask %2X is out of mask (%2X)\n", |
104 | info->bitmask, EBT_VLAN_MASK); | 98 | info->bitmask, EBT_VLAN_MASK); |
105 | return false; | 99 | return -EINVAL; |
106 | } | 100 | } |
107 | 101 | ||
108 | /* Check for inversion flags range */ | 102 | /* Check for inversion flags range */ |
109 | if (info->invflags & ~EBT_VLAN_MASK) { | 103 | if (info->invflags & ~EBT_VLAN_MASK) { |
110 | DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n", | 104 | pr_debug("inversion flags %2X is out of mask (%2X)\n", |
111 | info->invflags, EBT_VLAN_MASK); | 105 | info->invflags, EBT_VLAN_MASK); |
112 | return false; | 106 | return -EINVAL; |
113 | } | 107 | } |
114 | 108 | ||
115 | /* Reserved VLAN ID (VID) values | 109 | /* Reserved VLAN ID (VID) values |
@@ -121,10 +115,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) | |||
121 | if (GET_BITMASK(EBT_VLAN_ID)) { | 115 | if (GET_BITMASK(EBT_VLAN_ID)) { |
122 | if (!!info->id) { /* if id!=0 => check vid range */ | 116 | if (!!info->id) { /* if id!=0 => check vid range */ |
123 | if (info->id > VLAN_GROUP_ARRAY_LEN) { | 117 | if (info->id > VLAN_GROUP_ARRAY_LEN) { |
124 | DEBUG_MSG | 118 | pr_debug("id %d is out of range (1-4096)\n", |
125 | ("id %d is out of range (1-4096)\n", | 119 | info->id); |
126 | info->id); | 120 | return -EINVAL; |
127 | return false; | ||
128 | } | 121 | } |
129 | /* Note: This is valid VLAN-tagged frame point. | 122 | /* Note: This is valid VLAN-tagged frame point. |
130 | * Any value of user_priority are acceptable, | 123 | * Any value of user_priority are acceptable, |
@@ -137,9 +130,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) | |||
137 | 130 | ||
138 | if (GET_BITMASK(EBT_VLAN_PRIO)) { | 131 | if (GET_BITMASK(EBT_VLAN_PRIO)) { |
139 | if ((unsigned char) info->prio > 7) { | 132 | if ((unsigned char) info->prio > 7) { |
140 | DEBUG_MSG("prio %d is out of range (0-7)\n", | 133 | pr_debug("prio %d is out of range (0-7)\n", |
141 | info->prio); | 134 | info->prio); |
142 | return false; | 135 | return -EINVAL; |
143 | } | 136 | } |
144 | } | 137 | } |
145 | /* Check for encapsulated proto range - it is possible to be | 138 | /* Check for encapsulated proto range - it is possible to be |
@@ -147,14 +140,13 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) | |||
147 | * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */ | 140 | * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */ |
148 | if (GET_BITMASK(EBT_VLAN_ENCAP)) { | 141 | if (GET_BITMASK(EBT_VLAN_ENCAP)) { |
149 | if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) { | 142 | if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) { |
150 | DEBUG_MSG | 143 | pr_debug("encap frame length %d is less than " |
151 | ("encap frame length %d is less than minimal\n", | 144 | "minimal\n", ntohs(info->encap)); |
152 | ntohs(info->encap)); | 145 | return -EINVAL; |
153 | return false; | ||
154 | } | 146 | } |
155 | } | 147 | } |
156 | 148 | ||
157 | return true; | 149 | return 0; |
158 | } | 150 | } |
159 | 151 | ||
160 | static struct xt_match ebt_vlan_mt_reg __read_mostly = { | 152 | static struct xt_match ebt_vlan_mt_reg __read_mostly = { |
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = { | |||
169 | 161 | ||
170 | static int __init ebt_vlan_init(void) | 162 | static int __init ebt_vlan_init(void) |
171 | { | 163 | { |
172 | DEBUG_MSG("ebtables 802.1Q extension module v" | 164 | pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n"); |
173 | MODULE_VERS "\n"); | ||
174 | DEBUG_MSG("module debug=%d\n", !!debug); | ||
175 | return xt_register_match(&ebt_vlan_mt_reg); | 165 | return xt_register_match(&ebt_vlan_mt_reg); |
176 | } | 166 | } |
177 | 167 | ||
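Review bot: The VID range check in ebt_vlan_mt_check, `if (info->id > VLAN_GROUP_ARRAY_LEN)`, still admits id == VLAN_GROUP_ARRAY_LEN; if that constant is the 4096-entry array length its name suggests, 4096 lies one past the largest 12-bit VLAN ID, so a rule carrying it is accepted yet can never match, and the message text "(1-4096)" repeats the same off-by-one. Changing the test to `if (info->id >= VLAN_GROUP_ARRAY_LEN)` and the message to read "(1-4095)" would make the check and the diagnostic agree; the enclosing function begins in an earlier hunk. Separately, the converted pr_debug calls lose the "ebt_vlan: " prefix the removed DEBUG_MSG macro supplied unless a pr_fmt definition sits above the first hunk, which is not visible here.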
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index f0865fd1e3ec..1d8c2c0a7470 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -14,8 +14,7 @@ | |||
14 | * as published by the Free Software Foundation; either version | 14 | * as published by the Free Software Foundation; either version |
15 | * 2 of the License, or (at your option) any later version. | 15 | * 2 of the License, or (at your option) any later version. |
16 | */ | 16 | */ |
17 | 17 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
18 | |||
19 | #include <linux/kmod.h> | 18 | #include <linux/kmod.h> |
20 | #include <linux/module.h> | 19 | #include <linux/module.h> |
21 | #include <linux/vmalloc.h> | 20 | #include <linux/vmalloc.h> |
@@ -363,12 +362,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, | |||
363 | left - sizeof(struct ebt_entry_match) < m->match_size) | 362 | left - sizeof(struct ebt_entry_match) < m->match_size) |
364 | return -EINVAL; | 363 | return -EINVAL; |
365 | 364 | ||
366 | match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, | 365 | match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0); |
367 | m->u.name, 0), "ebt_%s", m->u.name); | ||
368 | if (IS_ERR(match)) | 366 | if (IS_ERR(match)) |
369 | return PTR_ERR(match); | 367 | return PTR_ERR(match); |
370 | if (match == NULL) | ||
371 | return -ENOENT; | ||
372 | m->u.match = match; | 368 | m->u.match = match; |
373 | 369 | ||
374 | par->match = match; | 370 | par->match = match; |
@@ -397,13 +393,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par, | |||
397 | left - sizeof(struct ebt_entry_watcher) < w->watcher_size) | 393 | left - sizeof(struct ebt_entry_watcher) < w->watcher_size) |
398 | return -EINVAL; | 394 | return -EINVAL; |
399 | 395 | ||
400 | watcher = try_then_request_module( | 396 | watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0); |
401 | xt_find_target(NFPROTO_BRIDGE, w->u.name, 0), | ||
402 | "ebt_%s", w->u.name); | ||
403 | if (IS_ERR(watcher)) | 397 | if (IS_ERR(watcher)) |
404 | return PTR_ERR(watcher); | 398 | return PTR_ERR(watcher); |
405 | if (watcher == NULL) | ||
406 | return -ENOENT; | ||
407 | w->u.watcher = watcher; | 399 | w->u.watcher = watcher; |
408 | 400 | ||
409 | par->target = watcher; | 401 | par->target = watcher; |
@@ -716,15 +708,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net, | |||
716 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); | 708 | t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); |
717 | gap = e->next_offset - e->target_offset; | 709 | gap = e->next_offset - e->target_offset; |
718 | 710 | ||
719 | target = try_then_request_module( | 711 | target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0); |
720 | xt_find_target(NFPROTO_BRIDGE, t->u.name, 0), | ||
721 | "ebt_%s", t->u.name); | ||
722 | if (IS_ERR(target)) { | 712 | if (IS_ERR(target)) { |
723 | ret = PTR_ERR(target); | 713 | ret = PTR_ERR(target); |
724 | goto cleanup_watchers; | 714 | goto cleanup_watchers; |
725 | } else if (target == NULL) { | ||
726 | ret = -ENOENT; | ||
727 | goto cleanup_watchers; | ||
728 | } | 715 | } |
729 | 716 | ||
730 | t->u.target = target; | 717 | t->u.target = target; |
@@ -2128,7 +2115,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, | |||
2128 | return ret; | 2115 | return ret; |
2129 | new_offset += ret; | 2116 | new_offset += ret; |
2130 | if (offsets_update && new_offset) { | 2117 | if (offsets_update && new_offset) { |
2131 | pr_debug("ebtables: change offset %d to %d\n", | 2118 | pr_debug("change offset %d to %d\n", |
2132 | offsets_update[i], offsets[j] + new_offset); | 2119 | offsets_update[i], offsets[j] + new_offset); |
2133 | offsets_update[i] = offsets[j] + new_offset; | 2120 | offsets_update[i] = offsets[j] + new_offset; |
2134 | } | 2121 | } |
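Review bot: The removed `if (match == NULL) return -ENOENT;` in ebt_check_match, and the matching NULL branches dropped from ebt_check_watcher and ebt_check_entry, now rest on xt_request_find_match/xt_request_find_target reporting a missing extension only as an ERR_PTR and never as NULL, a contract that nothing in the hunk states. A one-line comment at the call site, `/* never NULL: a failed lookup comes back as an ERR_PTR */`, would keep a later reader from either reintroducing the dead branch or assuming the pointer needs no check at all. The same applies to the two converted call sites in arp_tables.c.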
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c index deb723dba44b..0363bb95cc7d 100644 --- a/net/decnet/dn_neigh.c +++ b/net/decnet/dn_neigh.c | |||
@@ -266,7 +266,8 @@ static int dn_long_output(struct sk_buff *skb) | |||
266 | 266 | ||
267 | skb_reset_network_header(skb); | 267 | skb_reset_network_header(skb); |
268 | 268 | ||
269 | return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); | 269 | return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL, |
270 | neigh->dev, dn_neigh_output_packet); | ||
270 | } | 271 | } |
271 | 272 | ||
272 | static int dn_short_output(struct sk_buff *skb) | 273 | static int dn_short_output(struct sk_buff *skb) |
@@ -305,7 +306,8 @@ static int dn_short_output(struct sk_buff *skb) | |||
305 | 306 | ||
306 | skb_reset_network_header(skb); | 307 | skb_reset_network_header(skb); |
307 | 308 | ||
308 | return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); | 309 | return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL, |
310 | neigh->dev, dn_neigh_output_packet); | ||
309 | } | 311 | } |
310 | 312 | ||
311 | /* | 313 | /* |
@@ -347,7 +349,8 @@ static int dn_phase3_output(struct sk_buff *skb) | |||
347 | 349 | ||
348 | skb_reset_network_header(skb); | 350 | skb_reset_network_header(skb); |
349 | 351 | ||
350 | return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); | 352 | return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL, |
353 | neigh->dev, dn_neigh_output_packet); | ||
351 | } | 354 | } |
352 | 355 | ||
353 | /* | 356 | /* |
diff --git a/net/decnet/dn_nsp_in.c b/net/decnet/dn_nsp_in.c index 25a37299bc65..b430549e2b91 100644 --- a/net/decnet/dn_nsp_in.c +++ b/net/decnet/dn_nsp_in.c | |||
@@ -810,7 +810,8 @@ free_out: | |||
810 | 810 | ||
811 | int dn_nsp_rx(struct sk_buff *skb) | 811 | int dn_nsp_rx(struct sk_buff *skb) |
812 | { | 812 | { |
813 | return NF_HOOK(PF_DECnet, NF_DN_LOCAL_IN, skb, skb->dev, NULL, dn_nsp_rx_packet); | 813 | return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_IN, skb, skb->dev, NULL, |
814 | dn_nsp_rx_packet); | ||
814 | } | 815 | } |
815 | 816 | ||
816 | /* | 817 | /* |
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 70ebe74027d5..a8432e399545 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c | |||
@@ -518,7 +518,8 @@ static int dn_route_rx_long(struct sk_buff *skb) | |||
518 | ptr++; | 518 | ptr++; |
519 | cb->hops = *ptr++; /* Visit Count */ | 519 | cb->hops = *ptr++; /* Visit Count */ |
520 | 520 | ||
521 | return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet); | 521 | return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, |
522 | dn_route_rx_packet); | ||
522 | 523 | ||
523 | drop_it: | 524 | drop_it: |
524 | kfree_skb(skb); | 525 | kfree_skb(skb); |
@@ -544,7 +545,8 @@ static int dn_route_rx_short(struct sk_buff *skb) | |||
544 | ptr += 2; | 545 | ptr += 2; |
545 | cb->hops = *ptr & 0x3f; | 546 | cb->hops = *ptr & 0x3f; |
546 | 547 | ||
547 | return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet); | 548 | return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, |
549 | dn_route_rx_packet); | ||
548 | 550 | ||
549 | drop_it: | 551 | drop_it: |
550 | kfree_skb(skb); | 552 | kfree_skb(skb); |
@@ -646,16 +648,24 @@ int dn_route_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type | |||
646 | 648 | ||
647 | switch(flags & DN_RT_CNTL_MSK) { | 649 | switch(flags & DN_RT_CNTL_MSK) { |
648 | case DN_RT_PKT_HELO: | 650 | case DN_RT_PKT_HELO: |
649 | return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_route_ptp_hello); | 651 | return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO, |
652 | skb, skb->dev, NULL, | ||
653 | dn_route_ptp_hello); | ||
650 | 654 | ||
651 | case DN_RT_PKT_L1RT: | 655 | case DN_RT_PKT_L1RT: |
652 | case DN_RT_PKT_L2RT: | 656 | case DN_RT_PKT_L2RT: |
653 | return NF_HOOK(PF_DECnet, NF_DN_ROUTE, skb, skb->dev, NULL, dn_route_discard); | 657 | return NF_HOOK(NFPROTO_DECNET, NF_DN_ROUTE, |
658 | skb, skb->dev, NULL, | ||
659 | dn_route_discard); | ||
654 | case DN_RT_PKT_ERTH: | 660 | case DN_RT_PKT_ERTH: |
655 | return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_router_hello); | 661 | return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO, |
662 | skb, skb->dev, NULL, | ||
663 | dn_neigh_router_hello); | ||
656 | 664 | ||
657 | case DN_RT_PKT_EEDH: | 665 | case DN_RT_PKT_EEDH: |
658 | return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_endnode_hello); | 666 | return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO, |
667 | skb, skb->dev, NULL, | ||
668 | dn_neigh_endnode_hello); | ||
659 | } | 669 | } |
660 | } else { | 670 | } else { |
661 | if (dn->parms.state != DN_DEV_S_RU) | 671 | if (dn->parms.state != DN_DEV_S_RU) |
@@ -704,7 +714,8 @@ static int dn_output(struct sk_buff *skb) | |||
704 | cb->rt_flags |= DN_RT_F_IE; | 714 | cb->rt_flags |= DN_RT_F_IE; |
705 | cb->hops = 0; | 715 | cb->hops = 0; |
706 | 716 | ||
707 | return NF_HOOK(PF_DECnet, NF_DN_LOCAL_OUT, skb, NULL, dev, neigh->output); | 717 | return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_OUT, skb, NULL, dev, |
718 | neigh->output); | ||
708 | 719 | ||
709 | error: | 720 | error: |
710 | if (net_ratelimit()) | 721 | if (net_ratelimit()) |
@@ -753,7 +764,8 @@ static int dn_forward(struct sk_buff *skb) | |||
753 | if (rt->rt_flags & RTCF_DOREDIRECT) | 764 | if (rt->rt_flags & RTCF_DOREDIRECT) |
754 | cb->rt_flags |= DN_RT_F_IE; | 765 | cb->rt_flags |= DN_RT_F_IE; |
755 | 766 | ||
756 | return NF_HOOK(PF_DECnet, NF_DN_FORWARD, skb, dev, skb->dev, neigh->output); | 767 | return NF_HOOK(NFPROTO_DECNET, NF_DN_FORWARD, skb, dev, skb->dev, |
768 | neigh->output); | ||
757 | 769 | ||
758 | drop: | 770 | drop: |
759 | kfree_skb(skb); | 771 | kfree_skb(skb); |
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index af10942b326c..56cdf68a074c 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c | |||
@@ -112,8 +112,8 @@ int ip_forward(struct sk_buff *skb) | |||
112 | 112 | ||
113 | skb->priority = rt_tos2priority(iph->tos); | 113 | skb->priority = rt_tos2priority(iph->tos); |
114 | 114 | ||
115 | return NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev, | 115 | return NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, |
116 | ip_forward_finish); | 116 | rt->u.dst.dev, ip_forward_finish); |
117 | 117 | ||
118 | sr_failed: | 118 | sr_failed: |
119 | /* | 119 | /* |
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index f8ab7a380d4a..af76de5f76de 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c | |||
@@ -266,7 +266,7 @@ int ip_local_deliver(struct sk_buff *skb) | |||
266 | return 0; | 266 | return 0; |
267 | } | 267 | } |
268 | 268 | ||
269 | return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL, | 269 | return NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL, |
270 | ip_local_deliver_finish); | 270 | ip_local_deliver_finish); |
271 | } | 271 | } |
272 | 272 | ||
@@ -444,7 +444,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, | |||
444 | /* Must drop socket now because of tproxy. */ | 444 | /* Must drop socket now because of tproxy. */ |
445 | skb_orphan(skb); | 445 | skb_orphan(skb); |
446 | 446 | ||
447 | return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL, | 447 | return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL, |
448 | ip_rcv_finish); | 448 | ip_rcv_finish); |
449 | 449 | ||
450 | inhdr_error: | 450 | inhdr_error: |
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index f0392191740b..252897443ef9 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
@@ -96,8 +96,8 @@ int __ip_local_out(struct sk_buff *skb) | |||
96 | 96 | ||
97 | iph->tot_len = htons(skb->len); | 97 | iph->tot_len = htons(skb->len); |
98 | ip_send_check(iph); | 98 | ip_send_check(iph); |
99 | return nf_hook(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, | 99 | return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL, |
100 | dst_output); | 100 | skb_dst(skb)->dev, dst_output); |
101 | } | 101 | } |
102 | 102 | ||
103 | int ip_local_out(struct sk_buff *skb) | 103 | int ip_local_out(struct sk_buff *skb) |
@@ -272,8 +272,8 @@ int ip_mc_output(struct sk_buff *skb) | |||
272 | ) { | 272 | ) { |
273 | struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); | 273 | struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); |
274 | if (newskb) | 274 | if (newskb) |
275 | NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, | 275 | NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING, |
276 | NULL, newskb->dev, | 276 | newskb, NULL, newskb->dev, |
277 | ip_dev_loopback_xmit); | 277 | ip_dev_loopback_xmit); |
278 | } | 278 | } |
279 | 279 | ||
@@ -288,12 +288,12 @@ int ip_mc_output(struct sk_buff *skb) | |||
288 | if (rt->rt_flags&RTCF_BROADCAST) { | 288 | if (rt->rt_flags&RTCF_BROADCAST) { |
289 | struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); | 289 | struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); |
290 | if (newskb) | 290 | if (newskb) |
291 | NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, NULL, | 291 | NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING, newskb, |
292 | newskb->dev, ip_dev_loopback_xmit); | 292 | NULL, newskb->dev, ip_dev_loopback_xmit); |
293 | } | 293 | } |
294 | 294 | ||
295 | return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev, | 295 | return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, |
296 | ip_finish_output, | 296 | skb->dev, ip_finish_output, |
297 | !(IPCB(skb)->flags & IPSKB_REROUTED)); | 297 | !(IPCB(skb)->flags & IPSKB_REROUTED)); |
298 | } | 298 | } |
299 | 299 | ||
@@ -306,7 +306,7 @@ int ip_output(struct sk_buff *skb) | |||
306 | skb->dev = dev; | 306 | skb->dev = dev; |
307 | skb->protocol = htons(ETH_P_IP); | 307 | skb->protocol = htons(ETH_P_IP); |
308 | 308 | ||
309 | return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, dev, | 309 | return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev, |
310 | ip_finish_output, | 310 | ip_finish_output, |
311 | !(IPCB(skb)->flags & IPSKB_REROUTED)); | 311 | !(IPCB(skb)->flags & IPSKB_REROUTED)); |
312 | } | 312 | } |
@@ -469,6 +469,10 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) | |||
469 | 469 | ||
470 | hlen = iph->ihl * 4; | 470 | hlen = iph->ihl * 4; |
471 | mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */ | 471 | mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */ |
472 | #ifdef CONFIG_BRIDGE_NETFILTER | ||
473 | if (skb->nf_bridge) | ||
474 | mtu -= nf_bridge_mtu_reduction(skb); | ||
475 | #endif | ||
472 | IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE; | 476 | IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE; |
473 | 477 | ||
474 | /* When frag_list is given, use it. First, check its validity: | 478 | /* When frag_list is given, use it. First, check its validity: |
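Review bot: The added `mtu -= nf_bridge_mtu_reduction(skb);` in ip_fragment shrinks the data space with no comment on why or by how much; mtu's declaration is outside the hunk, and if it is unsigned, a reduction larger than the space left after `hlen` would wrap rather than be caught, so the helper's upper bound is what makes this safe and it should be written down. A comment above the #ifdef such as `/* bridge-nf may re-insert a link-layer encapsulation on output; reserve room for it (see nf_bridge_mtu_reduction) */` would carry that contract. The enclosing function continues beyond the hunk.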
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index eddfd12f55b8..f3f1c6b5c70c 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c | |||
@@ -1599,7 +1599,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt, | |||
1599 | * not mrouter) cannot join to more than one interface - it will | 1599 | * not mrouter) cannot join to more than one interface - it will |
1600 | * result in receiving multiple packets. | 1600 | * result in receiving multiple packets. |
1601 | */ | 1601 | */ |
1602 | NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev, | 1602 | NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, dev, |
1603 | ipmr_forward_finish); | 1603 | ipmr_forward_finish); |
1604 | return; | 1604 | return; |
1605 | 1605 | ||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index f07d77f65751..07a699059390 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -523,13 +523,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) | |||
523 | return ret; | 523 | return ret; |
524 | 524 | ||
525 | t = arpt_get_target(e); | 525 | t = arpt_get_target(e); |
526 | target = try_then_request_module(xt_find_target(NFPROTO_ARP, | 526 | target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, |
527 | t->u.user.name, | 527 | t->u.user.revision); |
528 | t->u.user.revision), | 528 | if (IS_ERR(target)) { |
529 | "arpt_%s", t->u.user.name); | ||
530 | if (IS_ERR(target) || !target) { | ||
531 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); | 529 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); |
532 | ret = target ? PTR_ERR(target) : -ENOENT; | 530 | ret = PTR_ERR(target); |
533 | goto out; | 531 | goto out; |
534 | } | 532 | } |
535 | t->u.kernel.target = target; | 533 | t->u.kernel.target = target; |
@@ -651,6 +649,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, | |||
651 | if (ret != 0) | 649 | if (ret != 0) |
652 | break; | 650 | break; |
653 | ++i; | 651 | ++i; |
652 | if (strcmp(arpt_get_target(iter)->u.user.name, | ||
653 | XT_ERROR_TARGET) == 0) | ||
654 | ++newinfo->stacksize; | ||
654 | } | 655 | } |
655 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 656 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
656 | if (ret != 0) | 657 | if (ret != 0) |
@@ -1252,14 +1253,12 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, | |||
1252 | entry_offset = (void *)e - (void *)base; | 1253 | entry_offset = (void *)e - (void *)base; |
1253 | 1254 | ||
1254 | t = compat_arpt_get_target(e); | 1255 | t = compat_arpt_get_target(e); |
1255 | target = try_then_request_module(xt_find_target(NFPROTO_ARP, | 1256 | target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, |
1256 | t->u.user.name, | 1257 | t->u.user.revision); |
1257 | t->u.user.revision), | 1258 | if (IS_ERR(target)) { |
1258 | "arpt_%s", t->u.user.name); | ||
1259 | if (IS_ERR(target) || !target) { | ||
1260 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", | 1259 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", |
1261 | t->u.user.name); | 1260 | t->u.user.name); |
1262 | ret = target ? PTR_ERR(target) : -ENOENT; | 1261 | ret = PTR_ERR(target); |
1263 | goto out; | 1262 | goto out; |
1264 | } | 1263 | } |
1265 | t->u.kernel.target = target; | 1264 | t->u.kernel.target = target; |
@@ -1778,8 +1777,7 @@ struct xt_table *arpt_register_table(struct net *net, | |||
1778 | { | 1777 | { |
1779 | int ret; | 1778 | int ret; |
1780 | struct xt_table_info *newinfo; | 1779 | struct xt_table_info *newinfo; |
1781 | struct xt_table_info bootstrap | 1780 | struct xt_table_info bootstrap = {0}; |
1782 | = { 0, 0, 0, { 0 }, { 0 }, { } }; | ||
1783 | void *loc_cpu_entry; | 1781 | void *loc_cpu_entry; |
1784 | struct xt_table *new_table; | 1782 | struct xt_table *new_table; |
1785 | 1783 | ||
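Review bot: The new `++newinfo->stacksize` in translate_table deserves a comment saying what is being counted and why: entries whose target is XT_ERROR_TARGET head user-defined chains in this table format, so the count serves as the bound on how deep non-GOTO jumps between chains can nest. Something like `/* each ERROR target opens a user-defined chain; that bounds the jump-stack depth */` above the strcmp would do. The count presumably also includes the table's terminating ERROR entry, which only over-provisions by one slot, and whether the compat translation path computes the same value is not visible from this hunk.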
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c index b0d5b1d0a769..4b51a027f307 100644 --- a/net/ipv4/netfilter/arpt_mangle.c +++ b/net/ipv4/netfilter/arpt_mangle.c | |||
@@ -54,7 +54,7 @@ target(struct sk_buff *skb, const struct xt_target_param *par) | |||
54 | return mangle->target; | 54 | return mangle->target; |
55 | } | 55 | } |
56 | 56 | ||
57 | static bool checkentry(const struct xt_tgchk_param *par) | 57 | static int checkentry(const struct xt_tgchk_param *par) |
58 | { | 58 | { |
59 | const struct arpt_mangle *mangle = par->targinfo; | 59 | const struct arpt_mangle *mangle = par->targinfo; |
60 | 60 | ||
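Review bot: Only the signature of checkentry changes here, this is the sole hunk shown for arpt_mangle.c, and the function body continues past the hunk; if that body still leaves its validation paths with `return false;` and succeeds with `return true;`, the int-returning version now reports a rejected mangle rule as success (0) and a valid one as an error (1), exactly inverted. The remaining returns should become `return -EINVAL;` on the rejection paths and `return 0;` on success, as ebt_vlan_mt_check and ebt_ulog_tg_check are converted elsewhere in this series. This is inferred from the absence of any other hunk for the file, so disregard if the body was converted in a part of the diff not shown.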
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index e2787048aa0a..c838238104f5 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
@@ -161,8 +161,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
161 | break; | 161 | break; |
162 | 162 | ||
163 | case IPQ_COPY_PACKET: | 163 | case IPQ_COPY_PACKET: |
164 | if ((entry->skb->ip_summed == CHECKSUM_PARTIAL || | 164 | if (entry->skb->ip_summed == CHECKSUM_PARTIAL && |
165 | entry->skb->ip_summed == CHECKSUM_COMPLETE) && | ||
166 | (*errp = skb_checksum_help(entry->skb))) { | 165 | (*errp = skb_checksum_help(entry->skb))) { |
167 | read_unlock_bh(&queue_lock); | 166 | read_unlock_bh(&queue_lock); |
168 | return NULL; | 167 | return NULL; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index b29c66df8d1f..3e6af1036fbc 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -39,13 +39,13 @@ MODULE_DESCRIPTION("IPv4 packet filter"); | |||
39 | /*#define DEBUG_IP_FIREWALL_USER*/ | 39 | /*#define DEBUG_IP_FIREWALL_USER*/ |
40 | 40 | ||
41 | #ifdef DEBUG_IP_FIREWALL | 41 | #ifdef DEBUG_IP_FIREWALL |
42 | #define dprintf(format, args...) printk(format , ## args) | 42 | #define dprintf(format, args...) pr_info(format , ## args) |
43 | #else | 43 | #else |
44 | #define dprintf(format, args...) | 44 | #define dprintf(format, args...) |
45 | #endif | 45 | #endif |
46 | 46 | ||
47 | #ifdef DEBUG_IP_FIREWALL_USER | 47 | #ifdef DEBUG_IP_FIREWALL_USER |
48 | #define duprintf(format, args...) printk(format , ## args) | 48 | #define duprintf(format, args...) pr_info(format , ## args) |
49 | #else | 49 | #else |
50 | #define duprintf(format, args...) | 50 | #define duprintf(format, args...) |
51 | #endif | 51 | #endif |
@@ -168,8 +168,7 @@ static unsigned int | |||
168 | ipt_error(struct sk_buff *skb, const struct xt_target_param *par) | 168 | ipt_error(struct sk_buff *skb, const struct xt_target_param *par) |
169 | { | 169 | { |
170 | if (net_ratelimit()) | 170 | if (net_ratelimit()) |
171 | printk("ip_tables: error: `%s'\n", | 171 | pr_info("error: `%s'\n", (const char *)par->targinfo); |
172 | (const char *)par->targinfo); | ||
173 | 172 | ||
174 | return NF_DROP; | 173 | return NF_DROP; |
175 | } | 174 | } |
@@ -322,8 +321,6 @@ ipt_do_table(struct sk_buff *skb, | |||
322 | const struct net_device *out, | 321 | const struct net_device *out, |
323 | struct xt_table *table) | 322 | struct xt_table *table) |
324 | { | 323 | { |
325 | #define tb_comefrom ((struct ipt_entry *)table_base)->comefrom | ||
326 | |||
327 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 324 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
328 | const struct iphdr *ip; | 325 | const struct iphdr *ip; |
329 | bool hotdrop = false; | 326 | bool hotdrop = false; |
@@ -331,7 +328,8 @@ ipt_do_table(struct sk_buff *skb, | |||
331 | unsigned int verdict = NF_DROP; | 328 | unsigned int verdict = NF_DROP; |
332 | const char *indev, *outdev; | 329 | const char *indev, *outdev; |
333 | const void *table_base; | 330 | const void *table_base; |
334 | struct ipt_entry *e, *back; | 331 | struct ipt_entry *e, **jumpstack; |
332 | unsigned int *stackptr, origptr, cpu; | ||
335 | const struct xt_table_info *private; | 333 | const struct xt_table_info *private; |
336 | struct xt_match_param mtpar; | 334 | struct xt_match_param mtpar; |
337 | struct xt_target_param tgpar; | 335 | struct xt_target_param tgpar; |
@@ -357,19 +355,23 @@ ipt_do_table(struct sk_buff *skb, | |||
357 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); | 355 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); |
358 | xt_info_rdlock_bh(); | 356 | xt_info_rdlock_bh(); |
359 | private = table->private; | 357 | private = table->private; |
360 | table_base = private->entries[smp_processor_id()]; | 358 | cpu = smp_processor_id(); |
359 | table_base = private->entries[cpu]; | ||
360 | jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; | ||
361 | stackptr = &private->stackptr[cpu]; | ||
362 | origptr = *stackptr; | ||
361 | 363 | ||
362 | e = get_entry(table_base, private->hook_entry[hook]); | 364 | e = get_entry(table_base, private->hook_entry[hook]); |
363 | 365 | ||
364 | /* For return from builtin chain */ | 366 | pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n", |
365 | back = get_entry(table_base, private->underflow[hook]); | 367 | table->name, hook, origptr, |
368 | get_entry(table_base, private->underflow[hook])); | ||
366 | 369 | ||
367 | do { | 370 | do { |
368 | const struct ipt_entry_target *t; | 371 | const struct ipt_entry_target *t; |
369 | const struct xt_entry_match *ematch; | 372 | const struct xt_entry_match *ematch; |
370 | 373 | ||
371 | IP_NF_ASSERT(e); | 374 | IP_NF_ASSERT(e); |
372 | IP_NF_ASSERT(back); | ||
373 | if (!ip_packet_match(ip, indev, outdev, | 375 | if (!ip_packet_match(ip, indev, outdev, |
374 | &e->ip, mtpar.fragoff)) { | 376 | &e->ip, mtpar.fragoff)) { |
375 | no_match: | 377 | no_match: |
@@ -404,41 +406,39 @@ ipt_do_table(struct sk_buff *skb, | |||
404 | verdict = (unsigned)(-v) - 1; | 406 | verdict = (unsigned)(-v) - 1; |
405 | break; | 407 | break; |
406 | } | 408 | } |
407 | e = back; | 409 | if (*stackptr == 0) { |
408 | back = get_entry(table_base, back->comefrom); | 410 | e = get_entry(table_base, |
411 | private->underflow[hook]); | ||
412 | pr_debug("Underflow (this is normal) " | ||
413 | "to %p\n", e); | ||
414 | } else { | ||
415 | e = jumpstack[--*stackptr]; | ||
416 | pr_debug("Pulled %p out from pos %u\n", | ||
417 | e, *stackptr); | ||
418 | e = ipt_next_entry(e); | ||
419 | } | ||
409 | continue; | 420 | continue; |
410 | } | 421 | } |
411 | if (table_base + v != ipt_next_entry(e) && | 422 | if (table_base + v != ipt_next_entry(e) && |
412 | !(e->ip.flags & IPT_F_GOTO)) { | 423 | !(e->ip.flags & IPT_F_GOTO)) { |
413 | /* Save old back ptr in next entry */ | 424 | if (*stackptr >= private->stacksize) { |
414 | struct ipt_entry *next = ipt_next_entry(e); | 425 | verdict = NF_DROP; |
415 | next->comefrom = (void *)back - table_base; | 426 | break; |
416 | /* set back pointer to next entry */ | 427 | } |
417 | back = next; | 428 | jumpstack[(*stackptr)++] = e; |
429 | pr_debug("Pushed %p into pos %u\n", | ||
430 | e, *stackptr - 1); | ||
418 | } | 431 | } |
419 | 432 | ||
420 | e = get_entry(table_base, v); | 433 | e = get_entry(table_base, v); |
421 | continue; | 434 | continue; |
422 | } | 435 | } |
423 | 436 | ||
424 | /* Targets which reenter must return | ||
425 | abs. verdicts */ | ||
426 | tgpar.target = t->u.kernel.target; | 437 | tgpar.target = t->u.kernel.target; |
427 | tgpar.targinfo = t->data; | 438 | tgpar.targinfo = t->data; |
428 | 439 | ||
429 | 440 | ||
430 | #ifdef CONFIG_NETFILTER_DEBUG | ||
431 | tb_comefrom = 0xeeeeeeec; | ||
432 | #endif | ||
433 | verdict = t->u.kernel.target->target(skb, &tgpar); | 441 | verdict = t->u.kernel.target->target(skb, &tgpar); |
434 | #ifdef CONFIG_NETFILTER_DEBUG | ||
435 | if (tb_comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) { | ||
436 | printk("Target %s reentered!\n", | ||
437 | t->u.kernel.target->name); | ||
438 | verdict = NF_DROP; | ||
439 | } | ||
440 | tb_comefrom = 0x57acc001; | ||
441 | #endif | ||
442 | /* Target might have changed stuff. */ | 442 | /* Target might have changed stuff. */ |
443 | ip = ip_hdr(skb); | 443 | ip = ip_hdr(skb); |
444 | if (verdict == IPT_CONTINUE) | 444 | if (verdict == IPT_CONTINUE) |
@@ -448,7 +448,9 @@ ipt_do_table(struct sk_buff *skb, | |||
448 | break; | 448 | break; |
449 | } while (!hotdrop); | 449 | } while (!hotdrop); |
450 | xt_info_rdunlock_bh(); | 450 | xt_info_rdunlock_bh(); |
451 | 451 | pr_debug("Exiting %s; resetting sp from %u to %u\n", | |
452 | __func__, *stackptr, origptr); | ||
453 | *stackptr = origptr; | ||
452 | #ifdef DEBUG_ALLOW_ALL | 454 | #ifdef DEBUG_ALLOW_ALL |
453 | return NF_ACCEPT; | 455 | return NF_ACCEPT; |
454 | #else | 456 | #else |
@@ -456,8 +458,6 @@ ipt_do_table(struct sk_buff *skb, | |||
456 | return NF_DROP; | 458 | return NF_DROP; |
457 | else return verdict; | 459 | else return verdict; |
458 | #endif | 460 | #endif |
459 | |||
460 | #undef tb_comefrom | ||
461 | } | 461 | } |
462 | 462 | ||
463 | /* Figures out from what hook each rule can be called: returns 0 if | 463 | /* Figures out from what hook each rule can be called: returns 0 if |
@@ -591,7 +591,7 @@ check_entry(const struct ipt_entry *e, const char *name) | |||
591 | const struct ipt_entry_target *t; | 591 | const struct ipt_entry_target *t; |
592 | 592 | ||
593 | if (!ip_checkentry(&e->ip)) { | 593 | if (!ip_checkentry(&e->ip)) { |
594 | duprintf("ip_tables: ip check failed %p %s.\n", e, name); | 594 | duprintf("ip check failed %p %s.\n", e, name); |
595 | return -EINVAL; | 595 | return -EINVAL; |
596 | } | 596 | } |
597 | 597 | ||
@@ -618,8 +618,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par) | |||
618 | ret = xt_check_match(par, m->u.match_size - sizeof(*m), | 618 | ret = xt_check_match(par, m->u.match_size - sizeof(*m), |
619 | ip->proto, ip->invflags & IPT_INV_PROTO); | 619 | ip->proto, ip->invflags & IPT_INV_PROTO); |
620 | if (ret < 0) { | 620 | if (ret < 0) { |
621 | duprintf("ip_tables: check failed for `%s'.\n", | 621 | duprintf("check failed for `%s'.\n", par.match->name); |
622 | par.match->name); | ||
623 | return ret; | 622 | return ret; |
624 | } | 623 | } |
625 | return 0; | 624 | return 0; |
@@ -631,12 +630,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par) | |||
631 | struct xt_match *match; | 630 | struct xt_match *match; |
632 | int ret; | 631 | int ret; |
633 | 632 | ||
634 | match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name, | 633 | match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name, |
635 | m->u.user.revision), | 634 | m->u.user.revision); |
636 | "ipt_%s", m->u.user.name); | 635 | if (IS_ERR(match)) { |
637 | if (IS_ERR(match) || !match) { | ||
638 | duprintf("find_check_match: `%s' not found\n", m->u.user.name); | 636 | duprintf("find_check_match: `%s' not found\n", m->u.user.name); |
639 | return match ? PTR_ERR(match) : -ENOENT; | 637 | return PTR_ERR(match); |
640 | } | 638 | } |
641 | m->u.kernel.match = match; | 639 | m->u.kernel.match = match; |
642 | 640 | ||
@@ -667,7 +665,7 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name) | |||
667 | ret = xt_check_target(&par, t->u.target_size - sizeof(*t), | 665 | ret = xt_check_target(&par, t->u.target_size - sizeof(*t), |
668 | e->ip.proto, e->ip.invflags & IPT_INV_PROTO); | 666 | e->ip.proto, e->ip.invflags & IPT_INV_PROTO); |
669 | if (ret < 0) { | 667 | if (ret < 0) { |
670 | duprintf("ip_tables: check failed for `%s'.\n", | 668 | duprintf("check failed for `%s'.\n", |
671 | t->u.kernel.target->name); | 669 | t->u.kernel.target->name); |
672 | return ret; | 670 | return ret; |
673 | } | 671 | } |
@@ -703,13 +701,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, | |||
703 | } | 701 | } |
704 | 702 | ||
705 | t = ipt_get_target(e); | 703 | t = ipt_get_target(e); |
706 | target = try_then_request_module(xt_find_target(AF_INET, | 704 | target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name, |
707 | t->u.user.name, | 705 | t->u.user.revision); |
708 | t->u.user.revision), | 706 | if (IS_ERR(target)) { |
709 | "ipt_%s", t->u.user.name); | ||
710 | if (IS_ERR(target) || !target) { | ||
711 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); | 707 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); |
712 | ret = target ? PTR_ERR(target) : -ENOENT; | 708 | ret = PTR_ERR(target); |
713 | goto cleanup_matches; | 709 | goto cleanup_matches; |
714 | } | 710 | } |
715 | t->u.kernel.target = target; | 711 | t->u.kernel.target = target; |
@@ -843,6 +839,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, | |||
843 | if (ret != 0) | 839 | if (ret != 0) |
844 | return ret; | 840 | return ret; |
845 | ++i; | 841 | ++i; |
842 | if (strcmp(ipt_get_target(iter)->u.user.name, | ||
843 | XT_ERROR_TARGET) == 0) | ||
844 | ++newinfo->stacksize; | ||
846 | } | 845 | } |
847 | 846 | ||
848 | if (i != repl->num_entries) { | 847 | if (i != repl->num_entries) { |
@@ -1311,7 +1310,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len) | |||
1311 | if (ret != 0) | 1310 | if (ret != 0) |
1312 | goto free_newinfo; | 1311 | goto free_newinfo; |
1313 | 1312 | ||
1314 | duprintf("ip_tables: Translated table\n"); | 1313 | duprintf("Translated table\n"); |
1315 | 1314 | ||
1316 | ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, | 1315 | ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, |
1317 | tmp.num_counters, tmp.counters); | 1316 | tmp.num_counters, tmp.counters); |
@@ -1476,13 +1475,12 @@ compat_find_calc_match(struct ipt_entry_match *m, | |||
1476 | { | 1475 | { |
1477 | struct xt_match *match; | 1476 | struct xt_match *match; |
1478 | 1477 | ||
1479 | match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name, | 1478 | match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name, |
1480 | m->u.user.revision), | 1479 | m->u.user.revision); |
1481 | "ipt_%s", m->u.user.name); | 1480 | if (IS_ERR(match)) { |
1482 | if (IS_ERR(match) || !match) { | ||
1483 | duprintf("compat_check_calc_match: `%s' not found\n", | 1481 | duprintf("compat_check_calc_match: `%s' not found\n", |
1484 | m->u.user.name); | 1482 | m->u.user.name); |
1485 | return match ? PTR_ERR(match) : -ENOENT; | 1483 | return PTR_ERR(match); |
1486 | } | 1484 | } |
1487 | m->u.kernel.match = match; | 1485 | m->u.kernel.match = match; |
1488 | *size += xt_compat_match_offset(match); | 1486 | *size += xt_compat_match_offset(match); |
@@ -1549,14 +1547,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, | |||
1549 | } | 1547 | } |
1550 | 1548 | ||
1551 | t = compat_ipt_get_target(e); | 1549 | t = compat_ipt_get_target(e); |
1552 | target = try_then_request_module(xt_find_target(AF_INET, | 1550 | target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name, |
1553 | t->u.user.name, | 1551 | t->u.user.revision); |
1554 | t->u.user.revision), | 1552 | if (IS_ERR(target)) { |
1555 | "ipt_%s", t->u.user.name); | ||
1556 | if (IS_ERR(target) || !target) { | ||
1557 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", | 1553 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", |
1558 | t->u.user.name); | 1554 | t->u.user.name); |
1559 | ret = target ? PTR_ERR(target) : -ENOENT; | 1555 | ret = PTR_ERR(target); |
1560 | goto release_matches; | 1556 | goto release_matches; |
1561 | } | 1557 | } |
1562 | t->u.kernel.target = target; | 1558 | t->u.kernel.target = target; |
@@ -2094,8 +2090,7 @@ struct xt_table *ipt_register_table(struct net *net, | |||
2094 | { | 2090 | { |
2095 | int ret; | 2091 | int ret; |
2096 | struct xt_table_info *newinfo; | 2092 | struct xt_table_info *newinfo; |
2097 | struct xt_table_info bootstrap | 2093 | struct xt_table_info bootstrap = {0}; |
2098 | = { 0, 0, 0, { 0 }, { 0 }, { } }; | ||
2099 | void *loc_cpu_entry; | 2094 | void *loc_cpu_entry; |
2100 | struct xt_table *new_table; | 2095 | struct xt_table *new_table; |
2101 | 2096 | ||
@@ -2184,12 +2179,12 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par) | |||
2184 | !!(icmpinfo->invflags&IPT_ICMP_INV)); | 2179 | !!(icmpinfo->invflags&IPT_ICMP_INV)); |
2185 | } | 2180 | } |
2186 | 2181 | ||
2187 | static bool icmp_checkentry(const struct xt_mtchk_param *par) | 2182 | static int icmp_checkentry(const struct xt_mtchk_param *par) |
2188 | { | 2183 | { |
2189 | const struct ipt_icmp *icmpinfo = par->matchinfo; | 2184 | const struct ipt_icmp *icmpinfo = par->matchinfo; |
2190 | 2185 | ||
2191 | /* Must specify no unknown invflags */ | 2186 | /* Must specify no unknown invflags */ |
2192 | return !(icmpinfo->invflags & ~IPT_ICMP_INV); | 2187 | return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0; |
2193 | } | 2188 | } |
2194 | 2189 | ||
2195 | /* The built-in targets: standard (NULL) and error. */ | 2190 | /* The built-in targets: standard (NULL) and error. */ |
@@ -2276,7 +2271,7 @@ static int __init ip_tables_init(void) | |||
2276 | if (ret < 0) | 2271 | if (ret < 0) |
2277 | goto err5; | 2272 | goto err5; |
2278 | 2273 | ||
2279 | printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n"); | 2274 | pr_info("(C) 2000-2006 Netfilter Core Team\n"); |
2280 | return 0; | 2275 | return 0; |
2281 | 2276 | ||
2282 | err5: | 2277 | err5: |
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index a992dc826f1c..8815d458de46 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c | |||
@@ -9,6 +9,7 @@ | |||
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | * | 10 | * |
11 | */ | 11 | */ |
12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
12 | #include <linux/module.h> | 13 | #include <linux/module.h> |
13 | #include <linux/proc_fs.h> | 14 | #include <linux/proc_fs.h> |
14 | #include <linux/jhash.h> | 15 | #include <linux/jhash.h> |
@@ -239,8 +240,7 @@ clusterip_hashfn(const struct sk_buff *skb, | |||
239 | break; | 240 | break; |
240 | default: | 241 | default: |
241 | if (net_ratelimit()) | 242 | if (net_ratelimit()) |
242 | printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n", | 243 | pr_info("unknown protocol %u\n", iph->protocol); |
243 | iph->protocol); | ||
244 | sport = dport = 0; | 244 | sport = dport = 0; |
245 | } | 245 | } |
246 | 246 | ||
@@ -262,7 +262,7 @@ clusterip_hashfn(const struct sk_buff *skb, | |||
262 | hashval = 0; | 262 | hashval = 0; |
263 | /* This cannot happen, unless the check function wasn't called | 263 | /* This cannot happen, unless the check function wasn't called |
264 | * at rule load time */ | 264 | * at rule load time */ |
265 | printk("CLUSTERIP: unknown mode `%u'\n", config->hash_mode); | 265 | pr_info("unknown mode %u\n", config->hash_mode); |
266 | BUG(); | 266 | BUG(); |
267 | break; | 267 | break; |
268 | } | 268 | } |
@@ -295,7 +295,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
295 | 295 | ||
296 | ct = nf_ct_get(skb, &ctinfo); | 296 | ct = nf_ct_get(skb, &ctinfo); |
297 | if (ct == NULL) { | 297 | if (ct == NULL) { |
298 | printk(KERN_ERR "CLUSTERIP: no conntrack!\n"); | 298 | pr_info("no conntrack!\n"); |
299 | /* FIXME: need to drop invalid ones, since replies | 299 | /* FIXME: need to drop invalid ones, since replies |
300 | * to outgoing connections of other nodes will be | 300 | * to outgoing connections of other nodes will be |
301 | * marked as INVALID */ | 301 | * marked as INVALID */ |
@@ -348,25 +348,24 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
348 | return XT_CONTINUE; | 348 | return XT_CONTINUE; |
349 | } | 349 | } |
350 | 350 | ||
351 | static bool clusterip_tg_check(const struct xt_tgchk_param *par) | 351 | static int clusterip_tg_check(const struct xt_tgchk_param *par) |
352 | { | 352 | { |
353 | struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; | 353 | struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; |
354 | const struct ipt_entry *e = par->entryinfo; | 354 | const struct ipt_entry *e = par->entryinfo; |
355 | |||
356 | struct clusterip_config *config; | 355 | struct clusterip_config *config; |
356 | int ret; | ||
357 | 357 | ||
358 | if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && | 358 | if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && |
359 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && | 359 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && |
360 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { | 360 | cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { |
361 | printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n", | 361 | pr_info("unknown mode %u\n", cipinfo->hash_mode); |
362 | cipinfo->hash_mode); | 362 | return -EINVAL; |
363 | return false; | ||
364 | 363 | ||
365 | } | 364 | } |
366 | if (e->ip.dmsk.s_addr != htonl(0xffffffff) || | 365 | if (e->ip.dmsk.s_addr != htonl(0xffffffff) || |
367 | e->ip.dst.s_addr == 0) { | 366 | e->ip.dst.s_addr == 0) { |
368 | printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); | 367 | pr_info("Please specify destination IP\n"); |
369 | return false; | 368 | return -EINVAL; |
370 | } | 369 | } |
371 | 370 | ||
372 | /* FIXME: further sanity checks */ | 371 | /* FIXME: further sanity checks */ |
@@ -374,41 +373,41 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par) | |||
374 | config = clusterip_config_find_get(e->ip.dst.s_addr, 1); | 373 | config = clusterip_config_find_get(e->ip.dst.s_addr, 1); |
375 | if (!config) { | 374 | if (!config) { |
376 | if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { | 375 | if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { |
377 | printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr); | 376 | pr_info("no config found for %pI4, need 'new'\n", |
378 | return false; | 377 | &e->ip.dst.s_addr); |
378 | return -EINVAL; | ||
379 | } else { | 379 | } else { |
380 | struct net_device *dev; | 380 | struct net_device *dev; |
381 | 381 | ||
382 | if (e->ip.iniface[0] == '\0') { | 382 | if (e->ip.iniface[0] == '\0') { |
383 | printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n"); | 383 | pr_info("Please specify an interface name\n"); |
384 | return false; | 384 | return -EINVAL; |
385 | } | 385 | } |
386 | 386 | ||
387 | dev = dev_get_by_name(&init_net, e->ip.iniface); | 387 | dev = dev_get_by_name(&init_net, e->ip.iniface); |
388 | if (!dev) { | 388 | if (!dev) { |
389 | printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface); | 389 | pr_info("no such interface %s\n", |
390 | return false; | 390 | e->ip.iniface); |
391 | return -ENOENT; | ||
391 | } | 392 | } |
392 | 393 | ||
393 | config = clusterip_config_init(cipinfo, | 394 | config = clusterip_config_init(cipinfo, |
394 | e->ip.dst.s_addr, dev); | 395 | e->ip.dst.s_addr, dev); |
395 | if (!config) { | 396 | if (!config) { |
396 | printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n"); | 397 | pr_info("cannot allocate config\n"); |
397 | dev_put(dev); | 398 | dev_put(dev); |
398 | return false; | 399 | return -ENOMEM; |
399 | } | 400 | } |
400 | dev_mc_add(config->dev, config->clustermac); | 401 | dev_mc_add(config->dev, config->clustermac); |
401 | } | 402 | } |
402 | } | 403 | } |
403 | cipinfo->config = config; | 404 | cipinfo->config = config; |
404 | 405 | ||
405 | if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { | 406 | ret = nf_ct_l3proto_try_module_get(par->family); |
406 | printk(KERN_WARNING "can't load conntrack support for " | 407 | if (ret < 0) |
407 | "proto=%u\n", par->target->family); | 408 | pr_info("cannot load conntrack support for proto=%u\n", |
408 | return false; | 409 | par->family); |
409 | } | 410 | return ret; |
410 | |||
411 | return true; | ||
412 | } | 411 | } |
413 | 412 | ||
414 | /* drop reference count of cluster config when rule is deleted */ | 413 | /* drop reference count of cluster config when rule is deleted */ |
@@ -422,7 +421,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par) | |||
422 | 421 | ||
423 | clusterip_config_put(cipinfo->config); | 422 | clusterip_config_put(cipinfo->config); |
424 | 423 | ||
425 | nf_ct_l3proto_module_put(par->target->family); | 424 | nf_ct_l3proto_module_put(par->family); |
426 | } | 425 | } |
427 | 426 | ||
428 | #ifdef CONFIG_COMPAT | 427 | #ifdef CONFIG_COMPAT |
@@ -479,8 +478,8 @@ static void arp_print(struct arp_payload *payload) | |||
479 | } | 478 | } |
480 | hbuffer[--k]='\0'; | 479 | hbuffer[--k]='\0'; |
481 | 480 | ||
482 | printk("src %pI4@%s, dst %pI4\n", | 481 | pr_debug("src %pI4@%s, dst %pI4\n", |
483 | &payload->src_ip, hbuffer, &payload->dst_ip); | 482 | &payload->src_ip, hbuffer, &payload->dst_ip); |
484 | } | 483 | } |
485 | #endif | 484 | #endif |
486 | 485 | ||
@@ -519,7 +518,7 @@ arp_mangle(unsigned int hook, | |||
519 | * this wouldn't work, since we didn't subscribe the mcast group on | 518 | * this wouldn't work, since we didn't subscribe the mcast group on |
520 | * other interfaces */ | 519 | * other interfaces */ |
521 | if (c->dev != out) { | 520 | if (c->dev != out) { |
522 | pr_debug("CLUSTERIP: not mangling arp reply on different " | 521 | pr_debug("not mangling arp reply on different " |
523 | "interface: cip'%s'-skb'%s'\n", | 522 | "interface: cip'%s'-skb'%s'\n", |
524 | c->dev->name, out->name); | 523 | c->dev->name, out->name); |
525 | clusterip_config_put(c); | 524 | clusterip_config_put(c); |
@@ -530,7 +529,7 @@ arp_mangle(unsigned int hook, | |||
530 | memcpy(payload->src_hw, c->clustermac, arp->ar_hln); | 529 | memcpy(payload->src_hw, c->clustermac, arp->ar_hln); |
531 | 530 | ||
532 | #ifdef DEBUG | 531 | #ifdef DEBUG |
533 | pr_debug(KERN_DEBUG "CLUSTERIP mangled arp reply: "); | 532 | pr_debug("mangled arp reply: "); |
534 | arp_print(payload); | 533 | arp_print(payload); |
535 | #endif | 534 | #endif |
536 | 535 | ||
@@ -601,7 +600,8 @@ static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos) | |||
601 | 600 | ||
602 | static void clusterip_seq_stop(struct seq_file *s, void *v) | 601 | static void clusterip_seq_stop(struct seq_file *s, void *v) |
603 | { | 602 | { |
604 | kfree(v); | 603 | if (!IS_ERR(v)) |
604 | kfree(v); | ||
605 | } | 605 | } |
606 | 606 | ||
607 | static int clusterip_seq_show(struct seq_file *s, void *v) | 607 | static int clusterip_seq_show(struct seq_file *s, void *v) |
@@ -706,13 +706,13 @@ static int __init clusterip_tg_init(void) | |||
706 | #ifdef CONFIG_PROC_FS | 706 | #ifdef CONFIG_PROC_FS |
707 | clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net); | 707 | clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net); |
708 | if (!clusterip_procdir) { | 708 | if (!clusterip_procdir) { |
709 | printk(KERN_ERR "CLUSTERIP: Unable to proc dir entry\n"); | 709 | pr_err("Unable to proc dir entry\n"); |
710 | ret = -ENOMEM; | 710 | ret = -ENOMEM; |
711 | goto cleanup_hook; | 711 | goto cleanup_hook; |
712 | } | 712 | } |
713 | #endif /* CONFIG_PROC_FS */ | 713 | #endif /* CONFIG_PROC_FS */ |
714 | 714 | ||
715 | printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n", | 715 | pr_info("ClusterIP Version %s loaded successfully\n", |
716 | CLUSTERIP_VERSION); | 716 | CLUSTERIP_VERSION); |
717 | return 0; | 717 | return 0; |
718 | 718 | ||
@@ -727,8 +727,7 @@ cleanup_target: | |||
727 | 727 | ||
728 | static void __exit clusterip_tg_exit(void) | 728 | static void __exit clusterip_tg_exit(void) |
729 | { | 729 | { |
730 | printk(KERN_NOTICE "ClusterIP Version %s unloading\n", | 730 | pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION); |
731 | CLUSTERIP_VERSION); | ||
732 | #ifdef CONFIG_PROC_FS | 731 | #ifdef CONFIG_PROC_FS |
733 | remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent); | 732 | remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent); |
734 | #endif | 733 | #endif |
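Review bot: The new tail of clusterip_tg_check, `ret = nf_ct_l3proto_try_module_get(par->family); if (ret < 0) pr_info(...); return ret;`, returns the error without releasing the config reference that clusterip_config_find_get()/clusterip_config_init() handed out a few lines earlier, so a rule whose conntrack support cannot be loaded leaks that reference (and, on the CLUSTERIP_FLAG_NEW path, presumably the net_device reference the config took over); the old `return false` had the same gap and the commit does not close it. The target's destroy hook does not run for a rule whose check failed, so the release has to happen here: `if (ret < 0) { pr_info("cannot load conntrack support for proto=%u\n", par->family); clusterip_config_put(config); }` — assuming, as clusterip_tg_destroy's `clusterip_config_put(cipinfo->config)` in this section suggests, that this is the matching release for what find_get/init return. Separately, `pr_info("no conntrack!\n")` in clusterip_tg sits on the per-packet path with no rate limit, so a stream of untracked packets can flood the log; the same file already guards its unknown-protocol message with `if (net_ratelimit())`, and that guard belongs here too.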
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c index ea5cea2415c1..563049f31aef 100644 --- a/net/ipv4/netfilter/ipt_ECN.c +++ b/net/ipv4/netfilter/ipt_ECN.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/in.h> | 10 | #include <linux/in.h> |
11 | #include <linux/module.h> | 11 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 12 | #include <linux/skbuff.h> |
@@ -93,28 +93,25 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
93 | return XT_CONTINUE; | 93 | return XT_CONTINUE; |
94 | } | 94 | } |
95 | 95 | ||
96 | static bool ecn_tg_check(const struct xt_tgchk_param *par) | 96 | static int ecn_tg_check(const struct xt_tgchk_param *par) |
97 | { | 97 | { |
98 | const struct ipt_ECN_info *einfo = par->targinfo; | 98 | const struct ipt_ECN_info *einfo = par->targinfo; |
99 | const struct ipt_entry *e = par->entryinfo; | 99 | const struct ipt_entry *e = par->entryinfo; |
100 | 100 | ||
101 | if (einfo->operation & IPT_ECN_OP_MASK) { | 101 | if (einfo->operation & IPT_ECN_OP_MASK) { |
102 | printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", | 102 | pr_info("unsupported ECN operation %x\n", einfo->operation); |
103 | einfo->operation); | 103 | return -EINVAL; |
104 | return false; | ||
105 | } | 104 | } |
106 | if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { | 105 | if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { |
107 | printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n", | 106 | pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect); |
108 | einfo->ip_ect); | 107 | return -EINVAL; |
109 | return false; | ||
110 | } | 108 | } |
111 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && | 109 | if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && |
112 | (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { | 110 | (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { |
113 | printk(KERN_WARNING "ECN: cannot use TCP operations on a " | 111 | pr_info("cannot use TCP operations on a non-tcp rule\n"); |
114 | "non-tcp rule\n"); | 112 | return -EINVAL; |
115 | return false; | ||
116 | } | 113 | } |
117 | return true; | 114 | return 0; |
118 | } | 115 | } |
119 | 116 | ||
120 | static struct xt_target ecn_tg_reg __read_mostly = { | 117 | static struct xt_target ecn_tg_reg __read_mostly = { |
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index ee128efa1c8d..3bd35f370817 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
10 | * published by the Free Software Foundation. | 10 | * published by the Free Software Foundation. |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/spinlock.h> | 14 | #include <linux/spinlock.h> |
15 | #include <linux/skbuff.h> | 15 | #include <linux/skbuff.h> |
@@ -367,7 +367,7 @@ static struct nf_loginfo default_loginfo = { | |||
367 | .type = NF_LOG_TYPE_LOG, | 367 | .type = NF_LOG_TYPE_LOG, |
368 | .u = { | 368 | .u = { |
369 | .log = { | 369 | .log = { |
370 | .level = 0, | 370 | .level = 5, |
371 | .logflags = NF_LOG_MASK, | 371 | .logflags = NF_LOG_MASK, |
372 | }, | 372 | }, |
373 | }, | 373 | }, |
@@ -439,20 +439,19 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
439 | return XT_CONTINUE; | 439 | return XT_CONTINUE; |
440 | } | 440 | } |
441 | 441 | ||
442 | static bool log_tg_check(const struct xt_tgchk_param *par) | 442 | static int log_tg_check(const struct xt_tgchk_param *par) |
443 | { | 443 | { |
444 | const struct ipt_log_info *loginfo = par->targinfo; | 444 | const struct ipt_log_info *loginfo = par->targinfo; |
445 | 445 | ||
446 | if (loginfo->level >= 8) { | 446 | if (loginfo->level >= 8) { |
447 | pr_debug("LOG: level %u >= 8\n", loginfo->level); | 447 | pr_debug("level %u >= 8\n", loginfo->level); |
448 | return false; | 448 | return -EINVAL; |
449 | } | 449 | } |
450 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { | 450 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { |
451 | pr_debug("LOG: prefix term %i\n", | 451 | pr_debug("prefix is not null-terminated\n"); |
452 | loginfo->prefix[sizeof(loginfo->prefix)-1]); | 452 | return -EINVAL; |
453 | return false; | ||
454 | } | 453 | } |
455 | return true; | 454 | return 0; |
456 | } | 455 | } |
457 | 456 | ||
458 | static struct xt_target log_tg_reg __read_mostly = { | 457 | static struct xt_target log_tg_reg __read_mostly = { |
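Review bot: The new `.level = 5` in default_loginfo is a bare magic number with no comment on why it moved from 0; a reader has to know the syslog scale to see that this demotes the default from KERN_EMERG to KERN_NOTICE. That is operationally relevant: at level 0, anything logged through this default (presumably packets logged without an explicit loginfo — the caller is outside this hunk) went out at emergency priority, which by default reaches every console, so remotely triggered log entries could be turned into console spam; if that was the motivation it should be written down. I would annotate the initializer as `.level = 5, /* KERN_NOTICE; was 0 = KERN_EMERG */`. Also note that log_tg_check's two rejections now report only via pr_debug, so a rejected rule gives the administrator no hint unless debug output is enabled; that is pre-existing, but worth mentioning since the sibling check functions in this commit use pr_info for the same class of error.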
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index 650b54042b01..02b1bc477998 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/types.h> | 12 | #include <linux/types.h> |
13 | #include <linux/inetdevice.h> | 13 | #include <linux/inetdevice.h> |
14 | #include <linux/ip.h> | 14 | #include <linux/ip.h> |
@@ -28,19 +28,19 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | |||
28 | MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); | 28 | MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); |
29 | 29 | ||
30 | /* FIXME: Multiple targets. --RR */ | 30 | /* FIXME: Multiple targets. --RR */ |
31 | static bool masquerade_tg_check(const struct xt_tgchk_param *par) | 31 | static int masquerade_tg_check(const struct xt_tgchk_param *par) |
32 | { | 32 | { |
33 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 33 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
34 | 34 | ||
35 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 35 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
36 | pr_debug("masquerade_check: bad MAP_IPS.\n"); | 36 | pr_debug("bad MAP_IPS.\n"); |
37 | return false; | 37 | return -EINVAL; |
38 | } | 38 | } |
39 | if (mr->rangesize != 1) { | 39 | if (mr->rangesize != 1) { |
40 | pr_debug("masquerade_check: bad rangesize %u\n", mr->rangesize); | 40 | pr_debug("bad rangesize %u\n", mr->rangesize); |
41 | return false; | 41 | return -EINVAL; |
42 | } | 42 | } |
43 | return true; | 43 | return 0; |
44 | } | 44 | } |
45 | 45 | ||
46 | static unsigned int | 46 | static unsigned int |
@@ -72,7 +72,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
72 | rt = skb_rtable(skb); | 72 | rt = skb_rtable(skb); |
73 | newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE); | 73 | newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE); |
74 | if (!newsrc) { | 74 | if (!newsrc) { |
75 | printk("MASQUERADE: %s ate my IP address\n", par->out->name); | 75 | pr_info("%s ate my IP address\n", par->out->name); |
76 | return NF_DROP; | 76 | return NF_DROP; |
77 | } | 77 | } |
78 | 78 | ||
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c index 7c29582d4ec8..708c7f8f7eea 100644 --- a/net/ipv4/netfilter/ipt_NETMAP.c +++ b/net/ipv4/netfilter/ipt_NETMAP.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
10 | * published by the Free Software Foundation. | 10 | * published by the Free Software Foundation. |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/ip.h> | 13 | #include <linux/ip.h> |
14 | #include <linux/module.h> | 14 | #include <linux/module.h> |
15 | #include <linux/netdevice.h> | 15 | #include <linux/netdevice.h> |
@@ -22,19 +22,19 @@ MODULE_LICENSE("GPL"); | |||
22 | MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); | 22 | MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); |
23 | MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); | 23 | MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); |
24 | 24 | ||
25 | static bool netmap_tg_check(const struct xt_tgchk_param *par) | 25 | static int netmap_tg_check(const struct xt_tgchk_param *par) |
26 | { | 26 | { |
27 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 27 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
28 | 28 | ||
29 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { | 29 | if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { |
30 | pr_debug("NETMAP:check: bad MAP_IPS.\n"); | 30 | pr_debug("bad MAP_IPS.\n"); |
31 | return false; | 31 | return -EINVAL; |
32 | } | 32 | } |
33 | if (mr->rangesize != 1) { | 33 | if (mr->rangesize != 1) { |
34 | pr_debug("NETMAP:check: bad rangesize %u.\n", mr->rangesize); | 34 | pr_debug("bad rangesize %u.\n", mr->rangesize); |
35 | return false; | 35 | return -EINVAL; |
36 | } | 36 | } |
37 | return true; | 37 | return 0; |
38 | } | 38 | } |
39 | 39 | ||
40 | static unsigned int | 40 | static unsigned int |
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c index 698e5e78685b..3cf101916523 100644 --- a/net/ipv4/netfilter/ipt_REDIRECT.c +++ b/net/ipv4/netfilter/ipt_REDIRECT.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/types.h> | 10 | #include <linux/types.h> |
11 | #include <linux/ip.h> | 11 | #include <linux/ip.h> |
12 | #include <linux/timer.h> | 12 | #include <linux/timer.h> |
@@ -26,19 +26,19 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>"); | |||
26 | MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); | 26 | MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); |
27 | 27 | ||
28 | /* FIXME: Take multiple ranges --RR */ | 28 | /* FIXME: Take multiple ranges --RR */ |
29 | static bool redirect_tg_check(const struct xt_tgchk_param *par) | 29 | static int redirect_tg_check(const struct xt_tgchk_param *par) |
30 | { | 30 | { |
31 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 31 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
32 | 32 | ||
33 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { | 33 | if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { |
34 | pr_debug("redirect_check: bad MAP_IPS.\n"); | 34 | pr_debug("bad MAP_IPS.\n"); |
35 | return false; | 35 | return -EINVAL; |
36 | } | 36 | } |
37 | if (mr->rangesize != 1) { | 37 | if (mr->rangesize != 1) { |
38 | pr_debug("redirect_check: bad rangesize %u.\n", mr->rangesize); | 38 | pr_debug("bad rangesize %u.\n", mr->rangesize); |
39 | return false; | 39 | return -EINVAL; |
40 | } | 40 | } |
41 | return true; | 41 | return 0; |
42 | } | 42 | } |
43 | 43 | ||
44 | static unsigned int | 44 | static unsigned int |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index a0e8bcf04159..a86135a28058 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
10 | * published by the Free Software Foundation. | 10 | * published by the Free Software Foundation. |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
15 | #include <linux/slab.h> | 15 | #include <linux/slab.h> |
@@ -140,9 +140,6 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
140 | { | 140 | { |
141 | const struct ipt_reject_info *reject = par->targinfo; | 141 | const struct ipt_reject_info *reject = par->targinfo; |
142 | 142 | ||
143 | /* WARNING: This code causes reentry within iptables. | ||
144 | This means that the iptables jump stack is now crap. We | ||
145 | must return an absolute verdict. --RR */ | ||
146 | switch (reject->with) { | 143 | switch (reject->with) { |
147 | case IPT_ICMP_NET_UNREACHABLE: | 144 | case IPT_ICMP_NET_UNREACHABLE: |
148 | send_unreach(skb, ICMP_NET_UNREACH); | 145 | send_unreach(skb, ICMP_NET_UNREACH); |
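Review bot: The removed comment was the only statement in reject_tg of why the target must return an absolute verdict: send_unreach()/send_reset() re-enter the network stack from inside a target. The function still returns NF_DROP unconditionally in the next hunk, so the constraint appears to be relied on; whether the jump-stack concern itself is obsolete is not visible here. If it is, a line in the commit message saying so would help; otherwise keep a one-line reminder such as `/* send_unreach()/send_reset() re-enter the stack; only an absolute verdict is safe here */`. reject_tg's signature and the end of its body lie outside this hunk.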
@@ -175,23 +172,23 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
175 | return NF_DROP; | 172 | return NF_DROP; |
176 | } | 173 | } |
177 | 174 | ||
178 | static bool reject_tg_check(const struct xt_tgchk_param *par) | 175 | static int reject_tg_check(const struct xt_tgchk_param *par) |
179 | { | 176 | { |
180 | const struct ipt_reject_info *rejinfo = par->targinfo; | 177 | const struct ipt_reject_info *rejinfo = par->targinfo; |
181 | const struct ipt_entry *e = par->entryinfo; | 178 | const struct ipt_entry *e = par->entryinfo; |
182 | 179 | ||
183 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { | 180 | if (rejinfo->with == IPT_ICMP_ECHOREPLY) { |
184 | printk("ipt_REJECT: ECHOREPLY no longer supported.\n"); | 181 | pr_info("ECHOREPLY no longer supported.\n"); |
185 | return false; | 182 | return -EINVAL; |
186 | } else if (rejinfo->with == IPT_TCP_RESET) { | 183 | } else if (rejinfo->with == IPT_TCP_RESET) { |
187 | /* Must specify that it's a TCP packet */ | 184 | /* Must specify that it's a TCP packet */ |
188 | if (e->ip.proto != IPPROTO_TCP || | 185 | if (e->ip.proto != IPPROTO_TCP || |
189 | (e->ip.invflags & XT_INV_PROTO)) { | 186 | (e->ip.invflags & XT_INV_PROTO)) { |
190 | printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n"); | 187 | pr_info("TCP_RESET invalid for non-tcp\n"); |
191 | return false; | 188 | return -EINVAL; |
192 | } | 189 | } |
193 | } | 190 | } |
194 | return true; | 191 | return 0; |
195 | } | 192 | } |
196 | 193 | ||
197 | static struct xt_target reject_tg_reg __read_mostly = { | 194 | static struct xt_target reject_tg_reg __read_mostly = { |
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 0dbe697f164f..8f60749e87a3 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
@@ -29,7 +29,7 @@ | |||
29 | * Specify, after how many hundredths of a second the queue should be | 29 | * Specify, after how many hundredths of a second the queue should be |
30 | * flushed even if it is not full yet. | 30 | * flushed even if it is not full yet. |
31 | */ | 31 | */ |
32 | 32 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
33 | #include <linux/module.h> | 33 | #include <linux/module.h> |
34 | #include <linux/spinlock.h> | 34 | #include <linux/spinlock.h> |
35 | #include <linux/socket.h> | 35 | #include <linux/socket.h> |
@@ -57,8 +57,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG); | |||
57 | #define ULOG_NL_EVENT 111 /* Harald's favorite number */ | 57 | #define ULOG_NL_EVENT 111 /* Harald's favorite number */ |
58 | #define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */ | 58 | #define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */ |
59 | 59 | ||
60 | #define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0) | ||
61 | |||
62 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; | 60 | static unsigned int nlbufsiz = NLMSG_GOODSIZE; |
63 | module_param(nlbufsiz, uint, 0400); | 61 | module_param(nlbufsiz, uint, 0400); |
64 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); | 62 | MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); |
@@ -91,12 +89,12 @@ static void ulog_send(unsigned int nlgroupnum) | |||
91 | ulog_buff_t *ub = &ulog_buffers[nlgroupnum]; | 89 | ulog_buff_t *ub = &ulog_buffers[nlgroupnum]; |
92 | 90 | ||
93 | if (timer_pending(&ub->timer)) { | 91 | if (timer_pending(&ub->timer)) { |
94 | pr_debug("ipt_ULOG: ulog_send: timer was pending, deleting\n"); | 92 | pr_debug("ulog_send: timer was pending, deleting\n"); |
95 | del_timer(&ub->timer); | 93 | del_timer(&ub->timer); |
96 | } | 94 | } |
97 | 95 | ||
98 | if (!ub->skb) { | 96 | if (!ub->skb) { |
99 | pr_debug("ipt_ULOG: ulog_send: nothing to send\n"); | 97 | pr_debug("ulog_send: nothing to send\n"); |
100 | return; | 98 | return; |
101 | } | 99 | } |
102 | 100 | ||
@@ -105,7 +103,7 @@ static void ulog_send(unsigned int nlgroupnum) | |||
105 | ub->lastnlh->nlmsg_type = NLMSG_DONE; | 103 | ub->lastnlh->nlmsg_type = NLMSG_DONE; |
106 | 104 | ||
107 | NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1; | 105 | NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1; |
108 | pr_debug("ipt_ULOG: throwing %d packets to netlink group %u\n", | 106 | pr_debug("throwing %d packets to netlink group %u\n", |
109 | ub->qlen, nlgroupnum + 1); | 107 | ub->qlen, nlgroupnum + 1); |
110 | netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC); | 108 | netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC); |
111 | 109 | ||
@@ -118,7 +116,7 @@ static void ulog_send(unsigned int nlgroupnum) | |||
118 | /* timer function to flush queue in flushtimeout time */ | 116 | /* timer function to flush queue in flushtimeout time */ |
119 | static void ulog_timer(unsigned long data) | 117 | static void ulog_timer(unsigned long data) |
120 | { | 118 | { |
121 | pr_debug("ipt_ULOG: timer function called, calling ulog_send\n"); | 119 | pr_debug("timer function called, calling ulog_send\n"); |
122 | 120 | ||
123 | /* lock to protect against somebody modifying our structure | 121 | /* lock to protect against somebody modifying our structure |
124 | * from ipt_ulog_target at the same time */ | 122 | * from ipt_ulog_target at the same time */ |
@@ -139,7 +137,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size) | |||
139 | n = max(size, nlbufsiz); | 137 | n = max(size, nlbufsiz); |
140 | skb = alloc_skb(n, GFP_ATOMIC); | 138 | skb = alloc_skb(n, GFP_ATOMIC); |
141 | if (!skb) { | 139 | if (!skb) { |
142 | PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n); | 140 | pr_debug("cannot alloc whole buffer %ub!\n", n); |
143 | 141 | ||
144 | if (n > size) { | 142 | if (n > size) { |
145 | /* try to allocate only as much as we need for | 143 | /* try to allocate only as much as we need for |
@@ -147,8 +145,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size) | |||
147 | 145 | ||
148 | skb = alloc_skb(size, GFP_ATOMIC); | 146 | skb = alloc_skb(size, GFP_ATOMIC); |
149 | if (!skb) | 147 | if (!skb) |
150 | PRINTR("ipt_ULOG: can't even allocate %ub\n", | 148 | pr_debug("cannot even allocate %ub\n", size); |
151 | size); | ||
152 | } | 149 | } |
153 | } | 150 | } |
154 | 151 | ||
@@ -199,8 +196,7 @@ static void ipt_ulog_packet(unsigned int hooknum, | |||
199 | goto alloc_failure; | 196 | goto alloc_failure; |
200 | } | 197 | } |
201 | 198 | ||
202 | pr_debug("ipt_ULOG: qlen %d, qthreshold %Zu\n", ub->qlen, | 199 | pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold); |
203 | loginfo->qthreshold); | ||
204 | 200 | ||
205 | /* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */ | 201 | /* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */ |
206 | nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT, | 202 | nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT, |
@@ -273,11 +269,9 @@ static void ipt_ulog_packet(unsigned int hooknum, | |||
273 | return; | 269 | return; |
274 | 270 | ||
275 | nlmsg_failure: | 271 | nlmsg_failure: |
276 | PRINTR("ipt_ULOG: error during NLMSG_PUT\n"); | 272 | pr_debug("error during NLMSG_PUT\n"); |
277 | |||
278 | alloc_failure: | 273 | alloc_failure: |
279 | PRINTR("ipt_ULOG: Error building netlink message\n"); | 274 | pr_debug("Error building netlink message\n"); |
280 | |||
281 | spin_unlock_bh(&ulog_lock); | 275 | spin_unlock_bh(&ulog_lock); |
282 | } | 276 | } |
283 | 277 | ||
@@ -314,21 +308,20 @@ static void ipt_logfn(u_int8_t pf, | |||
314 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); | 308 | ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); |
315 | } | 309 | } |
316 | 310 | ||
317 | static bool ulog_tg_check(const struct xt_tgchk_param *par) | 311 | static int ulog_tg_check(const struct xt_tgchk_param *par) |
318 | { | 312 | { |
319 | const struct ipt_ulog_info *loginfo = par->targinfo; | 313 | const struct ipt_ulog_info *loginfo = par->targinfo; |
320 | 314 | ||
321 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { | 315 | if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { |
322 | pr_debug("ipt_ULOG: prefix term %i\n", | 316 | pr_debug("prefix not null-terminated\n"); |
323 | loginfo->prefix[sizeof(loginfo->prefix) - 1]); | 317 | return -EINVAL; |
324 | return false; | ||
325 | } | 318 | } |
326 | if (loginfo->qthreshold > ULOG_MAX_QLEN) { | 319 | if (loginfo->qthreshold > ULOG_MAX_QLEN) { |
327 | pr_debug("ipt_ULOG: queue threshold %Zu > MAX_QLEN\n", | 320 | pr_debug("queue threshold %Zu > MAX_QLEN\n", |
328 | loginfo->qthreshold); | 321 | loginfo->qthreshold); |
329 | return false; | 322 | return -EINVAL; |
330 | } | 323 | } |
331 | return true; | 324 | return 0; |
332 | } | 325 | } |
333 | 326 | ||
334 | #ifdef CONFIG_COMPAT | 327 | #ifdef CONFIG_COMPAT |
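Review bot: ulog_tg_check validates only the prefix terminator and qthreshold; the field of ipt_ulog_info that selects the netlink group (presumably nl_group, not visible in this diff) is not range-checked here, yet ulog_send indexes ulog_buffers with a group number and that array is sized by ULOG_MAXNLGROUPS. If ipt_ulog_packet derives the index from the rule's targinfo without its own bounds check, a zero or oversized group selector supplied from userspace would reach the array unchecked; confirm against that code and, if so, reject such values here with -EINVAL alongside the two existing checks, worded to match however the index is derived (e.g. a zero mask, or a highest set bit beyond ULOG_MAXNLGROUPS).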
@@ -390,10 +383,10 @@ static int __init ulog_tg_init(void) | |||
390 | { | 383 | { |
391 | int ret, i; | 384 | int ret, i; |
392 | 385 | ||
393 | pr_debug("ipt_ULOG: init module\n"); | 386 | pr_debug("init module\n"); |
394 | 387 | ||
395 | if (nlbufsiz > 128*1024) { | 388 | if (nlbufsiz > 128*1024) { |
396 | printk("Netlink buffer has to be <= 128kB\n"); | 389 | pr_warning("Netlink buffer has to be <= 128kB\n"); |
397 | return -EINVAL; | 390 | return -EINVAL; |
398 | } | 391 | } |
399 | 392 | ||
@@ -423,7 +416,7 @@ static void __exit ulog_tg_exit(void) | |||
423 | ulog_buff_t *ub; | 416 | ulog_buff_t *ub; |
424 | int i; | 417 | int i; |
425 | 418 | ||
426 | pr_debug("ipt_ULOG: cleanup_module\n"); | 419 | pr_debug("cleanup_module\n"); |
427 | 420 | ||
428 | if (nflog) | 421 | if (nflog) |
429 | nf_log_unregister(&ipt_ulog_logger); | 422 | nf_log_unregister(&ipt_ulog_logger); |
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c index 3b216be3bc9f..e4b8f2bf8aaa 100644 --- a/net/ipv4/netfilter/ipt_addrtype.c +++ b/net/ipv4/netfilter/ipt_addrtype.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/kernel.h> | 12 | #include <linux/kernel.h> |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
@@ -70,34 +70,34 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) | |||
70 | return ret; | 70 | return ret; |
71 | } | 71 | } |
72 | 72 | ||
73 | static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par) | 73 | static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par) |
74 | { | 74 | { |
75 | struct ipt_addrtype_info_v1 *info = par->matchinfo; | 75 | struct ipt_addrtype_info_v1 *info = par->matchinfo; |
76 | 76 | ||
77 | if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN && | 77 | if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN && |
78 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { | 78 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { |
79 | printk(KERN_ERR "ipt_addrtype: both incoming and outgoing " | 79 | pr_info("both incoming and outgoing " |
80 | "interface limitation cannot be selected\n"); | 80 | "interface limitation cannot be selected\n"); |
81 | return false; | 81 | return -EINVAL; |
82 | } | 82 | } |
83 | 83 | ||
84 | if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | | 84 | if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | |
85 | (1 << NF_INET_LOCAL_IN)) && | 85 | (1 << NF_INET_LOCAL_IN)) && |
86 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { | 86 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { |
87 | printk(KERN_ERR "ipt_addrtype: output interface limitation " | 87 | pr_info("output interface limitation " |
88 | "not valid in PRE_ROUTING and INPUT\n"); | 88 | "not valid in PREROUTING and INPUT\n"); |
89 | return false; | 89 | return -EINVAL; |
90 | } | 90 | } |
91 | 91 | ||
92 | if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | | 92 | if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | |
93 | (1 << NF_INET_LOCAL_OUT)) && | 93 | (1 << NF_INET_LOCAL_OUT)) && |
94 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { | 94 | info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { |
95 | printk(KERN_ERR "ipt_addrtype: input interface limitation " | 95 | pr_info("input interface limitation " |
96 | "not valid in POST_ROUTING and OUTPUT\n"); | 96 | "not valid in POSTROUTING and OUTPUT\n"); |
97 | return false; | 97 | return -EINVAL; |
98 | } | 98 | } |
99 | 99 | ||
100 | return true; | 100 | return 0; |
101 | } | 101 | } |
102 | 102 | ||
103 | static struct xt_match addrtype_mt_reg[] __read_mostly = { | 103 | static struct xt_match addrtype_mt_reg[] __read_mostly = { |
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c index 0104c0b399de..9f9810204892 100644 --- a/net/ipv4/netfilter/ipt_ah.c +++ b/net/ipv4/netfilter/ipt_ah.c | |||
@@ -5,7 +5,7 @@ | |||
5 | * it under the terms of the GNU General Public License version 2 as | 5 | * it under the terms of the GNU General Public License version 2 as |
6 | * published by the Free Software Foundation. | 6 | * published by the Free Software Foundation. |
7 | */ | 7 | */ |
8 | 8 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
9 | #include <linux/in.h> | 9 | #include <linux/in.h> |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
@@ -18,21 +18,15 @@ MODULE_LICENSE("GPL"); | |||
18 | MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>"); | 18 | MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>"); |
19 | MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match"); | 19 | MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match"); |
20 | 20 | ||
21 | #ifdef DEBUG_CONNTRACK | ||
22 | #define duprintf(format, args...) printk(format , ## args) | ||
23 | #else | ||
24 | #define duprintf(format, args...) | ||
25 | #endif | ||
26 | |||
27 | /* Returns 1 if the spi is matched by the range, 0 otherwise */ | 21 | /* Returns 1 if the spi is matched by the range, 0 otherwise */ |
28 | static inline bool | 22 | static inline bool |
29 | spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) | 23 | spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) |
30 | { | 24 | { |
31 | bool r; | 25 | bool r; |
32 | duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', | 26 | pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n", |
33 | min,spi,max); | 27 | invert ? '!' : ' ', min, spi, max); |
34 | r=(spi >= min && spi <= max) ^ invert; | 28 | r=(spi >= min && spi <= max) ^ invert; |
35 | duprintf(" result %s\n",r? "PASS" : "FAILED"); | 29 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); |
36 | return r; | 30 | return r; |
37 | } | 31 | } |
38 | 32 | ||
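Review bot: The first pr_debug in spi_match now ends in "\n", so what duprintf emitted as one line (`spi_match: 0x… <= 0x… <= 0x… result PASS`) becomes two separate log records, the second beginning with a stray space. Compute the result first and log once: `r = (spi >= min && spi <= max) ^ invert;` followed by `pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x result %s\n", invert ? '!' : ' ', min, spi, max, r ? "PASS" : "FAILED");`. Also worth a thought: this is now a per-packet print in a match hot path, so under CONFIG_DYNAMIC_DEBUG an administrator who switches it on gets an unratelimited, attacker-paced log rate, whereas duprintf was gated on the DEBUG_CONNTRACK build option.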
@@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
51 | /* We've been asked to examine this packet, and we | 45 | /* We've been asked to examine this packet, and we |
52 | * can't. Hence, no choice but to drop. | 46 | * can't. Hence, no choice but to drop. |
53 | */ | 47 | */ |
54 | duprintf("Dropping evil AH tinygram.\n"); | 48 | pr_debug("Dropping evil AH tinygram.\n"); |
55 | *par->hotdrop = true; | 49 | *par->hotdrop = true; |
56 | return 0; | 50 | return 0; |
57 | } | 51 | } |
@@ -61,16 +55,16 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
61 | !!(ahinfo->invflags & IPT_AH_INV_SPI)); | 55 | !!(ahinfo->invflags & IPT_AH_INV_SPI)); |
62 | } | 56 | } |
63 | 57 | ||
64 | static bool ah_mt_check(const struct xt_mtchk_param *par) | 58 | static int ah_mt_check(const struct xt_mtchk_param *par) |
65 | { | 59 | { |
66 | const struct ipt_ah *ahinfo = par->matchinfo; | 60 | const struct ipt_ah *ahinfo = par->matchinfo; |
67 | 61 | ||
68 | /* Must specify no unknown invflags */ | 62 | /* Must specify no unknown invflags */ |
69 | if (ahinfo->invflags & ~IPT_AH_INV_MASK) { | 63 | if (ahinfo->invflags & ~IPT_AH_INV_MASK) { |
70 | duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags); | 64 | pr_debug("unknown flags %X\n", ahinfo->invflags); |
71 | return false; | 65 | return -EINVAL; |
72 | } | 66 | } |
73 | return true; | 67 | return 0; |
74 | } | 68 | } |
75 | 69 | ||
76 | static struct xt_match ah_mt_reg __read_mostly = { | 70 | static struct xt_match ah_mt_reg __read_mostly = { |
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index 2a1e56b71908..32e24100d8d1 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/in.h> | 10 | #include <linux/in.h> |
11 | #include <linux/ip.h> | 11 | #include <linux/ip.h> |
12 | #include <net/ip.h> | 12 | #include <net/ip.h> |
@@ -85,25 +85,24 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
85 | return true; | 85 | return true; |
86 | } | 86 | } |
87 | 87 | ||
88 | static bool ecn_mt_check(const struct xt_mtchk_param *par) | 88 | static int ecn_mt_check(const struct xt_mtchk_param *par) |
89 | { | 89 | { |
90 | const struct ipt_ecn_info *info = par->matchinfo; | 90 | const struct ipt_ecn_info *info = par->matchinfo; |
91 | const struct ipt_ip *ip = par->entryinfo; | 91 | const struct ipt_ip *ip = par->entryinfo; |
92 | 92 | ||
93 | if (info->operation & IPT_ECN_OP_MATCH_MASK) | 93 | if (info->operation & IPT_ECN_OP_MATCH_MASK) |
94 | return false; | 94 | return -EINVAL; |
95 | 95 | ||
96 | if (info->invert & IPT_ECN_OP_MATCH_MASK) | 96 | if (info->invert & IPT_ECN_OP_MATCH_MASK) |
97 | return false; | 97 | return -EINVAL; |
98 | 98 | ||
99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && | 99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && |
100 | ip->proto != IPPROTO_TCP) { | 100 | ip->proto != IPPROTO_TCP) { |
101 | printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" | 101 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); |
102 | " non-tcp packets\n"); | 102 | return -EINVAL; |
103 | return false; | ||
104 | } | 103 | } |
105 | 104 | ||
106 | return true; | 105 | return 0; |
107 | } | 106 | } |
108 | 107 | ||
109 | static struct xt_match ecn_mt_reg __read_mostly = { | 108 | static struct xt_match ecn_mt_reg __read_mostly = { |
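Review bot: The TCP-only guard in ecn_mt_check tests `ip->proto != IPPROTO_TCP` but ignores `ip->invflags`, so a rule written with `! -p tcp` passes the check while matching only non-TCP packets and asking for the ECE/CWR bits; reject_tg_check in this same series handles the identical case with `(e->ip.invflags & XT_INV_PROTO)`. Make the condition `ip->proto != IPPROTO_TCP || (ip->invflags & XT_INV_PROTO)` so the rule is refused at load time. Whether ecn_mt tolerates a non-TCP packet at runtime is outside this hunk, but rejecting the misconfiguration up front is the cheaper and clearer behaviour.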
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 2fb7b76da94f..244f7cb08d68 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | |||
@@ -336,12 +336,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v) | |||
336 | const struct ip_conntrack_stat *st = v; | 336 | const struct ip_conntrack_stat *st = v; |
337 | 337 | ||
338 | if (v == SEQ_START_TOKEN) { | 338 | if (v == SEQ_START_TOKEN) { |
339 | seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n"); | 339 | seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); |
340 | return 0; | 340 | return 0; |
341 | } | 341 | } |
342 | 342 | ||
343 | seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " | 343 | seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " |
344 | "%08x %08x %08x %08x %08x %08x %08x %08x \n", | 344 | "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", |
345 | nr_conntracks, | 345 | nr_conntracks, |
346 | st->searched, | 346 | st->searched, |
347 | st->found, | 347 | st->found, |
@@ -358,7 +358,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v) | |||
358 | 358 | ||
359 | st->expect_new, | 359 | st->expect_new, |
360 | st->expect_create, | 360 | st->expect_create, |
361 | st->expect_delete | 361 | st->expect_delete, |
362 | st->search_restart | ||
362 | ); | 363 | ); |
363 | return 0; | 364 | return 0; |
364 | } | 365 | } |
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c index 7e8e6fc75413..d4c061874f8f 100644 --- a/net/ipv4/netfilter/nf_nat_h323.c +++ b/net/ipv4/netfilter/nf_nat_h323.c | |||
@@ -10,7 +10,6 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include <linux/module.h> | 12 | #include <linux/module.h> |
13 | #include <linux/moduleparam.h> | ||
14 | #include <linux/tcp.h> | 13 | #include <linux/tcp.h> |
15 | #include <net/tcp.h> | 14 | #include <net/tcp.h> |
16 | 15 | ||
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 26de2c1f7fab..b48a0fc3d9ed 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -7,6 +7,7 @@ | |||
7 | */ | 7 | */ |
8 | 8 | ||
9 | /* Everything about the rules for NAT. */ | 9 | /* Everything about the rules for NAT. */ |
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
10 | #include <linux/types.h> | 11 | #include <linux/types.h> |
11 | #include <linux/ip.h> | 12 | #include <linux/ip.h> |
12 | #include <linux/netfilter.h> | 13 | #include <linux/netfilter.h> |
@@ -74,28 +75,28 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par) | |||
74 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); | 75 | return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); |
75 | } | 76 | } |
76 | 77 | ||
77 | static bool ipt_snat_checkentry(const struct xt_tgchk_param *par) | 78 | static int ipt_snat_checkentry(const struct xt_tgchk_param *par) |
78 | { | 79 | { |
79 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 80 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
80 | 81 | ||
81 | /* Must be a valid range */ | 82 | /* Must be a valid range */ |
82 | if (mr->rangesize != 1) { | 83 | if (mr->rangesize != 1) { |
83 | printk("SNAT: multiple ranges no longer supported\n"); | 84 | pr_info("SNAT: multiple ranges no longer supported\n"); |
84 | return false; | 85 | return -EINVAL; |
85 | } | 86 | } |
86 | return true; | 87 | return 0; |
87 | } | 88 | } |
88 | 89 | ||
89 | static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par) | 90 | static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) |
90 | { | 91 | { |
91 | const struct nf_nat_multi_range_compat *mr = par->targinfo; | 92 | const struct nf_nat_multi_range_compat *mr = par->targinfo; |
92 | 93 | ||
93 | /* Must be a valid range */ | 94 | /* Must be a valid range */ |
94 | if (mr->rangesize != 1) { | 95 | if (mr->rangesize != 1) { |
95 | printk("DNAT: multiple ranges no longer supported\n"); | 96 | pr_info("DNAT: multiple ranges no longer supported\n"); |
96 | return false; | 97 | return -EINVAL; |
97 | } | 98 | } |
98 | return true; | 99 | return 0; |
99 | } | 100 | } |
100 | 101 | ||
101 | unsigned int | 102 | unsigned int |
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index c39c9cf6bee6..84c7974f5830 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -138,9 +138,8 @@ nf_nat_fn(unsigned int hooknum, | |||
138 | ret = nf_nat_rule_find(skb, hooknum, in, out, | 138 | ret = nf_nat_rule_find(skb, hooknum, in, out, |
139 | ct); | 139 | ct); |
140 | 140 | ||
141 | if (ret != NF_ACCEPT) { | 141 | if (ret != NF_ACCEPT) |
142 | return ret; | 142 | return ret; |
143 | } | ||
144 | } else | 143 | } else |
145 | pr_debug("Already setup manip %s for ct %p\n", | 144 | pr_debug("Already setup manip %s for ct %p\n", |
146 | maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST", | 145 | maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST", |
diff --git a/net/ipv4/netfilter/nf_nat_tftp.c b/net/ipv4/netfilter/nf_nat_tftp.c index b096e81500ae..7274a43c7a12 100644 --- a/net/ipv4/netfilter/nf_nat_tftp.c +++ b/net/ipv4/netfilter/nf_nat_tftp.c | |||
@@ -6,7 +6,6 @@ | |||
6 | */ | 6 | */ |
7 | 7 | ||
8 | #include <linux/module.h> | 8 | #include <linux/module.h> |
9 | #include <linux/moduleparam.h> | ||
10 | #include <linux/udp.h> | 9 | #include <linux/udp.h> |
11 | 10 | ||
12 | #include <net/netfilter/nf_nat_helper.h> | 11 | #include <net/netfilter/nf_nat_helper.h> |
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 52ef5af78a45..2c7a1639388a 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c | |||
@@ -381,8 +381,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length, | |||
381 | icmp_out_count(net, ((struct icmphdr *) | 381 | icmp_out_count(net, ((struct icmphdr *) |
382 | skb_transport_header(skb))->type); | 382 | skb_transport_header(skb))->type); |
383 | 383 | ||
384 | err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | 384 | err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL, |
385 | dst_output); | 385 | rt->u.dst.dev, dst_output); |
386 | if (err > 0) | 386 | if (err > 0) |
387 | err = net_xmit_errno(err); | 387 | err = net_xmit_errno(err); |
388 | if (err) | 388 | if (err) |
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index c791bb63203f..abcd7ed65db1 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c | |||
@@ -61,7 +61,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async) | |||
61 | iph->tot_len = htons(skb->len); | 61 | iph->tot_len = htons(skb->len); |
62 | ip_send_check(iph); | 62 | ip_send_check(iph); |
63 | 63 | ||
64 | NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, | 64 | NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, |
65 | xfrm4_rcv_encap_finish); | 65 | xfrm4_rcv_encap_finish); |
66 | return 0; | 66 | return 0; |
67 | } | 67 | } |
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index c908bd99bcba..571aa96a175c 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c | |||
@@ -86,7 +86,7 @@ static int xfrm4_output_finish(struct sk_buff *skb) | |||
86 | 86 | ||
87 | int xfrm4_output(struct sk_buff *skb) | 87 | int xfrm4_output(struct sk_buff *skb) |
88 | { | 88 | { |
89 | return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, | 89 | return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, |
90 | NULL, skb_dst(skb)->dev, xfrm4_output_finish, | 90 | NULL, skb_dst(skb)->dev, xfrm4_output_finish, |
91 | !(IPCB(skb)->flags & IPSKB_REROUTED)); | 91 | !(IPCB(skb)->flags & IPSKB_REROUTED)); |
92 | } | 92 | } |
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index 6aa7ee1295c2..a83e9209cecc 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c | |||
@@ -143,7 +143,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt | |||
143 | /* Must drop socket now because of tproxy. */ | 143 | /* Must drop socket now because of tproxy. */ |
144 | skb_orphan(skb); | 144 | skb_orphan(skb); |
145 | 145 | ||
146 | return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL, | 146 | return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, dev, NULL, |
147 | ip6_rcv_finish); | 147 | ip6_rcv_finish); |
148 | err: | 148 | err: |
149 | IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS); | 149 | IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS); |
@@ -236,7 +236,7 @@ discard: | |||
236 | 236 | ||
237 | int ip6_input(struct sk_buff *skb) | 237 | int ip6_input(struct sk_buff *skb) |
238 | { | 238 | { |
239 | return NF_HOOK(PF_INET6, NF_INET_LOCAL_IN, skb, skb->dev, NULL, | 239 | return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN, skb, skb->dev, NULL, |
240 | ip6_input_finish); | 240 | ip6_input_finish); |
241 | } | 241 | } |
242 | 242 | ||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index e7a5f17d5e95..5173acaeb501 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c | |||
@@ -67,8 +67,8 @@ int __ip6_local_out(struct sk_buff *skb) | |||
67 | len = 0; | 67 | len = 0; |
68 | ipv6_hdr(skb)->payload_len = htons(len); | 68 | ipv6_hdr(skb)->payload_len = htons(len); |
69 | 69 | ||
70 | return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, | 70 | return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, |
71 | dst_output); | 71 | skb_dst(skb)->dev, dst_output); |
72 | } | 72 | } |
73 | 73 | ||
74 | int ip6_local_out(struct sk_buff *skb) | 74 | int ip6_local_out(struct sk_buff *skb) |
@@ -83,22 +83,6 @@ int ip6_local_out(struct sk_buff *skb) | |||
83 | } | 83 | } |
84 | EXPORT_SYMBOL_GPL(ip6_local_out); | 84 | EXPORT_SYMBOL_GPL(ip6_local_out); |
85 | 85 | ||
86 | static int ip6_output_finish(struct sk_buff *skb) | ||
87 | { | ||
88 | struct dst_entry *dst = skb_dst(skb); | ||
89 | |||
90 | if (dst->hh) | ||
91 | return neigh_hh_output(dst->hh, skb); | ||
92 | else if (dst->neighbour) | ||
93 | return dst->neighbour->output(skb); | ||
94 | |||
95 | IP6_INC_STATS_BH(dev_net(dst->dev), | ||
96 | ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); | ||
97 | kfree_skb(skb); | ||
98 | return -EINVAL; | ||
99 | |||
100 | } | ||
101 | |||
102 | /* dev_loopback_xmit for use with netfilter. */ | 86 | /* dev_loopback_xmit for use with netfilter. */ |
103 | static int ip6_dev_loopback_xmit(struct sk_buff *newskb) | 87 | static int ip6_dev_loopback_xmit(struct sk_buff *newskb) |
104 | { | 88 | { |
@@ -112,8 +96,7 @@ static int ip6_dev_loopback_xmit(struct sk_buff *newskb) | |||
112 | return 0; | 96 | return 0; |
113 | } | 97 | } |
114 | 98 | ||
115 | 99 | static int ip6_finish_output2(struct sk_buff *skb) | |
116 | static int ip6_output2(struct sk_buff *skb) | ||
117 | { | 100 | { |
118 | struct dst_entry *dst = skb_dst(skb); | 101 | struct dst_entry *dst = skb_dst(skb); |
119 | struct net_device *dev = dst->dev; | 102 | struct net_device *dev = dst->dev; |
@@ -135,8 +118,8 @@ static int ip6_output2(struct sk_buff *skb) | |||
135 | is not supported in any case. | 118 | is not supported in any case. |
136 | */ | 119 | */ |
137 | if (newskb) | 120 | if (newskb) |
138 | NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb, | 121 | NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, |
139 | NULL, newskb->dev, | 122 | newskb, NULL, newskb->dev, |
140 | ip6_dev_loopback_xmit); | 123 | ip6_dev_loopback_xmit); |
141 | 124 | ||
142 | if (ipv6_hdr(skb)->hop_limit == 0) { | 125 | if (ipv6_hdr(skb)->hop_limit == 0) { |
@@ -151,8 +134,15 @@ static int ip6_output2(struct sk_buff *skb) | |||
151 | skb->len); | 134 | skb->len); |
152 | } | 135 | } |
153 | 136 | ||
154 | return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev, | 137 | if (dst->hh) |
155 | ip6_output_finish); | 138 | return neigh_hh_output(dst->hh, skb); |
139 | else if (dst->neighbour) | ||
140 | return dst->neighbour->output(skb); | ||
141 | |||
142 | IP6_INC_STATS_BH(dev_net(dst->dev), | ||
143 | ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); | ||
144 | kfree_skb(skb); | ||
145 | return -EINVAL; | ||
156 | } | 146 | } |
157 | 147 | ||
158 | static inline int ip6_skb_dst_mtu(struct sk_buff *skb) | 148 | static inline int ip6_skb_dst_mtu(struct sk_buff *skb) |
@@ -163,21 +153,29 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb) | |||
163 | skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); | 153 | skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); |
164 | } | 154 | } |
165 | 155 | ||
156 | static int ip6_finish_output(struct sk_buff *skb) | ||
157 | { | ||
158 | if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || | ||
159 | dst_allfrag(skb_dst(skb))) | ||
160 | return ip6_fragment(skb, ip6_finish_output2); | ||
161 | else | ||
162 | return ip6_finish_output2(skb); | ||
163 | } | ||
164 | |||
166 | int ip6_output(struct sk_buff *skb) | 165 | int ip6_output(struct sk_buff *skb) |
167 | { | 166 | { |
167 | struct net_device *dev = skb_dst(skb)->dev; | ||
168 | struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); | 168 | struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); |
169 | if (unlikely(idev->cnf.disable_ipv6)) { | 169 | if (unlikely(idev->cnf.disable_ipv6)) { |
170 | IP6_INC_STATS(dev_net(skb_dst(skb)->dev), idev, | 170 | IP6_INC_STATS(dev_net(dev), idev, |
171 | IPSTATS_MIB_OUTDISCARDS); | 171 | IPSTATS_MIB_OUTDISCARDS); |
172 | kfree_skb(skb); | 172 | kfree_skb(skb); |
173 | return 0; | 173 | return 0; |
174 | } | 174 | } |
175 | 175 | ||
176 | if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || | 176 | return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev, |
177 | dst_allfrag(skb_dst(skb))) | 177 | ip6_finish_output, |
178 | return ip6_fragment(skb, ip6_output2); | 178 | !(IP6CB(skb)->flags & IP6SKB_REROUTED)); |
179 | else | ||
180 | return ip6_output2(skb); | ||
181 | } | 179 | } |
182 | 180 | ||
183 | /* | 181 | /* |
@@ -256,8 +254,8 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl, | |||
256 | if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) { | 254 | if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) { |
257 | IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)), | 255 | IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)), |
258 | IPSTATS_MIB_OUT, skb->len); | 256 | IPSTATS_MIB_OUT, skb->len); |
259 | return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev, | 257 | return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, |
260 | dst_output); | 258 | dst->dev, dst_output); |
261 | } | 259 | } |
262 | 260 | ||
263 | if (net_ratelimit()) | 261 | if (net_ratelimit()) |
@@ -533,7 +531,7 @@ int ip6_forward(struct sk_buff *skb) | |||
533 | hdr->hop_limit--; | 531 | hdr->hop_limit--; |
534 | 532 | ||
535 | IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); | 533 | IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); |
536 | return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev, | 534 | return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev, |
537 | ip6_forward_finish); | 535 | ip6_forward_finish); |
538 | 536 | ||
539 | error: | 537 | error: |
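Review bot: The NF_HOOK_COND call in ip6_output (new lines 176-178) bypasses NF_INET_POST_ROUTING whenever IP6CB(skb)->flags carries IP6SKB_REROUTED, and nothing on the new side says who sets that flag or why skipping the hook is safe, so anyone auditing firewall coverage of locally generated IPv6 traffic has to chase it elsewhere. Since the IPv4 side at the top of this diff gates xfrm4_output on IPSKB_REROUTED the same way, presumably the flag marks packets that already traversed POST_ROUTING before a transform re-routed them, but that is inferred rather than visible here. A comment above the call would make the intent auditable: `/* Skip POST_ROUTING for packets flagged IP6SKB_REROUTED: they already passed the hook before being re-routed (mirrors IPv4's IPSKB_REROUTED). */`. Folding ip6_output_finish into ip6_finish_output2 keeps the no-neighbour path's kfree_skb/-EINVAL outcome unchanged, which reads correctly.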
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c index 3e333268db89..e0b530ca394c 100644 --- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c | |||
@@ -1570,7 +1570,7 @@ static int ip6mr_forward2(struct sk_buff *skb, struct mfc6_cache *c, int vifi) | |||
1570 | 1570 | ||
1571 | IP6CB(skb)->flags |= IP6SKB_FORWARDED; | 1571 | IP6CB(skb)->flags |= IP6SKB_FORWARDED; |
1572 | 1572 | ||
1573 | return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dev, | 1573 | return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dev, |
1574 | ip6mr_forward2_finish); | 1574 | ip6mr_forward2_finish); |
1575 | 1575 | ||
1576 | out_free: | 1576 | out_free: |
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index 006aee683a0f..59f1881968c7 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c | |||
@@ -1428,7 +1428,7 @@ static void mld_sendpack(struct sk_buff *skb) | |||
1428 | 1428 | ||
1429 | payload_len = skb->len; | 1429 | payload_len = skb->len; |
1430 | 1430 | ||
1431 | err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, | 1431 | err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, |
1432 | dst_output); | 1432 | dst_output); |
1433 | out: | 1433 | out: |
1434 | if (!err) { | 1434 | if (!err) { |
@@ -1793,7 +1793,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) | |||
1793 | goto err_out; | 1793 | goto err_out; |
1794 | 1794 | ||
1795 | skb_dst_set(skb, dst); | 1795 | skb_dst_set(skb, dst); |
1796 | err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, | 1796 | err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, |
1797 | dst_output); | 1797 | dst_output); |
1798 | out: | 1798 | out: |
1799 | if (!err) { | 1799 | if (!err) { |
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index da0a4d2adc69..3f7c12b70a26 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c | |||
@@ -536,7 +536,7 @@ void ndisc_send_skb(struct sk_buff *skb, | |||
536 | idev = in6_dev_get(dst->dev); | 536 | idev = in6_dev_get(dst->dev); |
537 | IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); | 537 | IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); |
538 | 538 | ||
539 | err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev, | 539 | err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev, |
540 | dst_output); | 540 | dst_output); |
541 | if (!err) { | 541 | if (!err) { |
542 | ICMP6MSGOUT_INC_STATS(net, idev, type); | 542 | ICMP6MSGOUT_INC_STATS(net, idev, type); |
@@ -1618,7 +1618,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh, | |||
1618 | skb_dst_set(buff, dst); | 1618 | skb_dst_set(buff, dst); |
1619 | idev = in6_dev_get(dst->dev); | 1619 | idev = in6_dev_get(dst->dev); |
1620 | IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); | 1620 | IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); |
1621 | err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev, | 1621 | err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev, |
1622 | dst_output); | 1622 | dst_output); |
1623 | if (!err) { | 1623 | if (!err) { |
1624 | ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT); | 1624 | ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT); |
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index d5ed92b14346..a74951c039b6 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c | |||
@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb) | |||
25 | }; | 25 | }; |
26 | 26 | ||
27 | dst = ip6_route_output(net, skb->sk, &fl); | 27 | dst = ip6_route_output(net, skb->sk, &fl); |
28 | |||
29 | #ifdef CONFIG_XFRM | ||
30 | if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && | ||
31 | xfrm_decode_session(skb, &fl, AF_INET6) == 0) { | ||
32 | struct dst_entry *dst2 = skb_dst(skb); | ||
33 | |||
34 | if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) { | ||
35 | skb_dst_set(skb, NULL); | ||
36 | return -1; | ||
37 | } | ||
38 | skb_dst_set(skb, dst2); | ||
39 | } | ||
40 | #endif | ||
41 | |||
42 | if (dst->error) { | 28 | if (dst->error) { |
43 | IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); | 29 | IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); |
44 | LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); | 30 | LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); |
@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb) | |||
50 | skb_dst_drop(skb); | 36 | skb_dst_drop(skb); |
51 | 37 | ||
52 | skb_dst_set(skb, dst); | 38 | skb_dst_set(skb, dst); |
39 | |||
40 | #ifdef CONFIG_XFRM | ||
41 | if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && | ||
42 | xfrm_decode_session(skb, &fl, AF_INET6) == 0) { | ||
43 | skb_dst_set(skb, NULL); | ||
44 | if (xfrm_lookup(net, &dst, &fl, skb->sk, 0)) | ||
45 | return -1; | ||
46 | skb_dst_set(skb, dst); | ||
47 | } | ||
48 | #endif | ||
49 | |||
53 | return 0; | 50 | return 0; |
54 | } | 51 | } |
55 | EXPORT_SYMBOL(ip6_route_me_harder); | 52 | EXPORT_SYMBOL(ip6_route_me_harder); |
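Review bot: The relocated xfrm branch in ip6_route_me_harder (new lines 40-48) returns -1 with the skb's dst cleared but, unlike the dst->error path just above it, emits no diagnostic, so a packet dropped because the re-route's policy/transform lookup failed is indistinguishable from a successful re-route when debugging. The new ordering also hands the reference obtained from ip6_route_output to xfrm_lookup, which presumably drops it on failure — the usual xfrm_lookup contract, but not visible here, so it deserves a line. Suggest `/* dst reference is handed to xfrm_lookup(); on failure it is released there and the skb is left without a dst */` above `skb_dst_set(skb, NULL);`, and `LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: xfrm lookup failed.\n");` before the `return -1;` to match the no-route path. ip6_route_me_harder begins before the first hunk of this file.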
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index 6a68a74d14a3..8656eb75520c 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
@@ -162,8 +162,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
162 | break; | 162 | break; |
163 | 163 | ||
164 | case IPQ_COPY_PACKET: | 164 | case IPQ_COPY_PACKET: |
165 | if ((entry->skb->ip_summed == CHECKSUM_PARTIAL || | 165 | if (entry->skb->ip_summed == CHECKSUM_PARTIAL && |
166 | entry->skb->ip_summed == CHECKSUM_COMPLETE) && | ||
167 | (*errp = skb_checksum_help(entry->skb))) { | 166 | (*errp = skb_checksum_help(entry->skb))) { |
168 | read_unlock_bh(&queue_lock); | 167 | read_unlock_bh(&queue_lock); |
169 | return NULL; | 168 | return NULL; |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 9210e312edf1..7afa11773164 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -40,13 +40,13 @@ MODULE_DESCRIPTION("IPv6 packet filter"); | |||
40 | /*#define DEBUG_IP_FIREWALL_USER*/ | 40 | /*#define DEBUG_IP_FIREWALL_USER*/ |
41 | 41 | ||
42 | #ifdef DEBUG_IP_FIREWALL | 42 | #ifdef DEBUG_IP_FIREWALL |
43 | #define dprintf(format, args...) printk(format , ## args) | 43 | #define dprintf(format, args...) pr_info(format , ## args) |
44 | #else | 44 | #else |
45 | #define dprintf(format, args...) | 45 | #define dprintf(format, args...) |
46 | #endif | 46 | #endif |
47 | 47 | ||
48 | #ifdef DEBUG_IP_FIREWALL_USER | 48 | #ifdef DEBUG_IP_FIREWALL_USER |
49 | #define duprintf(format, args...) printk(format , ## args) | 49 | #define duprintf(format, args...) pr_info(format , ## args) |
50 | #else | 50 | #else |
51 | #define duprintf(format, args...) | 51 | #define duprintf(format, args...) |
52 | #endif | 52 | #endif |
@@ -200,8 +200,7 @@ static unsigned int | |||
200 | ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) | 200 | ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) |
201 | { | 201 | { |
202 | if (net_ratelimit()) | 202 | if (net_ratelimit()) |
203 | printk("ip6_tables: error: `%s'\n", | 203 | pr_info("error: `%s'\n", (const char *)par->targinfo); |
204 | (const char *)par->targinfo); | ||
205 | 204 | ||
206 | return NF_DROP; | 205 | return NF_DROP; |
207 | } | 206 | } |
@@ -352,15 +351,14 @@ ip6t_do_table(struct sk_buff *skb, | |||
352 | const struct net_device *out, | 351 | const struct net_device *out, |
353 | struct xt_table *table) | 352 | struct xt_table *table) |
354 | { | 353 | { |
355 | #define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom | ||
356 | |||
357 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 354 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
358 | bool hotdrop = false; | 355 | bool hotdrop = false; |
359 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 356 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
360 | unsigned int verdict = NF_DROP; | 357 | unsigned int verdict = NF_DROP; |
361 | const char *indev, *outdev; | 358 | const char *indev, *outdev; |
362 | const void *table_base; | 359 | const void *table_base; |
363 | struct ip6t_entry *e, *back; | 360 | struct ip6t_entry *e, **jumpstack; |
361 | unsigned int *stackptr, origptr, cpu; | ||
364 | const struct xt_table_info *private; | 362 | const struct xt_table_info *private; |
365 | struct xt_match_param mtpar; | 363 | struct xt_match_param mtpar; |
366 | struct xt_target_param tgpar; | 364 | struct xt_target_param tgpar; |
@@ -384,19 +382,19 @@ ip6t_do_table(struct sk_buff *skb, | |||
384 | 382 | ||
385 | xt_info_rdlock_bh(); | 383 | xt_info_rdlock_bh(); |
386 | private = table->private; | 384 | private = table->private; |
387 | table_base = private->entries[smp_processor_id()]; | 385 | cpu = smp_processor_id(); |
386 | table_base = private->entries[cpu]; | ||
387 | jumpstack = (struct ip6t_entry **)private->jumpstack[cpu]; | ||
388 | stackptr = &private->stackptr[cpu]; | ||
389 | origptr = *stackptr; | ||
388 | 390 | ||
389 | e = get_entry(table_base, private->hook_entry[hook]); | 391 | e = get_entry(table_base, private->hook_entry[hook]); |
390 | 392 | ||
391 | /* For return from builtin chain */ | ||
392 | back = get_entry(table_base, private->underflow[hook]); | ||
393 | |||
394 | do { | 393 | do { |
395 | const struct ip6t_entry_target *t; | 394 | const struct ip6t_entry_target *t; |
396 | const struct xt_entry_match *ematch; | 395 | const struct xt_entry_match *ematch; |
397 | 396 | ||
398 | IP_NF_ASSERT(e); | 397 | IP_NF_ASSERT(e); |
399 | IP_NF_ASSERT(back); | ||
400 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, | 398 | if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, |
401 | &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { | 399 | &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { |
402 | no_match: | 400 | no_match: |
@@ -433,41 +431,30 @@ ip6t_do_table(struct sk_buff *skb, | |||
433 | verdict = (unsigned)(-v) - 1; | 431 | verdict = (unsigned)(-v) - 1; |
434 | break; | 432 | break; |
435 | } | 433 | } |
436 | e = back; | 434 | if (*stackptr == 0) |
437 | back = get_entry(table_base, back->comefrom); | 435 | e = get_entry(table_base, |
436 | private->underflow[hook]); | ||
437 | else | ||
438 | e = ip6t_next_entry(jumpstack[--*stackptr]); | ||
438 | continue; | 439 | continue; |
439 | } | 440 | } |
440 | if (table_base + v != ip6t_next_entry(e) && | 441 | if (table_base + v != ip6t_next_entry(e) && |
441 | !(e->ipv6.flags & IP6T_F_GOTO)) { | 442 | !(e->ipv6.flags & IP6T_F_GOTO)) { |
442 | /* Save old back ptr in next entry */ | 443 | if (*stackptr >= private->stacksize) { |
443 | struct ip6t_entry *next = ip6t_next_entry(e); | 444 | verdict = NF_DROP; |
444 | next->comefrom = (void *)back - table_base; | 445 | break; |
445 | /* set back pointer to next entry */ | 446 | } |
446 | back = next; | 447 | jumpstack[(*stackptr)++] = e; |
447 | } | 448 | } |
448 | 449 | ||
449 | e = get_entry(table_base, v); | 450 | e = get_entry(table_base, v); |
450 | continue; | 451 | continue; |
451 | } | 452 | } |
452 | 453 | ||
453 | /* Targets which reenter must return | ||
454 | abs. verdicts */ | ||
455 | tgpar.target = t->u.kernel.target; | 454 | tgpar.target = t->u.kernel.target; |
456 | tgpar.targinfo = t->data; | 455 | tgpar.targinfo = t->data; |
457 | 456 | ||
458 | #ifdef CONFIG_NETFILTER_DEBUG | ||
459 | tb_comefrom = 0xeeeeeeec; | ||
460 | #endif | ||
461 | verdict = t->u.kernel.target->target(skb, &tgpar); | 457 | verdict = t->u.kernel.target->target(skb, &tgpar); |
462 | |||
463 | #ifdef CONFIG_NETFILTER_DEBUG | ||
464 | if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) { | ||
465 | printk("Target %s reentered!\n", | ||
466 | t->u.kernel.target->name); | ||
467 | verdict = NF_DROP; | ||
468 | } | ||
469 | tb_comefrom = 0x57acc001; | ||
470 | #endif | ||
471 | if (verdict == IP6T_CONTINUE) | 458 | if (verdict == IP6T_CONTINUE) |
472 | e = ip6t_next_entry(e); | 459 | e = ip6t_next_entry(e); |
473 | else | 460 | else |
@@ -475,10 +462,8 @@ ip6t_do_table(struct sk_buff *skb, | |||
475 | break; | 462 | break; |
476 | } while (!hotdrop); | 463 | } while (!hotdrop); |
477 | 464 | ||
478 | #ifdef CONFIG_NETFILTER_DEBUG | ||
479 | tb_comefrom = NETFILTER_LINK_POISON; | ||
480 | #endif | ||
481 | xt_info_rdunlock_bh(); | 465 | xt_info_rdunlock_bh(); |
466 | *stackptr = origptr; | ||
482 | 467 | ||
483 | #ifdef DEBUG_ALLOW_ALL | 468 | #ifdef DEBUG_ALLOW_ALL |
484 | return NF_ACCEPT; | 469 | return NF_ACCEPT; |
@@ -487,8 +472,6 @@ ip6t_do_table(struct sk_buff *skb, | |||
487 | return NF_DROP; | 472 | return NF_DROP; |
488 | else return verdict; | 473 | else return verdict; |
489 | #endif | 474 | #endif |
490 | |||
491 | #undef tb_comefrom | ||
492 | } | 475 | } |
493 | 476 | ||
494 | /* Figures out from what hook each rule can be called: returns 0 if | 477 | /* Figures out from what hook each rule can be called: returns 0 if |
@@ -661,12 +644,11 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par) | |||
661 | struct xt_match *match; | 644 | struct xt_match *match; |
662 | int ret; | 645 | int ret; |
663 | 646 | ||
664 | match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name, | 647 | match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name, |
665 | m->u.user.revision), | 648 | m->u.user.revision); |
666 | "ip6t_%s", m->u.user.name); | 649 | if (IS_ERR(match)) { |
667 | if (IS_ERR(match) || !match) { | ||
668 | duprintf("find_check_match: `%s' not found\n", m->u.user.name); | 650 | duprintf("find_check_match: `%s' not found\n", m->u.user.name); |
669 | return match ? PTR_ERR(match) : -ENOENT; | 651 | return PTR_ERR(match); |
670 | } | 652 | } |
671 | m->u.kernel.match = match; | 653 | m->u.kernel.match = match; |
672 | 654 | ||
@@ -734,13 +716,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, | |||
734 | } | 716 | } |
735 | 717 | ||
736 | t = ip6t_get_target(e); | 718 | t = ip6t_get_target(e); |
737 | target = try_then_request_module(xt_find_target(AF_INET6, | 719 | target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name, |
738 | t->u.user.name, | 720 | t->u.user.revision); |
739 | t->u.user.revision), | 721 | if (IS_ERR(target)) { |
740 | "ip6t_%s", t->u.user.name); | ||
741 | if (IS_ERR(target) || !target) { | ||
742 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); | 722 | duprintf("find_check_entry: `%s' not found\n", t->u.user.name); |
743 | ret = target ? PTR_ERR(target) : -ENOENT; | 723 | ret = PTR_ERR(target); |
744 | goto cleanup_matches; | 724 | goto cleanup_matches; |
745 | } | 725 | } |
746 | t->u.kernel.target = target; | 726 | t->u.kernel.target = target; |
@@ -873,6 +853,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, | |||
873 | if (ret != 0) | 853 | if (ret != 0) |
874 | return ret; | 854 | return ret; |
875 | ++i; | 855 | ++i; |
856 | if (strcmp(ip6t_get_target(iter)->u.user.name, | ||
857 | XT_ERROR_TARGET) == 0) | ||
858 | ++newinfo->stacksize; | ||
876 | } | 859 | } |
877 | 860 | ||
878 | if (i != repl->num_entries) { | 861 | if (i != repl->num_entries) { |
@@ -1509,13 +1492,12 @@ compat_find_calc_match(struct ip6t_entry_match *m, | |||
1509 | { | 1492 | { |
1510 | struct xt_match *match; | 1493 | struct xt_match *match; |
1511 | 1494 | ||
1512 | match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name, | 1495 | match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name, |
1513 | m->u.user.revision), | 1496 | m->u.user.revision); |
1514 | "ip6t_%s", m->u.user.name); | 1497 | if (IS_ERR(match)) { |
1515 | if (IS_ERR(match) || !match) { | ||
1516 | duprintf("compat_check_calc_match: `%s' not found\n", | 1498 | duprintf("compat_check_calc_match: `%s' not found\n", |
1517 | m->u.user.name); | 1499 | m->u.user.name); |
1518 | return match ? PTR_ERR(match) : -ENOENT; | 1500 | return PTR_ERR(match); |
1519 | } | 1501 | } |
1520 | m->u.kernel.match = match; | 1502 | m->u.kernel.match = match; |
1521 | *size += xt_compat_match_offset(match); | 1503 | *size += xt_compat_match_offset(match); |
@@ -1582,14 +1564,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, | |||
1582 | } | 1564 | } |
1583 | 1565 | ||
1584 | t = compat_ip6t_get_target(e); | 1566 | t = compat_ip6t_get_target(e); |
1585 | target = try_then_request_module(xt_find_target(AF_INET6, | 1567 | target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name, |
1586 | t->u.user.name, | 1568 | t->u.user.revision); |
1587 | t->u.user.revision), | 1569 | if (IS_ERR(target)) { |
1588 | "ip6t_%s", t->u.user.name); | ||
1589 | if (IS_ERR(target) || !target) { | ||
1590 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", | 1570 | duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", |
1591 | t->u.user.name); | 1571 | t->u.user.name); |
1592 | ret = target ? PTR_ERR(target) : -ENOENT; | 1572 | ret = PTR_ERR(target); |
1593 | goto release_matches; | 1573 | goto release_matches; |
1594 | } | 1574 | } |
1595 | t->u.kernel.target = target; | 1575 | t->u.kernel.target = target; |
@@ -2127,8 +2107,7 @@ struct xt_table *ip6t_register_table(struct net *net, | |||
2127 | { | 2107 | { |
2128 | int ret; | 2108 | int ret; |
2129 | struct xt_table_info *newinfo; | 2109 | struct xt_table_info *newinfo; |
2130 | struct xt_table_info bootstrap | 2110 | struct xt_table_info bootstrap = {0}; |
2131 | = { 0, 0, 0, { 0 }, { 0 }, { } }; | ||
2132 | void *loc_cpu_entry; | 2111 | void *loc_cpu_entry; |
2133 | struct xt_table *new_table; | 2112 | struct xt_table *new_table; |
2134 | 2113 | ||
@@ -2216,12 +2195,12 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par) | |||
2216 | } | 2195 | } |
2217 | 2196 | ||
2218 | /* Called when user tries to insert an entry of this type. */ | 2197 | /* Called when user tries to insert an entry of this type. */ |
2219 | static bool icmp6_checkentry(const struct xt_mtchk_param *par) | 2198 | static int icmp6_checkentry(const struct xt_mtchk_param *par) |
2220 | { | 2199 | { |
2221 | const struct ip6t_icmp *icmpinfo = par->matchinfo; | 2200 | const struct ip6t_icmp *icmpinfo = par->matchinfo; |
2222 | 2201 | ||
2223 | /* Must specify no unknown invflags */ | 2202 | /* Must specify no unknown invflags */ |
2224 | return !(icmpinfo->invflags & ~IP6T_ICMP_INV); | 2203 | return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0; |
2225 | } | 2204 | } |
2226 | 2205 | ||
2227 | /* The built-in targets: standard (NULL) and error. */ | 2206 | /* The built-in targets: standard (NULL) and error. */ |
@@ -2308,7 +2287,7 @@ static int __init ip6_tables_init(void) | |||
2308 | if (ret < 0) | 2287 | if (ret < 0) |
2309 | goto err5; | 2288 | goto err5; |
2310 | 2289 | ||
2311 | printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n"); | 2290 | pr_info("(C) 2000-2006 Netfilter Core Team\n"); |
2312 | return 0; | 2291 | return 0; |
2313 | 2292 | ||
2314 | err5: | 2293 | err5: |
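Review bot: In ip6t_do_table the per-CPU stack pointer is restored (`*stackptr = origptr;`, new line 466) only after `xt_info_rdunlock_bh()` has re-enabled bottom halves; a softirq on the same CPU that enters ip6t_do_table in that window sees stackptr still at this invocation's inner depth, saves and restores its own origptr correctly, but starts above slots that have not yet been released, so the `*stackptr >= private->stacksize` guard can trip earlier than the sizing anticipates. Restoring before the unlock closes the window: `*stackptr = origptr;` followed by `xt_info_rdunlock_bh();`. Relatedly, stacksize is set in translate_table by counting XT_ERROR_TARGET entries only, and the overflow guard fails closed with a bare NF_DROP; unless stacksize is scaled elsewhere for re-entrant targets (the comment removed from ip6t_REJECT.c in this diff notes that REJECT re-enters ip6tables), nested traversals on one CPU share that budget and their drops leave no trace. A comment at the guard such as `/* jump stack exhausted (deep chains or re-entry): fail closed */` plus a rate-limited diagnostic would make such drops observable rather than silent.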
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index b285fdf19050..1f47a525f484 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c | |||
@@ -9,9 +9,8 @@ | |||
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
10 | * published by the Free Software Foundation. | 10 | * published by the Free Software Foundation. |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/moduleparam.h> | ||
15 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
16 | #include <linux/if_arp.h> | 15 | #include <linux/if_arp.h> |
17 | #include <linux/ip.h> | 16 | #include <linux/ip.h> |
@@ -378,7 +377,7 @@ static struct nf_loginfo default_loginfo = { | |||
378 | .type = NF_LOG_TYPE_LOG, | 377 | .type = NF_LOG_TYPE_LOG, |
379 | .u = { | 378 | .u = { |
380 | .log = { | 379 | .log = { |
381 | .level = 0, | 380 | .level = 5, |
382 | .logflags = NF_LOG_MASK, | 381 | .logflags = NF_LOG_MASK, |
383 | }, | 382 | }, |
384 | }, | 383 | }, |
@@ -452,20 +451,19 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
452 | } | 451 | } |
453 | 452 | ||
454 | 453 | ||
455 | static bool log_tg6_check(const struct xt_tgchk_param *par) | 454 | static int log_tg6_check(const struct xt_tgchk_param *par) |
456 | { | 455 | { |
457 | const struct ip6t_log_info *loginfo = par->targinfo; | 456 | const struct ip6t_log_info *loginfo = par->targinfo; |
458 | 457 | ||
459 | if (loginfo->level >= 8) { | 458 | if (loginfo->level >= 8) { |
460 | pr_debug("LOG: level %u >= 8\n", loginfo->level); | 459 | pr_debug("level %u >= 8\n", loginfo->level); |
461 | return false; | 460 | return -EINVAL; |
462 | } | 461 | } |
463 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { | 462 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { |
464 | pr_debug("LOG: prefix term %i\n", | 463 | pr_debug("prefix not null-terminated\n"); |
465 | loginfo->prefix[sizeof(loginfo->prefix)-1]); | 464 | return -EINVAL; |
466 | return false; | ||
467 | } | 465 | } |
468 | return true; | 466 | return 0; |
469 | } | 467 | } |
470 | 468 | ||
471 | static struct xt_target log_tg6_reg __read_mostly = { | 469 | static struct xt_target log_tg6_reg __read_mostly = { |
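Review bot: The new default `.level = 5` in default_loginfo (new line 380) is a bare number with nothing saying which syslog level it denotes, while log_tg6_check's `>= 8` bound a few lines below uses another; since this is the level applied when a rule supplies none, the intent should be readable from the code. Suggest `.level = 5, /* KERN_NOTICE */`. Replacing the echo of the offending prefix byte with the plain `prefix not null-terminated` message is the right call for a rule-supplied buffer.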
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 39b50c3768e8..af1d6494ac39 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c | |||
@@ -14,6 +14,7 @@ | |||
14 | * as published by the Free Software Foundation; either version | 14 | * as published by the Free Software Foundation; either version |
15 | * 2 of the License, or (at your option) any later version. | 15 | * 2 of the License, or (at your option) any later version. |
16 | */ | 16 | */ |
17 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
17 | 18 | ||
18 | #include <linux/gfp.h> | 19 | #include <linux/gfp.h> |
19 | #include <linux/module.h> | 20 | #include <linux/module.h> |
@@ -50,7 +51,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
50 | 51 | ||
51 | if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) || | 52 | if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) || |
52 | (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) { | 53 | (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) { |
53 | pr_debug("ip6t_REJECT: addr is not unicast.\n"); | 54 | pr_debug("addr is not unicast.\n"); |
54 | return; | 55 | return; |
55 | } | 56 | } |
56 | 57 | ||
@@ -58,7 +59,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
58 | tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto); | 59 | tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto); |
59 | 60 | ||
60 | if ((tcphoff < 0) || (tcphoff > oldskb->len)) { | 61 | if ((tcphoff < 0) || (tcphoff > oldskb->len)) { |
61 | pr_debug("ip6t_REJECT: Can't get TCP header.\n"); | 62 | pr_debug("Cannot get TCP header.\n"); |
62 | return; | 63 | return; |
63 | } | 64 | } |
64 | 65 | ||
@@ -66,7 +67,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
66 | 67 | ||
67 | /* IP header checks: fragment, too short. */ | 68 | /* IP header checks: fragment, too short. */ |
68 | if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { | 69 | if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { |
69 | pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, " | 70 | pr_debug("proto(%d) != IPPROTO_TCP, " |
70 | "or too short. otcplen = %d\n", | 71 | "or too short. otcplen = %d\n", |
71 | proto, otcplen); | 72 | proto, otcplen); |
72 | return; | 73 | return; |
@@ -77,14 +78,14 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
77 | 78 | ||
78 | /* No RST for RST. */ | 79 | /* No RST for RST. */ |
79 | if (otcph.rst) { | 80 | if (otcph.rst) { |
80 | pr_debug("ip6t_REJECT: RST is set\n"); | 81 | pr_debug("RST is set\n"); |
81 | return; | 82 | return; |
82 | } | 83 | } |
83 | 84 | ||
84 | /* Check checksum. */ | 85 | /* Check checksum. */ |
85 | if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP, | 86 | if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP, |
86 | skb_checksum(oldskb, tcphoff, otcplen, 0))) { | 87 | skb_checksum(oldskb, tcphoff, otcplen, 0))) { |
87 | pr_debug("ip6t_REJECT: TCP checksum is invalid\n"); | 88 | pr_debug("TCP checksum is invalid\n"); |
88 | return; | 89 | return; |
89 | } | 90 | } |
90 | 91 | ||
@@ -108,7 +109,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) | |||
108 | 109 | ||
109 | if (!nskb) { | 110 | if (!nskb) { |
110 | if (net_ratelimit()) | 111 | if (net_ratelimit()) |
111 | printk("ip6t_REJECT: Can't alloc skb\n"); | 112 | pr_debug("cannot alloc skb\n"); |
112 | dst_release(dst); | 113 | dst_release(dst); |
113 | return; | 114 | return; |
114 | } | 115 | } |
@@ -180,9 +181,6 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
180 | struct net *net = dev_net((par->in != NULL) ? par->in : par->out); | 181 | struct net *net = dev_net((par->in != NULL) ? par->in : par->out); |
181 | 182 | ||
182 | pr_debug("%s: medium point\n", __func__); | 183 | pr_debug("%s: medium point\n", __func__); |
183 | /* WARNING: This code causes reentry within ip6tables. | ||
184 | This means that the ip6tables jump stack is now crap. We | ||
185 | must return an absolute verdict. --RR */ | ||
186 | switch (reject->with) { | 184 | switch (reject->with) { |
187 | case IP6T_ICMP6_NO_ROUTE: | 185 | case IP6T_ICMP6_NO_ROUTE: |
188 | send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum); | 186 | send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum); |
@@ -207,30 +205,30 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par) | |||
207 | break; | 205 | break; |
208 | default: | 206 | default: |
209 | if (net_ratelimit()) | 207 | if (net_ratelimit()) |
210 | printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with); | 208 | pr_info("case %u not handled yet\n", reject->with); |
211 | break; | 209 | break; |
212 | } | 210 | } |
213 | 211 | ||
214 | return NF_DROP; | 212 | return NF_DROP; |
215 | } | 213 | } |
216 | 214 | ||
217 | static bool reject_tg6_check(const struct xt_tgchk_param *par) | 215 | static int reject_tg6_check(const struct xt_tgchk_param *par) |
218 | { | 216 | { |
219 | const struct ip6t_reject_info *rejinfo = par->targinfo; | 217 | const struct ip6t_reject_info *rejinfo = par->targinfo; |
220 | const struct ip6t_entry *e = par->entryinfo; | 218 | const struct ip6t_entry *e = par->entryinfo; |
221 | 219 | ||
222 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { | 220 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { |
223 | printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); | 221 | pr_info("ECHOREPLY is not supported.\n"); |
224 | return false; | 222 | return -EINVAL; |
225 | } else if (rejinfo->with == IP6T_TCP_RESET) { | 223 | } else if (rejinfo->with == IP6T_TCP_RESET) { |
226 | /* Must specify that it's a TCP packet */ | 224 | /* Must specify that it's a TCP packet */ |
227 | if (e->ipv6.proto != IPPROTO_TCP || | 225 | if (e->ipv6.proto != IPPROTO_TCP || |
228 | (e->ipv6.invflags & XT_INV_PROTO)) { | 226 | (e->ipv6.invflags & XT_INV_PROTO)) { |
229 | printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n"); | 227 | pr_info("TCP_RESET illegal for non-tcp\n"); |
230 | return false; | 228 | return -EINVAL; |
231 | } | 229 | } |
232 | } | 230 | } |
233 | return true; | 231 | return 0; |
234 | } | 232 | } |
235 | 233 | ||
236 | static struct xt_target reject_tg6_reg __read_mostly = { | 234 | static struct xt_target reject_tg6_reg __read_mostly = { |
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c index ac0b7c629d78..1580693c86c1 100644 --- a/net/ipv6/netfilter/ip6t_ah.c +++ b/net/ipv6/netfilter/ip6t_ah.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/ip.h> | 12 | #include <linux/ip.h> |
@@ -29,7 +29,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) | |||
29 | { | 29 | { |
30 | bool r; | 30 | bool r; |
31 | 31 | ||
32 | pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x", | 32 | pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n", |
33 | invert ? '!' : ' ', min, spi, max); | 33 | invert ? '!' : ' ', min, spi, max); |
34 | r = (spi >= min && spi <= max) ^ invert; | 34 | r = (spi >= min && spi <= max) ^ invert; |
35 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); | 35 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); |
@@ -87,15 +87,15 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
87 | !(ahinfo->hdrres && ah->reserved); | 87 | !(ahinfo->hdrres && ah->reserved); |
88 | } | 88 | } |
89 | 89 | ||
90 | static bool ah_mt6_check(const struct xt_mtchk_param *par) | 90 | static int ah_mt6_check(const struct xt_mtchk_param *par) |
91 | { | 91 | { |
92 | const struct ip6t_ah *ahinfo = par->matchinfo; | 92 | const struct ip6t_ah *ahinfo = par->matchinfo; |
93 | 93 | ||
94 | if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { | 94 | if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { |
95 | pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags); | 95 | pr_debug("unknown flags %X\n", ahinfo->invflags); |
96 | return false; | 96 | return -EINVAL; |
97 | } | 97 | } |
98 | return true; | 98 | return 0; |
99 | } | 99 | } |
100 | 100 | ||
101 | static struct xt_match ah_mt6_reg __read_mostly = { | 101 | static struct xt_match ah_mt6_reg __read_mostly = { |
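Review bot: In ah_mt6_check the unknown-invflags path now fails rule insertion with -EINVAL, but the cause is reported only by `pr_debug("unknown flags %X\n", ahinfo->invflags);`, so an administrator most likely sees a bare EINVAL from userspace with nothing in the kernel log unless dynamic debug is enabled for the module. In this same commit reject_tg6_check (ip6t_REJECT.c) reports the equivalent configuration errors with pr_info, so the two now diverge; if that parity is intended, `pr_info("unknown flags %X\n", ahinfo->invflags);` would match it. The same pr_debug-on-EINVAL pattern appears in frag_mt6_check (ip6t_frag.c), hbh_mt6_check (ip6t_hbh.c) and rt_mt6_check (ip6t_rt.c).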
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c index 7b91c2598ed5..a5daf0ffb4ec 100644 --- a/net/ipv6/netfilter/ip6t_frag.c +++ b/net/ipv6/netfilter/ip6t_frag.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/ipv6.h> | 12 | #include <linux/ipv6.h> |
@@ -27,7 +27,7 @@ static inline bool | |||
27 | id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) | 27 | id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) |
28 | { | 28 | { |
29 | bool r; | 29 | bool r; |
30 | pr_debug("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', | 30 | pr_debug("id_match:%c 0x%x <= 0x%x <= 0x%x\n", invert ? '!' : ' ', |
31 | min, id, max); | 31 | min, id, max); |
32 | r = (id >= min && id <= max) ^ invert; | 32 | r = (id >= min && id <= max) ^ invert; |
33 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); | 33 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); |
@@ -102,15 +102,15 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
102 | (ntohs(fh->frag_off) & IP6_MF)); | 102 | (ntohs(fh->frag_off) & IP6_MF)); |
103 | } | 103 | } |
104 | 104 | ||
105 | static bool frag_mt6_check(const struct xt_mtchk_param *par) | 105 | static int frag_mt6_check(const struct xt_mtchk_param *par) |
106 | { | 106 | { |
107 | const struct ip6t_frag *fraginfo = par->matchinfo; | 107 | const struct ip6t_frag *fraginfo = par->matchinfo; |
108 | 108 | ||
109 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { | 109 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { |
110 | pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags); | 110 | pr_debug("unknown flags %X\n", fraginfo->invflags); |
111 | return false; | 111 | return -EINVAL; |
112 | } | 112 | } |
113 | return true; | 113 | return 0; |
114 | } | 114 | } |
115 | 115 | ||
116 | static struct xt_match frag_mt6_reg __read_mostly = { | 116 | static struct xt_match frag_mt6_reg __read_mostly = { |
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c index e60677519e40..e424e7c8f824 100644 --- a/net/ipv6/netfilter/ip6t_hbh.c +++ b/net/ipv6/netfilter/ip6t_hbh.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/ipv6.h> | 12 | #include <linux/ipv6.h> |
@@ -41,6 +41,8 @@ MODULE_ALIAS("ip6t_dst"); | |||
41 | * 5 -> RTALERT 2 x x | 41 | * 5 -> RTALERT 2 x x |
42 | */ | 42 | */ |
43 | 43 | ||
44 | static struct xt_match hbh_mt6_reg[] __read_mostly; | ||
45 | |||
44 | static bool | 46 | static bool |
45 | hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | 47 | hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) |
46 | { | 48 | { |
@@ -58,7 +60,9 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
58 | unsigned int optlen; | 60 | unsigned int optlen; |
59 | int err; | 61 | int err; |
60 | 62 | ||
61 | err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL); | 63 | err = ipv6_find_hdr(skb, &ptr, |
64 | (par->match == &hbh_mt6_reg[0]) ? | ||
65 | NEXTHDR_HOP : NEXTHDR_DEST, NULL); | ||
62 | if (err < 0) { | 66 | if (err < 0) { |
63 | if (err != -ENOENT) | 67 | if (err != -ENOENT) |
64 | *par->hotdrop = true; | 68 | *par->hotdrop = true; |
@@ -160,32 +164,32 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
160 | return false; | 164 | return false; |
161 | } | 165 | } |
162 | 166 | ||
163 | static bool hbh_mt6_check(const struct xt_mtchk_param *par) | 167 | static int hbh_mt6_check(const struct xt_mtchk_param *par) |
164 | { | 168 | { |
165 | const struct ip6t_opts *optsinfo = par->matchinfo; | 169 | const struct ip6t_opts *optsinfo = par->matchinfo; |
166 | 170 | ||
167 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { | 171 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { |
168 | pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags); | 172 | pr_debug("unknown flags %X\n", optsinfo->invflags); |
169 | return false; | 173 | return -EINVAL; |
170 | } | 174 | } |
171 | 175 | ||
172 | if (optsinfo->flags & IP6T_OPTS_NSTRICT) { | 176 | if (optsinfo->flags & IP6T_OPTS_NSTRICT) { |
173 | pr_debug("ip6t_opts: Not strict - not implemented"); | 177 | pr_debug("Not strict - not implemented"); |
174 | return false; | 178 | return -EINVAL; |
175 | } | 179 | } |
176 | 180 | ||
177 | return true; | 181 | return 0; |
178 | } | 182 | } |
179 | 183 | ||
180 | static struct xt_match hbh_mt6_reg[] __read_mostly = { | 184 | static struct xt_match hbh_mt6_reg[] __read_mostly = { |
181 | { | 185 | { |
186 | /* Note, hbh_mt6 relies on the order of hbh_mt6_reg */ | ||
182 | .name = "hbh", | 187 | .name = "hbh", |
183 | .family = NFPROTO_IPV6, | 188 | .family = NFPROTO_IPV6, |
184 | .match = hbh_mt6, | 189 | .match = hbh_mt6, |
185 | .matchsize = sizeof(struct ip6t_opts), | 190 | .matchsize = sizeof(struct ip6t_opts), |
186 | .checkentry = hbh_mt6_check, | 191 | .checkentry = hbh_mt6_check, |
187 | .me = THIS_MODULE, | 192 | .me = THIS_MODULE, |
188 | .data = NEXTHDR_HOP, | ||
189 | }, | 193 | }, |
190 | { | 194 | { |
191 | .name = "dst", | 195 | .name = "dst", |
@@ -194,7 +198,6 @@ static struct xt_match hbh_mt6_reg[] __read_mostly = { | |||
194 | .matchsize = sizeof(struct ip6t_opts), | 198 | .matchsize = sizeof(struct ip6t_opts), |
195 | .checkentry = hbh_mt6_check, | 199 | .checkentry = hbh_mt6_check, |
196 | .me = THIS_MODULE, | 200 | .me = THIS_MODULE, |
197 | .data = NEXTHDR_DEST, | ||
198 | }, | 201 | }, |
199 | }; | 202 | }; |
200 | 203 | ||
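Review bot: The dispatch added in hbh_mt6, `(par->match == &hbh_mt6_reg[0]) ? NEXTHDR_HOP : NEXTHDR_DEST`, treats every registration other than element 0 as the "dst" match, so an entry appended to hbh_mt6_reg later would silently be matched as NEXTHDR_DEST; the ordering note the commit places inside the first initializer would be more useful at the comparison itself, e.g. `/* hbh_mt6_reg[0] is "hbh"; every other entry is treated as "dst" */` above the ipv6_find_hdr call, or the selection could be made on par->match->name so the coupling to array position disappears. hbh_mt6's body starts and ends outside this hunk. Separately, hbh_mt6_check's `pr_debug("Not strict - not implemented");` still lacks the trailing newline that this commit adds to the other pr_debug format strings (spi_match, id_match, segsleft_match), as does `pr_debug("`--rt-type 0' required before `--rt-0-*'");` in rt_mt6_check (ip6t_rt.c); both should end in `\n`.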
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c index 91490ad9302c..46fbabb493fa 100644 --- a/net/ipv6/netfilter/ip6t_ipv6header.c +++ b/net/ipv6/netfilter/ip6t_ipv6header.c | |||
@@ -118,16 +118,16 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
118 | } | 118 | } |
119 | } | 119 | } |
120 | 120 | ||
121 | static bool ipv6header_mt6_check(const struct xt_mtchk_param *par) | 121 | static int ipv6header_mt6_check(const struct xt_mtchk_param *par) |
122 | { | 122 | { |
123 | const struct ip6t_ipv6header_info *info = par->matchinfo; | 123 | const struct ip6t_ipv6header_info *info = par->matchinfo; |
124 | 124 | ||
125 | /* invflags is 0 or 0xff in hard mode */ | 125 | /* invflags is 0 or 0xff in hard mode */ |
126 | if ((!info->modeflag) && info->invflags != 0x00 && | 126 | if ((!info->modeflag) && info->invflags != 0x00 && |
127 | info->invflags != 0xFF) | 127 | info->invflags != 0xFF) |
128 | return false; | 128 | return -EINVAL; |
129 | 129 | ||
130 | return true; | 130 | return 0; |
131 | } | 131 | } |
132 | 132 | ||
133 | static struct xt_match ipv6header_mt6_reg __read_mostly = { | 133 | static struct xt_match ipv6header_mt6_reg __read_mostly = { |
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c index aafe4e66577b..c9f443e0138f 100644 --- a/net/ipv6/netfilter/ip6t_mh.c +++ b/net/ipv6/netfilter/ip6t_mh.c | |||
@@ -11,6 +11,7 @@ | |||
11 | * Based on net/netfilter/xt_tcpudp.c | 11 | * Based on net/netfilter/xt_tcpudp.c |
12 | * | 12 | * |
13 | */ | 13 | */ |
14 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
14 | #include <linux/types.h> | 15 | #include <linux/types.h> |
15 | #include <linux/module.h> | 16 | #include <linux/module.h> |
16 | #include <net/ip.h> | 17 | #include <net/ip.h> |
@@ -24,12 +25,6 @@ | |||
24 | MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match"); | 25 | MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match"); |
25 | MODULE_LICENSE("GPL"); | 26 | MODULE_LICENSE("GPL"); |
26 | 27 | ||
27 | #ifdef DEBUG_IP_FIREWALL_USER | ||
28 | #define duprintf(format, args...) printk(format , ## args) | ||
29 | #else | ||
30 | #define duprintf(format, args...) | ||
31 | #endif | ||
32 | |||
33 | /* Returns 1 if the type is matched by the range, 0 otherwise */ | 28 | /* Returns 1 if the type is matched by the range, 0 otherwise */ |
34 | static inline bool | 29 | static inline bool |
35 | type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert) | 30 | type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert) |
@@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
51 | if (mh == NULL) { | 46 | if (mh == NULL) { |
52 | /* We've been asked to examine this packet, and we | 47 | /* We've been asked to examine this packet, and we |
53 | can't. Hence, no choice but to drop. */ | 48 | can't. Hence, no choice but to drop. */ |
54 | duprintf("Dropping evil MH tinygram.\n"); | 49 | pr_debug("Dropping evil MH tinygram.\n"); |
55 | *par->hotdrop = true; | 50 | *par->hotdrop = true; |
56 | return false; | 51 | return false; |
57 | } | 52 | } |
58 | 53 | ||
59 | if (mh->ip6mh_proto != IPPROTO_NONE) { | 54 | if (mh->ip6mh_proto != IPPROTO_NONE) { |
60 | duprintf("Dropping invalid MH Payload Proto: %u\n", | 55 | pr_debug("Dropping invalid MH Payload Proto: %u\n", |
61 | mh->ip6mh_proto); | 56 | mh->ip6mh_proto); |
62 | *par->hotdrop = true; | 57 | *par->hotdrop = true; |
63 | return false; | 58 | return false; |
@@ -67,12 +62,12 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
67 | !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); | 62 | !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); |
68 | } | 63 | } |
69 | 64 | ||
70 | static bool mh_mt6_check(const struct xt_mtchk_param *par) | 65 | static int mh_mt6_check(const struct xt_mtchk_param *par) |
71 | { | 66 | { |
72 | const struct ip6t_mh *mhinfo = par->matchinfo; | 67 | const struct ip6t_mh *mhinfo = par->matchinfo; |
73 | 68 | ||
74 | /* Must specify no unknown invflags */ | 69 | /* Must specify no unknown invflags */ |
75 | return !(mhinfo->invflags & ~IP6T_MH_INV_MASK); | 70 | return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0; |
76 | } | 71 | } |
77 | 72 | ||
78 | static struct xt_match mh_mt6_reg __read_mostly = { | 73 | static struct xt_match mh_mt6_reg __read_mostly = { |
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c index b77307fc8743..09322720d2a6 100644 --- a/net/ipv6/netfilter/ip6t_rt.c +++ b/net/ipv6/netfilter/ip6t_rt.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/ipv6.h> | 12 | #include <linux/ipv6.h> |
@@ -29,7 +29,7 @@ static inline bool | |||
29 | segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) | 29 | segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) |
30 | { | 30 | { |
31 | bool r; | 31 | bool r; |
32 | pr_debug("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x", | 32 | pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n", |
33 | invert ? '!' : ' ', min, id, max); | 33 | invert ? '!' : ' ', min, id, max); |
34 | r = (id >= min && id <= max) ^ invert; | 34 | r = (id >= min && id <= max) ^ invert; |
35 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); | 35 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); |
@@ -183,23 +183,23 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
183 | return false; | 183 | return false; |
184 | } | 184 | } |
185 | 185 | ||
186 | static bool rt_mt6_check(const struct xt_mtchk_param *par) | 186 | static int rt_mt6_check(const struct xt_mtchk_param *par) |
187 | { | 187 | { |
188 | const struct ip6t_rt *rtinfo = par->matchinfo; | 188 | const struct ip6t_rt *rtinfo = par->matchinfo; |
189 | 189 | ||
190 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { | 190 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { |
191 | pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags); | 191 | pr_debug("unknown flags %X\n", rtinfo->invflags); |
192 | return false; | 192 | return -EINVAL; |
193 | } | 193 | } |
194 | if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && | 194 | if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && |
195 | (!(rtinfo->flags & IP6T_RT_TYP) || | 195 | (!(rtinfo->flags & IP6T_RT_TYP) || |
196 | (rtinfo->rt_type != 0) || | 196 | (rtinfo->rt_type != 0) || |
197 | (rtinfo->invflags & IP6T_RT_INV_TYP))) { | 197 | (rtinfo->invflags & IP6T_RT_INV_TYP))) { |
198 | pr_debug("`--rt-type 0' required before `--rt-0-*'"); | 198 | pr_debug("`--rt-type 0' required before `--rt-0-*'"); |
199 | return false; | 199 | return -EINVAL; |
200 | } | 200 | } |
201 | 201 | ||
202 | return true; | 202 | return 0; |
203 | } | 203 | } |
204 | 204 | ||
205 | static struct xt_match rt_mt6_reg __read_mostly = { | 205 | static struct xt_match rt_mt6_reg __read_mostly = { |
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index dd5b9bd61c62..6fb890187de0 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c | |||
@@ -644,7 +644,7 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, | |||
644 | s2 = s->next; | 644 | s2 = s->next; |
645 | s->next = NULL; | 645 | s->next = NULL; |
646 | 646 | ||
647 | NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn, | 647 | NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn, |
648 | NF_IP6_PRI_CONNTRACK_DEFRAG + 1); | 648 | NF_IP6_PRI_CONNTRACK_DEFRAG + 1); |
649 | s = s2; | 649 | s = s2; |
650 | } | 650 | } |
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 0e3d2dd92078..4a4dcbe4f8b2 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c | |||
@@ -640,8 +640,8 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length, | |||
640 | goto error_fault; | 640 | goto error_fault; |
641 | 641 | ||
642 | IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); | 642 | IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); |
643 | err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev, | 643 | err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, |
644 | dst_output); | 644 | rt->u.dst.dev, dst_output); |
645 | if (err > 0) | 645 | if (err > 0) |
646 | err = net_xmit_errno(err); | 646 | err = net_xmit_errno(err); |
647 | if (err) | 647 | if (err) |
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index 2bc98ede1235..f8c3cf842f53 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c | |||
@@ -42,7 +42,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) | |||
42 | ipv6_hdr(skb)->payload_len = htons(skb->len); | 42 | ipv6_hdr(skb)->payload_len = htons(skb->len); |
43 | __skb_push(skb, skb->data - skb_network_header(skb)); | 43 | __skb_push(skb, skb->data - skb_network_header(skb)); |
44 | 44 | ||
45 | NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, | 45 | NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, |
46 | ip6_rcv_finish); | 46 | ip6_rcv_finish); |
47 | return -1; | 47 | return -1; |
48 | } | 48 | } |
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index 0c92112dcba3..6434bd5ce088 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c | |||
@@ -90,6 +90,6 @@ static int xfrm6_output_finish(struct sk_buff *skb) | |||
90 | 90 | ||
91 | int xfrm6_output(struct sk_buff *skb) | 91 | int xfrm6_output(struct sk_buff *skb) |
92 | { | 92 | { |
93 | return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb_dst(skb)->dev, | 93 | return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, |
94 | xfrm6_output_finish); | 94 | skb_dst(skb)->dev, xfrm6_output_finish); |
95 | } | 95 | } |
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 18d77b5c351a..673a6c8f0e95 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig | |||
@@ -314,8 +314,39 @@ config NETFILTER_XTABLES | |||
314 | 314 | ||
315 | if NETFILTER_XTABLES | 315 | if NETFILTER_XTABLES |
316 | 316 | ||
317 | comment "Xtables combined modules" | ||
318 | |||
319 | config NETFILTER_XT_MARK | ||
320 | tristate 'nfmark target and match support' | ||
321 | default m if NETFILTER_ADVANCED=n | ||
322 | ---help--- | ||
323 | This option adds the "MARK" target and "mark" match. | ||
324 | |||
325 | Netfilter mark matching allows you to match packets based on the | ||
326 | "nfmark" value in the packet. | ||
327 | The target allows you to create rules in the "mangle" table which alter | ||
328 | the netfilter mark (nfmark) field associated with the packet. | ||
329 | |||
330 | Prior to routing, the nfmark can influence the routing method (see | ||
331 | "Use netfilter MARK value as routing key") and can also be used by | ||
332 | other subsystems to change their behavior. | ||
333 | |||
334 | config NETFILTER_XT_CONNMARK | ||
335 | tristate 'ctmark target and match support' | ||
336 | depends on NF_CONNTRACK | ||
337 | depends on NETFILTER_ADVANCED | ||
338 | select NF_CONNTRACK_MARK | ||
339 | ---help--- | ||
340 | This option adds the "CONNMARK" target and "connmark" match. | ||
341 | |||
342 | Netfilter allows you to store a mark value per connection (a.k.a. | ||
343 | ctmark), similarly to the packet mark (nfmark). Using this | ||
344 | target and match, you can set and match on this mark. | ||
345 | |||
317 | # alphabetically ordered list of targets | 346 | # alphabetically ordered list of targets |
318 | 347 | ||
348 | comment "Xtables targets" | ||
349 | |||
319 | config NETFILTER_XT_TARGET_CLASSIFY | 350 | config NETFILTER_XT_TARGET_CLASSIFY |
320 | tristate '"CLASSIFY" target support' | 351 | tristate '"CLASSIFY" target support' |
321 | depends on NETFILTER_ADVANCED | 352 | depends on NETFILTER_ADVANCED |
@@ -332,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK | |||
332 | tristate '"CONNMARK" target support' | 363 | tristate '"CONNMARK" target support' |
333 | depends on NF_CONNTRACK | 364 | depends on NF_CONNTRACK |
334 | depends on NETFILTER_ADVANCED | 365 | depends on NETFILTER_ADVANCED |
335 | select NF_CONNTRACK_MARK | 366 | select NETFILTER_XT_CONNMARK |
336 | help | 367 | ---help--- |
337 | This option adds a `CONNMARK' target, which allows one to manipulate | 368 | This is a backwards-compat option for the user's convenience |
338 | the connection mark value. Similar to the MARK target, but | 369 | (e.g. when running oldconfig). It selects |
339 | affects the connection mark value rather than the packet mark value. | 370 | CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). |
340 | |||
341 | If you want to compile it as a module, say M here and read | ||
342 | <file:Documentation/kbuild/modules.txt>. The module will be called | ||
343 | ipt_CONNMARK. If unsure, say `N'. | ||
344 | 371 | ||
345 | config NETFILTER_XT_TARGET_CONNSECMARK | 372 | config NETFILTER_XT_TARGET_CONNSECMARK |
346 | tristate '"CONNSECMARK" target support' | 373 | tristate '"CONNSECMARK" target support' |
@@ -423,16 +450,12 @@ config NETFILTER_XT_TARGET_LED | |||
423 | 450 | ||
424 | config NETFILTER_XT_TARGET_MARK | 451 | config NETFILTER_XT_TARGET_MARK |
425 | tristate '"MARK" target support' | 452 | tristate '"MARK" target support' |
426 | default m if NETFILTER_ADVANCED=n | 453 | depends on NETFILTER_ADVANCED |
427 | help | 454 | select NETFILTER_XT_MARK |
428 | This option adds a `MARK' target, which allows you to create rules | 455 | ---help--- |
429 | in the `mangle' table which alter the netfilter mark (nfmark) field | 456 | This is a backwards-compat option for the user's convenience |
430 | associated with the packet prior to routing. This can change | 457 | (e.g. when running oldconfig). It selects |
431 | the routing method (see `Use netfilter MARK value as routing | 458 | CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). |
432 | key') and can also be used by other subsystems to change their | ||
433 | behavior. | ||
434 | |||
435 | To compile it as a module, choose M here. If unsure, say N. | ||
436 | 459 | ||
437 | config NETFILTER_XT_TARGET_NFLOG | 460 | config NETFILTER_XT_TARGET_NFLOG |
438 | tristate '"NFLOG" target support' | 461 | tristate '"NFLOG" target support' |
@@ -479,6 +502,13 @@ config NETFILTER_XT_TARGET_RATEEST | |||
479 | 502 | ||
480 | To compile it as a module, choose M here. If unsure, say N. | 503 | To compile it as a module, choose M here. If unsure, say N. |
481 | 504 | ||
505 | config NETFILTER_XT_TARGET_TEE | ||
506 | tristate '"TEE" - packet cloning to alternate destiantion' | ||
507 | depends on NETFILTER_ADVANCED | ||
508 | ---help--- | ||
509 | This option adds a "TEE" target with which a packet can be cloned and | ||
510 | this clone be rerouted to another nexthop. | ||
511 | |||
482 | config NETFILTER_XT_TARGET_TPROXY | 512 | config NETFILTER_XT_TARGET_TPROXY |
483 | tristate '"TPROXY" target support (EXPERIMENTAL)' | 513 | tristate '"TPROXY" target support (EXPERIMENTAL)' |
484 | depends on EXPERIMENTAL | 514 | depends on EXPERIMENTAL |
@@ -552,6 +582,10 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP | |||
552 | This option adds a "TCPOPTSTRIP" target, which allows you to strip | 582 | This option adds a "TCPOPTSTRIP" target, which allows you to strip |
553 | TCP options from TCP packets. | 583 | TCP options from TCP packets. |
554 | 584 | ||
585 | # alphabetically ordered list of matches | ||
586 | |||
587 | comment "Xtables matches" | ||
588 | |||
555 | config NETFILTER_XT_MATCH_CLUSTER | 589 | config NETFILTER_XT_MATCH_CLUSTER |
556 | tristate '"cluster" match support' | 590 | tristate '"cluster" match support' |
557 | depends on NF_CONNTRACK | 591 | depends on NF_CONNTRACK |
@@ -602,14 +636,11 @@ config NETFILTER_XT_MATCH_CONNMARK | |||
602 | tristate '"connmark" connection mark match support' | 636 | tristate '"connmark" connection mark match support' |
603 | depends on NF_CONNTRACK | 637 | depends on NF_CONNTRACK |
604 | depends on NETFILTER_ADVANCED | 638 | depends on NETFILTER_ADVANCED |
605 | select NF_CONNTRACK_MARK | 639 | select NETFILTER_XT_CONNMARK |
606 | help | 640 | ---help--- |
607 | This option adds a `connmark' match, which allows you to match the | 641 | This is a backwards-compat option for the user's convenience |
608 | connection mark value previously set for the session by `CONNMARK'. | 642 | (e.g. when running oldconfig). It selects |
609 | 643 | CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). | |
610 | If you want to compile it as a module, say M here and read | ||
611 | <file:Documentation/kbuild/modules.txt>. The module will be called | ||
612 | ipt_connmark. If unsure, say `N'. | ||
613 | 644 | ||
614 | config NETFILTER_XT_MATCH_CONNTRACK | 645 | config NETFILTER_XT_MATCH_CONNTRACK |
615 | tristate '"conntrack" connection tracking match support' | 646 | tristate '"conntrack" connection tracking match support' |
@@ -733,13 +764,12 @@ config NETFILTER_XT_MATCH_MAC | |||
733 | 764 | ||
734 | config NETFILTER_XT_MATCH_MARK | 765 | config NETFILTER_XT_MATCH_MARK |
735 | tristate '"mark" match support' | 766 | tristate '"mark" match support' |
736 | default m if NETFILTER_ADVANCED=n | 767 | depends on NETFILTER_ADVANCED |
737 | help | 768 | select NETFILTER_XT_MARK |
738 | Netfilter mark matching allows you to match packets based on the | 769 | ---help--- |
739 | `nfmark' value in the packet. This can be set by the MARK target | 770 | This is a backwards-compat option for the user's convenience |
740 | (see below). | 771 | (e.g. when running oldconfig). It selects |
741 | 772 | CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). | |
742 | To compile it as a module, choose M here. If unsure, say N. | ||
743 | 773 | ||
744 | config NETFILTER_XT_MATCH_MULTIPORT | 774 | config NETFILTER_XT_MATCH_MULTIPORT |
745 | tristate '"multiport" Multiple port match support' | 775 | tristate '"multiport" Multiple port match support' |
@@ -751,6 +781,19 @@ config NETFILTER_XT_MATCH_MULTIPORT | |||
751 | 781 | ||
752 | To compile it as a module, choose M here. If unsure, say N. | 782 | To compile it as a module, choose M here. If unsure, say N. |
753 | 783 | ||
784 | config NETFILTER_XT_MATCH_OSF | ||
785 | tristate '"osf" Passive OS fingerprint match' | ||
786 | depends on NETFILTER_ADVANCED && NETFILTER_NETLINK | ||
787 | help | ||
788 | This option selects the Passive OS Fingerprinting match module | ||
789 | that allows to passively match the remote operating system by | ||
790 | analyzing incoming TCP SYN packets. | ||
791 | |||
792 | Rules and loading software can be downloaded from | ||
793 | http://www.ioremap.net/projects/osf | ||
794 | |||
795 | To compile it as a module, choose M here. If unsure, say N. | ||
796 | |||
754 | config NETFILTER_XT_MATCH_OWNER | 797 | config NETFILTER_XT_MATCH_OWNER |
755 | tristate '"owner" match support' | 798 | tristate '"owner" match support' |
756 | depends on NETFILTER_ADVANCED | 799 | depends on NETFILTER_ADVANCED |
@@ -836,13 +879,6 @@ config NETFILTER_XT_MATCH_RECENT | |||
836 | Short options are available by using 'iptables -m recent -h' | 879 | Short options are available by using 'iptables -m recent -h' |
837 | Official Website: <http://snowman.net/projects/ipt_recent/> | 880 | Official Website: <http://snowman.net/projects/ipt_recent/> |
838 | 881 | ||
839 | config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
840 | bool 'Enable obsolete /proc/net/ipt_recent' | ||
841 | depends on NETFILTER_XT_MATCH_RECENT && PROC_FS | ||
842 | ---help--- | ||
843 | This option enables the old /proc/net/ipt_recent interface, | ||
844 | which has been obsoleted by /proc/net/xt_recent. | ||
845 | |||
846 | config NETFILTER_XT_MATCH_SCTP | 882 | config NETFILTER_XT_MATCH_SCTP |
847 | tristate '"sctp" protocol match support (EXPERIMENTAL)' | 883 | tristate '"sctp" protocol match support (EXPERIMENTAL)' |
848 | depends on EXPERIMENTAL | 884 | depends on EXPERIMENTAL |
@@ -942,19 +978,6 @@ config NETFILTER_XT_MATCH_U32 | |||
942 | 978 | ||
943 | Details and examples are in the kernel module source. | 979 | Details and examples are in the kernel module source. |
944 | 980 | ||
945 | config NETFILTER_XT_MATCH_OSF | ||
946 | tristate '"osf" Passive OS fingerprint match' | ||
947 | depends on NETFILTER_ADVANCED && NETFILTER_NETLINK | ||
948 | help | ||
949 | This option selects the Passive OS Fingerprinting match module | ||
950 | that allows to passively match the remote operating system by | ||
951 | analyzing incoming TCP SYN packets. | ||
952 | |||
953 | Rules and loading software can be downloaded from | ||
954 | http://www.ioremap.net/projects/osf | ||
955 | |||
956 | To compile it as a module, choose M here. If unsure, say N. | ||
957 | |||
958 | endif # NETFILTER_XTABLES | 981 | endif # NETFILTER_XTABLES |
959 | 982 | ||
960 | endmenu | 983 | endmenu |
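Review bot: The new NETFILTER_XT_TARGET_TEE prompt misspells its last word; it should read `tristate '"TEE" - packet cloning to alternate destination'`. Its wording also departs from the neighbouring target entries, which use the form `tristate '"NAME" target support'`, and following that template keeps the menu consistent for users scanning it.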
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index f873644f02f6..14e3a8fd8180 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile | |||
@@ -40,15 +40,17 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o | |||
40 | # generic X tables | 40 | # generic X tables |
41 | obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o | 41 | obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o |
42 | 42 | ||
43 | # combos | ||
44 | obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o | ||
45 | obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o | ||
46 | |||
43 | # targets | 47 | # targets |
44 | obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o | 48 | obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o |
45 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o | ||
46 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o | 49 | obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o |
47 | obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o | 50 | obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o |
48 | obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o | 51 | obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o |
49 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o | 52 | obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o |
50 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o | 53 | obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o |
51 | obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o | ||
52 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o | 54 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o |
53 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o | 55 | obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o |
54 | obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o | 56 | obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o |
@@ -57,6 +59,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o | |||
57 | obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o | 59 | obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o |
58 | obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o | 60 | obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o |
59 | obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o | 61 | obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o |
62 | obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) += xt_TEE.o | ||
60 | obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o | 63 | obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o |
61 | 64 | ||
62 | # matches | 65 | # matches |
@@ -64,7 +67,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o | |||
64 | obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o | 67 | obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o |
65 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o | 68 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o |
66 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o | 69 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o |
67 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o | ||
68 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o | 70 | obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o |
69 | obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o | 71 | obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o |
70 | obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o | 72 | obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o |
@@ -76,7 +78,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o | |||
76 | obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o | 78 | obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o |
77 | obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o | 79 | obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o |
78 | obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o | 80 | obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o |
79 | obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o | ||
80 | obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o | 81 | obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o |
81 | obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o | 82 | obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o |
82 | obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o | 83 | obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o |
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c index 2c7f185dfae4..2ae747a376a5 100644 --- a/net/netfilter/ipvs/ip_vs_ftp.c +++ b/net/netfilter/ipvs/ip_vs_ftp.c | |||
@@ -209,8 +209,14 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, | |||
209 | */ | 209 | */ |
210 | from.ip = n_cp->vaddr.ip; | 210 | from.ip = n_cp->vaddr.ip; |
211 | port = n_cp->vport; | 211 | port = n_cp->vport; |
212 | sprintf(buf, "%u,%u,%u,%u,%u,%u", NIPQUAD(from.ip), | 212 | snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u", |
213 | (ntohs(port)>>8)&255, ntohs(port)&255); | 213 | ((unsigned char *)&from.ip)[0], |
214 | ((unsigned char *)&from.ip)[1], | ||
215 | ((unsigned char *)&from.ip)[2], | ||
216 | ((unsigned char *)&from.ip)[3], | ||
217 | ntohs(port) >> 8, | ||
218 | ntohs(port) & 0xFF); | ||
219 | |||
214 | buf_len = strlen(buf); | 220 | buf_len = strlen(buf); |
215 | 221 | ||
216 | /* | 222 | /* |
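Review bot: The return value of the new snprintf() at new lines 212-218 is discarded, so if buf were ever smaller than the 24 bytes the longest "255,255,255,255,255,255" form needs, the following `buf_len = strlen(buf);` would silently accept a truncated PORT/PASV reply and the rewritten payload would be malformed rather than rejected. buf's declaration and the rest of ip_vs_ftp_out are outside the hunk, so I cannot confirm its size. Consider assigning the snprintf() result to buf_len and bailing out when it is negative or `>= sizeof(buf)`, which makes the bound explicit and removes the extra strlen() pass. The byte-wise `((unsigned char *)&from.ip)[i]` access is fine, since from.ip is in network byte order and char-typed access does not violate aliasing rules.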
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c index 7fc49f4cf5ad..2d3d5e4b35f8 100644 --- a/net/netfilter/ipvs/ip_vs_proto.c +++ b/net/netfilter/ipvs/ip_vs_proto.c | |||
@@ -167,26 +167,24 @@ ip_vs_tcpudp_debug_packet_v4(struct ip_vs_protocol *pp, | |||
167 | 167 | ||
168 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); | 168 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); |
169 | if (ih == NULL) | 169 | if (ih == NULL) |
170 | sprintf(buf, "%s TRUNCATED", pp->name); | 170 | sprintf(buf, "TRUNCATED"); |
171 | else if (ih->frag_off & htons(IP_OFFSET)) | 171 | else if (ih->frag_off & htons(IP_OFFSET)) |
172 | sprintf(buf, "%s %pI4->%pI4 frag", | 172 | sprintf(buf, "%pI4->%pI4 frag", &ih->saddr, &ih->daddr); |
173 | pp->name, &ih->saddr, &ih->daddr); | ||
174 | else { | 173 | else { |
175 | __be16 _ports[2], *pptr | 174 | __be16 _ports[2], *pptr |
176 | ; | 175 | ; |
177 | pptr = skb_header_pointer(skb, offset + ih->ihl*4, | 176 | pptr = skb_header_pointer(skb, offset + ih->ihl*4, |
178 | sizeof(_ports), _ports); | 177 | sizeof(_ports), _ports); |
179 | if (pptr == NULL) | 178 | if (pptr == NULL) |
180 | sprintf(buf, "%s TRUNCATED %pI4->%pI4", | 179 | sprintf(buf, "TRUNCATED %pI4->%pI4", |
181 | pp->name, &ih->saddr, &ih->daddr); | 180 | &ih->saddr, &ih->daddr); |
182 | else | 181 | else |
183 | sprintf(buf, "%s %pI4:%u->%pI4:%u", | 182 | sprintf(buf, "%pI4:%u->%pI4:%u", |
184 | pp->name, | ||
185 | &ih->saddr, ntohs(pptr[0]), | 183 | &ih->saddr, ntohs(pptr[0]), |
186 | &ih->daddr, ntohs(pptr[1])); | 184 | &ih->daddr, ntohs(pptr[1])); |
187 | } | 185 | } |
188 | 186 | ||
189 | pr_debug("%s: %s\n", msg, buf); | 187 | pr_debug("%s: %s %s\n", msg, pp->name, buf); |
190 | } | 188 | } |
191 | 189 | ||
192 | #ifdef CONFIG_IP_VS_IPV6 | 190 | #ifdef CONFIG_IP_VS_IPV6 |
@@ -201,26 +199,24 @@ ip_vs_tcpudp_debug_packet_v6(struct ip_vs_protocol *pp, | |||
201 | 199 | ||
202 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); | 200 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); |
203 | if (ih == NULL) | 201 | if (ih == NULL) |
204 | sprintf(buf, "%s TRUNCATED", pp->name); | 202 | sprintf(buf, "TRUNCATED"); |
205 | else if (ih->nexthdr == IPPROTO_FRAGMENT) | 203 | else if (ih->nexthdr == IPPROTO_FRAGMENT) |
206 | sprintf(buf, "%s %pI6->%pI6 frag", | 204 | sprintf(buf, "%pI6->%pI6 frag", &ih->saddr, &ih->daddr); |
207 | pp->name, &ih->saddr, &ih->daddr); | ||
208 | else { | 205 | else { |
209 | __be16 _ports[2], *pptr; | 206 | __be16 _ports[2], *pptr; |
210 | 207 | ||
211 | pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr), | 208 | pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr), |
212 | sizeof(_ports), _ports); | 209 | sizeof(_ports), _ports); |
213 | if (pptr == NULL) | 210 | if (pptr == NULL) |
214 | sprintf(buf, "%s TRUNCATED %pI6->%pI6", | 211 | sprintf(buf, "TRUNCATED %pI6->%pI6", |
215 | pp->name, &ih->saddr, &ih->daddr); | 212 | &ih->saddr, &ih->daddr); |
216 | else | 213 | else |
217 | sprintf(buf, "%s %pI6:%u->%pI6:%u", | 214 | sprintf(buf, "%pI6:%u->%pI6:%u", |
218 | pp->name, | ||
219 | &ih->saddr, ntohs(pptr[0]), | 215 | &ih->saddr, ntohs(pptr[0]), |
220 | &ih->daddr, ntohs(pptr[1])); | 216 | &ih->daddr, ntohs(pptr[1])); |
221 | } | 217 | } |
222 | 218 | ||
223 | pr_debug("%s: %s\n", msg, buf); | 219 | pr_debug("%s: %s %s\n", msg, pp->name, buf); |
224 | } | 220 | } |
225 | #endif | 221 | #endif |
226 | 222 | ||
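Review bot: Every sprintf() into buf in ip_vs_tcpudp_debug_packet_v4/_v6 is rewritten here yet stays unbounded; since the commit touches each call anyway, switching them to `snprintf(buf, sizeof(buf), ...)` would make the buffer limit explicit (if buf is a local array, as its use suggests — its declaration is outside the hunk). The longest v6 output, two %pI6 addresses plus two ports, is around 92 characters, so the bound matters more here than in the v4 variant. The same applies to ah_esp_debug_packet_v4/_v6 in net/netfilter/ipvs/ip_vs_proto_ah_esp.c in this commit. Separately, the stray `;` on its own line after `__be16 _ports[2], *pptr` survives at new line 175 and could be folded onto the declaration while the block is being edited.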
diff --git a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c index c30b43c36cd7..1892dfc12fdd 100644 --- a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c +++ b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c | |||
@@ -136,12 +136,11 @@ ah_esp_debug_packet_v4(struct ip_vs_protocol *pp, const struct sk_buff *skb, | |||
136 | 136 | ||
137 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); | 137 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); |
138 | if (ih == NULL) | 138 | if (ih == NULL) |
139 | sprintf(buf, "%s TRUNCATED", pp->name); | 139 | sprintf(buf, "TRUNCATED"); |
140 | else | 140 | else |
141 | sprintf(buf, "%s %pI4->%pI4", | 141 | sprintf(buf, "%pI4->%pI4", &ih->saddr, &ih->daddr); |
142 | pp->name, &ih->saddr, &ih->daddr); | ||
143 | 142 | ||
144 | pr_debug("%s: %s\n", msg, buf); | 143 | pr_debug("%s: %s %s\n", msg, pp->name, buf); |
145 | } | 144 | } |
146 | 145 | ||
147 | #ifdef CONFIG_IP_VS_IPV6 | 146 | #ifdef CONFIG_IP_VS_IPV6 |
@@ -154,12 +153,11 @@ ah_esp_debug_packet_v6(struct ip_vs_protocol *pp, const struct sk_buff *skb, | |||
154 | 153 | ||
155 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); | 154 | ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); |
156 | if (ih == NULL) | 155 | if (ih == NULL) |
157 | sprintf(buf, "%s TRUNCATED", pp->name); | 156 | sprintf(buf, "TRUNCATED"); |
158 | else | 157 | else |
159 | sprintf(buf, "%s %pI6->%pI6", | 158 | sprintf(buf, "%pI6->%pI6", &ih->saddr, &ih->daddr); |
160 | pp->name, &ih->saddr, &ih->daddr); | ||
161 | 159 | ||
162 | pr_debug("%s: %s\n", msg, buf); | 160 | pr_debug("%s: %s %s\n", msg, pp->name, buf); |
163 | } | 161 | } |
164 | #endif | 162 | #endif |
165 | 163 | ||
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c index e450cd6f4eb5..93c15a107b2c 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c | |||
@@ -270,7 +270,7 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
270 | /* Another hack: avoid icmp_send in ip_fragment */ | 270 | /* Another hack: avoid icmp_send in ip_fragment */ |
271 | skb->local_df = 1; | 271 | skb->local_df = 1; |
272 | 272 | ||
273 | IP_VS_XMIT(PF_INET, skb, rt); | 273 | IP_VS_XMIT(NFPROTO_IPV4, skb, rt); |
274 | 274 | ||
275 | LeaveFunction(10); | 275 | LeaveFunction(10); |
276 | return NF_STOLEN; | 276 | return NF_STOLEN; |
@@ -334,7 +334,7 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
334 | /* Another hack: avoid icmp_send in ip_fragment */ | 334 | /* Another hack: avoid icmp_send in ip_fragment */ |
335 | skb->local_df = 1; | 335 | skb->local_df = 1; |
336 | 336 | ||
337 | IP_VS_XMIT(PF_INET6, skb, rt); | 337 | IP_VS_XMIT(NFPROTO_IPV6, skb, rt); |
338 | 338 | ||
339 | LeaveFunction(10); | 339 | LeaveFunction(10); |
340 | return NF_STOLEN; | 340 | return NF_STOLEN; |
@@ -410,7 +410,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
410 | /* Another hack: avoid icmp_send in ip_fragment */ | 410 | /* Another hack: avoid icmp_send in ip_fragment */ |
411 | skb->local_df = 1; | 411 | skb->local_df = 1; |
412 | 412 | ||
413 | IP_VS_XMIT(PF_INET, skb, rt); | 413 | IP_VS_XMIT(NFPROTO_IPV4, skb, rt); |
414 | 414 | ||
415 | LeaveFunction(10); | 415 | LeaveFunction(10); |
416 | return NF_STOLEN; | 416 | return NF_STOLEN; |
@@ -486,7 +486,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
486 | /* Another hack: avoid icmp_send in ip_fragment */ | 486 | /* Another hack: avoid icmp_send in ip_fragment */ |
487 | skb->local_df = 1; | 487 | skb->local_df = 1; |
488 | 488 | ||
489 | IP_VS_XMIT(PF_INET6, skb, rt); | 489 | IP_VS_XMIT(NFPROTO_IPV6, skb, rt); |
490 | 490 | ||
491 | LeaveFunction(10); | 491 | LeaveFunction(10); |
492 | return NF_STOLEN; | 492 | return NF_STOLEN; |
@@ -785,7 +785,7 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
785 | /* Another hack: avoid icmp_send in ip_fragment */ | 785 | /* Another hack: avoid icmp_send in ip_fragment */ |
786 | skb->local_df = 1; | 786 | skb->local_df = 1; |
787 | 787 | ||
788 | IP_VS_XMIT(PF_INET, skb, rt); | 788 | IP_VS_XMIT(NFPROTO_IPV4, skb, rt); |
789 | 789 | ||
790 | LeaveFunction(10); | 790 | LeaveFunction(10); |
791 | return NF_STOLEN; | 791 | return NF_STOLEN; |
@@ -838,7 +838,7 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
838 | /* Another hack: avoid icmp_send in ip_fragment */ | 838 | /* Another hack: avoid icmp_send in ip_fragment */ |
839 | skb->local_df = 1; | 839 | skb->local_df = 1; |
840 | 840 | ||
841 | IP_VS_XMIT(PF_INET6, skb, rt); | 841 | IP_VS_XMIT(NFPROTO_IPV6, skb, rt); |
842 | 842 | ||
843 | LeaveFunction(10); | 843 | LeaveFunction(10); |
844 | return NF_STOLEN; | 844 | return NF_STOLEN; |
@@ -912,7 +912,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
912 | /* Another hack: avoid icmp_send in ip_fragment */ | 912 | /* Another hack: avoid icmp_send in ip_fragment */ |
913 | skb->local_df = 1; | 913 | skb->local_df = 1; |
914 | 914 | ||
915 | IP_VS_XMIT(PF_INET, skb, rt); | 915 | IP_VS_XMIT(NFPROTO_IPV4, skb, rt); |
916 | 916 | ||
917 | rc = NF_STOLEN; | 917 | rc = NF_STOLEN; |
918 | goto out; | 918 | goto out; |
@@ -987,7 +987,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
987 | /* Another hack: avoid icmp_send in ip_fragment */ | 987 | /* Another hack: avoid icmp_send in ip_fragment */ |
988 | skb->local_df = 1; | 988 | skb->local_df = 1; |
989 | 989 | ||
990 | IP_VS_XMIT(PF_INET6, skb, rt); | 990 | IP_VS_XMIT(NFPROTO_IPV6, skb, rt); |
991 | 991 | ||
992 | rc = NF_STOLEN; | 992 | rc = NF_STOLEN; |
993 | goto out; | 993 | goto out; |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 0c9bbe93cc16..3907efb97a7c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -319,8 +319,10 @@ begin: | |||
319 | * not the expected one, we must restart lookup. | 319 | * not the expected one, we must restart lookup. |
320 | * We probably met an item that was moved to another chain. | 320 | * We probably met an item that was moved to another chain. |
321 | */ | 321 | */ |
322 | if (get_nulls_value(n) != hash) | 322 | if (get_nulls_value(n) != hash) { |
323 | NF_CT_STAT_INC(net, search_restart); | ||
323 | goto begin; | 324 | goto begin; |
325 | } | ||
324 | local_bh_enable(); | 326 | local_bh_enable(); |
325 | 327 | ||
326 | return NULL; | 328 | return NULL; |
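Review bot: The new `NF_CT_STAT_INC(net, search_restart)` would benefit from a one-line comment saying what the counter is for, because the restart loop it sits in has no upper bound and this counter is the only signal that a lookup is repeatedly racing against entries moving between hash chains. Something like `/* chain changed under us; counted so /proc/net/stat/nf_conntrack can show lookup churn */` above the goto ties it to its consumer. The enclosing function starts outside the hunk, at the `begin:` label referenced in the hunk header.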
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c index f516961a83b4..cdcc7649476b 100644 --- a/net/netfilter/nf_conntrack_ecache.c +++ b/net/netfilter/nf_conntrack_ecache.c | |||
@@ -85,7 +85,8 @@ int nf_conntrack_register_notifier(struct nf_ct_event_notifier *new) | |||
85 | struct nf_ct_event_notifier *notify; | 85 | struct nf_ct_event_notifier *notify; |
86 | 86 | ||
87 | mutex_lock(&nf_ct_ecache_mutex); | 87 | mutex_lock(&nf_ct_ecache_mutex); |
88 | notify = rcu_dereference(nf_conntrack_event_cb); | 88 | notify = rcu_dereference_protected(nf_conntrack_event_cb, |
89 | lockdep_is_held(&nf_ct_ecache_mutex)); | ||
89 | if (notify != NULL) { | 90 | if (notify != NULL) { |
90 | ret = -EBUSY; | 91 | ret = -EBUSY; |
91 | goto out_unlock; | 92 | goto out_unlock; |
@@ -105,7 +106,8 @@ void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *new) | |||
105 | struct nf_ct_event_notifier *notify; | 106 | struct nf_ct_event_notifier *notify; |
106 | 107 | ||
107 | mutex_lock(&nf_ct_ecache_mutex); | 108 | mutex_lock(&nf_ct_ecache_mutex); |
108 | notify = rcu_dereference(nf_conntrack_event_cb); | 109 | notify = rcu_dereference_protected(nf_conntrack_event_cb, |
110 | lockdep_is_held(&nf_ct_ecache_mutex)); | ||
109 | BUG_ON(notify != new); | 111 | BUG_ON(notify != new); |
110 | rcu_assign_pointer(nf_conntrack_event_cb, NULL); | 112 | rcu_assign_pointer(nf_conntrack_event_cb, NULL); |
111 | mutex_unlock(&nf_ct_ecache_mutex); | 113 | mutex_unlock(&nf_ct_ecache_mutex); |
@@ -118,7 +120,8 @@ int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *new) | |||
118 | struct nf_exp_event_notifier *notify; | 120 | struct nf_exp_event_notifier *notify; |
119 | 121 | ||
120 | mutex_lock(&nf_ct_ecache_mutex); | 122 | mutex_lock(&nf_ct_ecache_mutex); |
121 | notify = rcu_dereference(nf_expect_event_cb); | 123 | notify = rcu_dereference_protected(nf_expect_event_cb, |
124 | lockdep_is_held(&nf_ct_ecache_mutex)); | ||
122 | if (notify != NULL) { | 125 | if (notify != NULL) { |
123 | ret = -EBUSY; | 126 | ret = -EBUSY; |
124 | goto out_unlock; | 127 | goto out_unlock; |
@@ -138,7 +141,8 @@ void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *new) | |||
138 | struct nf_exp_event_notifier *notify; | 141 | struct nf_exp_event_notifier *notify; |
139 | 142 | ||
140 | mutex_lock(&nf_ct_ecache_mutex); | 143 | mutex_lock(&nf_ct_ecache_mutex); |
141 | notify = rcu_dereference(nf_expect_event_cb); | 144 | notify = rcu_dereference_protected(nf_expect_event_cb, |
145 | lockdep_is_held(&nf_ct_ecache_mutex)); | ||
142 | BUG_ON(notify != new); | 146 | BUG_ON(notify != new); |
143 | rcu_assign_pointer(nf_expect_event_cb, NULL); | 147 | rcu_assign_pointer(nf_expect_event_cb, NULL); |
144 | mutex_unlock(&nf_ct_ecache_mutex); | 148 | mutex_unlock(&nf_ct_ecache_mutex); |
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index a487c8038044..48bf15073a85 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c | |||
@@ -194,8 +194,7 @@ static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff, | |||
194 | return 0; | 194 | return 0; |
195 | } | 195 | } |
196 | 196 | ||
197 | if (net_ratelimit()) | 197 | pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n"); |
198 | printk("nf_ct_h323: incomplete TPKT (fragmented?)\n"); | ||
199 | goto clear_out; | 198 | goto clear_out; |
200 | } | 199 | } |
201 | 200 | ||
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index afc52f2ee4ac..4e55403bf263 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
@@ -427,6 +427,17 @@ ctnetlink_proto_size(const struct nf_conn *ct) | |||
427 | } | 427 | } |
428 | 428 | ||
429 | static inline size_t | 429 | static inline size_t |
430 | ctnetlink_counters_size(const struct nf_conn *ct) | ||
431 | { | ||
432 | if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) | ||
433 | return 0; | ||
434 | return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ | ||
435 | + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ | ||
436 | + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ | ||
437 | ; | ||
438 | } | ||
439 | |||
440 | static inline size_t | ||
430 | ctnetlink_nlmsg_size(const struct nf_conn *ct) | 441 | ctnetlink_nlmsg_size(const struct nf_conn *ct) |
431 | { | 442 | { |
432 | return NLMSG_ALIGN(sizeof(struct nfgenmsg)) | 443 | return NLMSG_ALIGN(sizeof(struct nfgenmsg)) |
@@ -436,11 +447,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) | |||
436 | + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ | 447 | + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ |
437 | + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ | 448 | + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ |
438 | + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ | 449 | + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ |
439 | #ifdef CONFIG_NF_CT_ACCT | 450 | + ctnetlink_counters_size(ct) |
440 | + 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ | ||
441 | + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ | ||
442 | + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ | ||
443 | #endif | ||
444 | + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ | 451 | + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ |
445 | + nla_total_size(0) /* CTA_PROTOINFO */ | 452 | + nla_total_size(0) /* CTA_PROTOINFO */ |
446 | + nla_total_size(0) /* CTA_HELP */ | 453 | + nla_total_size(0) /* CTA_HELP */ |
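Review bot: The new ctnetlink_counters_size() at new lines 430-438 mixes `uint64_t` with the `u_int32_t`/`u_int8_t` spellings used in the same expression by ctnetlink_nlmsg_size(), and ends with a `;` on a line of its own, both of which read as style inconsistencies in freshly written code. A short header comment would also help, for example `/* Size of CTA_COUNTERS_ORIG/REPL nests; must stay in step with the code that emits them, and is zero when the ct carries no accounting extension. */`, because the size is now decided per-conntrack by `nf_ct_ext_exist()` rather than by a build-time option. I cannot see from this hunk whether the accounting extension can be attached to a ct between this size computation and the message fill; if it can, that would be worth a note as well.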
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index a44fa75b5178..5886ba1d52a0 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c | |||
@@ -14,12 +14,10 @@ | |||
14 | #include <linux/module.h> | 14 | #include <linux/module.h> |
15 | #include <linux/slab.h> | 15 | #include <linux/slab.h> |
16 | #include <linux/mutex.h> | 16 | #include <linux/mutex.h> |
17 | #include <linux/skbuff.h> | ||
18 | #include <linux/vmalloc.h> | 17 | #include <linux/vmalloc.h> |
19 | #include <linux/stddef.h> | 18 | #include <linux/stddef.h> |
20 | #include <linux/err.h> | 19 | #include <linux/err.h> |
21 | #include <linux/percpu.h> | 20 | #include <linux/percpu.h> |
22 | #include <linux/moduleparam.h> | ||
23 | #include <linux/notifier.h> | 21 | #include <linux/notifier.h> |
24 | #include <linux/kernel.h> | 22 | #include <linux/kernel.h> |
25 | #include <linux/netdevice.h> | 23 | #include <linux/netdevice.h> |
@@ -119,9 +117,13 @@ void nf_ct_l3proto_module_put(unsigned short l3proto) | |||
119 | { | 117 | { |
120 | struct nf_conntrack_l3proto *p; | 118 | struct nf_conntrack_l3proto *p; |
121 | 119 | ||
122 | /* rcu_read_lock not necessary since the caller holds a reference */ | 120 | /* rcu_read_lock not necessary since the caller holds a reference, but |
121 | * taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find() | ||
122 | */ | ||
123 | rcu_read_lock(); | ||
123 | p = __nf_ct_l3proto_find(l3proto); | 124 | p = __nf_ct_l3proto_find(l3proto); |
124 | module_put(p->me); | 125 | module_put(p->me); |
126 | rcu_read_unlock(); | ||
125 | } | 127 | } |
126 | EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); | 128 | EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); |
127 | 129 | ||
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index faa8eb3722b9..ea4a8d384234 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v) | |||
252 | const struct ip_conntrack_stat *st = v; | 252 | const struct ip_conntrack_stat *st = v; |
253 | 253 | ||
254 | if (v == SEQ_START_TOKEN) { | 254 | if (v == SEQ_START_TOKEN) { |
255 | seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n"); | 255 | seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n"); |
256 | return 0; | 256 | return 0; |
257 | } | 257 | } |
258 | 258 | ||
259 | seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " | 259 | seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " |
260 | "%08x %08x %08x %08x %08x %08x %08x %08x \n", | 260 | "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n", |
261 | nr_conntracks, | 261 | nr_conntracks, |
262 | st->searched, | 262 | st->searched, |
263 | st->found, | 263 | st->found, |
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v) | |||
274 | 274 | ||
275 | st->expect_new, | 275 | st->expect_new, |
276 | st->expect_create, | 276 | st->expect_create, |
277 | st->expect_delete | 277 | st->expect_delete, |
278 | st->search_restart | ||
278 | ); | 279 | ); |
279 | return 0; | 280 | return 0; |
280 | } | 281 | } |
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 015725a5cd50..7df37fd786bc 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c | |||
@@ -52,7 +52,8 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) | |||
52 | } else { | 52 | } else { |
53 | /* register at end of list to honor first register win */ | 53 | /* register at end of list to honor first register win */ |
54 | list_add_tail(&logger->list[pf], &nf_loggers_l[pf]); | 54 | list_add_tail(&logger->list[pf], &nf_loggers_l[pf]); |
55 | llog = rcu_dereference(nf_loggers[pf]); | 55 | llog = rcu_dereference_protected(nf_loggers[pf], |
56 | lockdep_is_held(&nf_log_mutex)); | ||
56 | if (llog == NULL) | 57 | if (llog == NULL) |
57 | rcu_assign_pointer(nf_loggers[pf], logger); | 58 | rcu_assign_pointer(nf_loggers[pf], logger); |
58 | } | 59 | } |
@@ -70,7 +71,8 @@ void nf_log_unregister(struct nf_logger *logger) | |||
70 | 71 | ||
71 | mutex_lock(&nf_log_mutex); | 72 | mutex_lock(&nf_log_mutex); |
72 | for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) { | 73 | for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) { |
73 | c_logger = rcu_dereference(nf_loggers[i]); | 74 | c_logger = rcu_dereference_protected(nf_loggers[i], |
75 | lockdep_is_held(&nf_log_mutex)); | ||
74 | if (c_logger == logger) | 76 | if (c_logger == logger) |
75 | rcu_assign_pointer(nf_loggers[i], NULL); | 77 | rcu_assign_pointer(nf_loggers[i], NULL); |
76 | list_del(&logger->list[i]); | 78 | list_del(&logger->list[i]); |
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 6afa3d52ea5f..39b0e3100575 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
@@ -18,12 +18,9 @@ | |||
18 | #include <linux/types.h> | 18 | #include <linux/types.h> |
19 | #include <linux/socket.h> | 19 | #include <linux/socket.h> |
20 | #include <linux/kernel.h> | 20 | #include <linux/kernel.h> |
21 | #include <linux/major.h> | ||
22 | #include <linux/timer.h> | ||
23 | #include <linux/string.h> | 21 | #include <linux/string.h> |
24 | #include <linux/sockios.h> | 22 | #include <linux/sockios.h> |
25 | #include <linux/net.h> | 23 | #include <linux/net.h> |
26 | #include <linux/fcntl.h> | ||
27 | #include <linux/skbuff.h> | 24 | #include <linux/skbuff.h> |
28 | #include <asm/uaccess.h> | 25 | #include <asm/uaccess.h> |
29 | #include <asm/system.h> | 26 | #include <asm/system.h> |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index e70a6ef1f4f2..12e1ab37fcd8 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
@@ -246,8 +246,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, | |||
246 | break; | 246 | break; |
247 | 247 | ||
248 | case NFQNL_COPY_PACKET: | 248 | case NFQNL_COPY_PACKET: |
249 | if ((entskb->ip_summed == CHECKSUM_PARTIAL || | 249 | if (entskb->ip_summed == CHECKSUM_PARTIAL && |
250 | entskb->ip_summed == CHECKSUM_COMPLETE) && | ||
251 | skb_checksum_help(entskb)) { | 250 | skb_checksum_help(entskb)) { |
252 | spin_unlock_bh(&queue->lock); | 251 | spin_unlock_bh(&queue->lock); |
253 | return NULL; | 252 | return NULL; |
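Review bot: The narrowed condition at new line 249 has no comment explaining why only CHECKSUM_PARTIAL packets need `skb_checksum_help()` before being copied to user space, so the next reader may be tempted to put CHECKSUM_COMPLETE back. A comment such as `/* CHECKSUM_PARTIAL: the transport checksum is not yet in the packet data, so user space would see a garbage checksum field; other ip_summed values already carry the wire checksum */` would record the reasoning; I am inferring that intent from the change itself, so please confirm it before adding the comment. nfqnl_build_packet_message starts and ends outside the hunk.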
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 665f5beef6ad..445de702b8b7 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
@@ -12,7 +12,7 @@ | |||
12 | * published by the Free Software Foundation. | 12 | * published by the Free Software Foundation. |
13 | * | 13 | * |
14 | */ | 14 | */ |
15 | 15 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
16 | #include <linux/kernel.h> | 16 | #include <linux/kernel.h> |
17 | #include <linux/socket.h> | 17 | #include <linux/socket.h> |
18 | #include <linux/net.h> | 18 | #include <linux/net.h> |
@@ -55,12 +55,6 @@ struct xt_af { | |||
55 | 55 | ||
56 | static struct xt_af *xt; | 56 | static struct xt_af *xt; |
57 | 57 | ||
58 | #ifdef DEBUG_IP_FIREWALL_USER | ||
59 | #define duprintf(format, args...) printk(format , ## args) | ||
60 | #else | ||
61 | #define duprintf(format, args...) | ||
62 | #endif | ||
63 | |||
64 | static const char *const xt_prefix[NFPROTO_NUMPROTO] = { | 58 | static const char *const xt_prefix[NFPROTO_NUMPROTO] = { |
65 | [NFPROTO_UNSPEC] = "x", | 59 | [NFPROTO_UNSPEC] = "x", |
66 | [NFPROTO_IPV4] = "ip", | 60 | [NFPROTO_IPV4] = "ip", |
@@ -69,6 +63,9 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = { | |||
69 | [NFPROTO_IPV6] = "ip6", | 63 | [NFPROTO_IPV6] = "ip6", |
70 | }; | 64 | }; |
71 | 65 | ||
66 | /* Allow this many total (re)entries. */ | ||
67 | static const unsigned int xt_jumpstack_multiplier = 2; | ||
68 | |||
72 | /* Registration hooks for targets. */ | 69 | /* Registration hooks for targets. */ |
73 | int | 70 | int |
74 | xt_register_target(struct xt_target *target) | 71 | xt_register_target(struct xt_target *target) |
@@ -221,6 +218,17 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) | |||
221 | } | 218 | } |
222 | EXPORT_SYMBOL(xt_find_match); | 219 | EXPORT_SYMBOL(xt_find_match); |
223 | 220 | ||
221 | struct xt_match * | ||
222 | xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision) | ||
223 | { | ||
224 | struct xt_match *match; | ||
225 | |||
226 | match = try_then_request_module(xt_find_match(nfproto, name, revision), | ||
227 | "%st_%s", xt_prefix[nfproto], name); | ||
228 | return (match != NULL) ? match : ERR_PTR(-ENOENT); | ||
229 | } | ||
230 | EXPORT_SYMBOL_GPL(xt_request_find_match); | ||
231 | |||
224 | /* Find target, grabs ref. Returns ERR_PTR() on error. */ | 232 | /* Find target, grabs ref. Returns ERR_PTR() on error. */ |
225 | struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) | 233 | struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) |
226 | { | 234 | { |
@@ -257,9 +265,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision) | |||
257 | 265 | ||
258 | target = try_then_request_module(xt_find_target(af, name, revision), | 266 | target = try_then_request_module(xt_find_target(af, name, revision), |
259 | "%st_%s", xt_prefix[af], name); | 267 | "%st_%s", xt_prefix[af], name); |
260 | if (IS_ERR(target) || !target) | 268 | return (target != NULL) ? target : ERR_PTR(-ENOENT); |
261 | return NULL; | ||
262 | return target; | ||
263 | } | 269 | } |
264 | EXPORT_SYMBOL_GPL(xt_request_find_target); | 270 | EXPORT_SYMBOL_GPL(xt_request_find_target); |
265 | 271 | ||
@@ -361,6 +367,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask) | |||
361 | int xt_check_match(struct xt_mtchk_param *par, | 367 | int xt_check_match(struct xt_mtchk_param *par, |
362 | unsigned int size, u_int8_t proto, bool inv_proto) | 368 | unsigned int size, u_int8_t proto, bool inv_proto) |
363 | { | 369 | { |
370 | int ret; | ||
371 | |||
364 | if (XT_ALIGN(par->match->matchsize) != size && | 372 | if (XT_ALIGN(par->match->matchsize) != size && |
365 | par->match->matchsize != -1) { | 373 | par->match->matchsize != -1) { |
366 | /* | 374 | /* |
@@ -397,8 +405,14 @@ int xt_check_match(struct xt_mtchk_param *par, | |||
397 | par->match->proto); | 405 | par->match->proto); |
398 | return -EINVAL; | 406 | return -EINVAL; |
399 | } | 407 | } |
400 | if (par->match->checkentry != NULL && !par->match->checkentry(par)) | 408 | if (par->match->checkentry != NULL) { |
401 | return -EINVAL; | 409 | ret = par->match->checkentry(par); |
410 | if (ret < 0) | ||
411 | return ret; | ||
412 | else if (ret > 0) | ||
413 | /* Flag up potential errors. */ | ||
414 | return -EIO; | ||
415 | } | ||
402 | return 0; | 416 | return 0; |
403 | } | 417 | } |
404 | EXPORT_SYMBOL_GPL(xt_check_match); | 418 | EXPORT_SYMBOL_GPL(xt_check_match); |
@@ -518,6 +532,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user); | |||
518 | int xt_check_target(struct xt_tgchk_param *par, | 532 | int xt_check_target(struct xt_tgchk_param *par, |
519 | unsigned int size, u_int8_t proto, bool inv_proto) | 533 | unsigned int size, u_int8_t proto, bool inv_proto) |
520 | { | 534 | { |
535 | int ret; | ||
536 | |||
521 | if (XT_ALIGN(par->target->targetsize) != size) { | 537 | if (XT_ALIGN(par->target->targetsize) != size) { |
522 | pr_err("%s_tables: %s.%u target: invalid size " | 538 | pr_err("%s_tables: %s.%u target: invalid size " |
523 | "%u (kernel) != (user) %u\n", | 539 | "%u (kernel) != (user) %u\n", |
@@ -549,8 +565,14 @@ int xt_check_target(struct xt_tgchk_param *par, | |||
549 | par->target->proto); | 565 | par->target->proto); |
550 | return -EINVAL; | 566 | return -EINVAL; |
551 | } | 567 | } |
552 | if (par->target->checkentry != NULL && !par->target->checkentry(par)) | 568 | if (par->target->checkentry != NULL) { |
553 | return -EINVAL; | 569 | ret = par->target->checkentry(par); |
570 | if (ret < 0) | ||
571 | return ret; | ||
572 | else if (ret > 0) | ||
573 | /* Flag up potential errors. */ | ||
574 | return -EIO; | ||
575 | } | ||
554 | return 0; | 576 | return 0; |
555 | } | 577 | } |
556 | EXPORT_SYMBOL_GPL(xt_check_target); | 578 | EXPORT_SYMBOL_GPL(xt_check_target); |
@@ -662,6 +684,26 @@ void xt_free_table_info(struct xt_table_info *info) | |||
662 | else | 684 | else |
663 | vfree(info->entries[cpu]); | 685 | vfree(info->entries[cpu]); |
664 | } | 686 | } |
687 | |||
688 | if (info->jumpstack != NULL) { | ||
689 | if (sizeof(void *) * info->stacksize > PAGE_SIZE) { | ||
690 | for_each_possible_cpu(cpu) | ||
691 | vfree(info->jumpstack[cpu]); | ||
692 | } else { | ||
693 | for_each_possible_cpu(cpu) | ||
694 | kfree(info->jumpstack[cpu]); | ||
695 | } | ||
696 | } | ||
697 | |||
698 | if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE) | ||
699 | vfree(info->jumpstack); | ||
700 | else | ||
701 | kfree(info->jumpstack); | ||
702 | if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE) | ||
703 | vfree(info->stackptr); | ||
704 | else | ||
705 | kfree(info->stackptr); | ||
706 | |||
665 | kfree(info); | 707 | kfree(info); |
666 | } | 708 | } |
667 | EXPORT_SYMBOL(xt_free_table_info); | 709 | EXPORT_SYMBOL(xt_free_table_info); |
@@ -706,6 +748,49 @@ EXPORT_SYMBOL_GPL(xt_compat_unlock); | |||
706 | DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks); | 748 | DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks); |
707 | EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks); | 749 | EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks); |
708 | 750 | ||
751 | static int xt_jumpstack_alloc(struct xt_table_info *i) | ||
752 | { | ||
753 | unsigned int size; | ||
754 | int cpu; | ||
755 | |||
756 | size = sizeof(unsigned int) * nr_cpu_ids; | ||
757 | if (size > PAGE_SIZE) | ||
758 | i->stackptr = vmalloc(size); | ||
759 | else | ||
760 | i->stackptr = kmalloc(size, GFP_KERNEL); | ||
761 | if (i->stackptr == NULL) | ||
762 | return -ENOMEM; | ||
763 | memset(i->stackptr, 0, size); | ||
764 | |||
765 | size = sizeof(void **) * nr_cpu_ids; | ||
766 | if (size > PAGE_SIZE) | ||
767 | i->jumpstack = vmalloc(size); | ||
768 | else | ||
769 | i->jumpstack = kmalloc(size, GFP_KERNEL); | ||
770 | if (i->jumpstack == NULL) | ||
771 | return -ENOMEM; | ||
772 | memset(i->jumpstack, 0, size); | ||
773 | |||
774 | i->stacksize *= xt_jumpstack_multiplier; | ||
775 | size = sizeof(void *) * i->stacksize; | ||
776 | for_each_possible_cpu(cpu) { | ||
777 | if (size > PAGE_SIZE) | ||
778 | i->jumpstack[cpu] = vmalloc_node(size, | ||
779 | cpu_to_node(cpu)); | ||
780 | else | ||
781 | i->jumpstack[cpu] = kmalloc_node(size, | ||
782 | GFP_KERNEL, cpu_to_node(cpu)); | ||
783 | if (i->jumpstack[cpu] == NULL) | ||
784 | /* | ||
785 | * Freeing will be done later on by the callers. The | ||
786 | * chain is: xt_replace_table -> __do_replace -> | ||
787 | * do_replace -> xt_free_table_info. | ||
788 | */ | ||
789 | return -ENOMEM; | ||
790 | } | ||
791 | |||
792 | return 0; | ||
793 | } | ||
709 | 794 | ||
710 | struct xt_table_info * | 795 | struct xt_table_info * |
711 | xt_replace_table(struct xt_table *table, | 796 | xt_replace_table(struct xt_table *table, |
@@ -714,6 +799,13 @@ xt_replace_table(struct xt_table *table, | |||
714 | int *error) | 799 | int *error) |
715 | { | 800 | { |
716 | struct xt_table_info *private; | 801 | struct xt_table_info *private; |
802 | int ret; | ||
803 | |||
804 | ret = xt_jumpstack_alloc(newinfo); | ||
805 | if (ret < 0) { | ||
806 | *error = ret; | ||
807 | return NULL; | ||
808 | } | ||
717 | 809 | ||
718 | /* Do the substitution. */ | 810 | /* Do the substitution. */ |
719 | local_bh_disable(); | 811 | local_bh_disable(); |
@@ -721,7 +813,7 @@ xt_replace_table(struct xt_table *table, | |||
721 | 813 | ||
722 | /* Check inside lock: is the old number correct? */ | 814 | /* Check inside lock: is the old number correct? */ |
723 | if (num_counters != private->number) { | 815 | if (num_counters != private->number) { |
724 | duprintf("num_counters != table->private->number (%u/%u)\n", | 816 | pr_debug("num_counters != table->private->number (%u/%u)\n", |
725 | num_counters, private->number); | 817 | num_counters, private->number); |
726 | local_bh_enable(); | 818 | local_bh_enable(); |
727 | *error = -EAGAIN; | 819 | *error = -EAGAIN; |
@@ -752,6 +844,10 @@ struct xt_table *xt_register_table(struct net *net, | |||
752 | struct xt_table_info *private; | 844 | struct xt_table_info *private; |
753 | struct xt_table *t, *table; | 845 | struct xt_table *t, *table; |
754 | 846 | ||
847 | ret = xt_jumpstack_alloc(newinfo); | ||
848 | if (ret < 0) | ||
849 | return ERR_PTR(ret); | ||
850 | |||
755 | /* Don't add one object to multiple lists. */ | 851 | /* Don't add one object to multiple lists. */ |
756 | table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); | 852 | table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); |
757 | if (!table) { | 853 | if (!table) { |
@@ -778,7 +874,7 @@ struct xt_table *xt_register_table(struct net *net, | |||
778 | goto unlock; | 874 | goto unlock; |
779 | 875 | ||
780 | private = table->private; | 876 | private = table->private; |
781 | duprintf("table->private->number = %u\n", private->number); | 877 | pr_debug("table->private->number = %u\n", private->number); |
782 | 878 | ||
783 | /* save number of initial entries */ | 879 | /* save number of initial entries */ |
784 | private->initial_entries = private->number; | 880 | private->initial_entries = private->number; |
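--- a/net/netfilter/xt_CONNMARK.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * xt_CONNMARK - Netfilter module to modify the connection mark values
- *
- * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- * Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * Jan Engelhardt <jengelh@computergmbh.de>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("Xtables: connection mark modification");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_CONNMARK");
-MODULE_ALIAS("ip6t_CONNMARK");
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_CONNMARK.h>
-#include <net/netfilter/nf_conntrack_ecache.h>
-
-static unsigned int
-connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
-{
-	const struct xt_connmark_tginfo1 *info = par->targinfo;
-	enum ip_conntrack_info ctinfo;
-	struct nf_conn *ct;
-	u_int32_t newmark;
-
-	ct = nf_ct_get(skb, &ctinfo);
-	if (ct == NULL)
-		return XT_CONTINUE;
-
-	switch (info->mode) {
-	case XT_CONNMARK_SET:
-		newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
-		if (ct->mark != newmark) {
-			ct->mark = newmark;
-			nf_conntrack_event_cache(IPCT_MARK, ct);
-		}
-		break;
-	case XT_CONNMARK_SAVE:
-		newmark = (ct->mark & ~info->ctmask) ^
-		          (skb->mark & info->nfmask);
-		if (ct->mark != newmark) {
-			ct->mark = newmark;
-			nf_conntrack_event_cache(IPCT_MARK, ct);
-		}
-		break;
-	case XT_CONNMARK_RESTORE:
-		newmark = (skb->mark & ~info->nfmask) ^
-		          (ct->mark & info->ctmask);
-		skb->mark = newmark;
-		break;
-	}
-
-	return XT_CONTINUE;
-}
-
-static bool connmark_tg_check(const struct xt_tgchk_param *par)
-{
-	if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-		printk(KERN_WARNING "cannot load conntrack support for "
-		       "proto=%u\n", par->family);
-		return false;
-	}
-	return true;
-}
-
-static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
-{
-	nf_ct_l3proto_module_put(par->family);
-}
-
-static struct xt_target connmark_tg_reg __read_mostly = {
-	.name = "CONNMARK",
-	.revision = 1,
-	.family = NFPROTO_UNSPEC,
-	.checkentry = connmark_tg_check,
-	.target = connmark_tg,
-	.targetsize = sizeof(struct xt_connmark_tginfo1),
-	.destroy = connmark_tg_destroy,
-	.me = THIS_MODULE,
-};
-
-static int __init connmark_tg_init(void)
-{
-	return xt_register_target(&connmark_tg_reg);
-}
-
-static void __exit connmark_tg_exit(void)
-{
-	xt_unregister_target(&connmark_tg_reg);
-}
-
-module_init(connmark_tg_init);
-module_exit(connmark_tg_exit);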
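--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -15,6 +15,7 @@
  * published by the Free Software Foundation.
  *
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
@@ -22,8 +23,6 @@
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 
-#define PFX "CONNSECMARK: "
-
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
 MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
@@ -85,15 +84,16 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
+static int connsecmark_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_connsecmark_target_info *info = par->targinfo;
+	int ret;
 
 	if (strcmp(par->table, "mangle") != 0 &&
 	    strcmp(par->table, "security") != 0) {
-		printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+		pr_info("target only valid in the \'mangle\' "
 		       "or \'security\' tables, not \'%s\'.\n", par->table);
-		return false;
+		return -EINVAL;
 	}
 
 	switch (info->mode) {
@@ -102,16 +102,15 @@ static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
 		break;
 
 	default:
-		printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
-		return false;
+		pr_info("invalid mode: %hu\n", info->mode);
+		return -EINVAL;
 	}
 
-	if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-		printk(KERN_WARNING "can't load conntrack support for "
-		       "proto=%u\n", par->family);
-		return false;
-	}
-	return true;
+	ret = nf_ct_l3proto_try_module_get(par->family);
+	if (ret < 0)
+		pr_info("cannot load conntrack support for proto=%u\n",
+			par->family);
+	return ret;
 }
 
 static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)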
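--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -38,13 +38,13 @@ static unsigned int xt_ct_target(struct sk_buff *skb,
 
 static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 {
-	if (par->family == AF_INET) {
+	if (par->family == NFPROTO_IPV4) {
 		const struct ipt_entry *e = par->entryinfo;
 
 		if (e->ip.invflags & IPT_INV_PROTO)
 			return 0;
 		return e->ip.proto;
-	} else if (par->family == AF_INET6) {
+	} else if (par->family == NFPROTO_IPV6) {
 		const struct ip6t_entry *e = par->entryinfo;
 
 		if (e->ipv6.invflags & IP6T_INV_PROTO)
@@ -54,16 +54,17 @@ static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 	return 0;
 }
 
-static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
+static int xt_ct_tg_check(const struct xt_tgchk_param *par)
 {
 	struct xt_ct_target_info *info = par->targinfo;
 	struct nf_conntrack_tuple t;
 	struct nf_conn_help *help;
 	struct nf_conn *ct;
+	int ret = 0;
 	u8 proto;
 
 	if (info->flags & ~XT_CT_NOTRACK)
-		return false;
+		return -EINVAL;
 
 	if (info->flags & XT_CT_NOTRACK) {
 		ct = &nf_conntrack_untracked;
@@ -76,28 +77,34 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
 		goto err1;
 #endif
 
-	if (nf_ct_l3proto_try_module_get(par->family) < 0)
+	ret = nf_ct_l3proto_try_module_get(par->family);
+	if (ret < 0)
 		goto err1;
 
 	memset(&t, 0, sizeof(t));
 	ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
+	ret = PTR_ERR(ct);
 	if (IS_ERR(ct))
 		goto err2;
 
+	ret = 0;
 	if ((info->ct_events || info->exp_events) &&
 	    !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
 				  GFP_KERNEL))
 		goto err3;
 
 	if (info->helper[0]) {
+		ret = -ENOENT;
 		proto = xt_ct_find_proto(par);
 		if (!proto)
 			goto err3;
 
+		ret = -ENOMEM;
 		help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
 		if (help == NULL)
 			goto err3;
 
+		ret = -ENOENT;
 		help->helper = nf_conntrack_helper_try_module_get(info->helper,
 								  par->family,
 								  proto);
@@ -109,14 +116,14 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
 	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
 out:
 	info->ct = ct;
-	return true;
+	return 0;
 
 err3:
 	nf_conntrack_free(ct);
 err2:
 	nf_ct_l3proto_module_put(par->family);
 err1:
-	return false;
+	return ret;
 }
 
 static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
@@ -138,7 +145,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target xt_ct_tg __read_mostly = {
 	.name = "CT",
 	.family = NFPROTO_UNSPEC,
-	.targetsize = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+	.targetsize = sizeof(struct xt_ct_target_info),
 	.checkentry = xt_ct_tg_check,
 	.destroy = xt_ct_tg_destroy,
 	.target = xt_ct_target,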
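Review bot: The event-cache failure path in xt_ct_tg_check now reports success: `ret = 0;` is assigned at new line 90 immediately before the `nf_ct_ecache_ext_add()` test, so the `goto err3` on that failure frees the conntrack, drops the l3proto reference and then returns 0 from `err1`, which xt_check_target accepts as a valid entry even though info->ct was never assigned. Every other failure site in this hunk sets ret before its goto; this one should too, i.e. replace `ret = 0;` with `ret = -ENOMEM;` (the success path already returns 0 explicitly after `out:`, so nothing relies on the zero). As a readability nit, `ret = PTR_ERR(ct);` is evaluated on a possibly valid pointer before `IS_ERR(ct)`; moving the assignment inside the `if (IS_ERR(ct))` branch keeps the error-code flow easier to audit.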
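--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -9,7 +9,7 @@
  *
  * See RFC2474 for a description of the DSCP field within the IP Header.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -60,15 +60,15 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool dscp_tg_check(const struct xt_tgchk_param *par)
+static int dscp_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_DSCP_info *info = par->targinfo;
 
 	if (info->dscp > XT_DSCP_MAX) {
-		printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp);
-		return false;
+		pr_info("dscp %x out of range\n", info->dscp);
+		return -EDOM;
 	}
-	return true;
+	return 0;
 }
 
 static unsigned int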
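Review bot: dscp_tg_check returns -EDOM for an out-of-range DSCP value (new line 69), whereas the other checkentry conversions in this series report an out-of-range option as -EINVAL (for example the mode checks in xt_HL.c). Unless userspace is meant to tell these apart, `return -EINVAL;` would keep the error code for "bad option value" uniform across targets and make the iptables-side message consistent. If -EDOM is intentional, a one-line comment saying why would stop the next reader from "fixing" it.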
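--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -9,7 +9,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -101,35 +101,33 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool ttl_tg_check(const struct xt_tgchk_param *par)
+static int ttl_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct ipt_TTL_info *info = par->targinfo;
 
 	if (info->mode > IPT_TTL_MAXMODE) {
-		printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",
-			info->mode);
-		return false;
+		pr_info("TTL: invalid or unknown mode %u\n", info->mode);
+		return -EINVAL;
 	}
 	if (info->mode != IPT_TTL_SET && info->ttl == 0)
-		return false;
-	return true;
+		return -EINVAL;
+	return 0;
 }
 
-static bool hl_tg6_check(const struct xt_tgchk_param *par)
+static int hl_tg6_check(const struct xt_tgchk_param *par)
 {
 	const struct ip6t_HL_info *info = par->targinfo;
 
 	if (info->mode > IP6T_HL_MAXMODE) {
-		printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
-			info->mode);
-		return false;
+		pr_info("invalid or unknown mode %u\n", info->mode);
+		return -EINVAL;
 	}
 	if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
-		printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
-			"make sense with value 0\n");
-		return false;
+		pr_info("increment/decrement does not "
+			"make sense with value 0\n");
+		return -EINVAL;
 	}
-	return true;
+	return 0;
 }
 
 static struct xt_target hl_tg_reg[] __read_mostly = {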
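Review bot: ttl_tg_check still rejects `info->mode != IPT_TTL_SET && info->ttl == 0` silently (new lines 112-113), while the parallel check in hl_tg6_check logs `pr_info("increment/decrement does not make sense with value 0\n")` before returning -EINVAL; now that rule rejection reaches the operator only as an errno, the IPv4 path deserves the same message so the two halves of the module are diagnosable alike. The IPv4 message also keeps its own "TTL: " prefix on top of the new pr_fmt prefix while the IPv6 message relies on pr_fmt alone, so log lines from the same module come out in two shapes; dropping the literal prefix or adding an "HL: " one to the IPv6 side would make them uniform.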
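--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -18,7 +18,7 @@
  * 02110-1301 USA.
  *
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
@@ -32,12 +32,18 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
 MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
 
+static LIST_HEAD(xt_led_triggers);
+static DEFINE_MUTEX(xt_led_mutex);
+
 /*
  * This is declared in here (the kernel module) only, to avoid having these
  * dependencies in userspace code. This is what xt_led_info.internal_data
  * points to.
  */
 struct xt_led_info_internal {
+	struct list_head list;
+	int refcnt;
+	char *trigger_id;
 	struct led_trigger netfilter_led_trigger;
 	struct timer_list timer;
 };
@@ -54,7 +60,7 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	 */
 	if ((ledinfo->delay > 0) && ledinfo->always_blink &&
 	    timer_pending(&ledinternal->timer))
-		led_trigger_event(&ledinternal->netfilter_led_trigger,LED_OFF);
+		led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
 
 	led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
 
@@ -75,54 +81,86 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
 
 static void led_timeout_callback(unsigned long data)
 {
-	struct xt_led_info *ledinfo = (struct xt_led_info *)data;
-	struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+	struct xt_led_info_internal *ledinternal = (struct xt_led_info_internal *)data;
 
 	led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
 }
 
-static bool led_tg_check(const struct xt_tgchk_param *par)
+static struct xt_led_info_internal *led_trigger_lookup(const char *name)
+{
+	struct xt_led_info_internal *ledinternal;
+
+	list_for_each_entry(ledinternal, &xt_led_triggers, list) {
+		if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
+			return ledinternal;
+		}
+	}
+	return NULL;
+}
+
+static int led_tg_check(const struct xt_tgchk_param *par)
 {
 	struct xt_led_info *ledinfo = par->targinfo;
 	struct xt_led_info_internal *ledinternal;
 	int err;
 
 	if (ledinfo->id[0] == '\0') {
-		printk(KERN_ERR KBUILD_MODNAME ": No 'id' parameter given.\n");
-		return false;
+		pr_info("No 'id' parameter given.\n");
+		return -EINVAL;
 	}
 
-	ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
-	if (!ledinternal) {
-		printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n");
-		return false;
+	mutex_lock(&xt_led_mutex);
+
+	ledinternal = led_trigger_lookup(ledinfo->id);
+	if (ledinternal) {
+		ledinternal->refcnt++;
+		goto out;
 	}
 
-	ledinternal->netfilter_led_trigger.name = ledinfo->id;
+	err = -ENOMEM;
+	ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
+	if (!ledinternal)
+		goto exit_mutex_only;
+
+	ledinternal->trigger_id = kstrdup(ledinfo->id, GFP_KERNEL);
+	if (!ledinternal->trigger_id)
+		goto exit_internal_alloc;
+
+	ledinternal->refcnt = 1;
+	ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
 
 	err = led_trigger_register(&ledinternal->netfilter_led_trigger);
 	if (err) {
-		printk(KERN_CRIT KBUILD_MODNAME
-			": led_trigger_register() failed\n");
+		pr_warning("led_trigger_register() failed\n");
 		if (err == -EEXIST)
-			printk(KERN_ERR KBUILD_MODNAME
-				": Trigger name is already in use.\n");
+			pr_warning("Trigger name is already in use.\n");
 		goto exit_alloc;
 	}
 
 	/* See if we need to set up a timer */
 	if (ledinfo->delay > 0)
 		setup_timer(&ledinternal->timer, led_timeout_callback,
-			    (unsigned long)ledinfo);
+			    (unsigned long)ledinternal);
+
+	list_add_tail(&ledinternal->list, &xt_led_triggers);
+
+out:
+	mutex_unlock(&xt_led_mutex);
 
 	ledinfo->internal_data = ledinternal;
 
-	return true;
+	return 0;
 
 exit_alloc:
+	kfree(ledinternal->trigger_id);
+
+exit_internal_alloc:
 	kfree(ledinternal);
 
-	return false;
+exit_mutex_only:
+	mutex_unlock(&xt_led_mutex);
+
+	return err;
 }
 
 static void led_tg_destroy(const struct xt_tgdtor_param *par)
@@ -130,10 +168,23 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
 	const struct xt_led_info *ledinfo = par->targinfo;
 	struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
 
+	mutex_lock(&xt_led_mutex);
+
+	if (--ledinternal->refcnt) {
+		mutex_unlock(&xt_led_mutex);
+		return;
+	}
+
+	list_del(&ledinternal->list);
+
 	if (ledinfo->delay > 0)
 		del_timer_sync(&ledinternal->timer);
 
 	led_trigger_unregister(&ledinternal->netfilter_led_trigger);
+
+	mutex_unlock(&xt_led_mutex);
+
+	kfree(ledinternal->trigger_id);
 	kfree(ledinternal);
 }
 
@@ -142,7 +193,7 @@ static struct xt_target led_tg_reg __read_mostly = {
 	.revision = 0,
 	.family = NFPROTO_UNSPEC,
 	.target = led_tg,
-	.targetsize = XT_ALIGN(sizeof(struct xt_led_info)),
+	.targetsize = sizeof(struct xt_led_info),
 	.checkentry = led_tg_check,
 	.destroy = led_tg_destroy,
 	.me = THIS_MODULE,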
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c deleted file mode 100644 index 225f8d11e173..000000000000 --- a/net/netfilter/xt_MARK.c +++ /dev/null | |||
@@ -1,56 +0,0 @@ | |||
1 | /* | ||
2 | * xt_MARK - Netfilter module to modify the NFMARK field of an skb | ||
3 | * | ||
4 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> | ||
5 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 | ||
6 | * Jan Engelhardt <jengelh@computergmbh.de> | ||
7 | * | ||
8 | * This program is free software; you can redistribute it and/or modify | ||
9 | * it under the terms of the GNU General Public License version 2 as | ||
10 | * published by the Free Software Foundation. | ||
11 | */ | ||
12 | |||
13 | #include <linux/module.h> | ||
14 | #include <linux/skbuff.h> | ||
15 | #include <linux/ip.h> | ||
16 | #include <net/checksum.h> | ||
17 | |||
18 | #include <linux/netfilter/x_tables.h> | ||
19 | #include <linux/netfilter/xt_MARK.h> | ||
20 | |||
21 | MODULE_LICENSE("GPL"); | ||
22 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); | ||
23 | MODULE_DESCRIPTION("Xtables: packet mark modification"); | ||
24 | MODULE_ALIAS("ipt_MARK"); | ||
25 | MODULE_ALIAS("ip6t_MARK"); | ||
26 | |||
27 | static unsigned int | ||
28 | mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | ||
29 | { | ||
30 | const struct xt_mark_tginfo2 *info = par->targinfo; | ||
31 | |||
32 | skb->mark = (skb->mark & ~info->mask) ^ info->mark; | ||
33 | return XT_CONTINUE; | ||
34 | } | ||
35 | |||
36 | static struct xt_target mark_tg_reg __read_mostly = { | ||
37 | .name = "MARK", | ||
38 | .revision = 2, | ||
39 | .family = NFPROTO_UNSPEC, | ||
40 | .target = mark_tg, | ||
41 | .targetsize = sizeof(struct xt_mark_tginfo2), | ||
42 | .me = THIS_MODULE, | ||
43 | }; | ||
44 | |||
45 | static int __init mark_tg_init(void) | ||
46 | { | ||
47 | return xt_register_target(&mark_tg_reg); | ||
48 | } | ||
49 | |||
50 | static void __exit mark_tg_exit(void) | ||
51 | { | ||
52 | xt_unregister_target(&mark_tg_reg); | ||
53 | } | ||
54 | |||
55 | module_init(mark_tg_init); | ||
56 | module_exit(mark_tg_exit); | ||
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index a57c5cf018ec..42dd8747b421 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c | |||
@@ -37,15 +37,15 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
37 | return XT_CONTINUE; | 37 | return XT_CONTINUE; |
38 | } | 38 | } |
39 | 39 | ||
40 | static bool nflog_tg_check(const struct xt_tgchk_param *par) | 40 | static int nflog_tg_check(const struct xt_tgchk_param *par) |
41 | { | 41 | { |
42 | const struct xt_nflog_info *info = par->targinfo; | 42 | const struct xt_nflog_info *info = par->targinfo; |
43 | 43 | ||
44 | if (info->flags & ~XT_NFLOG_MASK) | 44 | if (info->flags & ~XT_NFLOG_MASK) |
45 | return false; | 45 | return -EINVAL; |
46 | if (info->prefix[sizeof(info->prefix) - 1] != '\0') | 46 | if (info->prefix[sizeof(info->prefix) - 1] != '\0') |
47 | return false; | 47 | return -EINVAL; |
48 | return true; | 48 | return 0; |
49 | } | 49 | } |
50 | 50 | ||
51 | static struct xt_target nflog_tg_reg __read_mostly = { | 51 | static struct xt_target nflog_tg_reg __read_mostly = { |
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c index 12dcd7007c3e..f9217cb56fe3 100644 --- a/net/netfilter/xt_NFQUEUE.c +++ b/net/netfilter/xt_NFQUEUE.c | |||
@@ -49,17 +49,6 @@ static u32 hash_v4(const struct sk_buff *skb) | |||
49 | return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval); | 49 | return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval); |
50 | } | 50 | } |
51 | 51 | ||
52 | static unsigned int | ||
53 | nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par) | ||
54 | { | ||
55 | const struct xt_NFQ_info_v1 *info = par->targinfo; | ||
56 | u32 queue = info->queuenum; | ||
57 | |||
58 | if (info->queues_total > 1) | ||
59 | queue = hash_v4(skb) % info->queues_total + queue; | ||
60 | return NF_QUEUE_NR(queue); | ||
61 | } | ||
62 | |||
63 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | 52 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) |
64 | static u32 hash_v6(const struct sk_buff *skb) | 53 | static u32 hash_v6(const struct sk_buff *skb) |
65 | { | 54 | { |
@@ -73,20 +62,26 @@ static u32 hash_v6(const struct sk_buff *skb) | |||
73 | 62 | ||
74 | return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval); | 63 | return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval); |
75 | } | 64 | } |
65 | #endif | ||
76 | 66 | ||
77 | static unsigned int | 67 | static unsigned int |
78 | nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par) | 68 | nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par) |
79 | { | 69 | { |
80 | const struct xt_NFQ_info_v1 *info = par->targinfo; | 70 | const struct xt_NFQ_info_v1 *info = par->targinfo; |
81 | u32 queue = info->queuenum; | 71 | u32 queue = info->queuenum; |
82 | 72 | ||
83 | if (info->queues_total > 1) | 73 | if (info->queues_total > 1) { |
84 | queue = hash_v6(skb) % info->queues_total + queue; | 74 | if (par->family == NFPROTO_IPV4) |
75 | queue = hash_v4(skb) % info->queues_total + queue; | ||
76 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
77 | else if (par->family == NFPROTO_IPV6) | ||
78 | queue = hash_v6(skb) % info->queues_total + queue; | ||
79 | #endif | ||
80 | } | ||
85 | return NF_QUEUE_NR(queue); | 81 | return NF_QUEUE_NR(queue); |
86 | } | 82 | } |
87 | #endif | ||
88 | 83 | ||
89 | static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par) | 84 | static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par) |
90 | { | 85 | { |
91 | const struct xt_NFQ_info_v1 *info = par->targinfo; | 86 | const struct xt_NFQ_info_v1 *info = par->targinfo; |
92 | u32 maxid; | 87 | u32 maxid; |
@@ -97,15 +92,15 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par) | |||
97 | } | 92 | } |
98 | if (info->queues_total == 0) { | 93 | if (info->queues_total == 0) { |
99 | pr_err("NFQUEUE: number of total queues is 0\n"); | 94 | pr_err("NFQUEUE: number of total queues is 0\n"); |
100 | return false; | 95 | return -EINVAL; |
101 | } | 96 | } |
102 | maxid = info->queues_total - 1 + info->queuenum; | 97 | maxid = info->queues_total - 1 + info->queuenum; |
103 | if (maxid > 0xffff) { | 98 | if (maxid > 0xffff) { |
104 | pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n", | 99 | pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n", |
105 | info->queues_total, maxid); | 100 | info->queues_total, maxid); |
106 | return false; | 101 | return -ERANGE; |
107 | } | 102 | } |
108 | return true; | 103 | return 0; |
109 | } | 104 | } |
110 | 105 | ||
111 | static struct xt_target nfqueue_tg_reg[] __read_mostly = { | 106 | static struct xt_target nfqueue_tg_reg[] __read_mostly = { |
@@ -119,23 +114,12 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = { | |||
119 | { | 114 | { |
120 | .name = "NFQUEUE", | 115 | .name = "NFQUEUE", |
121 | .revision = 1, | 116 | .revision = 1, |
122 | .family = NFPROTO_IPV4, | 117 | .family = NFPROTO_UNSPEC, |
123 | .checkentry = nfqueue_tg_v1_check, | ||
124 | .target = nfqueue_tg4_v1, | ||
125 | .targetsize = sizeof(struct xt_NFQ_info_v1), | ||
126 | .me = THIS_MODULE, | ||
127 | }, | ||
128 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | ||
129 | { | ||
130 | .name = "NFQUEUE", | ||
131 | .revision = 1, | ||
132 | .family = NFPROTO_IPV6, | ||
133 | .checkentry = nfqueue_tg_v1_check, | 118 | .checkentry = nfqueue_tg_v1_check, |
134 | .target = nfqueue_tg6_v1, | 119 | .target = nfqueue_tg_v1, |
135 | .targetsize = sizeof(struct xt_NFQ_info_v1), | 120 | .targetsize = sizeof(struct xt_NFQ_info_v1), |
136 | .me = THIS_MODULE, | 121 | .me = THIS_MODULE, |
137 | }, | 122 | }, |
138 | #endif | ||
139 | }; | 123 | }; |
140 | 124 | ||
141 | static int __init nfqueue_tg_init(void) | 125 | static int __init nfqueue_tg_init(void) |
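Review bot: nfqueue_tg_v1_check does not reject `queues_total > 1` for families other than IPv4/IPv6, which matters now that revision 1 is registered as NFPROTO_UNSPEC: in nfqueue_tg_v1 a balanced rule loaded from any other family takes neither hash branch and silently steers every packet to the base `queuenum`. A rule that cannot do what it was configured to do should fail to load rather than degrade, so the check should add `if (info->queues_total > 1 && par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6) return -EINVAL;` together with a pr_err naming the limitation. The beginning of nfqueue_tg_v1_check lies outside the hunk.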
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index d16d55df4f61..a02193f06e39 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c | |||
@@ -86,7 +86,7 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
86 | return XT_CONTINUE; | 86 | return XT_CONTINUE; |
87 | } | 87 | } |
88 | 88 | ||
89 | static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) | 89 | static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) |
90 | { | 90 | { |
91 | struct xt_rateest_target_info *info = par->targinfo; | 91 | struct xt_rateest_target_info *info = par->targinfo; |
92 | struct xt_rateest *est; | 92 | struct xt_rateest *est; |
@@ -94,6 +94,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) | |||
94 | struct nlattr opt; | 94 | struct nlattr opt; |
95 | struct gnet_estimator est; | 95 | struct gnet_estimator est; |
96 | } cfg; | 96 | } cfg; |
97 | int ret; | ||
97 | 98 | ||
98 | if (unlikely(!rnd_inited)) { | 99 | if (unlikely(!rnd_inited)) { |
99 | get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); | 100 | get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); |
@@ -110,12 +111,13 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) | |||
110 | (info->interval != est->params.interval || | 111 | (info->interval != est->params.interval || |
111 | info->ewma_log != est->params.ewma_log)) { | 112 | info->ewma_log != est->params.ewma_log)) { |
112 | xt_rateest_put(est); | 113 | xt_rateest_put(est); |
113 | return false; | 114 | return -EINVAL; |
114 | } | 115 | } |
115 | info->est = est; | 116 | info->est = est; |
116 | return true; | 117 | return 0; |
117 | } | 118 | } |
118 | 119 | ||
120 | ret = -ENOMEM; | ||
119 | est = kzalloc(sizeof(*est), GFP_KERNEL); | 121 | est = kzalloc(sizeof(*est), GFP_KERNEL); |
120 | if (!est) | 122 | if (!est) |
121 | goto err1; | 123 | goto err1; |
@@ -131,19 +133,19 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) | |||
131 | cfg.est.interval = info->interval; | 133 | cfg.est.interval = info->interval; |
132 | cfg.est.ewma_log = info->ewma_log; | 134 | cfg.est.ewma_log = info->ewma_log; |
133 | 135 | ||
134 | if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock, | 136 | ret = gen_new_estimator(&est->bstats, &est->rstats, |
135 | &cfg.opt) < 0) | 137 | &est->lock, &cfg.opt); |
138 | if (ret < 0) | ||
136 | goto err2; | 139 | goto err2; |
137 | 140 | ||
138 | info->est = est; | 141 | info->est = est; |
139 | xt_rateest_hash_insert(est); | 142 | xt_rateest_hash_insert(est); |
140 | 143 | return 0; | |
141 | return true; | ||
142 | 144 | ||
143 | err2: | 145 | err2: |
144 | kfree(est); | 146 | kfree(est); |
145 | err1: | 147 | err1: |
146 | return false; | 148 | return ret; |
147 | } | 149 | } |
148 | 150 | ||
149 | static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) | 151 | static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) |
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index 7a6f9e6f5dfa..a91d4a7d5a2c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c | |||
@@ -12,6 +12,7 @@ | |||
12 | * published by the Free Software Foundation. | 12 | * published by the Free Software Foundation. |
13 | * | 13 | * |
14 | */ | 14 | */ |
15 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
15 | #include <linux/module.h> | 16 | #include <linux/module.h> |
16 | #include <linux/skbuff.h> | 17 | #include <linux/skbuff.h> |
17 | #include <linux/selinux.h> | 18 | #include <linux/selinux.h> |
@@ -49,7 +50,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
49 | return XT_CONTINUE; | 50 | return XT_CONTINUE; |
50 | } | 51 | } |
51 | 52 | ||
52 | static bool checkentry_selinux(struct xt_secmark_target_info *info) | 53 | static int checkentry_selinux(struct xt_secmark_target_info *info) |
53 | { | 54 | { |
54 | int err; | 55 | int err; |
55 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; | 56 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; |
@@ -59,58 +60,59 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info) | |||
59 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); | 60 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); |
60 | if (err) { | 61 | if (err) { |
61 | if (err == -EINVAL) | 62 | if (err == -EINVAL) |
62 | printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n", | 63 | pr_info("invalid SELinux context \'%s\'\n", |
63 | sel->selctx); | 64 | sel->selctx); |
64 | return false; | 65 | return err; |
65 | } | 66 | } |
66 | 67 | ||
67 | if (!sel->selsid) { | 68 | if (!sel->selsid) { |
68 | printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n", | 69 | pr_info("unable to map SELinux context \'%s\'\n", sel->selctx); |
69 | sel->selctx); | 70 | return -ENOENT; |
70 | return false; | ||
71 | } | 71 | } |
72 | 72 | ||
73 | err = selinux_secmark_relabel_packet_permission(sel->selsid); | 73 | err = selinux_secmark_relabel_packet_permission(sel->selsid); |
74 | if (err) { | 74 | if (err) { |
75 | printk(KERN_INFO PFX "unable to obtain relabeling permission\n"); | 75 | pr_info("unable to obtain relabeling permission\n"); |
76 | return false; | 76 | return err; |
77 | } | 77 | } |
78 | 78 | ||
79 | selinux_secmark_refcount_inc(); | 79 | selinux_secmark_refcount_inc(); |
80 | return true; | 80 | return 0; |
81 | } | 81 | } |
82 | 82 | ||
83 | static bool secmark_tg_check(const struct xt_tgchk_param *par) | 83 | static int secmark_tg_check(const struct xt_tgchk_param *par) |
84 | { | 84 | { |
85 | struct xt_secmark_target_info *info = par->targinfo; | 85 | struct xt_secmark_target_info *info = par->targinfo; |
86 | int err; | ||
86 | 87 | ||
87 | if (strcmp(par->table, "mangle") != 0 && | 88 | if (strcmp(par->table, "mangle") != 0 && |
88 | strcmp(par->table, "security") != 0) { | 89 | strcmp(par->table, "security") != 0) { |
89 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " | 90 | pr_info("target only valid in the \'mangle\' " |
90 | "or \'security\' tables, not \'%s\'.\n", par->table); | 91 | "or \'security\' tables, not \'%s\'.\n", par->table); |
91 | return false; | 92 | return -EINVAL; |
92 | } | 93 | } |
93 | 94 | ||
94 | if (mode && mode != info->mode) { | 95 | if (mode && mode != info->mode) { |
95 | printk(KERN_INFO PFX "mode already set to %hu cannot mix with " | 96 | pr_info("mode already set to %hu cannot mix with " |
96 | "rules for mode %hu\n", mode, info->mode); | 97 | "rules for mode %hu\n", mode, info->mode); |
97 | return false; | 98 | return -EINVAL; |
98 | } | 99 | } |
99 | 100 | ||
100 | switch (info->mode) { | 101 | switch (info->mode) { |
101 | case SECMARK_MODE_SEL: | 102 | case SECMARK_MODE_SEL: |
102 | if (!checkentry_selinux(info)) | 103 | err = checkentry_selinux(info); |
103 | return false; | 104 | if (err <= 0) |
105 | return err; | ||
104 | break; | 106 | break; |
105 | 107 | ||
106 | default: | 108 | default: |
107 | printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); | 109 | pr_info("invalid mode: %hu\n", info->mode); |
108 | return false; | 110 | return -EINVAL; |
109 | } | 111 | } |
110 | 112 | ||
111 | if (!mode) | 113 | if (!mode) |
112 | mode = info->mode; | 114 | mode = info->mode; |
113 | return true; | 115 | return 0; |
114 | } | 116 | } |
115 | 117 | ||
116 | static void secmark_tg_destroy(const struct xt_tgdtor_param *par) | 118 | static void secmark_tg_destroy(const struct xt_tgdtor_param *par) |
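Review bot: secmark_tg_check now returns early on success: checkentry_selinux() returns 0 when the context resolves, so `if (err <= 0) return err;` leaves the function before the trailing `if (!mode) mode = info->mode;` is reached. The module-wide `mode` is therefore never recorded by the first SECMARK rule and the "mode already set ... cannot mix" rejection above can never fire; the condition should be `if (err < 0) return err;`. If secmark_tg_destroy (outside the hunk) keys its cleanup on `mode`, that path would be affected as well.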
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index c5f4b9919e9a..d04606459c9d 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c | |||
@@ -7,7 +7,7 @@ | |||
7 | * it under the terms of the GNU General Public License version 2 as | 7 | * it under the terms of the GNU General Public License version 2 as |
8 | * published by the Free Software Foundation. | 8 | * published by the Free Software Foundation. |
9 | */ | 9 | */ |
10 | 10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
11 | #include <linux/module.h> | 11 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 12 | #include <linux/skbuff.h> |
13 | #include <linux/ip.h> | 13 | #include <linux/ip.h> |
@@ -68,15 +68,14 @@ tcpmss_mangle_packet(struct sk_buff *skb, | |||
68 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { | 68 | if (info->mss == XT_TCPMSS_CLAMP_PMTU) { |
69 | if (dst_mtu(skb_dst(skb)) <= minlen) { | 69 | if (dst_mtu(skb_dst(skb)) <= minlen) { |
70 | if (net_ratelimit()) | 70 | if (net_ratelimit()) |
71 | printk(KERN_ERR "xt_TCPMSS: " | 71 | pr_err("unknown or invalid path-MTU (%u)\n", |
72 | "unknown or invalid path-MTU (%u)\n", | ||
73 | dst_mtu(skb_dst(skb))); | 72 | dst_mtu(skb_dst(skb))); |
74 | return -1; | 73 | return -1; |
75 | } | 74 | } |
76 | if (in_mtu <= minlen) { | 75 | if (in_mtu <= minlen) { |
77 | if (net_ratelimit()) | 76 | if (net_ratelimit()) |
78 | printk(KERN_ERR "xt_TCPMSS: unknown or " | 77 | pr_err("unknown or invalid path-MTU (%u)\n", |
79 | "invalid path-MTU (%u)\n", in_mtu); | 78 | in_mtu); |
80 | return -1; | 79 | return -1; |
81 | } | 80 | } |
82 | newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen; | 81 | newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen; |
@@ -236,7 +235,7 @@ static inline bool find_syn_match(const struct xt_entry_match *m) | |||
236 | return false; | 235 | return false; |
237 | } | 236 | } |
238 | 237 | ||
239 | static bool tcpmss_tg4_check(const struct xt_tgchk_param *par) | 238 | static int tcpmss_tg4_check(const struct xt_tgchk_param *par) |
240 | { | 239 | { |
241 | const struct xt_tcpmss_info *info = par->targinfo; | 240 | const struct xt_tcpmss_info *info = par->targinfo; |
242 | const struct ipt_entry *e = par->entryinfo; | 241 | const struct ipt_entry *e = par->entryinfo; |
@@ -246,19 +245,19 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par) | |||
246 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | | 245 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | |
247 | (1 << NF_INET_LOCAL_OUT) | | 246 | (1 << NF_INET_LOCAL_OUT) | |
248 | (1 << NF_INET_POST_ROUTING))) != 0) { | 247 | (1 << NF_INET_POST_ROUTING))) != 0) { |
249 | printk("xt_TCPMSS: path-MTU clamping only supported in " | 248 | pr_info("path-MTU clamping only supported in " |
250 | "FORWARD, OUTPUT and POSTROUTING hooks\n"); | 249 | "FORWARD, OUTPUT and POSTROUTING hooks\n"); |
251 | return false; | 250 | return -EINVAL; |
252 | } | 251 | } |
253 | xt_ematch_foreach(ematch, e) | 252 | xt_ematch_foreach(ematch, e) |
254 | if (find_syn_match(ematch)) | 253 | if (find_syn_match(ematch)) |
255 | return true; | 254 | return 0; |
256 | printk("xt_TCPMSS: Only works on TCP SYN packets\n"); | 255 | pr_info("Only works on TCP SYN packets\n"); |
257 | return false; | 256 | return -EINVAL; |
258 | } | 257 | } |
259 | 258 | ||
260 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | 259 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) |
261 | static bool tcpmss_tg6_check(const struct xt_tgchk_param *par) | 260 | static int tcpmss_tg6_check(const struct xt_tgchk_param *par) |
262 | { | 261 | { |
263 | const struct xt_tcpmss_info *info = par->targinfo; | 262 | const struct xt_tcpmss_info *info = par->targinfo; |
264 | const struct ip6t_entry *e = par->entryinfo; | 263 | const struct ip6t_entry *e = par->entryinfo; |
@@ -268,15 +267,15 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par) | |||
268 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | | 267 | (par->hook_mask & ~((1 << NF_INET_FORWARD) | |
269 | (1 << NF_INET_LOCAL_OUT) | | 268 | (1 << NF_INET_LOCAL_OUT) | |
270 | (1 << NF_INET_POST_ROUTING))) != 0) { | 269 | (1 << NF_INET_POST_ROUTING))) != 0) { |
271 | printk("xt_TCPMSS: path-MTU clamping only supported in " | 270 | pr_info("path-MTU clamping only supported in " |
272 | "FORWARD, OUTPUT and POSTROUTING hooks\n"); | 271 | "FORWARD, OUTPUT and POSTROUTING hooks\n"); |
273 | return false; | 272 | return -EINVAL; |
274 | } | 273 | } |
275 | xt_ematch_foreach(ematch, e) | 274 | xt_ematch_foreach(ematch, e) |
276 | if (find_syn_match(ematch)) | 275 | if (find_syn_match(ematch)) |
277 | return true; | 276 | return 0; |
278 | printk("xt_TCPMSS: Only works on TCP SYN packets\n"); | 277 | pr_info("Only works on TCP SYN packets\n"); |
279 | return false; | 278 | return -EINVAL; |
280 | } | 279 | } |
281 | #endif | 280 | #endif |
282 | 281 | ||
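Review bot: tcpmss_tg4_check and tcpmss_tg6_check are line-for-line identical apart from the type of `e`: the same hook-mask test, the same two pr_info strings and the same find_syn_match loop appear twice, so any future change to one (the allowed hooks, the message) has to be mirrored by hand. Since xt_ematch_foreach only relies on `elems` and `target_offset`, which both entry types carry, the shared logic could live in one static helper taking `par`, `e->elems` and `e->target_offset` that walks the matches itself, leaving the two wrappers as thin casts. The start of each check function, including the first half of the `if` condition, is outside the hunk.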
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c index 9dd8c8ef63eb..e8b57609ddc0 100644 --- a/net/netfilter/xt_TCPOPTSTRIP.c +++ b/net/netfilter/xt_TCPOPTSTRIP.c | |||
@@ -3,7 +3,6 @@ | |||
3 | * | 3 | * |
4 | * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org> | 4 | * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org> |
5 | * Copyright © CC Computer Consultants GmbH, 2007 | 5 | * Copyright © CC Computer Consultants GmbH, 2007 |
6 | * Contact: Jan Engelhardt <jengelh@computergmbh.de> | ||
7 | * | 6 | * |
8 | * This program is free software; you can redistribute it and/or modify | 7 | * This program is free software; you can redistribute it and/or modify |
9 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
@@ -136,7 +135,7 @@ static void __exit tcpoptstrip_tg_exit(void) | |||
136 | 135 | ||
137 | module_init(tcpoptstrip_tg_init); | 136 | module_init(tcpoptstrip_tg_init); |
138 | module_exit(tcpoptstrip_tg_exit); | 137 | module_exit(tcpoptstrip_tg_exit); |
139 | MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>"); | 138 | MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@medozas.de>"); |
140 | MODULE_DESCRIPTION("Xtables: TCP option stripping"); | 139 | MODULE_DESCRIPTION("Xtables: TCP option stripping"); |
141 | MODULE_LICENSE("GPL"); | 140 | MODULE_LICENSE("GPL"); |
142 | MODULE_ALIAS("ipt_TCPOPTSTRIP"); | 141 | MODULE_ALIAS("ipt_TCPOPTSTRIP"); |
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c new file mode 100644 index 000000000000..49da6c05f4e0 --- /dev/null +++ b/net/netfilter/xt_TEE.c | |||
@@ -0,0 +1,309 @@ | |||
1 | /* | ||
2 | * "TEE" target extension for Xtables | ||
3 | * Copyright © Sebastian Claßen, 2007 | ||
4 | * Jan Engelhardt, 2007-2010 | ||
5 | * | ||
6 | * based on ipt_ROUTE.c from Cédric de Launois | ||
7 | * <delaunois@info.ucl.be> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License | ||
11 | * version 2 or later, as published by the Free Software Foundation. | ||
12 | */ | ||
13 | #include <linux/ip.h> | ||
14 | #include <linux/module.h> | ||
15 | #include <linux/percpu.h> | ||
16 | #include <linux/route.h> | ||
17 | #include <linux/skbuff.h> | ||
18 | #include <linux/notifier.h> | ||
19 | #include <net/checksum.h> | ||
20 | #include <net/icmp.h> | ||
21 | #include <net/ip.h> | ||
22 | #include <net/ipv6.h> | ||
23 | #include <net/ip6_route.h> | ||
24 | #include <net/route.h> | ||
25 | #include <linux/netfilter/x_tables.h> | ||
26 | #include <linux/netfilter/xt_TEE.h> | ||
27 | |||
28 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) | ||
29 | # define WITH_CONNTRACK 1 | ||
30 | # include <net/netfilter/nf_conntrack.h> | ||
31 | #endif | ||
32 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | ||
33 | # define WITH_IPV6 1 | ||
34 | #endif | ||
35 | |||
36 | struct xt_tee_priv { | ||
37 | struct notifier_block notifier; | ||
38 | struct xt_tee_tginfo *tginfo; | ||
39 | int oif; | ||
40 | }; | ||
41 | |||
42 | static const union nf_inet_addr tee_zero_address; | ||
43 | static DEFINE_PER_CPU(bool, tee_active); | ||
44 | |||
45 | static struct net *pick_net(struct sk_buff *skb) | ||
46 | { | ||
47 | #ifdef CONFIG_NET_NS | ||
48 | const struct dst_entry *dst; | ||
49 | |||
50 | if (skb->dev != NULL) | ||
51 | return dev_net(skb->dev); | ||
52 | dst = skb_dst(skb); | ||
53 | if (dst != NULL && dst->dev != NULL) | ||
54 | return dev_net(dst->dev); | ||
55 | #endif | ||
56 | return &init_net; | ||
57 | } | ||
58 | |||
59 | static bool | ||
60 | tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info) | ||
61 | { | ||
62 | const struct iphdr *iph = ip_hdr(skb); | ||
63 | struct net *net = pick_net(skb); | ||
64 | struct rtable *rt; | ||
65 | struct flowi fl; | ||
66 | |||
67 | memset(&fl, 0, sizeof(fl)); | ||
68 | if (info->priv) { | ||
69 | if (info->priv->oif == -1) | ||
70 | return false; | ||
71 | fl.oif = info->priv->oif; | ||
72 | } | ||
73 | fl.nl_u.ip4_u.daddr = info->gw.ip; | ||
74 | fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); | ||
75 | fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE; | ||
76 | if (ip_route_output_key(net, &rt, &fl) != 0) | ||
77 | return false; | ||
78 | |||
79 | dst_release(skb_dst(skb)); | ||
80 | skb_dst_set(skb, &rt->u.dst); | ||
81 | skb->dev = rt->u.dst.dev; | ||
82 | skb->protocol = htons(ETH_P_IP); | ||
83 | return true; | ||
84 | } | ||
85 | |||
86 | static unsigned int | ||
87 | tee_tg4(struct sk_buff *skb, const struct xt_target_param *par) | ||
88 | { | ||
89 | const struct xt_tee_tginfo *info = par->targinfo; | ||
90 | struct iphdr *iph; | ||
91 | |||
92 | if (percpu_read(tee_active)) | ||
93 | return XT_CONTINUE; | ||
94 | /* | ||
95 | * Copy the skb, and route the copy. Will later return %XT_CONTINUE for | ||
96 | * the original skb, which should continue on its way as if nothing has | ||
97 | * happened. The copy should be independently delivered to the TEE | ||
98 | * --gateway. | ||
99 | */ | ||
100 | skb = pskb_copy(skb, GFP_ATOMIC); | ||
101 | if (skb == NULL) | ||
102 | return XT_CONTINUE; | ||
103 | |||
104 | #ifdef WITH_CONNTRACK | ||
105 | /* Avoid counting cloned packets towards the original connection. */ | ||
106 | nf_conntrack_put(skb->nfct); | ||
107 | skb->nfct = &nf_conntrack_untracked.ct_general; | ||
108 | skb->nfctinfo = IP_CT_NEW; | ||
109 | nf_conntrack_get(skb->nfct); | ||
110 | #endif | ||
111 | /* | ||
112 | * If we are in PREROUTING/INPUT, the checksum must be recalculated | ||
113 | * since the length could have changed as a result of defragmentation. | ||
114 | * | ||
115 | * We also decrease the TTL to mitigate potential TEE loops | ||
116 | * between two hosts. | ||
117 | * | ||
118 | * Set %IP_DF so that the original source is notified of a potentially | ||
119 | * decreased MTU on the clone route. IPv6 does this too. | ||
120 | */ | ||
121 | iph = ip_hdr(skb); | ||
122 | iph->frag_off |= htons(IP_DF); | ||
123 | if (par->hooknum == NF_INET_PRE_ROUTING || | ||
124 | par->hooknum == NF_INET_LOCAL_IN) | ||
125 | --iph->ttl; | ||
126 | ip_send_check(iph); | ||
127 | |||
128 | if (tee_tg_route4(skb, info)) { | ||
129 | percpu_write(tee_active, true); | ||
130 | ip_local_out(skb); | ||
131 | percpu_write(tee_active, false); | ||
132 | } else { | ||
133 | kfree_skb(skb); | ||
134 | } | ||
135 | return XT_CONTINUE; | ||
136 | } | ||
137 | |||
138 | #ifdef WITH_IPV6 | ||
139 | static bool | ||
140 | tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info) | ||
141 | { | ||
142 | const struct ipv6hdr *iph = ipv6_hdr(skb); | ||
143 | struct net *net = pick_net(skb); | ||
144 | struct dst_entry *dst; | ||
145 | struct flowi fl; | ||
146 | |||
147 | memset(&fl, 0, sizeof(fl)); | ||
148 | if (info->priv) { | ||
149 | if (info->priv->oif == -1) | ||
150 | return false; | ||
151 | fl.oif = info->priv->oif; | ||
152 | } | ||
153 | fl.nl_u.ip6_u.daddr = info->gw.in6; | ||
154 | fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) | | ||
155 | (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]; | ||
156 | dst = ip6_route_output(net, NULL, &fl); | ||
157 | if (dst == NULL) | ||
158 | return false; | ||
159 | |||
160 | dst_release(skb_dst(skb)); | ||
161 | skb_dst_set(skb, dst); | ||
162 | skb->dev = dst->dev; | ||
163 | skb->protocol = htons(ETH_P_IPV6); | ||
164 | return true; | ||
165 | } | ||
166 | |||
167 | static unsigned int | ||
168 | tee_tg6(struct sk_buff *skb, const struct xt_target_param *par) | ||
169 | { | ||
170 | const struct xt_tee_tginfo *info = par->targinfo; | ||
171 | |||
172 | if (percpu_read(tee_active)) | ||
173 | return XT_CONTINUE; | ||
174 | skb = pskb_copy(skb, GFP_ATOMIC); | ||
175 | if (skb == NULL) | ||
176 | return XT_CONTINUE; | ||
177 | |||
178 | #ifdef WITH_CONNTRACK | ||
179 | nf_conntrack_put(skb->nfct); | ||
180 | skb->nfct = &nf_conntrack_untracked.ct_general; | ||
181 | skb->nfctinfo = IP_CT_NEW; | ||
182 | nf_conntrack_get(skb->nfct); | ||
183 | #endif | ||
184 | if (par->hooknum == NF_INET_PRE_ROUTING || | ||
185 | par->hooknum == NF_INET_LOCAL_IN) { | ||
186 | struct ipv6hdr *iph = ipv6_hdr(skb); | ||
187 | --iph->hop_limit; | ||
188 | } | ||
189 | if (tee_tg_route6(skb, info)) { | ||
190 | percpu_write(tee_active, true); | ||
191 | ip6_local_out(skb); | ||
192 | percpu_write(tee_active, false); | ||
193 | } else { | ||
194 | kfree_skb(skb); | ||
195 | } | ||
196 | return XT_CONTINUE; | ||
197 | } | ||
198 | #endif /* WITH_IPV6 */ | ||
199 | |||
200 | static int tee_netdev_event(struct notifier_block *this, unsigned long event, | ||
201 | void *ptr) | ||
202 | { | ||
203 | struct net_device *dev = ptr; | ||
204 | struct xt_tee_priv *priv; | ||
205 | |||
206 | priv = container_of(this, struct xt_tee_priv, notifier); | ||
207 | switch (event) { | ||
208 | case NETDEV_REGISTER: | ||
209 | if (!strcmp(dev->name, priv->tginfo->oif)) | ||
210 | priv->oif = dev->ifindex; | ||
211 | break; | ||
212 | case NETDEV_UNREGISTER: | ||
213 | if (dev->ifindex == priv->oif) | ||
214 | priv->oif = -1; | ||
215 | break; | ||
216 | case NETDEV_CHANGENAME: | ||
217 | if (!strcmp(dev->name, priv->tginfo->oif)) | ||
218 | priv->oif = dev->ifindex; | ||
219 | else if (dev->ifindex == priv->oif) | ||
220 | priv->oif = -1; | ||
221 | break; | ||
222 | } | ||
223 | |||
224 | return NOTIFY_DONE; | ||
225 | } | ||
226 | |||
227 | static int tee_tg_check(const struct xt_tgchk_param *par) | ||
228 | { | ||
229 | struct xt_tee_tginfo *info = par->targinfo; | ||
230 | struct xt_tee_priv *priv; | ||
231 | |||
232 | /* 0.0.0.0 and :: not allowed */ | ||
233 | if (memcmp(&info->gw, &tee_zero_address, | ||
234 | sizeof(tee_zero_address)) == 0) | ||
235 | return -EINVAL; | ||
236 | |||
237 | if (info->oif[0]) { | ||
238 | if (info->oif[sizeof(info->oif)-1] != '\0') | ||
239 | return -EINVAL; | ||
240 | |||
241 | priv = kzalloc(sizeof(*priv), GFP_KERNEL); | ||
242 | if (priv == NULL) | ||
243 | return -ENOMEM; | ||
244 | |||
245 | priv->tginfo = info; | ||
246 | priv->oif = -1; | ||
247 | priv->notifier.notifier_call = tee_netdev_event; | ||
248 | info->priv = priv; | ||
249 | |||
250 | register_netdevice_notifier(&priv->notifier); | ||
251 | } else | ||
252 | info->priv = NULL; | ||
253 | |||
254 | return 0; | ||
255 | } | ||
256 | |||
257 | static void tee_tg_destroy(const struct xt_tgdtor_param *par) | ||
258 | { | ||
259 | struct xt_tee_tginfo *info = par->targinfo; | ||
260 | |||
261 | if (info->priv) { | ||
262 | unregister_netdevice_notifier(&info->priv->notifier); | ||
263 | kfree(info->priv); | ||
264 | } | ||
265 | } | ||
266 | |||
267 | static struct xt_target tee_tg_reg[] __read_mostly = { | ||
268 | { | ||
269 | .name = "TEE", | ||
270 | .revision = 1, | ||
271 | .family = NFPROTO_IPV4, | ||
272 | .target = tee_tg4, | ||
273 | .targetsize = sizeof(struct xt_tee_tginfo), | ||
274 | .checkentry = tee_tg_check, | ||
275 | .destroy = tee_tg_destroy, | ||
276 | .me = THIS_MODULE, | ||
277 | }, | ||
278 | #ifdef WITH_IPV6 | ||
279 | { | ||
280 | .name = "TEE", | ||
281 | .revision = 1, | ||
282 | .family = NFPROTO_IPV6, | ||
283 | .target = tee_tg6, | ||
284 | .targetsize = sizeof(struct xt_tee_tginfo), | ||
285 | .checkentry = tee_tg_check, | ||
286 | .destroy = tee_tg_destroy, | ||
287 | .me = THIS_MODULE, | ||
288 | }, | ||
289 | #endif | ||
290 | }; | ||
291 | |||
292 | static int __init tee_tg_init(void) | ||
293 | { | ||
294 | return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg)); | ||
295 | } | ||
296 | |||
297 | static void __exit tee_tg_exit(void) | ||
298 | { | ||
299 | xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg)); | ||
300 | } | ||
301 | |||
302 | module_init(tee_tg_init); | ||
303 | module_exit(tee_tg_exit); | ||
304 | MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>"); | ||
305 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); | ||
306 | MODULE_DESCRIPTION("Xtables: Reroute packet copy"); | ||
307 | MODULE_LICENSE("GPL"); | ||
308 | MODULE_ALIAS("ipt_TEE"); | ||
309 | MODULE_ALIAS("ip6t_TEE"); | ||
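Review bot: tee_tg_route6 tests `dst == NULL` after ip6_route_output(), but that lookup signals failure through `dst->error` on a non-NULL dst rather than by returning NULL, so a failed route is never caught and the clone is handed to ip6_local_out with a discard dst; the check should be `if (dst->error) { dst_release(dst); return false; }`. The IPv4 side in tee_tg_route4 handles the equivalent case correctly through the return value of ip_route_output_key(). Separately, tee_tg_check ignores the return value of register_netdevice_notifier(); on failure `priv` should be freed and the error returned instead of leaving `info->priv` set. The `--iph->ttl` and `--iph->hop_limit` decrements in tee_tg4/tee_tg6 do not guard against a value of 0 wrapping to 255, which would defeat the loop mitigation the comment describes if such a packet can reach these hooks.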
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index 1340c2fa3621..4f246ddc5c48 100644 --- a/net/netfilter/xt_TPROXY.c +++ b/net/netfilter/xt_TPROXY.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | * | 10 | * |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
15 | #include <linux/ip.h> | 15 | #include <linux/ip.h> |
@@ -59,17 +59,17 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
59 | return NF_DROP; | 59 | return NF_DROP; |
60 | } | 60 | } |
61 | 61 | ||
62 | static bool tproxy_tg_check(const struct xt_tgchk_param *par) | 62 | static int tproxy_tg_check(const struct xt_tgchk_param *par) |
63 | { | 63 | { |
64 | const struct ipt_ip *i = par->entryinfo; | 64 | const struct ipt_ip *i = par->entryinfo; |
65 | 65 | ||
66 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) | 66 | if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) |
67 | && !(i->invflags & IPT_INV_PROTO)) | 67 | && !(i->invflags & IPT_INV_PROTO)) |
68 | return true; | 68 | return 0; |
69 | 69 | ||
70 | pr_info("xt_TPROXY: Can be used only in combination with " | 70 | pr_info("Can be used only in combination with " |
71 | "either -p tcp or -p udp\n"); | 71 | "either -p tcp or -p udp\n"); |
72 | return false; | 72 | return -EINVAL; |
73 | } | 73 | } |
74 | 74 | ||
75 | static struct xt_target tproxy_tg_reg __read_mostly = { | 75 | static struct xt_target tproxy_tg_reg __read_mostly = { |
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c index 225ee3ecd69d..6c941e1c6b9e 100644 --- a/net/netfilter/xt_cluster.c +++ b/net/netfilter/xt_cluster.c | |||
@@ -5,6 +5,7 @@ | |||
5 | * it under the terms of the GNU General Public License version 2 as | 5 | * it under the terms of the GNU General Public License version 2 as |
6 | * published by the Free Software Foundation. | 6 | * published by the Free Software Foundation. |
7 | */ | 7 | */ |
8 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
8 | #include <linux/module.h> | 9 | #include <linux/module.h> |
9 | #include <linux/skbuff.h> | 10 | #include <linux/skbuff.h> |
10 | #include <linux/jhash.h> | 11 | #include <linux/jhash.h> |
@@ -131,22 +132,22 @@ xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
131 | !!(info->flags & XT_CLUSTER_F_INV); | 132 | !!(info->flags & XT_CLUSTER_F_INV); |
132 | } | 133 | } |
133 | 134 | ||
134 | static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) | 135 | static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) |
135 | { | 136 | { |
136 | struct xt_cluster_match_info *info = par->matchinfo; | 137 | struct xt_cluster_match_info *info = par->matchinfo; |
137 | 138 | ||
138 | if (info->total_nodes > XT_CLUSTER_NODES_MAX) { | 139 | if (info->total_nodes > XT_CLUSTER_NODES_MAX) { |
139 | printk(KERN_ERR "xt_cluster: you have exceeded the maximum " | 140 | pr_info("you have exceeded the maximum " |
140 | "number of cluster nodes (%u > %u)\n", | 141 | "number of cluster nodes (%u > %u)\n", |
141 | info->total_nodes, XT_CLUSTER_NODES_MAX); | 142 | info->total_nodes, XT_CLUSTER_NODES_MAX); |
142 | return false; | 143 | return -EINVAL; |
143 | } | 144 | } |
144 | if (info->node_mask >= (1ULL << info->total_nodes)) { | 145 | if (info->node_mask >= (1ULL << info->total_nodes)) { |
145 | printk(KERN_ERR "xt_cluster: this node mask cannot be " | 146 | pr_info("this node mask cannot be " |
146 | "higher than the total number of nodes\n"); | 147 | "higher than the total number of nodes\n"); |
147 | return false; | 148 | return -EDOM; |
148 | } | 149 | } |
149 | return true; | 150 | return 0; |
150 | } | 151 | } |
151 | 152 | ||
152 | static struct xt_match xt_cluster_match __read_mostly = { | 153 | static struct xt_match xt_cluster_match __read_mostly = { |
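Review bot: The second test in xt_cluster_mt_checkentry, `if (info->node_mask >= (1ULL << info->total_nodes))`, is only well-defined because the preceding test already bounded total_nodes by XT_CLUSTER_NODES_MAX (which must stay below 64 for that to hold; its value is not visible here), and that dependency is silent in the code. A one-line comment above the mask test, `/* total_nodes was bounded by XT_CLUSTER_NODES_MAX above, so the shift below cannot reach the width of node_mask */`, would stop a later reorder from turning userspace-supplied total_nodes into an out-of-range shift. total_nodes == 0 is also not rejected: with a zero node count only node_mask == 0 passes, which presumably never makes a useful rule, so `if (info->total_nodes == 0) return -EINVAL;` before the shift is worth considering unless the matcher (whose body is outside the hunk) copes with it.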
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index 955e6598a7f0..ff738a5f963a 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c | |||
@@ -1,6 +1,7 @@ | |||
1 | /* Kernel module to match connection tracking byte counter. | 1 | /* Kernel module to match connection tracking byte counter. |
2 | * GPL (C) 2002 Martin Devera (devik@cdi.cz). | 2 | * GPL (C) 2002 Martin Devera (devik@cdi.cz). |
3 | */ | 3 | */ |
4 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
4 | #include <linux/module.h> | 5 | #include <linux/module.h> |
5 | #include <linux/bitops.h> | 6 | #include <linux/bitops.h> |
6 | #include <linux/skbuff.h> | 7 | #include <linux/skbuff.h> |
@@ -92,27 +93,26 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
92 | return what >= sinfo->count.from; | 93 | return what >= sinfo->count.from; |
93 | } | 94 | } |
94 | 95 | ||
95 | static bool connbytes_mt_check(const struct xt_mtchk_param *par) | 96 | static int connbytes_mt_check(const struct xt_mtchk_param *par) |
96 | { | 97 | { |
97 | const struct xt_connbytes_info *sinfo = par->matchinfo; | 98 | const struct xt_connbytes_info *sinfo = par->matchinfo; |
99 | int ret; | ||
98 | 100 | ||
99 | if (sinfo->what != XT_CONNBYTES_PKTS && | 101 | if (sinfo->what != XT_CONNBYTES_PKTS && |
100 | sinfo->what != XT_CONNBYTES_BYTES && | 102 | sinfo->what != XT_CONNBYTES_BYTES && |
101 | sinfo->what != XT_CONNBYTES_AVGPKT) | 103 | sinfo->what != XT_CONNBYTES_AVGPKT) |
102 | return false; | 104 | return -EINVAL; |
103 | 105 | ||
104 | if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL && | 106 | if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL && |
105 | sinfo->direction != XT_CONNBYTES_DIR_REPLY && | 107 | sinfo->direction != XT_CONNBYTES_DIR_REPLY && |
106 | sinfo->direction != XT_CONNBYTES_DIR_BOTH) | 108 | sinfo->direction != XT_CONNBYTES_DIR_BOTH) |
107 | return false; | 109 | return -EINVAL; |
108 | |||
109 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | ||
110 | printk(KERN_WARNING "can't load conntrack support for " | ||
111 | "proto=%u\n", par->family); | ||
112 | return false; | ||
113 | } | ||
114 | 110 | ||
115 | return true; | 111 | ret = nf_ct_l3proto_try_module_get(par->family); |
112 | if (ret < 0) | ||
113 | pr_info("cannot load conntrack support for proto=%u\n", | ||
114 | par->family); | ||
115 | return ret; | ||
116 | } | 116 | } |
117 | 117 | ||
118 | static void connbytes_mt_destroy(const struct xt_mtdtor_param *par) | 118 | static void connbytes_mt_destroy(const struct xt_mtdtor_param *par) |
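Review bot: The new tail of connbytes_mt_check, `ret = nf_ct_l3proto_try_module_get(par->family); if (ret < 0) pr_info("cannot load conntrack support for proto=%u\n", par->family); return ret;`, is repeated verbatim in connlimit_mt_check, connmark_tg_check, connmark_mt_check and conntrack_mt_check in this same commit. A small shared helper (name to taste, e.g. a `xt_ct_try_module_get(u8 family)` wrapper that logs and returns the error) would keep the message and the return convention in one place. Within this function the two earlier `return -EINVAL;` paths for an invalid `what` or `direction` stay silent while the module-load failure logs, so a user whose rule is rejected for a bad option gets no hint; either log there too or keep quiet consistently, but the same choice should apply across the converted modules.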
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 388ca4596098..326bc1b81681 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c | |||
@@ -5,13 +5,13 @@ | |||
5 | * Nov 2002: Martin Bene <martin.bene@icomedias.com>: | 5 | * Nov 2002: Martin Bene <martin.bene@icomedias.com>: |
6 | * only ignore TIME_WAIT or gone connections | 6 | * only ignore TIME_WAIT or gone connections |
7 | * (C) CC Computer Consultants GmbH, 2007 | 7 | * (C) CC Computer Consultants GmbH, 2007 |
8 | * Contact: <jengelh@computergmbh.de> | ||
9 | * | 8 | * |
10 | * based on ... | 9 | * based on ... |
11 | * | 10 | * |
12 | * Kernel module to match connection tracking information. | 11 | * Kernel module to match connection tracking information. |
13 | * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). | 12 | * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). |
14 | */ | 13 | */ |
14 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
15 | #include <linux/in.h> | 15 | #include <linux/in.h> |
16 | #include <linux/in6.h> | 16 | #include <linux/in6.h> |
17 | #include <linux/ip.h> | 17 | #include <linux/ip.h> |
@@ -217,33 +217,35 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
217 | return false; | 217 | return false; |
218 | } | 218 | } |
219 | 219 | ||
220 | static bool connlimit_mt_check(const struct xt_mtchk_param *par) | 220 | static int connlimit_mt_check(const struct xt_mtchk_param *par) |
221 | { | 221 | { |
222 | struct xt_connlimit_info *info = par->matchinfo; | 222 | struct xt_connlimit_info *info = par->matchinfo; |
223 | unsigned int i; | 223 | unsigned int i; |
224 | int ret; | ||
224 | 225 | ||
225 | if (unlikely(!connlimit_rnd_inited)) { | 226 | if (unlikely(!connlimit_rnd_inited)) { |
226 | get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); | 227 | get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); |
227 | connlimit_rnd_inited = true; | 228 | connlimit_rnd_inited = true; |
228 | } | 229 | } |
229 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 230 | ret = nf_ct_l3proto_try_module_get(par->family); |
230 | printk(KERN_WARNING "cannot load conntrack support for " | 231 | if (ret < 0) { |
231 | "address family %u\n", par->family); | 232 | pr_info("cannot load conntrack support for " |
232 | return false; | 233 | "address family %u\n", par->family); |
234 | return ret; | ||
233 | } | 235 | } |
234 | 236 | ||
235 | /* init private data */ | 237 | /* init private data */ |
236 | info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); | 238 | info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); |
237 | if (info->data == NULL) { | 239 | if (info->data == NULL) { |
238 | nf_ct_l3proto_module_put(par->family); | 240 | nf_ct_l3proto_module_put(par->family); |
239 | return false; | 241 | return -ENOMEM; |
240 | } | 242 | } |
241 | 243 | ||
242 | spin_lock_init(&info->data->lock); | 244 | spin_lock_init(&info->data->lock); |
243 | for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) | 245 | for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) |
244 | INIT_LIST_HEAD(&info->data->iphash[i]); | 246 | INIT_LIST_HEAD(&info->data->iphash[i]); |
245 | 247 | ||
246 | return true; | 248 | return 0; |
247 | } | 249 | } |
248 | 250 | ||
249 | static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) | 251 | static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) |
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 122aa8b0147b..ae1015484ae2 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c | |||
@@ -1,10 +1,10 @@ | |||
1 | /* | 1 | /* |
2 | * xt_connmark - Netfilter module to match connection mark values | 2 | * xt_connmark - Netfilter module to operate on connection marks |
3 | * | 3 | * |
4 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | 4 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> |
5 | * by Henrik Nordstrom <hno@marasystems.com> | 5 | * by Henrik Nordstrom <hno@marasystems.com> |
6 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 | 6 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 |
7 | * Jan Engelhardt <jengelh@computergmbh.de> | 7 | * Jan Engelhardt <jengelh@medozas.de> |
8 | * | 8 | * |
9 | * This program is free software; you can redistribute it and/or modify | 9 | * This program is free software; you can redistribute it and/or modify |
10 | * it under the terms of the GNU General Public License as published by | 10 | * it under the terms of the GNU General Public License as published by |
@@ -24,15 +24,72 @@ | |||
24 | #include <linux/module.h> | 24 | #include <linux/module.h> |
25 | #include <linux/skbuff.h> | 25 | #include <linux/skbuff.h> |
26 | #include <net/netfilter/nf_conntrack.h> | 26 | #include <net/netfilter/nf_conntrack.h> |
27 | #include <net/netfilter/nf_conntrack_ecache.h> | ||
27 | #include <linux/netfilter/x_tables.h> | 28 | #include <linux/netfilter/x_tables.h> |
28 | #include <linux/netfilter/xt_connmark.h> | 29 | #include <linux/netfilter/xt_connmark.h> |
29 | 30 | ||
30 | MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); | 31 | MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); |
31 | MODULE_DESCRIPTION("Xtables: connection mark match"); | 32 | MODULE_DESCRIPTION("Xtables: connection mark operations"); |
32 | MODULE_LICENSE("GPL"); | 33 | MODULE_LICENSE("GPL"); |
34 | MODULE_ALIAS("ipt_CONNMARK"); | ||
35 | MODULE_ALIAS("ip6t_CONNMARK"); | ||
33 | MODULE_ALIAS("ipt_connmark"); | 36 | MODULE_ALIAS("ipt_connmark"); |
34 | MODULE_ALIAS("ip6t_connmark"); | 37 | MODULE_ALIAS("ip6t_connmark"); |
35 | 38 | ||
39 | static unsigned int | ||
40 | connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | ||
41 | { | ||
42 | const struct xt_connmark_tginfo1 *info = par->targinfo; | ||
43 | enum ip_conntrack_info ctinfo; | ||
44 | struct nf_conn *ct; | ||
45 | u_int32_t newmark; | ||
46 | |||
47 | ct = nf_ct_get(skb, &ctinfo); | ||
48 | if (ct == NULL) | ||
49 | return XT_CONTINUE; | ||
50 | |||
51 | switch (info->mode) { | ||
52 | case XT_CONNMARK_SET: | ||
53 | newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; | ||
54 | if (ct->mark != newmark) { | ||
55 | ct->mark = newmark; | ||
56 | nf_conntrack_event_cache(IPCT_MARK, ct); | ||
57 | } | ||
58 | break; | ||
59 | case XT_CONNMARK_SAVE: | ||
60 | newmark = (ct->mark & ~info->ctmask) ^ | ||
61 | (skb->mark & info->nfmask); | ||
62 | if (ct->mark != newmark) { | ||
63 | ct->mark = newmark; | ||
64 | nf_conntrack_event_cache(IPCT_MARK, ct); | ||
65 | } | ||
66 | break; | ||
67 | case XT_CONNMARK_RESTORE: | ||
68 | newmark = (skb->mark & ~info->nfmask) ^ | ||
69 | (ct->mark & info->ctmask); | ||
70 | skb->mark = newmark; | ||
71 | break; | ||
72 | } | ||
73 | |||
74 | return XT_CONTINUE; | ||
75 | } | ||
76 | |||
77 | static int connmark_tg_check(const struct xt_tgchk_param *par) | ||
78 | { | ||
79 | int ret; | ||
80 | |||
81 | ret = nf_ct_l3proto_try_module_get(par->family); | ||
82 | if (ret < 0) | ||
83 | pr_info("cannot load conntrack support for proto=%u\n", | ||
84 | par->family); | ||
85 | return ret; | ||
86 | } | ||
87 | |||
88 | static void connmark_tg_destroy(const struct xt_tgdtor_param *par) | ||
89 | { | ||
90 | nf_ct_l3proto_module_put(par->family); | ||
91 | } | ||
92 | |||
36 | static bool | 93 | static bool |
37 | connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 94 | connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
38 | { | 95 | { |
@@ -47,14 +104,15 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
47 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; | 104 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; |
48 | } | 105 | } |
49 | 106 | ||
50 | static bool connmark_mt_check(const struct xt_mtchk_param *par) | 107 | static int connmark_mt_check(const struct xt_mtchk_param *par) |
51 | { | 108 | { |
52 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 109 | int ret; |
53 | printk(KERN_WARNING "cannot load conntrack support for " | 110 | |
54 | "proto=%u\n", par->family); | 111 | ret = nf_ct_l3proto_try_module_get(par->family); |
55 | return false; | 112 | if (ret < 0) |
56 | } | 113 | pr_info("cannot load conntrack support for proto=%u\n", |
57 | return true; | 114 | par->family); |
115 | return ret; | ||
58 | } | 116 | } |
59 | 117 | ||
60 | static void connmark_mt_destroy(const struct xt_mtdtor_param *par) | 118 | static void connmark_mt_destroy(const struct xt_mtdtor_param *par) |
@@ -62,6 +120,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par) | |||
62 | nf_ct_l3proto_module_put(par->family); | 120 | nf_ct_l3proto_module_put(par->family); |
63 | } | 121 | } |
64 | 122 | ||
123 | static struct xt_target connmark_tg_reg __read_mostly = { | ||
124 | .name = "CONNMARK", | ||
125 | .revision = 1, | ||
126 | .family = NFPROTO_UNSPEC, | ||
127 | .checkentry = connmark_tg_check, | ||
128 | .target = connmark_tg, | ||
129 | .targetsize = sizeof(struct xt_connmark_tginfo1), | ||
130 | .destroy = connmark_tg_destroy, | ||
131 | .me = THIS_MODULE, | ||
132 | }; | ||
133 | |||
65 | static struct xt_match connmark_mt_reg __read_mostly = { | 134 | static struct xt_match connmark_mt_reg __read_mostly = { |
66 | .name = "connmark", | 135 | .name = "connmark", |
67 | .revision = 1, | 136 | .revision = 1, |
@@ -75,12 +144,23 @@ static struct xt_match connmark_mt_reg __read_mostly = { | |||
75 | 144 | ||
76 | static int __init connmark_mt_init(void) | 145 | static int __init connmark_mt_init(void) |
77 | { | 146 | { |
78 | return xt_register_match(&connmark_mt_reg); | 147 | int ret; |
148 | |||
149 | ret = xt_register_target(&connmark_tg_reg); | ||
150 | if (ret < 0) | ||
151 | return ret; | ||
152 | ret = xt_register_match(&connmark_mt_reg); | ||
153 | if (ret < 0) { | ||
154 | xt_unregister_target(&connmark_tg_reg); | ||
155 | return ret; | ||
156 | } | ||
157 | return 0; | ||
79 | } | 158 | } |
80 | 159 | ||
81 | static void __exit connmark_mt_exit(void) | 160 | static void __exit connmark_mt_exit(void) |
82 | { | 161 | { |
83 | xt_unregister_match(&connmark_mt_reg); | 162 | xt_unregister_match(&connmark_mt_reg); |
163 | xt_unregister_target(&connmark_tg_reg); | ||
84 | } | 164 | } |
85 | 165 | ||
86 | module_init(connmark_mt_init); | 166 | module_init(connmark_mt_init); |
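Review bot: connmark_tg_check never looks at `info->mode`, and the `switch (info->mode)` in connmark_tg has no `default:` arm, so a targinfo carrying any value other than XT_CONNMARK_SET, XT_CONNMARK_SAVE or XT_CONNMARK_RESTORE is accepted at rule-insertion time and then silently does nothing per packet. Since targinfo arrives from userspace, the check function is the right place to reject it with -EINVAL, as sketched below; the module_get path is unchanged. A `default:` arm in the target's switch would then guard against a later enum addition slipping through. The connmark_mt body is outside the hunk.
```c
static int connmark_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_connmark_tginfo1 *info = par->targinfo;

	/* targinfo comes from userspace: reject modes the target cannot act on */
	if (info->mode != XT_CONNMARK_SET &&
	    info->mode != XT_CONNMARK_SAVE &&
	    info->mode != XT_CONNMARK_RESTORE)
		return -EINVAL;
	/* … unchanged: nf_ct_l3proto_try_module_get() / pr_info() / return ret … */
}
```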
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index ae66305f0fe5..3348706ce56d 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
10 | * published by the Free Software Foundation. | 10 | * published by the Free Software Foundation. |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
15 | #include <net/ipv6.h> | 15 | #include <net/ipv6.h> |
@@ -206,14 +206,15 @@ conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par) | |||
206 | return conntrack_mt(skb, par, info->state_mask, info->status_mask); | 206 | return conntrack_mt(skb, par, info->state_mask, info->status_mask); |
207 | } | 207 | } |
208 | 208 | ||
209 | static bool conntrack_mt_check(const struct xt_mtchk_param *par) | 209 | static int conntrack_mt_check(const struct xt_mtchk_param *par) |
210 | { | 210 | { |
211 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 211 | int ret; |
212 | printk(KERN_WARNING "can't load conntrack support for " | 212 | |
213 | "proto=%u\n", par->family); | 213 | ret = nf_ct_l3proto_try_module_get(par->family); |
214 | return false; | 214 | if (ret < 0) |
215 | } | 215 | pr_info("cannot load conntrack support for proto=%u\n", |
216 | return true; | 216 | par->family); |
217 | return ret; | ||
217 | } | 218 | } |
218 | 219 | ||
219 | static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) | 220 | static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) |
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c index 395af5943ffd..0d260aec487f 100644 --- a/net/netfilter/xt_dccp.c +++ b/net/netfilter/xt_dccp.c | |||
@@ -124,13 +124,17 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
124 | XT_DCCP_OPTION, info->flags, info->invflags); | 124 | XT_DCCP_OPTION, info->flags, info->invflags); |
125 | } | 125 | } |
126 | 126 | ||
127 | static bool dccp_mt_check(const struct xt_mtchk_param *par) | 127 | static int dccp_mt_check(const struct xt_mtchk_param *par) |
128 | { | 128 | { |
129 | const struct xt_dccp_info *info = par->matchinfo; | 129 | const struct xt_dccp_info *info = par->matchinfo; |
130 | 130 | ||
131 | return !(info->flags & ~XT_DCCP_VALID_FLAGS) | 131 | if (info->flags & ~XT_DCCP_VALID_FLAGS) |
132 | && !(info->invflags & ~XT_DCCP_VALID_FLAGS) | 132 | return -EINVAL; |
133 | && !(info->invflags & ~info->flags); | 133 | if (info->invflags & ~XT_DCCP_VALID_FLAGS) |
134 | return -EINVAL; | ||
135 | if (info->invflags & ~info->flags) | ||
136 | return -EINVAL; | ||
137 | return 0; | ||
134 | } | 138 | } |
135 | 139 | ||
136 | static struct xt_match dccp_mt_reg[] __read_mostly = { | 140 | static struct xt_match dccp_mt_reg[] __read_mostly = { |
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c index 0280d3a8c161..9db51fddbdb8 100644 --- a/net/netfilter/xt_dscp.c +++ b/net/netfilter/xt_dscp.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/ip.h> | 12 | #include <linux/ip.h> |
@@ -42,23 +42,23 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
42 | return (dscp == info->dscp) ^ !!info->invert; | 42 | return (dscp == info->dscp) ^ !!info->invert; |
43 | } | 43 | } |
44 | 44 | ||
45 | static bool dscp_mt_check(const struct xt_mtchk_param *par) | 45 | static int dscp_mt_check(const struct xt_mtchk_param *par) |
46 | { | 46 | { |
47 | const struct xt_dscp_info *info = par->matchinfo; | 47 | const struct xt_dscp_info *info = par->matchinfo; |
48 | 48 | ||
49 | if (info->dscp > XT_DSCP_MAX) { | 49 | if (info->dscp > XT_DSCP_MAX) { |
50 | printk(KERN_ERR "xt_dscp: dscp %x out of range\n", info->dscp); | 50 | pr_info("dscp %x out of range\n", info->dscp); |
51 | return false; | 51 | return -EDOM; |
52 | } | 52 | } |
53 | 53 | ||
54 | return true; | 54 | return 0; |
55 | } | 55 | } |
56 | 56 | ||
57 | static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 57 | static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
58 | { | 58 | { |
59 | const struct xt_tos_match_info *info = par->matchinfo; | 59 | const struct xt_tos_match_info *info = par->matchinfo; |
60 | 60 | ||
61 | if (par->match->family == NFPROTO_IPV4) | 61 | if (par->family == NFPROTO_IPV4) |
62 | return ((ip_hdr(skb)->tos & info->tos_mask) == | 62 | return ((ip_hdr(skb)->tos & info->tos_mask) == |
63 | info->tos_value) ^ !!info->invert; | 63 | info->tos_value) ^ !!info->invert; |
64 | else | 64 | else |
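Review bot: The `par->match->family` → `par->family` change in tos_mt is a behavioural change unrelated to the bool-to-int conversion the rest of the commit performs: par->family is the family of the table the rule is loaded into, whereas match->family is whatever the match was registered with, and the two differ when the match is registered as NFPROTO_UNSPEC (the registration table is outside the hunk, so whether that applies here is inferred). If this is a deliberate fix it deserves a sentence in the commit message, or its own commit, so it is not buried in a mechanical conversion; if it is not intended, it should be dropped.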
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c index 609439967c2c..143bfdc8e38f 100644 --- a/net/netfilter/xt_esp.c +++ b/net/netfilter/xt_esp.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/in.h> | 12 | #include <linux/in.h> |
@@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match"); | |||
24 | MODULE_ALIAS("ipt_esp"); | 24 | MODULE_ALIAS("ipt_esp"); |
25 | MODULE_ALIAS("ip6t_esp"); | 25 | MODULE_ALIAS("ip6t_esp"); |
26 | 26 | ||
27 | #if 0 | ||
28 | #define duprintf(format, args...) printk(format , ## args) | ||
29 | #else | ||
30 | #define duprintf(format, args...) | ||
31 | #endif | ||
32 | |||
33 | /* Returns 1 if the spi is matched by the range, 0 otherwise */ | 27 | /* Returns 1 if the spi is matched by the range, 0 otherwise */ |
34 | static inline bool | 28 | static inline bool |
35 | spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) | 29 | spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) |
36 | { | 30 | { |
37 | bool r; | 31 | bool r; |
38 | duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', | 32 | pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n", |
39 | min, spi, max); | 33 | invert ? '!' : ' ', min, spi, max); |
40 | r = (spi >= min && spi <= max) ^ invert; | 34 | r = (spi >= min && spi <= max) ^ invert; |
41 | duprintf(" result %s\n", r ? "PASS" : "FAILED"); | 35 | pr_debug(" result %s\n", r ? "PASS" : "FAILED"); |
42 | return r; | 36 | return r; |
43 | } | 37 | } |
44 | 38 | ||
@@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
57 | /* We've been asked to examine this packet, and we | 51 | /* We've been asked to examine this packet, and we |
58 | * can't. Hence, no choice but to drop. | 52 | * can't. Hence, no choice but to drop. |
59 | */ | 53 | */ |
60 | duprintf("Dropping evil ESP tinygram.\n"); | 54 | pr_debug("Dropping evil ESP tinygram.\n"); |
61 | *par->hotdrop = true; | 55 | *par->hotdrop = true; |
62 | return false; | 56 | return false; |
63 | } | 57 | } |
@@ -66,16 +60,16 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
66 | !!(espinfo->invflags & XT_ESP_INV_SPI)); | 60 | !!(espinfo->invflags & XT_ESP_INV_SPI)); |
67 | } | 61 | } |
68 | 62 | ||
69 | static bool esp_mt_check(const struct xt_mtchk_param *par) | 63 | static int esp_mt_check(const struct xt_mtchk_param *par) |
70 | { | 64 | { |
71 | const struct xt_esp *espinfo = par->matchinfo; | 65 | const struct xt_esp *espinfo = par->matchinfo; |
72 | 66 | ||
73 | if (espinfo->invflags & ~XT_ESP_INV_MASK) { | 67 | if (espinfo->invflags & ~XT_ESP_INV_MASK) { |
74 | duprintf("xt_esp: unknown flags %X\n", espinfo->invflags); | 68 | pr_debug("unknown flags %X\n", espinfo->invflags); |
75 | return false; | 69 | return -EINVAL; |
76 | } | 70 | } |
77 | 71 | ||
78 | return true; | 72 | return 0; |
79 | } | 73 | } |
80 | 74 | ||
81 | static struct xt_match esp_mt_reg[] __read_mostly = { | 75 | static struct xt_match esp_mt_reg[] __read_mostly = { |
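Review bot: In esp_mt_check the rejected-rule diagnostic became `pr_debug("unknown flags %X\n", espinfo->invflags);`, which is compiled out unless DEBUG or dynamic debug is enabled, while the same situation in the other modules converted by this commit (xt_dscp, xt_cluster, xt_TPROXY) reports with pr_info. A user whose rule fails with -EINVAL therefore gets no hint from xt_esp; `pr_info("unknown flags %X\n", espinfo->invflags);` would match the rest of the series. The per-packet pr_debug calls in spi_match and esp_mt are appropriate as they are; note only that the first one in spi_match gained a trailing "\n", so the following `" result %s\n"` message now prints as its own prefixed line rather than continuing the first, which looks intended.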
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 215a64835de8..0c366d387c8c 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c | |||
@@ -7,6 +7,7 @@ | |||
7 | * | 7 | * |
8 | * Development of this code was funded by Astaro AG, http://www.astaro.com/ | 8 | * Development of this code was funded by Astaro AG, http://www.astaro.com/ |
9 | */ | 9 | */ |
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
10 | #include <linux/module.h> | 11 | #include <linux/module.h> |
11 | #include <linux/spinlock.h> | 12 | #include <linux/spinlock.h> |
12 | #include <linux/random.h> | 13 | #include <linux/random.h> |
@@ -36,7 +37,7 @@ | |||
36 | 37 | ||
37 | MODULE_LICENSE("GPL"); | 38 | MODULE_LICENSE("GPL"); |
38 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | 39 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); |
39 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 40 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
40 | MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match"); | 41 | MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match"); |
41 | MODULE_ALIAS("ipt_hashlimit"); | 42 | MODULE_ALIAS("ipt_hashlimit"); |
42 | MODULE_ALIAS("ip6t_hashlimit"); | 43 | MODULE_ALIAS("ip6t_hashlimit"); |
@@ -80,12 +81,14 @@ struct dsthash_ent { | |||
80 | struct dsthash_dst dst; | 81 | struct dsthash_dst dst; |
81 | 82 | ||
82 | /* modified structure members in the end */ | 83 | /* modified structure members in the end */ |
84 | spinlock_t lock; | ||
83 | unsigned long expires; /* precalculated expiry time */ | 85 | unsigned long expires; /* precalculated expiry time */ |
84 | struct { | 86 | struct { |
85 | unsigned long prev; /* last modification */ | 87 | unsigned long prev; /* last modification */ |
86 | u_int32_t credit; | 88 | u_int32_t credit; |
87 | u_int32_t credit_cap, cost; | 89 | u_int32_t credit_cap, cost; |
88 | } rateinfo; | 90 | } rateinfo; |
91 | struct rcu_head rcu; | ||
89 | }; | 92 | }; |
90 | 93 | ||
91 | struct xt_hashlimit_htable { | 94 | struct xt_hashlimit_htable { |
@@ -142,9 +145,11 @@ dsthash_find(const struct xt_hashlimit_htable *ht, | |||
142 | u_int32_t hash = hash_dst(ht, dst); | 145 | u_int32_t hash = hash_dst(ht, dst); |
143 | 146 | ||
144 | if (!hlist_empty(&ht->hash[hash])) { | 147 | if (!hlist_empty(&ht->hash[hash])) { |
145 | hlist_for_each_entry(ent, pos, &ht->hash[hash], node) | 148 | hlist_for_each_entry_rcu(ent, pos, &ht->hash[hash], node) |
146 | if (dst_cmp(ent, dst)) | 149 | if (dst_cmp(ent, dst)) { |
150 | spin_lock(&ent->lock); | ||
147 | return ent; | 151 | return ent; |
152 | } | ||
148 | } | 153 | } |
149 | return NULL; | 154 | return NULL; |
150 | } | 155 | } |
@@ -156,9 +161,10 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht, | |||
156 | { | 161 | { |
157 | struct dsthash_ent *ent; | 162 | struct dsthash_ent *ent; |
158 | 163 | ||
164 | spin_lock(&ht->lock); | ||
159 | /* initialize hash with random val at the time we allocate | 165 | /* initialize hash with random val at the time we allocate |
160 | * the first hashtable entry */ | 166 | * the first hashtable entry */ |
161 | if (!ht->rnd_initialized) { | 167 | if (unlikely(!ht->rnd_initialized)) { |
162 | get_random_bytes(&ht->rnd, sizeof(ht->rnd)); | 168 | get_random_bytes(&ht->rnd, sizeof(ht->rnd)); |
163 | ht->rnd_initialized = true; | 169 | ht->rnd_initialized = true; |
164 | } | 170 | } |
@@ -166,106 +172,40 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht, | |||
166 | if (ht->cfg.max && ht->count >= ht->cfg.max) { | 172 | if (ht->cfg.max && ht->count >= ht->cfg.max) { |
167 | /* FIXME: do something. question is what.. */ | 173 | /* FIXME: do something. question is what.. */ |
168 | if (net_ratelimit()) | 174 | if (net_ratelimit()) |
169 | printk(KERN_WARNING | 175 | pr_err("max count of %u reached\n", ht->cfg.max); |
170 | "xt_hashlimit: max count of %u reached\n", | 176 | ent = NULL; |
171 | ht->cfg.max); | 177 | } else |
172 | return NULL; | 178 | ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC); |
173 | } | ||
174 | |||
175 | ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC); | ||
176 | if (!ent) { | 179 | if (!ent) { |
177 | if (net_ratelimit()) | 180 | if (net_ratelimit()) |
178 | printk(KERN_ERR | 181 | pr_err("cannot allocate dsthash_ent\n"); |
179 | "xt_hashlimit: can't allocate dsthash_ent\n"); | 182 | } else { |
180 | return NULL; | 183 | memcpy(&ent->dst, dst, sizeof(ent->dst)); |
181 | } | 184 | spin_lock_init(&ent->lock); |
182 | memcpy(&ent->dst, dst, sizeof(ent->dst)); | ||
183 | 185 | ||
184 | hlist_add_head(&ent->node, &ht->hash[hash_dst(ht, dst)]); | 186 | spin_lock(&ent->lock); |
185 | ht->count++; | 187 | hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]); |
188 | ht->count++; | ||
189 | } | ||
190 | spin_unlock(&ht->lock); | ||
186 | return ent; | 191 | return ent; |
187 | } | 192 | } |
188 | 193 | ||
189 | static inline void | 194 | static void dsthash_free_rcu(struct rcu_head *head) |
190 | dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent) | ||
191 | { | 195 | { |
192 | hlist_del(&ent->node); | 196 | struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu); |
197 | |||
193 | kmem_cache_free(hashlimit_cachep, ent); | 198 | kmem_cache_free(hashlimit_cachep, ent); |
194 | ht->count--; | ||
195 | } | 199 | } |
196 | static void htable_gc(unsigned long htlong); | ||
197 | 200 | ||
198 | static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_int8_t family) | 201 | static inline void |
202 | dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent) | ||
199 | { | 203 | { |
200 | struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); | 204 | hlist_del_rcu(&ent->node); |
201 | struct xt_hashlimit_htable *hinfo; | 205 | call_rcu_bh(&ent->rcu, dsthash_free_rcu); |
202 | unsigned int size; | 206 | ht->count--; |
203 | unsigned int i; | ||
204 | |||
205 | if (minfo->cfg.size) | ||
206 | size = minfo->cfg.size; | ||
207 | else { | ||
208 | size = ((totalram_pages << PAGE_SHIFT) / 16384) / | ||
209 | sizeof(struct list_head); | ||
210 | if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE)) | ||
211 | size = 8192; | ||
212 | if (size < 16) | ||
213 | size = 16; | ||
214 | } | ||
215 | /* FIXME: don't use vmalloc() here or anywhere else -HW */ | ||
216 | hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + | ||
217 | sizeof(struct list_head) * size); | ||
218 | if (!hinfo) { | ||
219 | printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n"); | ||
220 | return -1; | ||
221 | } | ||
222 | minfo->hinfo = hinfo; | ||
223 | |||
224 | /* copy match config into hashtable config */ | ||
225 | hinfo->cfg.mode = minfo->cfg.mode; | ||
226 | hinfo->cfg.avg = minfo->cfg.avg; | ||
227 | hinfo->cfg.burst = minfo->cfg.burst; | ||
228 | hinfo->cfg.max = minfo->cfg.max; | ||
229 | hinfo->cfg.gc_interval = minfo->cfg.gc_interval; | ||
230 | hinfo->cfg.expire = minfo->cfg.expire; | ||
231 | |||
232 | if (family == NFPROTO_IPV4) | ||
233 | hinfo->cfg.srcmask = hinfo->cfg.dstmask = 32; | ||
234 | else | ||
235 | hinfo->cfg.srcmask = hinfo->cfg.dstmask = 128; | ||
236 | |||
237 | hinfo->cfg.size = size; | ||
238 | if (!hinfo->cfg.max) | ||
239 | hinfo->cfg.max = 8 * hinfo->cfg.size; | ||
240 | else if (hinfo->cfg.max < hinfo->cfg.size) | ||
241 | hinfo->cfg.max = hinfo->cfg.size; | ||
242 | |||
243 | for (i = 0; i < hinfo->cfg.size; i++) | ||
244 | INIT_HLIST_HEAD(&hinfo->hash[i]); | ||
245 | |||
246 | hinfo->use = 1; | ||
247 | hinfo->count = 0; | ||
248 | hinfo->family = family; | ||
249 | hinfo->rnd_initialized = false; | ||
250 | spin_lock_init(&hinfo->lock); | ||
251 | hinfo->pde = proc_create_data(minfo->name, 0, | ||
252 | (family == NFPROTO_IPV4) ? | ||
253 | hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit, | ||
254 | &dl_file_ops, hinfo); | ||
255 | if (!hinfo->pde) { | ||
256 | vfree(hinfo); | ||
257 | return -1; | ||
258 | } | ||
259 | hinfo->net = net; | ||
260 | |||
261 | setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo); | ||
262 | hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval); | ||
263 | add_timer(&hinfo->timer); | ||
264 | |||
265 | hlist_add_head(&hinfo->node, &hashlimit_net->htables); | ||
266 | |||
267 | return 0; | ||
268 | } | 207 | } |
208 | static void htable_gc(unsigned long htlong); | ||
269 | 209 | ||
270 | static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, | 210 | static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, |
271 | u_int8_t family) | 211 | u_int8_t family) |
@@ -288,10 +228,8 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, | |||
288 | /* FIXME: don't use vmalloc() here or anywhere else -HW */ | 228 | /* FIXME: don't use vmalloc() here or anywhere else -HW */ |
289 | hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + | 229 | hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + |
290 | sizeof(struct list_head) * size); | 230 | sizeof(struct list_head) * size); |
291 | if (hinfo == NULL) { | 231 | if (hinfo == NULL) |
292 | printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n"); | 232 | return -ENOMEM; |
293 | return -1; | ||
294 | } | ||
295 | minfo->hinfo = hinfo; | 233 | minfo->hinfo = hinfo; |
296 | 234 | ||
297 | /* copy match config into hashtable config */ | 235 | /* copy match config into hashtable config */ |
@@ -317,7 +255,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, | |||
317 | &dl_file_ops, hinfo); | 255 | &dl_file_ops, hinfo); |
318 | if (hinfo->pde == NULL) { | 256 | if (hinfo->pde == NULL) { |
319 | vfree(hinfo); | 257 | vfree(hinfo); |
320 | return -1; | 258 | return -ENOMEM; |
321 | } | 259 | } |
322 | hinfo->net = net; | 260 | hinfo->net = net; |
323 | 261 | ||
@@ -578,57 +516,6 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo, | |||
578 | } | 516 | } |
579 | 517 | ||
580 | static bool | 518 | static bool |
581 | hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
582 | { | ||
583 | const struct xt_hashlimit_info *r = par->matchinfo; | ||
584 | struct xt_hashlimit_htable *hinfo = r->hinfo; | ||
585 | unsigned long now = jiffies; | ||
586 | struct dsthash_ent *dh; | ||
587 | struct dsthash_dst dst; | ||
588 | |||
589 | if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0) | ||
590 | goto hotdrop; | ||
591 | |||
592 | spin_lock_bh(&hinfo->lock); | ||
593 | dh = dsthash_find(hinfo, &dst); | ||
594 | if (!dh) { | ||
595 | dh = dsthash_alloc_init(hinfo, &dst); | ||
596 | if (!dh) { | ||
597 | spin_unlock_bh(&hinfo->lock); | ||
598 | goto hotdrop; | ||
599 | } | ||
600 | |||
601 | dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); | ||
602 | dh->rateinfo.prev = jiffies; | ||
603 | dh->rateinfo.credit = user2credits(hinfo->cfg.avg * | ||
604 | hinfo->cfg.burst); | ||
605 | dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * | ||
606 | hinfo->cfg.burst); | ||
607 | dh->rateinfo.cost = user2credits(hinfo->cfg.avg); | ||
608 | } else { | ||
609 | /* update expiration timeout */ | ||
610 | dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); | ||
611 | rateinfo_recalc(dh, now); | ||
612 | } | ||
613 | |||
614 | if (dh->rateinfo.credit >= dh->rateinfo.cost) { | ||
615 | /* We're underlimit. */ | ||
616 | dh->rateinfo.credit -= dh->rateinfo.cost; | ||
617 | spin_unlock_bh(&hinfo->lock); | ||
618 | return true; | ||
619 | } | ||
620 | |||
621 | spin_unlock_bh(&hinfo->lock); | ||
622 | |||
623 | /* default case: we're overlimit, thus don't match */ | ||
624 | return false; | ||
625 | |||
626 | hotdrop: | ||
627 | *par->hotdrop = true; | ||
628 | return false; | ||
629 | } | ||
630 | |||
631 | static bool | ||
632 | hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 519 | hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
633 | { | 520 | { |
634 | const struct xt_hashlimit_mtinfo1 *info = par->matchinfo; | 521 | const struct xt_hashlimit_mtinfo1 *info = par->matchinfo; |
@@ -640,15 +527,14 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
640 | if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0) | 527 | if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0) |
641 | goto hotdrop; | 528 | goto hotdrop; |
642 | 529 | ||
643 | spin_lock_bh(&hinfo->lock); | 530 | rcu_read_lock_bh(); |
644 | dh = dsthash_find(hinfo, &dst); | 531 | dh = dsthash_find(hinfo, &dst); |
645 | if (dh == NULL) { | 532 | if (dh == NULL) { |
646 | dh = dsthash_alloc_init(hinfo, &dst); | 533 | dh = dsthash_alloc_init(hinfo, &dst); |
647 | if (dh == NULL) { | 534 | if (dh == NULL) { |
648 | spin_unlock_bh(&hinfo->lock); | 535 | rcu_read_unlock_bh(); |
649 | goto hotdrop; | 536 | goto hotdrop; |
650 | } | 537 | } |
651 | |||
652 | dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); | 538 | dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); |
653 | dh->rateinfo.prev = jiffies; | 539 | dh->rateinfo.prev = jiffies; |
654 | dh->rateinfo.credit = user2credits(hinfo->cfg.avg * | 540 | dh->rateinfo.credit = user2credits(hinfo->cfg.avg * |
@@ -665,11 +551,13 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
665 | if (dh->rateinfo.credit >= dh->rateinfo.cost) { | 551 | if (dh->rateinfo.credit >= dh->rateinfo.cost) { |
666 | /* below the limit */ | 552 | /* below the limit */ |
667 | dh->rateinfo.credit -= dh->rateinfo.cost; | 553 | dh->rateinfo.credit -= dh->rateinfo.cost; |
668 | spin_unlock_bh(&hinfo->lock); | 554 | spin_unlock(&dh->lock); |
555 | rcu_read_unlock_bh(); | ||
669 | return !(info->cfg.mode & XT_HASHLIMIT_INVERT); | 556 | return !(info->cfg.mode & XT_HASHLIMIT_INVERT); |
670 | } | 557 | } |
671 | 558 | ||
672 | spin_unlock_bh(&hinfo->lock); | 559 | spin_unlock(&dh->lock); |
560 | rcu_read_unlock_bh(); | ||
673 | /* default match is underlimit - so over the limit, we need to invert */ | 561 | /* default match is underlimit - so over the limit, we need to invert */ |
674 | return info->cfg.mode & XT_HASHLIMIT_INVERT; | 562 | return info->cfg.mode & XT_HASHLIMIT_INVERT; |
675 | 563 | ||
@@ -678,83 +566,43 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
678 | return false; | 566 | return false; |
679 | } | 567 | } |
680 | 568 | ||
681 | static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par) | 569 | static int hashlimit_mt_check(const struct xt_mtchk_param *par) |
682 | { | ||
683 | struct net *net = par->net; | ||
684 | struct xt_hashlimit_info *r = par->matchinfo; | ||
685 | |||
686 | /* Check for overflow. */ | ||
687 | if (r->cfg.burst == 0 || | ||
688 | user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) { | ||
689 | printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n", | ||
690 | r->cfg.avg, r->cfg.burst); | ||
691 | return false; | ||
692 | } | ||
693 | if (r->cfg.mode == 0 || | ||
694 | r->cfg.mode > (XT_HASHLIMIT_HASH_DPT | | ||
695 | XT_HASHLIMIT_HASH_DIP | | ||
696 | XT_HASHLIMIT_HASH_SIP | | ||
697 | XT_HASHLIMIT_HASH_SPT)) | ||
698 | return false; | ||
699 | if (!r->cfg.gc_interval) | ||
700 | return false; | ||
701 | if (!r->cfg.expire) | ||
702 | return false; | ||
703 | if (r->name[sizeof(r->name) - 1] != '\0') | ||
704 | return false; | ||
705 | |||
706 | mutex_lock(&hashlimit_mutex); | ||
707 | r->hinfo = htable_find_get(net, r->name, par->match->family); | ||
708 | if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) { | ||
709 | mutex_unlock(&hashlimit_mutex); | ||
710 | return false; | ||
711 | } | ||
712 | mutex_unlock(&hashlimit_mutex); | ||
713 | |||
714 | return true; | ||
715 | } | ||
716 | |||
717 | static bool hashlimit_mt_check(const struct xt_mtchk_param *par) | ||
718 | { | 570 | { |
719 | struct net *net = par->net; | 571 | struct net *net = par->net; |
720 | struct xt_hashlimit_mtinfo1 *info = par->matchinfo; | 572 | struct xt_hashlimit_mtinfo1 *info = par->matchinfo; |
573 | int ret; | ||
721 | 574 | ||
722 | /* Check for overflow. */ | 575 | /* Check for overflow. */ |
723 | if (info->cfg.burst == 0 || | 576 | if (info->cfg.burst == 0 || |
724 | user2credits(info->cfg.avg * info->cfg.burst) < | 577 | user2credits(info->cfg.avg * info->cfg.burst) < |
725 | user2credits(info->cfg.avg)) { | 578 | user2credits(info->cfg.avg)) { |
726 | printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n", | 579 | pr_info("overflow, try lower: %u/%u\n", |
727 | info->cfg.avg, info->cfg.burst); | 580 | info->cfg.avg, info->cfg.burst); |
728 | return false; | 581 | return -ERANGE; |
729 | } | 582 | } |
730 | if (info->cfg.gc_interval == 0 || info->cfg.expire == 0) | 583 | if (info->cfg.gc_interval == 0 || info->cfg.expire == 0) |
731 | return false; | 584 | return -EINVAL; |
732 | if (info->name[sizeof(info->name)-1] != '\0') | 585 | if (info->name[sizeof(info->name)-1] != '\0') |
733 | return false; | 586 | return -EINVAL; |
734 | if (par->match->family == NFPROTO_IPV4) { | 587 | if (par->family == NFPROTO_IPV4) { |
735 | if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32) | 588 | if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32) |
736 | return false; | 589 | return -EINVAL; |
737 | } else { | 590 | } else { |
738 | if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128) | 591 | if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128) |
739 | return false; | 592 | return -EINVAL; |
740 | } | 593 | } |
741 | 594 | ||
742 | mutex_lock(&hashlimit_mutex); | 595 | mutex_lock(&hashlimit_mutex); |
743 | info->hinfo = htable_find_get(net, info->name, par->match->family); | 596 | info->hinfo = htable_find_get(net, info->name, par->family); |
744 | if (!info->hinfo && htable_create(net, info, par->match->family) != 0) { | 597 | if (info->hinfo == NULL) { |
745 | mutex_unlock(&hashlimit_mutex); | 598 | ret = htable_create(net, info, par->family); |
746 | return false; | 599 | if (ret < 0) { |
600 | mutex_unlock(&hashlimit_mutex); | ||
601 | return ret; | ||
602 | } | ||
747 | } | 603 | } |
748 | mutex_unlock(&hashlimit_mutex); | 604 | mutex_unlock(&hashlimit_mutex); |
749 | return true; | 605 | return 0; |
750 | } | ||
751 | |||
752 | static void | ||
753 | hashlimit_mt_destroy_v0(const struct xt_mtdtor_param *par) | ||
754 | { | ||
755 | const struct xt_hashlimit_info *r = par->matchinfo; | ||
756 | |||
757 | htable_put(r->hinfo); | ||
758 | } | 606 | } |
759 | 607 | ||
760 | static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par) | 608 | static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par) |
@@ -764,47 +612,8 @@ static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par) | |||
764 | htable_put(info->hinfo); | 612 | htable_put(info->hinfo); |
765 | } | 613 | } |
766 | 614 | ||
767 | #ifdef CONFIG_COMPAT | ||
768 | struct compat_xt_hashlimit_info { | ||
769 | char name[IFNAMSIZ]; | ||
770 | struct hashlimit_cfg cfg; | ||
771 | compat_uptr_t hinfo; | ||
772 | compat_uptr_t master; | ||
773 | }; | ||
774 | |||
775 | static void hashlimit_mt_compat_from_user(void *dst, const void *src) | ||
776 | { | ||
777 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); | ||
778 | |||
779 | memcpy(dst, src, off); | ||
780 | memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off); | ||
781 | } | ||
782 | |||
783 | static int hashlimit_mt_compat_to_user(void __user *dst, const void *src) | ||
784 | { | ||
785 | int off = offsetof(struct compat_xt_hashlimit_info, hinfo); | ||
786 | |||
787 | return copy_to_user(dst, src, off) ? -EFAULT : 0; | ||
788 | } | ||
789 | #endif | ||
790 | |||
791 | static struct xt_match hashlimit_mt_reg[] __read_mostly = { | 615 | static struct xt_match hashlimit_mt_reg[] __read_mostly = { |
792 | { | 616 | { |
793 | .name = "hashlimit", | ||
794 | .revision = 0, | ||
795 | .family = NFPROTO_IPV4, | ||
796 | .match = hashlimit_mt_v0, | ||
797 | .matchsize = sizeof(struct xt_hashlimit_info), | ||
798 | #ifdef CONFIG_COMPAT | ||
799 | .compatsize = sizeof(struct compat_xt_hashlimit_info), | ||
800 | .compat_from_user = hashlimit_mt_compat_from_user, | ||
801 | .compat_to_user = hashlimit_mt_compat_to_user, | ||
802 | #endif | ||
803 | .checkentry = hashlimit_mt_check_v0, | ||
804 | .destroy = hashlimit_mt_destroy_v0, | ||
805 | .me = THIS_MODULE | ||
806 | }, | ||
807 | { | ||
808 | .name = "hashlimit", | 617 | .name = "hashlimit", |
809 | .revision = 1, | 618 | .revision = 1, |
810 | .family = NFPROTO_IPV4, | 619 | .family = NFPROTO_IPV4, |
@@ -816,20 +625,6 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = { | |||
816 | }, | 625 | }, |
817 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | 626 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) |
818 | { | 627 | { |
819 | .name = "hashlimit", | ||
820 | .family = NFPROTO_IPV6, | ||
821 | .match = hashlimit_mt_v0, | ||
822 | .matchsize = sizeof(struct xt_hashlimit_info), | ||
823 | #ifdef CONFIG_COMPAT | ||
824 | .compatsize = sizeof(struct compat_xt_hashlimit_info), | ||
825 | .compat_from_user = hashlimit_mt_compat_from_user, | ||
826 | .compat_to_user = hashlimit_mt_compat_to_user, | ||
827 | #endif | ||
828 | .checkentry = hashlimit_mt_check_v0, | ||
829 | .destroy = hashlimit_mt_destroy_v0, | ||
830 | .me = THIS_MODULE | ||
831 | }, | ||
832 | { | ||
833 | .name = "hashlimit", | 628 | .name = "hashlimit", |
834 | .revision = 1, | 629 | .revision = 1, |
835 | .family = NFPROTO_IPV6, | 630 | .family = NFPROTO_IPV6, |
@@ -888,12 +683,15 @@ static void dl_seq_stop(struct seq_file *s, void *v) | |||
888 | static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | 683 | static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, |
889 | struct seq_file *s) | 684 | struct seq_file *s) |
890 | { | 685 | { |
686 | int res; | ||
687 | |||
688 | spin_lock(&ent->lock); | ||
891 | /* recalculate to show accurate numbers */ | 689 | /* recalculate to show accurate numbers */ |
892 | rateinfo_recalc(ent, jiffies); | 690 | rateinfo_recalc(ent, jiffies); |
893 | 691 | ||
894 | switch (family) { | 692 | switch (family) { |
895 | case NFPROTO_IPV4: | 693 | case NFPROTO_IPV4: |
896 | return seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n", | 694 | res = seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n", |
897 | (long)(ent->expires - jiffies)/HZ, | 695 | (long)(ent->expires - jiffies)/HZ, |
898 | &ent->dst.ip.src, | 696 | &ent->dst.ip.src, |
899 | ntohs(ent->dst.src_port), | 697 | ntohs(ent->dst.src_port), |
@@ -901,9 +699,10 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | |||
901 | ntohs(ent->dst.dst_port), | 699 | ntohs(ent->dst.dst_port), |
902 | ent->rateinfo.credit, ent->rateinfo.credit_cap, | 700 | ent->rateinfo.credit, ent->rateinfo.credit_cap, |
903 | ent->rateinfo.cost); | 701 | ent->rateinfo.cost); |
702 | break; | ||
904 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) | 703 | #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) |
905 | case NFPROTO_IPV6: | 704 | case NFPROTO_IPV6: |
906 | return seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n", | 705 | res = seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n", |
907 | (long)(ent->expires - jiffies)/HZ, | 706 | (long)(ent->expires - jiffies)/HZ, |
908 | &ent->dst.ip6.src, | 707 | &ent->dst.ip6.src, |
909 | ntohs(ent->dst.src_port), | 708 | ntohs(ent->dst.src_port), |
@@ -911,11 +710,14 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | |||
911 | ntohs(ent->dst.dst_port), | 710 | ntohs(ent->dst.dst_port), |
912 | ent->rateinfo.credit, ent->rateinfo.credit_cap, | 711 | ent->rateinfo.credit, ent->rateinfo.credit_cap, |
913 | ent->rateinfo.cost); | 712 | ent->rateinfo.cost); |
713 | break; | ||
914 | #endif | 714 | #endif |
915 | default: | 715 | default: |
916 | BUG(); | 716 | BUG(); |
917 | return 0; | 717 | res = 0; |
918 | } | 718 | } |
719 | spin_unlock(&ent->lock); | ||
720 | return res; | ||
919 | } | 721 | } |
920 | 722 | ||
921 | static int dl_seq_show(struct seq_file *s, void *v) | 723 | static int dl_seq_show(struct seq_file *s, void *v) |
@@ -1024,7 +826,7 @@ static int __init hashlimit_mt_init(void) | |||
1024 | sizeof(struct dsthash_ent), 0, 0, | 826 | sizeof(struct dsthash_ent), 0, 0, |
1025 | NULL); | 827 | NULL); |
1026 | if (!hashlimit_cachep) { | 828 | if (!hashlimit_cachep) { |
1027 | printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n"); | 829 | pr_warning("unable to create slab cache\n"); |
1028 | goto err2; | 830 | goto err2; |
1029 | } | 831 | } |
1030 | return 0; | 832 | return 0; |
@@ -1039,9 +841,11 @@ err1: | |||
1039 | 841 | ||
1040 | static void __exit hashlimit_mt_exit(void) | 842 | static void __exit hashlimit_mt_exit(void) |
1041 | { | 843 | { |
1042 | kmem_cache_destroy(hashlimit_cachep); | ||
1043 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); | 844 | xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); |
1044 | unregister_pernet_subsys(&hashlimit_net_ops); | 845 | unregister_pernet_subsys(&hashlimit_net_ops); |
846 | |||
847 | rcu_barrier_bh(); | ||
848 | kmem_cache_destroy(hashlimit_cachep); | ||
1045 | } | 849 | } |
1046 | 850 | ||
1047 | module_init(hashlimit_mt_init); | 851 | module_init(hashlimit_mt_init); |
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c index 64fc7f277221..b8b3e13dc71e 100644 --- a/net/netfilter/xt_helper.c +++ b/net/netfilter/xt_helper.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/module.h> | 10 | #include <linux/module.h> |
11 | #include <linux/skbuff.h> | 11 | #include <linux/skbuff.h> |
12 | #include <linux/netfilter.h> | 12 | #include <linux/netfilter.h> |
@@ -54,17 +54,19 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
54 | return ret; | 54 | return ret; |
55 | } | 55 | } |
56 | 56 | ||
57 | static bool helper_mt_check(const struct xt_mtchk_param *par) | 57 | static int helper_mt_check(const struct xt_mtchk_param *par) |
58 | { | 58 | { |
59 | struct xt_helper_info *info = par->matchinfo; | 59 | struct xt_helper_info *info = par->matchinfo; |
60 | int ret; | ||
60 | 61 | ||
61 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 62 | ret = nf_ct_l3proto_try_module_get(par->family); |
62 | printk(KERN_WARNING "can't load conntrack support for " | 63 | if (ret < 0) { |
63 | "proto=%u\n", par->family); | 64 | pr_info("cannot load conntrack support for proto=%u\n", |
64 | return false; | 65 | par->family); |
66 | return ret; | ||
65 | } | 67 | } |
66 | info->name[29] = '\0'; | 68 | info->name[29] = '\0'; |
67 | return true; | 69 | return 0; |
68 | } | 70 | } |
69 | 71 | ||
70 | static void helper_mt_destroy(const struct xt_mtdtor_param *par) | 72 | static void helper_mt_destroy(const struct xt_mtdtor_param *par) |
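Review bot: The forced NUL-termination on the new side of helper_mt_check, `info->name[29] = '\0';`, hard-codes the index instead of deriving it from the array, so it silently goes wrong if the `name` field of `xt_helper_info` is ever resized; `info->name[sizeof(info->name) - 1] = '\0';` expresses the intent without the magic number. Whether the buffer really is 30 bytes is not visible in this section. It is also the opposite policy from xt_hashlimit's check in this same series, which returns -EINVAL for an unterminated name rather than patching it, so a one-line comment such as `/* userspace may hand us an unterminated helper name; clamp rather than reject */` would record that the difference is deliberate.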
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c index 7726154c87b2..be53f7299623 100644 --- a/net/netfilter/xt_hl.c +++ b/net/netfilter/xt_hl.c | |||
@@ -39,10 +39,6 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
39 | return ttl < info->ttl; | 39 | return ttl < info->ttl; |
40 | case IPT_TTL_GT: | 40 | case IPT_TTL_GT: |
41 | return ttl > info->ttl; | 41 | return ttl > info->ttl; |
42 | default: | ||
43 | printk(KERN_WARNING "ipt_ttl: unknown mode %d\n", | ||
44 | info->mode); | ||
45 | return false; | ||
46 | } | 42 | } |
47 | 43 | ||
48 | return false; | 44 | return false; |
@@ -56,20 +52,12 @@ static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
56 | switch (info->mode) { | 52 | switch (info->mode) { |
57 | case IP6T_HL_EQ: | 53 | case IP6T_HL_EQ: |
58 | return ip6h->hop_limit == info->hop_limit; | 54 | return ip6h->hop_limit == info->hop_limit; |
59 | break; | ||
60 | case IP6T_HL_NE: | 55 | case IP6T_HL_NE: |
61 | return ip6h->hop_limit != info->hop_limit; | 56 | return ip6h->hop_limit != info->hop_limit; |
62 | break; | ||
63 | case IP6T_HL_LT: | 57 | case IP6T_HL_LT: |
64 | return ip6h->hop_limit < info->hop_limit; | 58 | return ip6h->hop_limit < info->hop_limit; |
65 | break; | ||
66 | case IP6T_HL_GT: | 59 | case IP6T_HL_GT: |
67 | return ip6h->hop_limit > info->hop_limit; | 60 | return ip6h->hop_limit > info->hop_limit; |
68 | break; | ||
69 | default: | ||
70 | printk(KERN_WARNING "ip6t_hl: unknown mode %d\n", | ||
71 | info->mode); | ||
72 | return false; | ||
73 | } | 61 | } |
74 | 62 | ||
75 | return false; | 63 | return false; |
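Review bot: With the `default:` arms removed from both ttl_mt and hl_mt6, an unrecognised `info->mode` now falls out of the switch and silently returns false where it used to at least log a warning; unless a checkentry rejects out-of-range modes (none is visible in this section), a malformed rule from userspace becomes a silent never-match rather than a detectable error. If the switch is meant to be exhaustive, the trailing `return false;` in each function deserves a comment saying so, e.g. `/* mode is validated on rule insertion; anything else never matches */`, and if it is not validated anywhere, a checkentry returning -EINVAL for a mode beyond the last enumerator (assuming the enum is contiguous) is the cheaper place to catch it.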
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c index ffc96387d556..8471d9715bde 100644 --- a/net/netfilter/xt_iprange.c +++ b/net/netfilter/xt_iprange.c | |||
@@ -8,6 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
11 | #include <linux/module.h> | 12 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 13 | #include <linux/skbuff.h> |
13 | #include <linux/ip.h> | 14 | #include <linux/ip.h> |
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index e5d7e1ffb1a4..88215dca19cb 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c | |||
@@ -5,6 +5,7 @@ | |||
5 | * it under the terms of the GNU General Public License version 2 as | 5 | * it under the terms of the GNU General Public License version 2 as |
6 | * published by the Free Software Foundation. | 6 | * published by the Free Software Foundation. |
7 | */ | 7 | */ |
8 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
8 | 9 | ||
9 | #include <linux/slab.h> | 10 | #include <linux/slab.h> |
10 | #include <linux/module.h> | 11 | #include <linux/module.h> |
@@ -98,7 +99,7 @@ user2credits(u_int32_t user) | |||
98 | return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE; | 99 | return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE; |
99 | } | 100 | } |
100 | 101 | ||
101 | static bool limit_mt_check(const struct xt_mtchk_param *par) | 102 | static int limit_mt_check(const struct xt_mtchk_param *par) |
102 | { | 103 | { |
103 | struct xt_rateinfo *r = par->matchinfo; | 104 | struct xt_rateinfo *r = par->matchinfo; |
104 | struct xt_limit_priv *priv; | 105 | struct xt_limit_priv *priv; |
@@ -106,14 +107,14 @@ static bool limit_mt_check(const struct xt_mtchk_param *par) | |||
106 | /* Check for overflow. */ | 107 | /* Check for overflow. */ |
107 | if (r->burst == 0 | 108 | if (r->burst == 0 |
108 | || user2credits(r->avg * r->burst) < user2credits(r->avg)) { | 109 | || user2credits(r->avg * r->burst) < user2credits(r->avg)) { |
109 | printk("Overflow in xt_limit, try lower: %u/%u\n", | 110 | pr_info("Overflow, try lower: %u/%u\n", |
110 | r->avg, r->burst); | 111 | r->avg, r->burst); |
111 | return false; | 112 | return -ERANGE; |
112 | } | 113 | } |
113 | 114 | ||
114 | priv = kmalloc(sizeof(*priv), GFP_KERNEL); | 115 | priv = kmalloc(sizeof(*priv), GFP_KERNEL); |
115 | if (priv == NULL) | 116 | if (priv == NULL) |
116 | return false; | 117 | return -ENOMEM; |
117 | 118 | ||
118 | /* For SMP, we only want to use one set of state. */ | 119 | /* For SMP, we only want to use one set of state. */ |
119 | r->master = priv; | 120 | r->master = priv; |
@@ -125,7 +126,7 @@ static bool limit_mt_check(const struct xt_mtchk_param *par) | |||
125 | r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ | 126 | r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ |
126 | r->cost = user2credits(r->avg); | 127 | r->cost = user2credits(r->avg); |
127 | } | 128 | } |
128 | return true; | 129 | return 0; |
129 | } | 130 | } |
130 | 131 | ||
131 | static void limit_mt_destroy(const struct xt_mtdtor_param *par) | 132 | static void limit_mt_destroy(const struct xt_mtdtor_param *par) |
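Review bot: The overflow guard that the new `-ERANGE` path relies on, `user2credits(r->avg * r->burst) < user2credits(r->avg)`, only catches a 32-bit wrap of `r->avg * r->burst` when the wrapped product happens to land below `r->avg`; a product that wraps to a larger value (for instance avg = 3, burst = 0x60000000) passes the check and silently installs a much smaller credit cap than the rule asked for, and user2credits itself multiplies by `HZ * CREDITS_PER_JIFFY` in the same width. Assuming the fields are u_int32_t as the `%u` format suggests, an exact test is cheap: `if (r->burst == 0 || (u64)r->avg * r->burst >= (1ULL << 32) || user2credits(r->avg * r->burst) < user2credits(r->avg))`. The identical expression appears in xt_hashlimit's check earlier in this series, so both would want the same fix. limit_mt_check spans two hunks here and the lines between them are not visible.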
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c index c2007116ce5b..b971ce93773e 100644 --- a/net/netfilter/xt_mac.c +++ b/net/netfilter/xt_mac.c | |||
@@ -10,6 +10,7 @@ | |||
10 | 10 | ||
11 | #include <linux/module.h> | 11 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 12 | #include <linux/skbuff.h> |
13 | #include <linux/if_arp.h> | ||
13 | #include <linux/if_ether.h> | 14 | #include <linux/if_ether.h> |
14 | #include <linux/etherdevice.h> | 15 | #include <linux/etherdevice.h> |
15 | 16 | ||
@@ -26,14 +27,18 @@ MODULE_ALIAS("ip6t_mac"); | |||
26 | 27 | ||
27 | static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 28 | static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
28 | { | 29 | { |
29 | const struct xt_mac_info *info = par->matchinfo; | 30 | const struct xt_mac_info *info = par->matchinfo; |
30 | 31 | bool ret; | |
31 | /* Is mac pointer valid? */ | 32 | |
32 | return skb_mac_header(skb) >= skb->head && | 33 | if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER) |
33 | skb_mac_header(skb) + ETH_HLEN <= skb->data | 34 | return false; |
34 | /* If so, compare... */ | 35 | if (skb_mac_header(skb) < skb->head) |
35 | && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) | 36 | return false; |
36 | ^ info->invert); | 37 | if (skb_mac_header(skb) + ETH_HLEN > skb->data) |
38 | return false; | ||
39 | ret = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0; | ||
40 | ret ^= info->invert; | ||
41 | return ret; | ||
37 | } | 42 | } |
38 | 43 | ||
39 | static struct xt_match mac_mt_reg __read_mostly = { | 44 | static struct xt_match mac_mt_reg __read_mostly = { |
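Review bot: The two pointer comparisons added to mac_mt, `skb_mac_header(skb) < skb->head` and `skb_mac_header(skb) + ETH_HLEN > skb->data`, are really checking "was a MAC header recorded at all, and does it lie in the linear area before the network header", but an unset MAC header only fails them by accident of how the unset offset happens to translate into a pointer. If `skb_mac_header_was_set()` is available in this tree, `if (!skb_mac_header_was_set(skb) || skb_mac_header(skb) + ETH_HLEN > skb->data) return false;` states the condition directly; otherwise a comment such as `/* no MAC header, or not within the headroom in front of L3 */` above the two tests would help. The new `skb->dev->type != ARPHRD_ETHER` guard also assumes `skb->dev` is the device the frame arrived on, which holds only if the match is restricted to the input-side hooks (the hook mask is not visible here).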
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c index 1db07d8125f8..035c468a0040 100644 --- a/net/netfilter/xt_mark.c +++ b/net/netfilter/xt_mark.c | |||
@@ -18,9 +18,20 @@ | |||
18 | 18 | ||
19 | MODULE_LICENSE("GPL"); | 19 | MODULE_LICENSE("GPL"); |
20 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); | 20 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); |
21 | MODULE_DESCRIPTION("Xtables: packet mark match"); | 21 | MODULE_DESCRIPTION("Xtables: packet mark operations"); |
22 | MODULE_ALIAS("ipt_mark"); | 22 | MODULE_ALIAS("ipt_mark"); |
23 | MODULE_ALIAS("ip6t_mark"); | 23 | MODULE_ALIAS("ip6t_mark"); |
24 | MODULE_ALIAS("ipt_MARK"); | ||
25 | MODULE_ALIAS("ip6t_MARK"); | ||
26 | |||
27 | static unsigned int | ||
28 | mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | ||
29 | { | ||
30 | const struct xt_mark_tginfo2 *info = par->targinfo; | ||
31 | |||
32 | skb->mark = (skb->mark & ~info->mask) ^ info->mark; | ||
33 | return XT_CONTINUE; | ||
34 | } | ||
24 | 35 | ||
25 | static bool | 36 | static bool |
26 | mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 37 | mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
@@ -30,6 +41,15 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
30 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; | 41 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; |
31 | } | 42 | } |
32 | 43 | ||
44 | static struct xt_target mark_tg_reg __read_mostly = { | ||
45 | .name = "MARK", | ||
46 | .revision = 2, | ||
47 | .family = NFPROTO_UNSPEC, | ||
48 | .target = mark_tg, | ||
49 | .targetsize = sizeof(struct xt_mark_tginfo2), | ||
50 | .me = THIS_MODULE, | ||
51 | }; | ||
52 | |||
33 | static struct xt_match mark_mt_reg __read_mostly = { | 53 | static struct xt_match mark_mt_reg __read_mostly = { |
34 | .name = "mark", | 54 | .name = "mark", |
35 | .revision = 1, | 55 | .revision = 1, |
@@ -41,12 +61,23 @@ static struct xt_match mark_mt_reg __read_mostly = { | |||
41 | 61 | ||
42 | static int __init mark_mt_init(void) | 62 | static int __init mark_mt_init(void) |
43 | { | 63 | { |
44 | return xt_register_match(&mark_mt_reg); | 64 | int ret; |
65 | |||
66 | ret = xt_register_target(&mark_tg_reg); | ||
67 | if (ret < 0) | ||
68 | return ret; | ||
69 | ret = xt_register_match(&mark_mt_reg); | ||
70 | if (ret < 0) { | ||
71 | xt_unregister_target(&mark_tg_reg); | ||
72 | return ret; | ||
73 | } | ||
74 | return 0; | ||
45 | } | 75 | } |
46 | 76 | ||
47 | static void __exit mark_mt_exit(void) | 77 | static void __exit mark_mt_exit(void) |
48 | { | 78 | { |
49 | xt_unregister_match(&mark_mt_reg); | 79 | xt_unregister_match(&mark_mt_reg); |
80 | xt_unregister_target(&mark_tg_reg); | ||
50 | } | 81 | } |
51 | 82 | ||
52 | module_init(mark_mt_init); | 83 | module_init(mark_mt_init); |
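Review bot: The new mark_tg target (new-side lines 27-34) has no comment, so the clear-then-xor semantics of `skb->mark = (skb->mark & ~info->mask) ^ info->mark;` are left for the reader to reverse-engineer. I would put `/* Clear the bits selected by info->mask, then xor in info->mark; a mask of ~0 therefore degenerates into a plain set. */` above the assignment — the mapping onto the iptables --set-mark/--set-xmark options is presumably what revision 2 encodes, but that is not visible here. Since mark_mt_init/mark_mt_exit now register and unregister a target as well as the match, a one-line comment on the init function (or a rename such as mark_mt_tg_init) would also stop a reader assuming the MARK target is still registered elsewhere.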
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c index d06bb2dd3900..83b77ceb264f 100644 --- a/net/netfilter/xt_multiport.c +++ b/net/netfilter/xt_multiport.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/module.h> | 12 | #include <linux/module.h> |
13 | #include <linux/types.h> | 13 | #include <linux/types.h> |
14 | #include <linux/udp.h> | 14 | #include <linux/udp.h> |
@@ -26,29 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP | |||
26 | MODULE_ALIAS("ipt_multiport"); | 26 | MODULE_ALIAS("ipt_multiport"); |
27 | MODULE_ALIAS("ip6t_multiport"); | 27 | MODULE_ALIAS("ip6t_multiport"); |
28 | 28 | ||
29 | #if 0 | ||
30 | #define duprintf(format, args...) printk(format , ## args) | ||
31 | #else | ||
32 | #define duprintf(format, args...) | ||
33 | #endif | ||
34 | |||
35 | /* Returns 1 if the port is matched by the test, 0 otherwise. */ | ||
36 | static inline bool | ||
37 | ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags, | ||
38 | u_int8_t count, u_int16_t src, u_int16_t dst) | ||
39 | { | ||
40 | unsigned int i; | ||
41 | for (i = 0; i < count; i++) { | ||
42 | if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src) | ||
43 | return true; | ||
44 | |||
45 | if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst) | ||
46 | return true; | ||
47 | } | ||
48 | |||
49 | return false; | ||
50 | } | ||
51 | |||
52 | /* Returns 1 if the port is matched by the test, 0 otherwise. */ | 29 | /* Returns 1 if the port is matched by the test, 0 otherwise. */ |
53 | static inline bool | 30 | static inline bool |
54 | ports_match_v1(const struct xt_multiport_v1 *minfo, | 31 | ports_match_v1(const struct xt_multiport_v1 *minfo, |
@@ -63,7 +40,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo, | |||
63 | if (minfo->pflags[i]) { | 40 | if (minfo->pflags[i]) { |
64 | /* range port matching */ | 41 | /* range port matching */ |
65 | e = minfo->ports[++i]; | 42 | e = minfo->ports[++i]; |
66 | duprintf("src or dst matches with %d-%d?\n", s, e); | 43 | pr_debug("src or dst matches with %d-%d?\n", s, e); |
67 | 44 | ||
68 | if (minfo->flags == XT_MULTIPORT_SOURCE | 45 | if (minfo->flags == XT_MULTIPORT_SOURCE |
69 | && src >= s && src <= e) | 46 | && src >= s && src <= e) |
@@ -77,7 +54,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo, | |||
77 | return true ^ minfo->invert; | 54 | return true ^ minfo->invert; |
78 | } else { | 55 | } else { |
79 | /* exact port matching */ | 56 | /* exact port matching */ |
80 | duprintf("src or dst matches with %d?\n", s); | 57 | pr_debug("src or dst matches with %d?\n", s); |
81 | 58 | ||
82 | if (minfo->flags == XT_MULTIPORT_SOURCE | 59 | if (minfo->flags == XT_MULTIPORT_SOURCE |
83 | && src == s) | 60 | && src == s) |
@@ -95,30 +72,6 @@ ports_match_v1(const struct xt_multiport_v1 *minfo, | |||
95 | } | 72 | } |
96 | 73 | ||
97 | static bool | 74 | static bool |
98 | multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
99 | { | ||
100 | const __be16 *pptr; | ||
101 | __be16 _ports[2]; | ||
102 | const struct xt_multiport *multiinfo = par->matchinfo; | ||
103 | |||
104 | if (par->fragoff != 0) | ||
105 | return false; | ||
106 | |||
107 | pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports); | ||
108 | if (pptr == NULL) { | ||
109 | /* We've been asked to examine this packet, and we | ||
110 | * can't. Hence, no choice but to drop. | ||
111 | */ | ||
112 | duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); | ||
113 | *par->hotdrop = true; | ||
114 | return false; | ||
115 | } | ||
116 | |||
117 | return ports_match_v0(multiinfo->ports, multiinfo->flags, | ||
118 | multiinfo->count, ntohs(pptr[0]), ntohs(pptr[1])); | ||
119 | } | ||
120 | |||
121 | static bool | ||
122 | multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 75 | multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
123 | { | 76 | { |
124 | const __be16 *pptr; | 77 | const __be16 *pptr; |
@@ -133,7 +86,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
133 | /* We've been asked to examine this packet, and we | 86 | /* We've been asked to examine this packet, and we |
134 | * can't. Hence, no choice but to drop. | 87 | * can't. Hence, no choice but to drop. |
135 | */ | 88 | */ |
136 | duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); | 89 | pr_debug("Dropping evil offset=0 tinygram.\n"); |
137 | *par->hotdrop = true; | 90 | *par->hotdrop = true; |
138 | return false; | 91 | return false; |
139 | } | 92 | } |
@@ -158,16 +111,7 @@ check(u_int16_t proto, | |||
158 | && count <= XT_MULTI_PORTS; | 111 | && count <= XT_MULTI_PORTS; |
159 | } | 112 | } |
160 | 113 | ||
161 | static bool multiport_mt_check_v0(const struct xt_mtchk_param *par) | 114 | static int multiport_mt_check(const struct xt_mtchk_param *par) |
162 | { | ||
163 | const struct ipt_ip *ip = par->entryinfo; | ||
164 | const struct xt_multiport *multiinfo = par->matchinfo; | ||
165 | |||
166 | return check(ip->proto, ip->invflags, multiinfo->flags, | ||
167 | multiinfo->count); | ||
168 | } | ||
169 | |||
170 | static bool multiport_mt_check(const struct xt_mtchk_param *par) | ||
171 | { | 115 | { |
172 | const struct ipt_ip *ip = par->entryinfo; | 116 | const struct ipt_ip *ip = par->entryinfo; |
173 | const struct xt_multiport_v1 *multiinfo = par->matchinfo; | 117 | const struct xt_multiport_v1 *multiinfo = par->matchinfo; |
@@ -176,16 +120,7 @@ static bool multiport_mt_check(const struct xt_mtchk_param *par) | |||
176 | multiinfo->count); | 120 | multiinfo->count); |
177 | } | 121 | } |
178 | 122 | ||
179 | static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par) | 123 | static int multiport_mt6_check(const struct xt_mtchk_param *par) |
180 | { | ||
181 | const struct ip6t_ip6 *ip = par->entryinfo; | ||
182 | const struct xt_multiport *multiinfo = par->matchinfo; | ||
183 | |||
184 | return check(ip->proto, ip->invflags, multiinfo->flags, | ||
185 | multiinfo->count); | ||
186 | } | ||
187 | |||
188 | static bool multiport_mt6_check(const struct xt_mtchk_param *par) | ||
189 | { | 124 | { |
190 | const struct ip6t_ip6 *ip = par->entryinfo; | 125 | const struct ip6t_ip6 *ip = par->entryinfo; |
191 | const struct xt_multiport_v1 *multiinfo = par->matchinfo; | 126 | const struct xt_multiport_v1 *multiinfo = par->matchinfo; |
@@ -198,15 +133,6 @@ static struct xt_match multiport_mt_reg[] __read_mostly = { | |||
198 | { | 133 | { |
199 | .name = "multiport", | 134 | .name = "multiport", |
200 | .family = NFPROTO_IPV4, | 135 | .family = NFPROTO_IPV4, |
201 | .revision = 0, | ||
202 | .checkentry = multiport_mt_check_v0, | ||
203 | .match = multiport_mt_v0, | ||
204 | .matchsize = sizeof(struct xt_multiport), | ||
205 | .me = THIS_MODULE, | ||
206 | }, | ||
207 | { | ||
208 | .name = "multiport", | ||
209 | .family = NFPROTO_IPV4, | ||
210 | .revision = 1, | 136 | .revision = 1, |
211 | .checkentry = multiport_mt_check, | 137 | .checkentry = multiport_mt_check, |
212 | .match = multiport_mt, | 138 | .match = multiport_mt, |
@@ -216,15 +142,6 @@ static struct xt_match multiport_mt_reg[] __read_mostly = { | |||
216 | { | 142 | { |
217 | .name = "multiport", | 143 | .name = "multiport", |
218 | .family = NFPROTO_IPV6, | 144 | .family = NFPROTO_IPV6, |
219 | .revision = 0, | ||
220 | .checkentry = multiport_mt6_check_v0, | ||
221 | .match = multiport_mt_v0, | ||
222 | .matchsize = sizeof(struct xt_multiport), | ||
223 | .me = THIS_MODULE, | ||
224 | }, | ||
225 | { | ||
226 | .name = "multiport", | ||
227 | .family = NFPROTO_IPV6, | ||
228 | .revision = 1, | 145 | .revision = 1, |
229 | .checkentry = multiport_mt6_check, | 146 | .checkentry = multiport_mt6_check, |
230 | .match = multiport_mt, | 147 | .match = multiport_mt, |
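Review bot: multiport_mt_check and multiport_mt6_check are changed to return int, but their bodies still `return check(...)`, and check() — whose tail `&& count <= XT_MULTI_PORTS;` is visible as unchanged context — yields a boolean, so a valid rule now returns 1 and an invalid one 0, the inverse of the 0/-EINVAL convention the xt_physdev, xt_policy and xt_quota hunks in this series adopt. Whether the core treats a positive return as an error is decided in x_tables.c, which is not visible here; either way the -EINVAL that should reject a bad proto/invflags/count never reaches the caller. The return statement sits between the two hunks (the `multiinfo->count);` context row on both sides shows it unchanged), so both functions need `return check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count) ? 0 : -EINVAL;`.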
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c index 4169e200588d..8dcde13a0781 100644 --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c | |||
@@ -16,7 +16,7 @@ | |||
16 | * along with this program; if not, write to the Free Software | 16 | * along with this program; if not, write to the Free Software |
17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | 17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
18 | */ | 18 | */ |
19 | 19 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
20 | #include <linux/module.h> | 20 | #include <linux/module.h> |
21 | #include <linux/kernel.h> | 21 | #include <linux/kernel.h> |
22 | 22 | ||
@@ -382,14 +382,14 @@ static int __init xt_osf_init(void) | |||
382 | 382 | ||
383 | err = nfnetlink_subsys_register(&xt_osf_nfnetlink); | 383 | err = nfnetlink_subsys_register(&xt_osf_nfnetlink); |
384 | if (err < 0) { | 384 | if (err < 0) { |
385 | printk(KERN_ERR "Failed (%d) to register OSF nsfnetlink helper.\n", err); | 385 | pr_err("Failed to register OSF nsfnetlink helper (%d)\n", err); |
386 | goto err_out_exit; | 386 | goto err_out_exit; |
387 | } | 387 | } |
388 | 388 | ||
389 | err = xt_register_match(&xt_osf_match); | 389 | err = xt_register_match(&xt_osf_match); |
390 | if (err) { | 390 | if (err) { |
391 | printk(KERN_ERR "Failed (%d) to register OS fingerprint " | 391 | pr_err("Failed to register OS fingerprint " |
392 | "matching module.\n", err); | 392 | "matching module (%d)\n", err); |
393 | goto err_out_remove; | 393 | goto err_out_remove; |
394 | } | 394 | } |
395 | 395 | ||
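Review bot: The reworded error in xt_osf_init still reads `nsfnetlink`, which looks like a typo for nfnetlink carried over from the old printk; since the line is being rewritten anyway, `pr_err("Failed to register OSF nfnetlink helper (%d)\n", err);` would fix it. Everything else in this section is a log-format change and looks fine.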
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 8d28ca5848bc..d0bdf3dd4d25 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c | |||
@@ -7,7 +7,7 @@ | |||
7 | * it under the terms of the GNU General Public License version 2 as | 7 | * it under the terms of the GNU General Public License version 2 as |
8 | * published by the Free Software Foundation. | 8 | * published by the Free Software Foundation. |
9 | */ | 9 | */ |
10 | 10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
11 | #include <linux/module.h> | 11 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 12 | #include <linux/skbuff.h> |
13 | #include <linux/netfilter_bridge.h> | 13 | #include <linux/netfilter_bridge.h> |
@@ -83,25 +83,25 @@ match_outdev: | |||
83 | return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT)); | 83 | return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT)); |
84 | } | 84 | } |
85 | 85 | ||
86 | static bool physdev_mt_check(const struct xt_mtchk_param *par) | 86 | static int physdev_mt_check(const struct xt_mtchk_param *par) |
87 | { | 87 | { |
88 | const struct xt_physdev_info *info = par->matchinfo; | 88 | const struct xt_physdev_info *info = par->matchinfo; |
89 | 89 | ||
90 | if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || | 90 | if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || |
91 | info->bitmask & ~XT_PHYSDEV_OP_MASK) | 91 | info->bitmask & ~XT_PHYSDEV_OP_MASK) |
92 | return false; | 92 | return -EINVAL; |
93 | if (info->bitmask & XT_PHYSDEV_OP_OUT && | 93 | if (info->bitmask & XT_PHYSDEV_OP_OUT && |
94 | (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || | 94 | (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || |
95 | info->invert & XT_PHYSDEV_OP_BRIDGED) && | 95 | info->invert & XT_PHYSDEV_OP_BRIDGED) && |
96 | par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | | 96 | par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | |
97 | (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { | 97 | (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { |
98 | printk(KERN_WARNING "physdev match: using --physdev-out in the " | 98 | pr_info("using --physdev-out in the OUTPUT, FORWARD and " |
99 | "OUTPUT, FORWARD and POSTROUTING chains for non-bridged " | 99 | "POSTROUTING chains for non-bridged traffic is not " |
100 | "traffic is not supported anymore.\n"); | 100 | "supported anymore.\n"); |
101 | if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) | 101 | if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) |
102 | return false; | 102 | return -EINVAL; |
103 | } | 103 | } |
104 | return true; | 104 | return 0; |
105 | } | 105 | } |
106 | 106 | ||
107 | static struct xt_match physdev_mt_reg __read_mostly = { | 107 | static struct xt_match physdev_mt_reg __read_mostly = { |
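Review bot: The message in physdev_mt_check stating that --physdev-out is "not supported anymore" is downgraded from KERN_WARNING to pr_info while the behaviour behind it is unchanged: the rule is rejected only for NF_INET_LOCAL_OUT and is still accepted for FORWARD and POSTROUTING, so an admin whose rule silently loads now gets an even quieter hint that it will not match what they expect. I would keep the accepted-but-unsupported case at warning level (`pr_warning(...)` in this tree), or split the text so the LOCAL_OUT rejection is distinguishable from the FORWARD/POSTROUTING acceptance. The -EINVAL codes themselves are consistent with the rest of the series.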
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c index 4cbfebda8fa1..1fa239c1fb93 100644 --- a/net/netfilter/xt_policy.c +++ b/net/netfilter/xt_policy.c | |||
@@ -6,7 +6,7 @@ | |||
6 | * it under the terms of the GNU General Public License version 2 as | 6 | * it under the terms of the GNU General Public License version 2 as |
7 | * published by the Free Software Foundation. | 7 | * published by the Free Software Foundation. |
8 | */ | 8 | */ |
9 | 9 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
10 | #include <linux/kernel.h> | 10 | #include <linux/kernel.h> |
11 | #include <linux/module.h> | 11 | #include <linux/module.h> |
12 | #include <linux/skbuff.h> | 12 | #include <linux/skbuff.h> |
@@ -116,9 +116,9 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
116 | int ret; | 116 | int ret; |
117 | 117 | ||
118 | if (info->flags & XT_POLICY_MATCH_IN) | 118 | if (info->flags & XT_POLICY_MATCH_IN) |
119 | ret = match_policy_in(skb, info, par->match->family); | 119 | ret = match_policy_in(skb, info, par->family); |
120 | else | 120 | else |
121 | ret = match_policy_out(skb, info, par->match->family); | 121 | ret = match_policy_out(skb, info, par->family); |
122 | 122 | ||
123 | if (ret < 0) | 123 | if (ret < 0) |
124 | ret = info->flags & XT_POLICY_MATCH_NONE ? true : false; | 124 | ret = info->flags & XT_POLICY_MATCH_NONE ? true : false; |
@@ -128,32 +128,29 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
128 | return ret; | 128 | return ret; |
129 | } | 129 | } |
130 | 130 | ||
131 | static bool policy_mt_check(const struct xt_mtchk_param *par) | 131 | static int policy_mt_check(const struct xt_mtchk_param *par) |
132 | { | 132 | { |
133 | const struct xt_policy_info *info = par->matchinfo; | 133 | const struct xt_policy_info *info = par->matchinfo; |
134 | 134 | ||
135 | if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { | 135 | if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { |
136 | printk(KERN_ERR "xt_policy: neither incoming nor " | 136 | pr_info("neither incoming nor outgoing policy selected\n"); |
137 | "outgoing policy selected\n"); | 137 | return -EINVAL; |
138 | return false; | ||
139 | } | 138 | } |
140 | if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | | 139 | if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | |
141 | (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) { | 140 | (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) { |
142 | printk(KERN_ERR "xt_policy: output policy not valid in " | 141 | pr_info("output policy not valid in PREROUTING and INPUT\n"); |
143 | "PRE_ROUTING and INPUT\n"); | 142 | return -EINVAL; |
144 | return false; | ||
145 | } | 143 | } |
146 | if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | | 144 | if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | |
147 | (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) { | 145 | (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) { |
148 | printk(KERN_ERR "xt_policy: input policy not valid in " | 146 | pr_info("input policy not valid in POSTROUTING and OUTPUT\n"); |
149 | "POST_ROUTING and OUTPUT\n"); | 147 | return -EINVAL; |
150 | return false; | ||
151 | } | 148 | } |
152 | if (info->len > XT_POLICY_MAX_ELEM) { | 149 | if (info->len > XT_POLICY_MAX_ELEM) { |
153 | printk(KERN_ERR "xt_policy: too many policy elements\n"); | 150 | pr_info("too many policy elements\n"); |
154 | return false; | 151 | return -EINVAL; |
155 | } | 152 | } |
156 | return true; | 153 | return 0; |
157 | } | 154 | } |
158 | 155 | ||
159 | static struct xt_match policy_mt_reg[] __read_mostly = { | 156 | static struct xt_match policy_mt_reg[] __read_mostly = { |
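Review bot: policy_mt_check still accepts any bit in info->flags that it does not explicitly test — the checks only look at XT_POLICY_MATCH_IN/OUT and the hook mask, and there is no `info->flags & ~<valid bits>` rejection of the kind the xt_recent hunk in this series adds with XT_RECENT_VALID_FLAGS. Now that the function has been reworked for the int return convention, this is a cheap place to add `if (info->flags & ~<mask of the flag bits xt_policy.h defines>) return -EINVAL;`, with the mask defined next to the flag bits in the header (the full set of defined bits is not visible here, so the exact mask is left to the author). A stray bit from a mismatched userspace would otherwise be silently ignored rather than reported.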
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c index 2d5562498c43..7c95d69f6f06 100644 --- a/net/netfilter/xt_quota.c +++ b/net/netfilter/xt_quota.c | |||
@@ -44,19 +44,19 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
44 | return ret; | 44 | return ret; |
45 | } | 45 | } |
46 | 46 | ||
47 | static bool quota_mt_check(const struct xt_mtchk_param *par) | 47 | static int quota_mt_check(const struct xt_mtchk_param *par) |
48 | { | 48 | { |
49 | struct xt_quota_info *q = par->matchinfo; | 49 | struct xt_quota_info *q = par->matchinfo; |
50 | 50 | ||
51 | if (q->flags & ~XT_QUOTA_MASK) | 51 | if (q->flags & ~XT_QUOTA_MASK) |
52 | return false; | 52 | return -EINVAL; |
53 | 53 | ||
54 | q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); | 54 | q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); |
55 | if (q->master == NULL) | 55 | if (q->master == NULL) |
56 | return false; | 56 | return -ENOMEM; |
57 | 57 | ||
58 | q->master->quota = q->quota; | 58 | q->master->quota = q->quota; |
59 | return true; | 59 | return 0; |
60 | } | 60 | } |
61 | 61 | ||
62 | static void quota_mt_destroy(const struct xt_mtdtor_param *par) | 62 | static void quota_mt_destroy(const struct xt_mtdtor_param *par) |
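Review bot: quota_mt_check allocates `q->master` with kmalloc and then initialises only `q->master->quota`; if the master struct has any other member (its definition is not visible here), that member starts out with whatever the allocator left behind. Using `q->master = kzalloc(sizeof(*q->master), GFP_KERNEL);` costs nothing on this slow path and makes the -ENOMEM conversion the only thing a reader has to think about. The new error codes themselves (-EINVAL for unknown flags, -ENOMEM for allocation failure) look right.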
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c index 4fc6a917f6de..23805f8a444b 100644 --- a/net/netfilter/xt_rateest.c +++ b/net/netfilter/xt_rateest.c | |||
@@ -74,10 +74,11 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
74 | return ret; | 74 | return ret; |
75 | } | 75 | } |
76 | 76 | ||
77 | static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | 77 | static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) |
78 | { | 78 | { |
79 | struct xt_rateest_match_info *info = par->matchinfo; | 79 | struct xt_rateest_match_info *info = par->matchinfo; |
80 | struct xt_rateest *est1, *est2; | 80 | struct xt_rateest *est1, *est2; |
81 | int ret = false; | ||
81 | 82 | ||
82 | if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | | 83 | if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | |
83 | XT_RATEEST_MATCH_REL)) != 1) | 84 | XT_RATEEST_MATCH_REL)) != 1) |
@@ -95,6 +96,7 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | |||
95 | goto err1; | 96 | goto err1; |
96 | } | 97 | } |
97 | 98 | ||
99 | ret = -ENOENT; | ||
98 | est1 = xt_rateest_lookup(info->name1); | 100 | est1 = xt_rateest_lookup(info->name1); |
99 | if (!est1) | 101 | if (!est1) |
100 | goto err1; | 102 | goto err1; |
@@ -109,12 +111,12 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) | |||
109 | 111 | ||
110 | info->est1 = est1; | 112 | info->est1 = est1; |
111 | info->est2 = est2; | 113 | info->est2 = est2; |
112 | return true; | 114 | return 0; |
113 | 115 | ||
114 | err2: | 116 | err2: |
115 | xt_rateest_put(est1); | 117 | xt_rateest_put(est1); |
116 | err1: | 118 | err1: |
117 | return false; | 119 | return -EINVAL; |
118 | } | 120 | } |
119 | 121 | ||
120 | static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) | 122 | static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) |
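Review bot: The `ret` introduced in xt_rateest_mt_checkentry is never returned — both error labels still end in `err1: return -EINVAL;`, so the `ret = -ENOENT;` set before the xt_rateest_lookup calls is dead and a missing estimator is reported as -EINVAL instead of -ENOENT (and `int ret = false;` initialises an error code with a bool, which would read as success if it ever were returned). The fix is two lines: `int ret = -EINVAL;` at the top and `err1: return ret;` at the bottom, which keeps -EINVAL for the flag checks that jump to err1 before line 99 and lets -ENOENT propagate from the lookup failures. The goto sites between lines 84 and 97 are outside the hunk, so I am assuming they all jump to err1 without touching ret.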
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c index 834b736857cb..b88d63b9c76a 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c | |||
@@ -12,6 +12,7 @@ | |||
12 | * Author: Stephen Frost <sfrost@snowman.net> | 12 | * Author: Stephen Frost <sfrost@snowman.net> |
13 | * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org | 13 | * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org |
14 | */ | 14 | */ |
15 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
15 | #include <linux/init.h> | 16 | #include <linux/init.h> |
16 | #include <linux/ip.h> | 17 | #include <linux/ip.h> |
17 | #include <linux/ipv6.h> | 18 | #include <linux/ipv6.h> |
@@ -35,8 +36,8 @@ | |||
35 | #include <linux/netfilter/xt_recent.h> | 36 | #include <linux/netfilter/xt_recent.h> |
36 | 37 | ||
37 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); | 38 | MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); |
38 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 39 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
39 | MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4"); | 40 | MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching"); |
40 | MODULE_LICENSE("GPL"); | 41 | MODULE_LICENSE("GPL"); |
41 | MODULE_ALIAS("ipt_recent"); | 42 | MODULE_ALIAS("ipt_recent"); |
42 | MODULE_ALIAS("ip6t_recent"); | 43 | MODULE_ALIAS("ip6t_recent"); |
@@ -51,14 +52,14 @@ module_param(ip_list_tot, uint, 0400); | |||
51 | module_param(ip_pkt_list_tot, uint, 0400); | 52 | module_param(ip_pkt_list_tot, uint, 0400); |
52 | module_param(ip_list_hash_size, uint, 0400); | 53 | module_param(ip_list_hash_size, uint, 0400); |
53 | module_param(ip_list_perms, uint, 0400); | 54 | module_param(ip_list_perms, uint, 0400); |
54 | module_param(ip_list_uid, uint, 0400); | 55 | module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR); |
55 | module_param(ip_list_gid, uint, 0400); | 56 | module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR); |
56 | MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list"); | 57 | MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list"); |
57 | MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)"); | 58 | MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)"); |
58 | MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs"); | 59 | MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs"); |
59 | MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files"); | 60 | MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files"); |
60 | MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files"); | 61 | MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files"); |
61 | MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files"); | 62 | MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files"); |
62 | 63 | ||
63 | struct recent_entry { | 64 | struct recent_entry { |
64 | struct list_head list; | 65 | struct list_head list; |
@@ -84,9 +85,6 @@ struct recent_net { | |||
84 | struct list_head tables; | 85 | struct list_head tables; |
85 | #ifdef CONFIG_PROC_FS | 86 | #ifdef CONFIG_PROC_FS |
86 | struct proc_dir_entry *xt_recent; | 87 | struct proc_dir_entry *xt_recent; |
87 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
88 | struct proc_dir_entry *ipt_recent; | ||
89 | #endif | ||
90 | #endif | 88 | #endif |
91 | }; | 89 | }; |
92 | 90 | ||
@@ -147,6 +145,25 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e) | |||
147 | t->entries--; | 145 | t->entries--; |
148 | } | 146 | } |
149 | 147 | ||
148 | /* | ||
149 | * Drop entries with timestamps older then 'time'. | ||
150 | */ | ||
151 | static void recent_entry_reap(struct recent_table *t, unsigned long time) | ||
152 | { | ||
153 | struct recent_entry *e; | ||
154 | |||
155 | /* | ||
156 | * The head of the LRU list is always the oldest entry. | ||
157 | */ | ||
158 | e = list_entry(t->lru_list.next, struct recent_entry, lru_list); | ||
159 | |||
160 | /* | ||
161 | * The last time stamp is the most recent. | ||
162 | */ | ||
163 | if (time_after(time, e->stamps[e->index-1])) | ||
164 | recent_entry_remove(t, e); | ||
165 | } | ||
166 | |||
150 | static struct recent_entry * | 167 | static struct recent_entry * |
151 | recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr, | 168 | recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr, |
152 | u_int16_t family, u_int8_t ttl) | 169 | u_int16_t family, u_int8_t ttl) |
@@ -218,7 +235,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
218 | u_int8_t ttl; | 235 | u_int8_t ttl; |
219 | bool ret = info->invert; | 236 | bool ret = info->invert; |
220 | 237 | ||
221 | if (par->match->family == NFPROTO_IPV4) { | 238 | if (par->family == NFPROTO_IPV4) { |
222 | const struct iphdr *iph = ip_hdr(skb); | 239 | const struct iphdr *iph = ip_hdr(skb); |
223 | 240 | ||
224 | if (info->side == XT_RECENT_DEST) | 241 | if (info->side == XT_RECENT_DEST) |
@@ -244,12 +261,12 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
244 | 261 | ||
245 | spin_lock_bh(&recent_lock); | 262 | spin_lock_bh(&recent_lock); |
246 | t = recent_table_lookup(recent_net, info->name); | 263 | t = recent_table_lookup(recent_net, info->name); |
247 | e = recent_entry_lookup(t, &addr, par->match->family, | 264 | e = recent_entry_lookup(t, &addr, par->family, |
248 | (info->check_set & XT_RECENT_TTL) ? ttl : 0); | 265 | (info->check_set & XT_RECENT_TTL) ? ttl : 0); |
249 | if (e == NULL) { | 266 | if (e == NULL) { |
250 | if (!(info->check_set & XT_RECENT_SET)) | 267 | if (!(info->check_set & XT_RECENT_SET)) |
251 | goto out; | 268 | goto out; |
252 | e = recent_entry_init(t, &addr, par->match->family, ttl); | 269 | e = recent_entry_init(t, &addr, par->family, ttl); |
253 | if (e == NULL) | 270 | if (e == NULL) |
254 | *par->hotdrop = true; | 271 | *par->hotdrop = true; |
255 | ret = !ret; | 272 | ret = !ret; |
@@ -273,6 +290,10 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
273 | break; | 290 | break; |
274 | } | 291 | } |
275 | } | 292 | } |
293 | |||
294 | /* info->seconds must be non-zero */ | ||
295 | if (info->check_set & XT_RECENT_REAP) | ||
296 | recent_entry_reap(t, time); | ||
276 | } | 297 | } |
277 | 298 | ||
278 | if (info->check_set & XT_RECENT_SET || | 299 | if (info->check_set & XT_RECENT_SET || |
@@ -285,7 +306,7 @@ out: | |||
285 | return ret; | 306 | return ret; |
286 | } | 307 | } |
287 | 308 | ||
288 | static bool recent_mt_check(const struct xt_mtchk_param *par) | 309 | static int recent_mt_check(const struct xt_mtchk_param *par) |
289 | { | 310 | { |
290 | struct recent_net *recent_net = recent_pernet(par->net); | 311 | struct recent_net *recent_net = recent_pernet(par->net); |
291 | const struct xt_recent_mtinfo *info = par->matchinfo; | 312 | const struct xt_recent_mtinfo *info = par->matchinfo; |
@@ -294,41 +315,51 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
294 | struct proc_dir_entry *pde; | 315 | struct proc_dir_entry *pde; |
295 | #endif | 316 | #endif |
296 | unsigned i; | 317 | unsigned i; |
297 | bool ret = false; | 318 | int ret = -EINVAL; |
298 | 319 | ||
299 | if (unlikely(!hash_rnd_inited)) { | 320 | if (unlikely(!hash_rnd_inited)) { |
300 | get_random_bytes(&hash_rnd, sizeof(hash_rnd)); | 321 | get_random_bytes(&hash_rnd, sizeof(hash_rnd)); |
301 | hash_rnd_inited = true; | 322 | hash_rnd_inited = true; |
302 | } | 323 | } |
324 | if (info->check_set & ~XT_RECENT_VALID_FLAGS) { | ||
325 | pr_info("Unsupported user space flags (%08x)\n", | ||
326 | info->check_set); | ||
327 | return -EINVAL; | ||
328 | } | ||
303 | if (hweight8(info->check_set & | 329 | if (hweight8(info->check_set & |
304 | (XT_RECENT_SET | XT_RECENT_REMOVE | | 330 | (XT_RECENT_SET | XT_RECENT_REMOVE | |
305 | XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) | 331 | XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) |
306 | return false; | 332 | return -EINVAL; |
307 | if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && | 333 | if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && |
308 | (info->seconds || info->hit_count)) | 334 | (info->seconds || info->hit_count || |
309 | return false; | 335 | (info->check_set & XT_RECENT_MODIFIERS))) |
336 | return -EINVAL; | ||
337 | if ((info->check_set & XT_RECENT_REAP) && !info->seconds) | ||
338 | return -EINVAL; | ||
310 | if (info->hit_count > ip_pkt_list_tot) { | 339 | if (info->hit_count > ip_pkt_list_tot) { |
311 | pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than " | 340 | pr_info("hitcount (%u) is larger than " |
312 | "packets to be remembered (%u)\n", | 341 | "packets to be remembered (%u)\n", |
313 | info->hit_count, ip_pkt_list_tot); | 342 | info->hit_count, ip_pkt_list_tot); |
314 | return false; | 343 | return -EINVAL; |
315 | } | 344 | } |
316 | if (info->name[0] == '\0' || | 345 | if (info->name[0] == '\0' || |
317 | strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) | 346 | strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) |
318 | return false; | 347 | return -EINVAL; |
319 | 348 | ||
320 | mutex_lock(&recent_mutex); | 349 | mutex_lock(&recent_mutex); |
321 | t = recent_table_lookup(recent_net, info->name); | 350 | t = recent_table_lookup(recent_net, info->name); |
322 | if (t != NULL) { | 351 | if (t != NULL) { |
323 | t->refcnt++; | 352 | t->refcnt++; |
324 | ret = true; | 353 | ret = 0; |
325 | goto out; | 354 | goto out; |
326 | } | 355 | } |
327 | 356 | ||
328 | t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size, | 357 | t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size, |
329 | GFP_KERNEL); | 358 | GFP_KERNEL); |
330 | if (t == NULL) | 359 | if (t == NULL) { |
360 | ret = -ENOMEM; | ||
331 | goto out; | 361 | goto out; |
362 | } | ||
332 | t->refcnt = 1; | 363 | t->refcnt = 1; |
333 | strcpy(t->name, info->name); | 364 | strcpy(t->name, info->name); |
334 | INIT_LIST_HEAD(&t->lru_list); | 365 | INIT_LIST_HEAD(&t->lru_list); |
@@ -339,26 +370,16 @@ static bool recent_mt_check(const struct xt_mtchk_param *par) | |||
339 | &recent_mt_fops, t); | 370 | &recent_mt_fops, t); |
340 | if (pde == NULL) { | 371 | if (pde == NULL) { |
341 | kfree(t); | 372 | kfree(t); |
342 | goto out; | 373 | ret = -ENOMEM; |
343 | } | ||
344 | pde->uid = ip_list_uid; | ||
345 | pde->gid = ip_list_gid; | ||
346 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
347 | pde = proc_create_data(t->name, ip_list_perms, recent_net->ipt_recent, | ||
348 | &recent_old_fops, t); | ||
349 | if (pde == NULL) { | ||
350 | remove_proc_entry(t->name, recent_net->xt_recent); | ||
351 | kfree(t); | ||
352 | goto out; | 374 | goto out; |
353 | } | 375 | } |
354 | pde->uid = ip_list_uid; | 376 | pde->uid = ip_list_uid; |
355 | pde->gid = ip_list_gid; | 377 | pde->gid = ip_list_gid; |
356 | #endif | 378 | #endif |
357 | #endif | ||
358 | spin_lock_bh(&recent_lock); | 379 | spin_lock_bh(&recent_lock); |
359 | list_add_tail(&t->list, &recent_net->tables); | 380 | list_add_tail(&t->list, &recent_net->tables); |
360 | spin_unlock_bh(&recent_lock); | 381 | spin_unlock_bh(&recent_lock); |
361 | ret = true; | 382 | ret = 0; |
362 | out: | 383 | out: |
363 | mutex_unlock(&recent_mutex); | 384 | mutex_unlock(&recent_mutex); |
364 | return ret; | 385 | return ret; |
@@ -377,9 +398,6 @@ static void recent_mt_destroy(const struct xt_mtdtor_param *par) | |||
377 | list_del(&t->list); | 398 | list_del(&t->list); |
378 | spin_unlock_bh(&recent_lock); | 399 | spin_unlock_bh(&recent_lock); |
379 | #ifdef CONFIG_PROC_FS | 400 | #ifdef CONFIG_PROC_FS |
380 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
381 | remove_proc_entry(t->name, recent_net->ipt_recent); | ||
382 | #endif | ||
383 | remove_proc_entry(t->name, recent_net->xt_recent); | 401 | remove_proc_entry(t->name, recent_net->xt_recent); |
384 | #endif | 402 | #endif |
385 | recent_table_flush(t); | 403 | recent_table_flush(t); |
@@ -471,84 +489,6 @@ static int recent_seq_open(struct inode *inode, struct file *file) | |||
471 | return 0; | 489 | return 0; |
472 | } | 490 | } |
473 | 491 | ||
474 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
475 | static int recent_old_seq_open(struct inode *inode, struct file *filp) | ||
476 | { | ||
477 | static bool warned_of_old; | ||
478 | |||
479 | if (unlikely(!warned_of_old)) { | ||
480 | printk(KERN_INFO KBUILD_MODNAME ": Use of /proc/net/ipt_recent" | ||
481 | " is deprecated; use /proc/net/xt_recent.\n"); | ||
482 | warned_of_old = true; | ||
483 | } | ||
484 | return recent_seq_open(inode, filp); | ||
485 | } | ||
486 | |||
487 | static ssize_t recent_old_proc_write(struct file *file, | ||
488 | const char __user *input, | ||
489 | size_t size, loff_t *loff) | ||
490 | { | ||
491 | const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode); | ||
492 | struct recent_table *t = pde->data; | ||
493 | struct recent_entry *e; | ||
494 | char buf[sizeof("+255.255.255.255")], *c = buf; | ||
495 | union nf_inet_addr addr = {}; | ||
496 | int add; | ||
497 | |||
498 | if (size > sizeof(buf)) | ||
499 | size = sizeof(buf); | ||
500 | if (copy_from_user(buf, input, size)) | ||
501 | return -EFAULT; | ||
502 | |||
503 | c = skip_spaces(c); | ||
504 | |||
505 | if (size - (c - buf) < 5) | ||
506 | return c - buf; | ||
507 | if (!strncmp(c, "clear", 5)) { | ||
508 | c += 5; | ||
509 | spin_lock_bh(&recent_lock); | ||
510 | recent_table_flush(t); | ||
511 | spin_unlock_bh(&recent_lock); | ||
512 | return c - buf; | ||
513 | } | ||
514 | |||
515 | switch (*c) { | ||
516 | case '-': | ||
517 | add = 0; | ||
518 | c++; | ||
519 | break; | ||
520 | case '+': | ||
521 | c++; | ||
522 | default: | ||
523 | add = 1; | ||
524 | break; | ||
525 | } | ||
526 | addr.ip = in_aton(c); | ||
527 | |||
528 | spin_lock_bh(&recent_lock); | ||
529 | e = recent_entry_lookup(t, &addr, NFPROTO_IPV4, 0); | ||
530 | if (e == NULL) { | ||
531 | if (add) | ||
532 | recent_entry_init(t, &addr, NFPROTO_IPV4, 0); | ||
533 | } else { | ||
534 | if (add) | ||
535 | recent_entry_update(t, e); | ||
536 | else | ||
537 | recent_entry_remove(t, e); | ||
538 | } | ||
539 | spin_unlock_bh(&recent_lock); | ||
540 | return size; | ||
541 | } | ||
542 | |||
543 | static const struct file_operations recent_old_fops = { | ||
544 | .open = recent_old_seq_open, | ||
545 | .read = seq_read, | ||
546 | .write = recent_old_proc_write, | ||
547 | .release = seq_release_private, | ||
548 | .owner = THIS_MODULE, | ||
549 | }; | ||
550 | #endif | ||
551 | |||
552 | static ssize_t | 492 | static ssize_t |
553 | recent_mt_proc_write(struct file *file, const char __user *input, | 493 | recent_mt_proc_write(struct file *file, const char __user *input, |
554 | size_t size, loff_t *loff) | 494 | size_t size, loff_t *loff) |
@@ -585,7 +525,7 @@ recent_mt_proc_write(struct file *file, const char __user *input, | |||
585 | add = true; | 525 | add = true; |
586 | break; | 526 | break; |
587 | default: | 527 | default: |
588 | printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n"); | 528 | pr_info("Need \"+ip\", \"-ip\" or \"/\"\n"); |
589 | return -EINVAL; | 529 | return -EINVAL; |
590 | } | 530 | } |
591 | 531 | ||
@@ -600,8 +540,7 @@ recent_mt_proc_write(struct file *file, const char __user *input, | |||
600 | } | 540 | } |
601 | 541 | ||
602 | if (!succ) { | 542 | if (!succ) { |
603 | printk(KERN_INFO KBUILD_MODNAME ": illegal address written " | 543 | pr_info("illegal address written to procfs\n"); |
604 | "to procfs\n"); | ||
605 | return -EINVAL; | 544 | return -EINVAL; |
606 | } | 545 | } |
607 | 546 | ||
@@ -637,21 +576,11 @@ static int __net_init recent_proc_net_init(struct net *net) | |||
637 | recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); | 576 | recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); |
638 | if (!recent_net->xt_recent) | 577 | if (!recent_net->xt_recent) |
639 | return -ENOMEM; | 578 | return -ENOMEM; |
640 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
641 | recent_net->ipt_recent = proc_mkdir("ipt_recent", net->proc_net); | ||
642 | if (!recent_net->ipt_recent) { | ||
643 | proc_net_remove(net, "xt_recent"); | ||
644 | return -ENOMEM; | ||
645 | } | ||
646 | #endif | ||
647 | return 0; | 579 | return 0; |
648 | } | 580 | } |
649 | 581 | ||
650 | static void __net_exit recent_proc_net_exit(struct net *net) | 582 | static void __net_exit recent_proc_net_exit(struct net *net) |
651 | { | 583 | { |
652 | #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | ||
653 | proc_net_remove(net, "ipt_recent"); | ||
654 | #endif | ||
655 | proc_net_remove(net, "xt_recent"); | 584 | proc_net_remove(net, "xt_recent"); |
656 | } | 585 | } |
657 | #else | 586 | #else |
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index a189ada9128f..c3694df54672 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c | |||
@@ -1,3 +1,4 @@ | |||
1 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
1 | #include <linux/module.h> | 2 | #include <linux/module.h> |
2 | #include <linux/skbuff.h> | 3 | #include <linux/skbuff.h> |
3 | #include <net/ip.h> | 4 | #include <net/ip.h> |
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match"); | |||
15 | MODULE_ALIAS("ipt_sctp"); | 16 | MODULE_ALIAS("ipt_sctp"); |
16 | MODULE_ALIAS("ip6t_sctp"); | 17 | MODULE_ALIAS("ip6t_sctp"); |
17 | 18 | ||
18 | #ifdef DEBUG_SCTP | ||
19 | #define duprintf(format, args...) printk(format , ## args) | ||
20 | #else | ||
21 | #define duprintf(format, args...) | ||
22 | #endif | ||
23 | |||
24 | #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ | 19 | #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ |
25 | || (!!((invflag) & (option)) ^ (cond))) | 20 | || (!!((invflag) & (option)) ^ (cond))) |
26 | 21 | ||
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb, | |||
52 | const struct xt_sctp_flag_info *flag_info = info->flag_info; | 47 | const struct xt_sctp_flag_info *flag_info = info->flag_info; |
53 | int flag_count = info->flag_count; | 48 | int flag_count = info->flag_count; |
54 | 49 | ||
55 | #ifdef DEBUG_SCTP | 50 | #ifdef DEBUG |
56 | int i = 0; | 51 | int i = 0; |
57 | #endif | 52 | #endif |
58 | 53 | ||
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb, | |||
62 | do { | 57 | do { |
63 | sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); | 58 | sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); |
64 | if (sch == NULL || sch->length == 0) { | 59 | if (sch == NULL || sch->length == 0) { |
65 | duprintf("Dropping invalid SCTP packet.\n"); | 60 | pr_debug("Dropping invalid SCTP packet.\n"); |
66 | *hotdrop = true; | 61 | *hotdrop = true; |
67 | return false; | 62 | return false; |
68 | } | 63 | } |
69 | 64 | #ifdef DEBUG | |
70 | duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", | 65 | pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d" |
71 | ++i, offset, sch->type, htons(sch->length), sch->flags); | 66 | "\tflags: %x\n", |
72 | 67 | ++i, offset, sch->type, htons(sch->length), | |
68 | sch->flags); | ||
69 | #endif | ||
73 | offset += (ntohs(sch->length) + 3) & ~3; | 70 | offset += (ntohs(sch->length) + 3) & ~3; |
74 | 71 | ||
75 | duprintf("skb->len: %d\toffset: %d\n", skb->len, offset); | 72 | pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset); |
76 | 73 | ||
77 | if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) { | 74 | if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) { |
78 | switch (chunk_match_type) { | 75 | switch (chunk_match_type) { |
@@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
124 | sctp_sctphdr_t _sh; | 121 | sctp_sctphdr_t _sh; |
125 | 122 | ||
126 | if (par->fragoff != 0) { | 123 | if (par->fragoff != 0) { |
127 | duprintf("Dropping non-first fragment.. FIXME\n"); | 124 | pr_debug("Dropping non-first fragment.. FIXME\n"); |
128 | return false; | 125 | return false; |
129 | } | 126 | } |
130 | 127 | ||
131 | sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); | 128 | sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); |
132 | if (sh == NULL) { | 129 | if (sh == NULL) { |
133 | duprintf("Dropping evil TCP offset=0 tinygram.\n"); | 130 | pr_debug("Dropping evil TCP offset=0 tinygram.\n"); |
134 | *par->hotdrop = true; | 131 | *par->hotdrop = true; |
135 | return false; | 132 | return false; |
136 | } | 133 | } |
137 | duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); | 134 | pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); |
138 | 135 | ||
139 | return SCCHECK(ntohs(sh->source) >= info->spts[0] | 136 | return SCCHECK(ntohs(sh->source) >= info->spts[0] |
140 | && ntohs(sh->source) <= info->spts[1], | 137 | && ntohs(sh->source) <= info->spts[1], |
@@ -147,18 +144,22 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
147 | XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); | 144 | XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); |
148 | } | 145 | } |
149 | 146 | ||
150 | static bool sctp_mt_check(const struct xt_mtchk_param *par) | 147 | static int sctp_mt_check(const struct xt_mtchk_param *par) |
151 | { | 148 | { |
152 | const struct xt_sctp_info *info = par->matchinfo; | 149 | const struct xt_sctp_info *info = par->matchinfo; |
153 | 150 | ||
154 | return !(info->flags & ~XT_SCTP_VALID_FLAGS) | 151 | if (info->flags & ~XT_SCTP_VALID_FLAGS) |
155 | && !(info->invflags & ~XT_SCTP_VALID_FLAGS) | 152 | return -EINVAL; |
156 | && !(info->invflags & ~info->flags) | 153 | if (info->invflags & ~XT_SCTP_VALID_FLAGS) |
157 | && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || | 154 | return -EINVAL; |
158 | (info->chunk_match_type & | 155 | if (info->invflags & ~info->flags) |
159 | (SCTP_CHUNK_MATCH_ALL | 156 | return -EINVAL; |
160 | | SCTP_CHUNK_MATCH_ANY | 157 | if (!(info->flags & XT_SCTP_CHUNK_TYPES)) |
161 | | SCTP_CHUNK_MATCH_ONLY))); | 158 | return 0; |
159 | if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL | | ||
160 | SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY)) | ||
161 | return 0; | ||
162 | return -EINVAL; | ||
162 | } | 163 | } |
163 | 164 | ||
164 | static struct xt_match sctp_mt_reg[] __read_mostly = { | 165 | static struct xt_match sctp_mt_reg[] __read_mostly = { |
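Review bot: The chunk trace in match_packet (new lines 64-69) is wrapped in `#ifdef DEBUG` while the neighbouring pr_debug calls in the same loop are not, so under CONFIG_DYNAMIC_DEBUG every trace in this loop can be switched on at runtime except this one; declaring `i` unconditionally (it costs nothing once pr_debug compiles out) and dropping the guard keeps the loop's debug output uniform. The same line mixes `htons(sch->length)` with the `ntohs(sch->length)` used for the offset arithmetic two lines below; both give the same value, but only ntohs states the direction of the conversion and keeps sparse quiet. In sctp_mt the message `"Dropping evil TCP offset=0 tinygram.\n"` was carried over from the TCP match and should name SCTP, since with the new pr_fmt it is presumably prefixed with this module's name but still names the wrong protocol. match_packet's body starts and ends outside the hunk.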
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index 6a902564d24f..a9b16867e1f7 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c | |||
@@ -9,7 +9,7 @@ | |||
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | * | 10 | * |
11 | */ | 11 | */ |
12 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
13 | #include <linux/module.h> | 13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
15 | #include <linux/netfilter/x_tables.h> | 15 | #include <linux/netfilter/x_tables.h> |
@@ -165,8 +165,7 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par, | |||
165 | sk = NULL; | 165 | sk = NULL; |
166 | } | 166 | } |
167 | 167 | ||
168 | pr_debug("socket match: proto %u %08x:%u -> %08x:%u " | 168 | pr_debug("proto %u %08x:%u -> %08x:%u (orig %08x:%u) sock %p\n", |
169 | "(orig %08x:%u) sock %p\n", | ||
170 | protocol, ntohl(saddr), ntohs(sport), | 169 | protocol, ntohl(saddr), ntohs(sport), |
171 | ntohl(daddr), ntohs(dport), | 170 | ntohl(daddr), ntohs(dport), |
172 | ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk); | 171 | ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk); |
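Review bot: The reflowed pr_debug in socket_match still prints the raw `struct sock` address (`sock %p`), which on a system with dynamic debug enabled writes a kernel heap pointer into the log; that was already the case before this commit, but since the line is being rewritten anyway it is the moment to print what the match actually decides on, e.g. `sk ? "found" : "none"`, instead of the pointer. socket_match's body starts and ends outside the hunk, so whether `sk` is needed for anything beyond this print cannot be seen here.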
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c index 4c946cbd731f..bb1271852d50 100644 --- a/net/netfilter/xt_state.c +++ b/net/netfilter/xt_state.c | |||
@@ -37,50 +37,40 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
37 | return (sinfo->statemask & statebit); | 37 | return (sinfo->statemask & statebit); |
38 | } | 38 | } |
39 | 39 | ||
40 | static bool state_mt_check(const struct xt_mtchk_param *par) | 40 | static int state_mt_check(const struct xt_mtchk_param *par) |
41 | { | 41 | { |
42 | if (nf_ct_l3proto_try_module_get(par->match->family) < 0) { | 42 | int ret; |
43 | printk(KERN_WARNING "can't load conntrack support for " | 43 | |
44 | "proto=%u\n", par->match->family); | 44 | ret = nf_ct_l3proto_try_module_get(par->family); |
45 | return false; | 45 | if (ret < 0) |
46 | } | 46 | pr_info("cannot load conntrack support for proto=%u\n", |
47 | return true; | 47 | par->family); |
48 | return ret; | ||
48 | } | 49 | } |
49 | 50 | ||
50 | static void state_mt_destroy(const struct xt_mtdtor_param *par) | 51 | static void state_mt_destroy(const struct xt_mtdtor_param *par) |
51 | { | 52 | { |
52 | nf_ct_l3proto_module_put(par->match->family); | 53 | nf_ct_l3proto_module_put(par->family); |
53 | } | 54 | } |
54 | 55 | ||
55 | static struct xt_match state_mt_reg[] __read_mostly = { | 56 | static struct xt_match state_mt_reg __read_mostly = { |
56 | { | 57 | .name = "state", |
57 | .name = "state", | 58 | .family = NFPROTO_UNSPEC, |
58 | .family = NFPROTO_IPV4, | 59 | .checkentry = state_mt_check, |
59 | .checkentry = state_mt_check, | 60 | .match = state_mt, |
60 | .match = state_mt, | 61 | .destroy = state_mt_destroy, |
61 | .destroy = state_mt_destroy, | 62 | .matchsize = sizeof(struct xt_state_info), |
62 | .matchsize = sizeof(struct xt_state_info), | 63 | .me = THIS_MODULE, |
63 | .me = THIS_MODULE, | ||
64 | }, | ||
65 | { | ||
66 | .name = "state", | ||
67 | .family = NFPROTO_IPV6, | ||
68 | .checkentry = state_mt_check, | ||
69 | .match = state_mt, | ||
70 | .destroy = state_mt_destroy, | ||
71 | .matchsize = sizeof(struct xt_state_info), | ||
72 | .me = THIS_MODULE, | ||
73 | }, | ||
74 | }; | 64 | }; |
75 | 65 | ||
76 | static int __init state_mt_init(void) | 66 | static int __init state_mt_init(void) |
77 | { | 67 | { |
78 | return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg)); | 68 | return xt_register_match(&state_mt_reg); |
79 | } | 69 | } |
80 | 70 | ||
81 | static void __exit state_mt_exit(void) | 71 | static void __exit state_mt_exit(void) |
82 | { | 72 | { |
83 | xt_unregister_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg)); | 73 | xt_unregister_match(&state_mt_reg); |
84 | } | 74 | } |
85 | 75 | ||
86 | module_init(state_mt_init); | 76 | module_init(state_mt_init); |
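Review bot: With `.family = NFPROTO_UNSPEC` replacing the separate IPv4 and IPv6 registrations, state_mt_check can now be invoked for any table family the xtables core accepts, and the only thing rejecting an unsupported family is the return value of `nf_ct_l3proto_try_module_get(par->family)`; that is correct only if it returns a negative errno rather than 0 for a family without a conntrack l3proto, which the hunk does not show. If it does not, an explicit `if (par->family != NFPROTO_IPV4 && par->family != NFPROTO_IPV6) return -EINVAL;` ahead of the call restores the previous behaviour. Propagating `ret` unchanged on failure is consistent with the -errno convention the series introduces for the other `*_mt_check` functions.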
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c index 937ce0633e99..5aeca1d023d8 100644 --- a/net/netfilter/xt_statistic.c +++ b/net/netfilter/xt_statistic.c | |||
@@ -53,22 +53,20 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
53 | return ret; | 53 | return ret; |
54 | } | 54 | } |
55 | 55 | ||
56 | static bool statistic_mt_check(const struct xt_mtchk_param *par) | 56 | static int statistic_mt_check(const struct xt_mtchk_param *par) |
57 | { | 57 | { |
58 | struct xt_statistic_info *info = par->matchinfo; | 58 | struct xt_statistic_info *info = par->matchinfo; |
59 | 59 | ||
60 | if (info->mode > XT_STATISTIC_MODE_MAX || | 60 | if (info->mode > XT_STATISTIC_MODE_MAX || |
61 | info->flags & ~XT_STATISTIC_MASK) | 61 | info->flags & ~XT_STATISTIC_MASK) |
62 | return false; | 62 | return -EINVAL; |
63 | 63 | ||
64 | info->master = kzalloc(sizeof(*info->master), GFP_KERNEL); | 64 | info->master = kzalloc(sizeof(*info->master), GFP_KERNEL); |
65 | if (info->master == NULL) { | 65 | if (info->master == NULL) |
66 | printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n"); | 66 | return -ENOMEM; |
67 | return false; | ||
68 | } | ||
69 | info->master->count = info->u.nth.count; | 67 | info->master->count = info->u.nth.count; |
70 | 68 | ||
71 | return true; | 69 | return 0; |
72 | } | 70 | } |
73 | 71 | ||
74 | static void statistic_mt_destroy(const struct xt_mtdtor_param *par) | 72 | static void statistic_mt_destroy(const struct xt_mtdtor_param *par) |
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c index 96801ffd8af8..f6d5112175e6 100644 --- a/net/netfilter/xt_string.c +++ b/net/netfilter/xt_string.c | |||
@@ -27,12 +27,10 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
27 | { | 27 | { |
28 | const struct xt_string_info *conf = par->matchinfo; | 28 | const struct xt_string_info *conf = par->matchinfo; |
29 | struct ts_state state; | 29 | struct ts_state state; |
30 | int invert; | 30 | bool invert; |
31 | 31 | ||
32 | memset(&state, 0, sizeof(struct ts_state)); | 32 | memset(&state, 0, sizeof(struct ts_state)); |
33 | 33 | invert = conf->u.v1.flags & XT_STRING_FLAG_INVERT; | |
34 | invert = (par->match->revision == 0 ? conf->u.v0.invert : | ||
35 | conf->u.v1.flags & XT_STRING_FLAG_INVERT); | ||
36 | 34 | ||
37 | return (skb_find_text((struct sk_buff *)skb, conf->from_offset, | 35 | return (skb_find_text((struct sk_buff *)skb, conf->from_offset, |
38 | conf->to_offset, conf->config, &state) | 36 | conf->to_offset, conf->config, &state) |
@@ -41,7 +39,7 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
41 | 39 | ||
42 | #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m)) | 40 | #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m)) |
43 | 41 | ||
44 | static bool string_mt_check(const struct xt_mtchk_param *par) | 42 | static int string_mt_check(const struct xt_mtchk_param *par) |
45 | { | 43 | { |
46 | struct xt_string_info *conf = par->matchinfo; | 44 | struct xt_string_info *conf = par->matchinfo; |
47 | struct ts_config *ts_conf; | 45 | struct ts_config *ts_conf; |
@@ -49,26 +47,23 @@ static bool string_mt_check(const struct xt_mtchk_param *par) | |||
49 | 47 | ||
50 | /* Damn, can't handle this case properly with iptables... */ | 48 | /* Damn, can't handle this case properly with iptables... */ |
51 | if (conf->from_offset > conf->to_offset) | 49 | if (conf->from_offset > conf->to_offset) |
52 | return false; | 50 | return -EINVAL; |
53 | if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') | 51 | if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') |
54 | return false; | 52 | return -EINVAL; |
55 | if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) | 53 | if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) |
56 | return false; | 54 | return -EINVAL; |
57 | if (par->match->revision == 1) { | 55 | if (conf->u.v1.flags & |
58 | if (conf->u.v1.flags & | 56 | ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT)) |
59 | ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT)) | 57 | return -EINVAL; |
60 | return false; | 58 | if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE) |
61 | if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE) | 59 | flags |= TS_IGNORECASE; |
62 | flags |= TS_IGNORECASE; | ||
63 | } | ||
64 | ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, | 60 | ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, |
65 | GFP_KERNEL, flags); | 61 | GFP_KERNEL, flags); |
66 | if (IS_ERR(ts_conf)) | 62 | if (IS_ERR(ts_conf)) |
67 | return false; | 63 | return PTR_ERR(ts_conf); |
68 | 64 | ||
69 | conf->config = ts_conf; | 65 | conf->config = ts_conf; |
70 | 66 | return 0; | |
71 | return true; | ||
72 | } | 67 | } |
73 | 68 | ||
74 | static void string_mt_destroy(const struct xt_mtdtor_param *par) | 69 | static void string_mt_destroy(const struct xt_mtdtor_param *par) |
@@ -76,38 +71,25 @@ static void string_mt_destroy(const struct xt_mtdtor_param *par) | |||
76 | textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config); | 71 | textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config); |
77 | } | 72 | } |
78 | 73 | ||
79 | static struct xt_match xt_string_mt_reg[] __read_mostly = { | 74 | static struct xt_match xt_string_mt_reg __read_mostly = { |
80 | { | 75 | .name = "string", |
81 | .name = "string", | 76 | .revision = 1, |
82 | .revision = 0, | 77 | .family = NFPROTO_UNSPEC, |
83 | .family = NFPROTO_UNSPEC, | 78 | .checkentry = string_mt_check, |
84 | .checkentry = string_mt_check, | 79 | .match = string_mt, |
85 | .match = string_mt, | 80 | .destroy = string_mt_destroy, |
86 | .destroy = string_mt_destroy, | 81 | .matchsize = sizeof(struct xt_string_info), |
87 | .matchsize = sizeof(struct xt_string_info), | 82 | .me = THIS_MODULE, |
88 | .me = THIS_MODULE | ||
89 | }, | ||
90 | { | ||
91 | .name = "string", | ||
92 | .revision = 1, | ||
93 | .family = NFPROTO_UNSPEC, | ||
94 | .checkentry = string_mt_check, | ||
95 | .match = string_mt, | ||
96 | .destroy = string_mt_destroy, | ||
97 | .matchsize = sizeof(struct xt_string_info), | ||
98 | .me = THIS_MODULE | ||
99 | }, | ||
100 | }; | 83 | }; |
101 | 84 | ||
102 | static int __init string_mt_init(void) | 85 | static int __init string_mt_init(void) |
103 | { | 86 | { |
104 | return xt_register_matches(xt_string_mt_reg, | 87 | return xt_register_match(&xt_string_mt_reg); |
105 | ARRAY_SIZE(xt_string_mt_reg)); | ||
106 | } | 88 | } |
107 | 89 | ||
108 | static void __exit string_mt_exit(void) | 90 | static void __exit string_mt_exit(void) |
109 | { | 91 | { |
110 | xt_unregister_matches(xt_string_mt_reg, ARRAY_SIZE(xt_string_mt_reg)); | 92 | xt_unregister_match(&xt_string_mt_reg); |
111 | } | 93 | } |
112 | 94 | ||
113 | module_init(string_mt_init); | 95 | module_init(string_mt_init); |
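Review bot: Collapsing the registration array into a single `.revision = 1` entry is a user-visible ABI change: an iptables binary that still emits revision 0 of the string match will now be refused by the xtables core rather than matched, and string_mt and string_mt_check read `conf->u.v1.flags` unconditionally. Nothing in the hunk records this; the commit description should state that revision 0 is no longer supported so that the failure mode is traceable from the changelog. Returning `PTR_ERR(ts_conf)` instead of a fixed failure is an improvement, since textsearch_prepare's own error code now reaches userspace.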
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c index 1ebdc4934eed..efa2ede24ae6 100644 --- a/net/netfilter/xt_tcpudp.c +++ b/net/netfilter/xt_tcpudp.c | |||
@@ -1,3 +1,4 @@ | |||
1 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
1 | #include <linux/types.h> | 2 | #include <linux/types.h> |
2 | #include <linux/module.h> | 3 | #include <linux/module.h> |
3 | #include <net/ip.h> | 4 | #include <net/ip.h> |
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp"); | |||
19 | MODULE_ALIAS("ip6t_udp"); | 20 | MODULE_ALIAS("ip6t_udp"); |
20 | MODULE_ALIAS("ip6t_tcp"); | 21 | MODULE_ALIAS("ip6t_tcp"); |
21 | 22 | ||
22 | #ifdef DEBUG_IP_FIREWALL_USER | ||
23 | #define duprintf(format, args...) printk(format , ## args) | ||
24 | #else | ||
25 | #define duprintf(format, args...) | ||
26 | #endif | ||
27 | |||
28 | |||
29 | /* Returns 1 if the port is matched by the range, 0 otherwise */ | 23 | /* Returns 1 if the port is matched by the range, 0 otherwise */ |
30 | static inline bool | 24 | static inline bool |
31 | port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert) | 25 | port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert) |
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option, | |||
46 | u_int8_t _opt[60 - sizeof(struct tcphdr)]; | 40 | u_int8_t _opt[60 - sizeof(struct tcphdr)]; |
47 | unsigned int i; | 41 | unsigned int i; |
48 | 42 | ||
49 | duprintf("tcp_match: finding option\n"); | 43 | pr_debug("finding option\n"); |
50 | 44 | ||
51 | if (!optlen) | 45 | if (!optlen) |
52 | return invert; | 46 | return invert; |
@@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
82 | flag overwrite to pass the direction checks. | 76 | flag overwrite to pass the direction checks. |
83 | */ | 77 | */ |
84 | if (par->fragoff == 1) { | 78 | if (par->fragoff == 1) { |
85 | duprintf("Dropping evil TCP offset=1 frag.\n"); | 79 | pr_debug("Dropping evil TCP offset=1 frag.\n"); |
86 | *par->hotdrop = true; | 80 | *par->hotdrop = true; |
87 | } | 81 | } |
88 | /* Must not be a fragment. */ | 82 | /* Must not be a fragment. */ |
@@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
95 | if (th == NULL) { | 89 | if (th == NULL) { |
96 | /* We've been asked to examine this packet, and we | 90 | /* We've been asked to examine this packet, and we |
97 | can't. Hence, no choice but to drop. */ | 91 | can't. Hence, no choice but to drop. */ |
98 | duprintf("Dropping evil TCP offset=0 tinygram.\n"); | 92 | pr_debug("Dropping evil TCP offset=0 tinygram.\n"); |
99 | *par->hotdrop = true; | 93 | *par->hotdrop = true; |
100 | return false; | 94 | return false; |
101 | } | 95 | } |
@@ -126,12 +120,12 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
126 | return true; | 120 | return true; |
127 | } | 121 | } |
128 | 122 | ||
129 | static bool tcp_mt_check(const struct xt_mtchk_param *par) | 123 | static int tcp_mt_check(const struct xt_mtchk_param *par) |
130 | { | 124 | { |
131 | const struct xt_tcp *tcpinfo = par->matchinfo; | 125 | const struct xt_tcp *tcpinfo = par->matchinfo; |
132 | 126 | ||
133 | /* Must specify no unknown invflags */ | 127 | /* Must specify no unknown invflags */ |
134 | return !(tcpinfo->invflags & ~XT_TCP_INV_MASK); | 128 | return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0; |
135 | } | 129 | } |
136 | 130 | ||
137 | static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 131 | static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
@@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
148 | if (uh == NULL) { | 142 | if (uh == NULL) { |
149 | /* We've been asked to examine this packet, and we | 143 | /* We've been asked to examine this packet, and we |
150 | can't. Hence, no choice but to drop. */ | 144 | can't. Hence, no choice but to drop. */ |
151 | duprintf("Dropping evil UDP tinygram.\n"); | 145 | pr_debug("Dropping evil UDP tinygram.\n"); |
152 | *par->hotdrop = true; | 146 | *par->hotdrop = true; |
153 | return false; | 147 | return false; |
154 | } | 148 | } |
@@ -161,12 +155,12 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
161 | !!(udpinfo->invflags & XT_UDP_INV_DSTPT)); | 155 | !!(udpinfo->invflags & XT_UDP_INV_DSTPT)); |
162 | } | 156 | } |
163 | 157 | ||
164 | static bool udp_mt_check(const struct xt_mtchk_param *par) | 158 | static int udp_mt_check(const struct xt_mtchk_param *par) |
165 | { | 159 | { |
166 | const struct xt_udp *udpinfo = par->matchinfo; | 160 | const struct xt_udp *udpinfo = par->matchinfo; |
167 | 161 | ||
168 | /* Must specify no unknown invflags */ | 162 | /* Must specify no unknown invflags */ |
169 | return !(udpinfo->invflags & ~XT_UDP_INV_MASK); | 163 | return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0; |
170 | } | 164 | } |
171 | 165 | ||
172 | static struct xt_match tcpudp_mt_reg[] __read_mostly = { | 166 | static struct xt_match tcpudp_mt_reg[] __read_mostly = { |
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c index 93acaa59d108..d8556fdda440 100644 --- a/net/netfilter/xt_time.c +++ b/net/netfilter/xt_time.c | |||
@@ -1,7 +1,6 @@ | |||
1 | /* | 1 | /* |
2 | * xt_time | 2 | * xt_time |
3 | * Copyright © CC Computer Consultants GmbH, 2007 | 3 | * Copyright © CC Computer Consultants GmbH, 2007 |
4 | * Contact: <jengelh@computergmbh.de> | ||
5 | * | 4 | * |
6 | * based on ipt_time by Fabrice MARIE <fabrice@netfilter.org> | 5 | * based on ipt_time by Fabrice MARIE <fabrice@netfilter.org> |
7 | * This is a module which is used for time matching | 6 | * This is a module which is used for time matching |
@@ -218,18 +217,18 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
218 | return true; | 217 | return true; |
219 | } | 218 | } |
220 | 219 | ||
221 | static bool time_mt_check(const struct xt_mtchk_param *par) | 220 | static int time_mt_check(const struct xt_mtchk_param *par) |
222 | { | 221 | { |
223 | const struct xt_time_info *info = par->matchinfo; | 222 | const struct xt_time_info *info = par->matchinfo; |
224 | 223 | ||
225 | if (info->daytime_start > XT_TIME_MAX_DAYTIME || | 224 | if (info->daytime_start > XT_TIME_MAX_DAYTIME || |
226 | info->daytime_stop > XT_TIME_MAX_DAYTIME) { | 225 | info->daytime_stop > XT_TIME_MAX_DAYTIME) { |
227 | printk(KERN_WARNING "xt_time: invalid argument - start or " | 226 | pr_info("invalid argument - start or " |
228 | "stop time greater than 23:59:59\n"); | 227 | "stop time greater than 23:59:59\n"); |
229 | return false; | 228 | return -EDOM; |
230 | } | 229 | } |
231 | 230 | ||
232 | return true; | 231 | return 0; |
233 | } | 232 | } |
234 | 233 | ||
235 | static struct xt_match xt_time_mt_reg __read_mostly = { | 234 | static struct xt_match xt_time_mt_reg __read_mostly = { |
@@ -264,7 +263,7 @@ static void __exit time_mt_exit(void) | |||
264 | 263 | ||
265 | module_init(time_mt_init); | 264 | module_init(time_mt_init); |
266 | module_exit(time_mt_exit); | 265 | module_exit(time_mt_exit); |
267 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 266 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
268 | MODULE_DESCRIPTION("Xtables: time-based matching"); | 267 | MODULE_DESCRIPTION("Xtables: time-based matching"); |
269 | MODULE_LICENSE("GPL"); | 268 | MODULE_LICENSE("GPL"); |
270 | MODULE_ALIAS("ipt_time"); | 269 | MODULE_ALIAS("ipt_time"); |
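Review bot: time_mt_check returns `-EDOM` for an out-of-range daytime while every other `*_mt_check` converted in this series (sctp, statistic, string, tcpudp, state) rejects bad match options with `-EINVAL`; iptables turns the errno from the rule-set setsockopt into its own message, and -EDOM is unlikely to yield a more helpful one than the generic case, so for consistency the return would better be `return -EINVAL;`. If -EDOM is intentional because it is distinguishable from the other failures, a one-line comment above the return saying so would stop the next reader from "fixing" it.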
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c index 24a527624500..d7c05f03a7e7 100644 --- a/net/netfilter/xt_u32.c +++ b/net/netfilter/xt_u32.c | |||
@@ -3,7 +3,6 @@ | |||
3 | * | 3 | * |
4 | * Original author: Don Cohen <don@isis.cs3-inc.com> | 4 | * Original author: Don Cohen <don@isis.cs3-inc.com> |
5 | * (C) CC Computer Consultants GmbH, 2007 | 5 | * (C) CC Computer Consultants GmbH, 2007 |
6 | * Contact: <jengelh@computergmbh.de> | ||
7 | */ | 6 | */ |
8 | 7 | ||
9 | #include <linux/module.h> | 8 | #include <linux/module.h> |
@@ -117,7 +116,7 @@ static void __exit u32_mt_exit(void) | |||
117 | 116 | ||
118 | module_init(u32_mt_init); | 117 | module_init(u32_mt_init); |
119 | module_exit(u32_mt_exit); | 118 | module_exit(u32_mt_exit); |
120 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 119 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
121 | MODULE_DESCRIPTION("Xtables: arbitrary byte matching"); | 120 | MODULE_DESCRIPTION("Xtables: arbitrary byte matching"); |
122 | MODULE_LICENSE("GPL"); | 121 | MODULE_LICENSE("GPL"); |
123 | MODULE_ALIAS("ipt_u32"); | 122 | MODULE_ALIAS("ipt_u32"); |
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index da27a170b6b7..03f80a0fa167 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c | |||
@@ -47,8 +47,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int | |||
47 | 47 | ||
48 | target = xt_request_find_target(AF_INET, t->u.user.name, | 48 | target = xt_request_find_target(AF_INET, t->u.user.name, |
49 | t->u.user.revision); | 49 | t->u.user.revision); |
50 | if (!target) | 50 | if (IS_ERR(target)) |
51 | return -ENOENT; | 51 | return PTR_ERR(target); |
52 | 52 | ||
53 | t->u.kernel.target = target; | 53 | t->u.kernel.target = target; |
54 | par.table = table; | 54 | par.table = table; |