diff options
Diffstat (limited to 'net')
26 files changed, 204 insertions, 920 deletions
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c index a5eea72938a6..4b988db3cd4d 100644 --- a/net/bridge/netfilter/ebtable_filter.c +++ b/net/bridge/netfilter/ebtable_filter.c | |||
@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_filter[] __read_mostly = { | |||
77 | { | 77 | { |
78 | .hook = ebt_in_hook, | 78 | .hook = ebt_in_hook, |
79 | .owner = THIS_MODULE, | 79 | .owner = THIS_MODULE, |
80 | .pf = PF_BRIDGE, | 80 | .pf = NFPROTO_BRIDGE, |
81 | .hooknum = NF_BR_LOCAL_IN, | 81 | .hooknum = NF_BR_LOCAL_IN, |
82 | .priority = NF_BR_PRI_FILTER_BRIDGED, | 82 | .priority = NF_BR_PRI_FILTER_BRIDGED, |
83 | }, | 83 | }, |
84 | { | 84 | { |
85 | .hook = ebt_in_hook, | 85 | .hook = ebt_in_hook, |
86 | .owner = THIS_MODULE, | 86 | .owner = THIS_MODULE, |
87 | .pf = PF_BRIDGE, | 87 | .pf = NFPROTO_BRIDGE, |
88 | .hooknum = NF_BR_FORWARD, | 88 | .hooknum = NF_BR_FORWARD, |
89 | .priority = NF_BR_PRI_FILTER_BRIDGED, | 89 | .priority = NF_BR_PRI_FILTER_BRIDGED, |
90 | }, | 90 | }, |
91 | { | 91 | { |
92 | .hook = ebt_out_hook, | 92 | .hook = ebt_out_hook, |
93 | .owner = THIS_MODULE, | 93 | .owner = THIS_MODULE, |
94 | .pf = PF_BRIDGE, | 94 | .pf = NFPROTO_BRIDGE, |
95 | .hooknum = NF_BR_LOCAL_OUT, | 95 | .hooknum = NF_BR_LOCAL_OUT, |
96 | .priority = NF_BR_PRI_FILTER_OTHER, | 96 | .priority = NF_BR_PRI_FILTER_OTHER, |
97 | }, | 97 | }, |
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c index 6024c551f9a9..4a98804203b0 100644 --- a/net/bridge/netfilter/ebtable_nat.c +++ b/net/bridge/netfilter/ebtable_nat.c | |||
@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_nat[] __read_mostly = { | |||
77 | { | 77 | { |
78 | .hook = ebt_nat_out, | 78 | .hook = ebt_nat_out, |
79 | .owner = THIS_MODULE, | 79 | .owner = THIS_MODULE, |
80 | .pf = PF_BRIDGE, | 80 | .pf = NFPROTO_BRIDGE, |
81 | .hooknum = NF_BR_LOCAL_OUT, | 81 | .hooknum = NF_BR_LOCAL_OUT, |
82 | .priority = NF_BR_PRI_NAT_DST_OTHER, | 82 | .priority = NF_BR_PRI_NAT_DST_OTHER, |
83 | }, | 83 | }, |
84 | { | 84 | { |
85 | .hook = ebt_nat_out, | 85 | .hook = ebt_nat_out, |
86 | .owner = THIS_MODULE, | 86 | .owner = THIS_MODULE, |
87 | .pf = PF_BRIDGE, | 87 | .pf = NFPROTO_BRIDGE, |
88 | .hooknum = NF_BR_POST_ROUTING, | 88 | .hooknum = NF_BR_POST_ROUTING, |
89 | .priority = NF_BR_PRI_NAT_SRC, | 89 | .priority = NF_BR_PRI_NAT_SRC, |
90 | }, | 90 | }, |
91 | { | 91 | { |
92 | .hook = ebt_nat_in, | 92 | .hook = ebt_nat_in, |
93 | .owner = THIS_MODULE, | 93 | .owner = THIS_MODULE, |
94 | .pf = PF_BRIDGE, | 94 | .pf = NFPROTO_BRIDGE, |
95 | .hooknum = NF_BR_PRE_ROUTING, | 95 | .hooknum = NF_BR_PRE_ROUTING, |
96 | .priority = NF_BR_PRI_NAT_DST_BRIDGED, | 96 | .priority = NF_BR_PRI_NAT_DST_BRIDGED, |
97 | }, | 97 | }, |
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 7505dff4ffdf..7bc11ffbb845 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) | 8 | * Copyright (C) 2002 David S. Miller (davem@redhat.com) |
9 | * | 9 | * |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/kernel.h> | 12 | #include <linux/kernel.h> |
13 | #include <linux/skbuff.h> | 13 | #include <linux/skbuff.h> |
14 | #include <linux/netdevice.h> | 14 | #include <linux/netdevice.h> |
@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
341 | } | 341 | } |
342 | 342 | ||
343 | /* All zeroes == unconditional rule. */ | 343 | /* All zeroes == unconditional rule. */ |
344 | static inline int unconditional(const struct arpt_arp *arp) | 344 | static inline bool unconditional(const struct arpt_arp *arp) |
345 | { | 345 | { |
346 | unsigned int i; | 346 | static const struct arpt_arp uncond; |
347 | 347 | ||
348 | for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++) | 348 | return memcmp(arp, &uncond, sizeof(uncond)) == 0; |
349 | if (((__u32 *)arp)[i]) | ||
350 | return 0; | ||
351 | |||
352 | return 1; | ||
353 | } | 349 | } |
354 | 350 | ||
355 | /* Figures out from what hook each rule can be called: returns 0 if | 351 | /* Figures out from what hook each rule can be called: returns 0 if |
@@ -537,12 +533,28 @@ out: | |||
537 | return ret; | 533 | return ret; |
538 | } | 534 | } |
539 | 535 | ||
536 | static bool check_underflow(struct arpt_entry *e) | ||
537 | { | ||
538 | const struct arpt_entry_target *t; | ||
539 | unsigned int verdict; | ||
540 | |||
541 | if (!unconditional(&e->arp)) | ||
542 | return false; | ||
543 | t = arpt_get_target(e); | ||
544 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
545 | return false; | ||
546 | verdict = ((struct arpt_standard_target *)t)->verdict; | ||
547 | verdict = -verdict - 1; | ||
548 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
549 | } | ||
550 | |||
540 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, | 551 | static inline int check_entry_size_and_hooks(struct arpt_entry *e, |
541 | struct xt_table_info *newinfo, | 552 | struct xt_table_info *newinfo, |
542 | unsigned char *base, | 553 | unsigned char *base, |
543 | unsigned char *limit, | 554 | unsigned char *limit, |
544 | const unsigned int *hook_entries, | 555 | const unsigned int *hook_entries, |
545 | const unsigned int *underflows, | 556 | const unsigned int *underflows, |
557 | unsigned int valid_hooks, | ||
546 | unsigned int *i) | 558 | unsigned int *i) |
547 | { | 559 | { |
548 | unsigned int h; | 560 | unsigned int h; |
@@ -562,15 +574,21 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
562 | 574 | ||
563 | /* Check hooks & underflows */ | 575 | /* Check hooks & underflows */ |
564 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { | 576 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { |
577 | if (!(valid_hooks & (1 << h))) | ||
578 | continue; | ||
565 | if ((unsigned char *)e - base == hook_entries[h]) | 579 | if ((unsigned char *)e - base == hook_entries[h]) |
566 | newinfo->hook_entry[h] = hook_entries[h]; | 580 | newinfo->hook_entry[h] = hook_entries[h]; |
567 | if ((unsigned char *)e - base == underflows[h]) | 581 | if ((unsigned char *)e - base == underflows[h]) { |
582 | if (!check_underflow(e)) { | ||
583 | pr_err("Underflows must be unconditional and " | ||
584 | "use the STANDARD target with " | ||
585 | "ACCEPT/DROP\n"); | ||
586 | return -EINVAL; | ||
587 | } | ||
568 | newinfo->underflow[h] = underflows[h]; | 588 | newinfo->underflow[h] = underflows[h]; |
589 | } | ||
569 | } | 590 | } |
570 | 591 | ||
571 | /* FIXME: underflows must be unconditional, standard verdicts | ||
572 | < 0 (not ARPT_RETURN). --RR */ | ||
573 | |||
574 | /* Clear counters and comefrom */ | 592 | /* Clear counters and comefrom */ |
575 | e->counters = ((struct xt_counters) { 0, 0 }); | 593 | e->counters = ((struct xt_counters) { 0, 0 }); |
576 | e->comefrom = 0; | 594 | e->comefrom = 0; |
@@ -630,7 +648,7 @@ static int translate_table(const char *name, | |||
630 | newinfo, | 648 | newinfo, |
631 | entry0, | 649 | entry0, |
632 | entry0 + size, | 650 | entry0 + size, |
633 | hook_entries, underflows, &i); | 651 | hook_entries, underflows, valid_hooks, &i); |
634 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 652 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
635 | if (ret != 0) | 653 | if (ret != 0) |
636 | return ret; | 654 | return ret; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index fdefae6b5dfc..0b43fd7ca04a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -8,6 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
11 | #include <linux/cache.h> | 12 | #include <linux/cache.h> |
12 | #include <linux/capability.h> | 13 | #include <linux/capability.h> |
13 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
@@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset) | |||
190 | 191 | ||
191 | /* All zeroes == unconditional rule. */ | 192 | /* All zeroes == unconditional rule. */ |
192 | /* Mildly perf critical (only if packet tracing is on) */ | 193 | /* Mildly perf critical (only if packet tracing is on) */ |
193 | static inline int | 194 | static inline bool unconditional(const struct ipt_ip *ip) |
194 | unconditional(const struct ipt_ip *ip) | ||
195 | { | 195 | { |
196 | unsigned int i; | 196 | static const struct ipt_ip uncond; |
197 | |||
198 | for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++) | ||
199 | if (((__u32 *)ip)[i]) | ||
200 | return 0; | ||
201 | 197 | ||
202 | return 1; | 198 | return memcmp(ip, &uncond, sizeof(uncond)) == 0; |
203 | #undef FWINV | 199 | #undef FWINV |
204 | } | 200 | } |
205 | 201 | ||
@@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb, | |||
315 | 311 | ||
316 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); | 312 | static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); |
317 | const struct iphdr *ip; | 313 | const struct iphdr *ip; |
318 | u_int16_t datalen; | ||
319 | bool hotdrop = false; | 314 | bool hotdrop = false; |
320 | /* Initializing verdict to NF_DROP keeps gcc happy. */ | 315 | /* Initializing verdict to NF_DROP keeps gcc happy. */ |
321 | unsigned int verdict = NF_DROP; | 316 | unsigned int verdict = NF_DROP; |
@@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb, | |||
328 | 323 | ||
329 | /* Initialization */ | 324 | /* Initialization */ |
330 | ip = ip_hdr(skb); | 325 | ip = ip_hdr(skb); |
331 | datalen = skb->len - ip->ihl * 4; | ||
332 | indev = in ? in->name : nulldevname; | 326 | indev = in ? in->name : nulldevname; |
333 | outdev = out ? out->name : nulldevname; | 327 | outdev = out ? out->name : nulldevname; |
334 | /* We handle fragments by dealing with the first fragment as | 328 | /* We handle fragments by dealing with the first fragment as |
@@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb, | |||
427 | #endif | 421 | #endif |
428 | /* Target might have changed stuff. */ | 422 | /* Target might have changed stuff. */ |
429 | ip = ip_hdr(skb); | 423 | ip = ip_hdr(skb); |
430 | datalen = skb->len - ip->ihl * 4; | ||
431 | |||
432 | if (verdict == IPT_CONTINUE) | 424 | if (verdict == IPT_CONTINUE) |
433 | e = ipt_next_entry(e); | 425 | e = ipt_next_entry(e); |
434 | else | 426 | else |
@@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size, | |||
716 | return ret; | 708 | return ret; |
717 | } | 709 | } |
718 | 710 | ||
711 | static bool check_underflow(struct ipt_entry *e) | ||
712 | { | ||
713 | const struct ipt_entry_target *t; | ||
714 | unsigned int verdict; | ||
715 | |||
716 | if (!unconditional(&e->ip)) | ||
717 | return false; | ||
718 | t = ipt_get_target(e); | ||
719 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
720 | return false; | ||
721 | verdict = ((struct ipt_standard_target *)t)->verdict; | ||
722 | verdict = -verdict - 1; | ||
723 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
724 | } | ||
725 | |||
719 | static int | 726 | static int |
720 | check_entry_size_and_hooks(struct ipt_entry *e, | 727 | check_entry_size_and_hooks(struct ipt_entry *e, |
721 | struct xt_table_info *newinfo, | 728 | struct xt_table_info *newinfo, |
@@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
723 | unsigned char *limit, | 730 | unsigned char *limit, |
724 | const unsigned int *hook_entries, | 731 | const unsigned int *hook_entries, |
725 | const unsigned int *underflows, | 732 | const unsigned int *underflows, |
733 | unsigned int valid_hooks, | ||
726 | unsigned int *i) | 734 | unsigned int *i) |
727 | { | 735 | { |
728 | unsigned int h; | 736 | unsigned int h; |
@@ -742,15 +750,21 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
742 | 750 | ||
743 | /* Check hooks & underflows */ | 751 | /* Check hooks & underflows */ |
744 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 752 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
753 | if (!(valid_hooks & (1 << h))) | ||
754 | continue; | ||
745 | if ((unsigned char *)e - base == hook_entries[h]) | 755 | if ((unsigned char *)e - base == hook_entries[h]) |
746 | newinfo->hook_entry[h] = hook_entries[h]; | 756 | newinfo->hook_entry[h] = hook_entries[h]; |
747 | if ((unsigned char *)e - base == underflows[h]) | 757 | if ((unsigned char *)e - base == underflows[h]) { |
758 | if (!check_underflow(e)) { | ||
759 | pr_err("Underflows must be unconditional and " | ||
760 | "use the STANDARD target with " | ||
761 | "ACCEPT/DROP\n"); | ||
762 | return -EINVAL; | ||
763 | } | ||
748 | newinfo->underflow[h] = underflows[h]; | 764 | newinfo->underflow[h] = underflows[h]; |
765 | } | ||
749 | } | 766 | } |
750 | 767 | ||
751 | /* FIXME: underflows must be unconditional, standard verdicts | ||
752 | < 0 (not IPT_RETURN). --RR */ | ||
753 | |||
754 | /* Clear counters and comefrom */ | 768 | /* Clear counters and comefrom */ |
755 | e->counters = ((struct xt_counters) { 0, 0 }); | 769 | e->counters = ((struct xt_counters) { 0, 0 }); |
756 | e->comefrom = 0; | 770 | e->comefrom = 0; |
@@ -813,7 +827,7 @@ translate_table(const char *name, | |||
813 | newinfo, | 827 | newinfo, |
814 | entry0, | 828 | entry0, |
815 | entry0 + size, | 829 | entry0 + size, |
816 | hook_entries, underflows, &i); | 830 | hook_entries, underflows, valid_hooks, &i); |
817 | if (ret != 0) | 831 | if (ret != 0) |
818 | return ret; | 832 | return ret; |
819 | 833 | ||
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c index c30a969724f8..97dbd94a8e37 100644 --- a/net/ipv4/netfilter/iptable_filter.c +++ b/net/ipv4/netfilter/iptable_filter.c | |||
@@ -57,7 +57,7 @@ static struct xt_table packet_filter = { | |||
57 | .name = "filter", | 57 | .name = "filter", |
58 | .valid_hooks = FILTER_VALID_HOOKS, | 58 | .valid_hooks = FILTER_VALID_HOOKS, |
59 | .me = THIS_MODULE, | 59 | .me = THIS_MODULE, |
60 | .af = AF_INET, | 60 | .af = NFPROTO_IPV4, |
61 | }; | 61 | }; |
62 | 62 | ||
63 | /* The work comes in here from netfilter.c. */ | 63 | /* The work comes in here from netfilter.c. */ |
@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
102 | { | 102 | { |
103 | .hook = ipt_local_in_hook, | 103 | .hook = ipt_local_in_hook, |
104 | .owner = THIS_MODULE, | 104 | .owner = THIS_MODULE, |
105 | .pf = PF_INET, | 105 | .pf = NFPROTO_IPV4, |
106 | .hooknum = NF_INET_LOCAL_IN, | 106 | .hooknum = NF_INET_LOCAL_IN, |
107 | .priority = NF_IP_PRI_FILTER, | 107 | .priority = NF_IP_PRI_FILTER, |
108 | }, | 108 | }, |
109 | { | 109 | { |
110 | .hook = ipt_hook, | 110 | .hook = ipt_hook, |
111 | .owner = THIS_MODULE, | 111 | .owner = THIS_MODULE, |
112 | .pf = PF_INET, | 112 | .pf = NFPROTO_IPV4, |
113 | .hooknum = NF_INET_FORWARD, | 113 | .hooknum = NF_INET_FORWARD, |
114 | .priority = NF_IP_PRI_FILTER, | 114 | .priority = NF_IP_PRI_FILTER, |
115 | }, | 115 | }, |
116 | { | 116 | { |
117 | .hook = ipt_local_out_hook, | 117 | .hook = ipt_local_out_hook, |
118 | .owner = THIS_MODULE, | 118 | .owner = THIS_MODULE, |
119 | .pf = PF_INET, | 119 | .pf = NFPROTO_IPV4, |
120 | .hooknum = NF_INET_LOCAL_OUT, | 120 | .hooknum = NF_INET_LOCAL_OUT, |
121 | .priority = NF_IP_PRI_FILTER, | 121 | .priority = NF_IP_PRI_FILTER, |
122 | }, | 122 | }, |
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c index 4087614d9519..28647f10aa7e 100644 --- a/net/ipv4/netfilter/iptable_mangle.c +++ b/net/ipv4/netfilter/iptable_mangle.c | |||
@@ -68,7 +68,7 @@ static struct xt_table packet_mangler = { | |||
68 | .name = "mangle", | 68 | .name = "mangle", |
69 | .valid_hooks = MANGLE_VALID_HOOKS, | 69 | .valid_hooks = MANGLE_VALID_HOOKS, |
70 | .me = THIS_MODULE, | 70 | .me = THIS_MODULE, |
71 | .af = AF_INET, | 71 | .af = NFPROTO_IPV4, |
72 | }; | 72 | }; |
73 | 73 | ||
74 | /* The work comes in here from netfilter.c. */ | 74 | /* The work comes in here from netfilter.c. */ |
@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
162 | { | 162 | { |
163 | .hook = ipt_pre_routing_hook, | 163 | .hook = ipt_pre_routing_hook, |
164 | .owner = THIS_MODULE, | 164 | .owner = THIS_MODULE, |
165 | .pf = PF_INET, | 165 | .pf = NFPROTO_IPV4, |
166 | .hooknum = NF_INET_PRE_ROUTING, | 166 | .hooknum = NF_INET_PRE_ROUTING, |
167 | .priority = NF_IP_PRI_MANGLE, | 167 | .priority = NF_IP_PRI_MANGLE, |
168 | }, | 168 | }, |
169 | { | 169 | { |
170 | .hook = ipt_local_in_hook, | 170 | .hook = ipt_local_in_hook, |
171 | .owner = THIS_MODULE, | 171 | .owner = THIS_MODULE, |
172 | .pf = PF_INET, | 172 | .pf = NFPROTO_IPV4, |
173 | .hooknum = NF_INET_LOCAL_IN, | 173 | .hooknum = NF_INET_LOCAL_IN, |
174 | .priority = NF_IP_PRI_MANGLE, | 174 | .priority = NF_IP_PRI_MANGLE, |
175 | }, | 175 | }, |
176 | { | 176 | { |
177 | .hook = ipt_forward_hook, | 177 | .hook = ipt_forward_hook, |
178 | .owner = THIS_MODULE, | 178 | .owner = THIS_MODULE, |
179 | .pf = PF_INET, | 179 | .pf = NFPROTO_IPV4, |
180 | .hooknum = NF_INET_FORWARD, | 180 | .hooknum = NF_INET_FORWARD, |
181 | .priority = NF_IP_PRI_MANGLE, | 181 | .priority = NF_IP_PRI_MANGLE, |
182 | }, | 182 | }, |
183 | { | 183 | { |
184 | .hook = ipt_local_hook, | 184 | .hook = ipt_local_hook, |
185 | .owner = THIS_MODULE, | 185 | .owner = THIS_MODULE, |
186 | .pf = PF_INET, | 186 | .pf = NFPROTO_IPV4, |
187 | .hooknum = NF_INET_LOCAL_OUT, | 187 | .hooknum = NF_INET_LOCAL_OUT, |
188 | .priority = NF_IP_PRI_MANGLE, | 188 | .priority = NF_IP_PRI_MANGLE, |
189 | }, | 189 | }, |
190 | { | 190 | { |
191 | .hook = ipt_post_routing_hook, | 191 | .hook = ipt_post_routing_hook, |
192 | .owner = THIS_MODULE, | 192 | .owner = THIS_MODULE, |
193 | .pf = PF_INET, | 193 | .pf = NFPROTO_IPV4, |
194 | .hooknum = NF_INET_POST_ROUTING, | 194 | .hooknum = NF_INET_POST_ROUTING, |
195 | .priority = NF_IP_PRI_MANGLE, | 195 | .priority = NF_IP_PRI_MANGLE, |
196 | }, | 196 | }, |
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c index e5356da1fb54..494784c999eb 100644 --- a/net/ipv4/netfilter/iptable_raw.c +++ b/net/ipv4/netfilter/iptable_raw.c | |||
@@ -40,7 +40,7 @@ static struct xt_table packet_raw = { | |||
40 | .name = "raw", | 40 | .name = "raw", |
41 | .valid_hooks = RAW_VALID_HOOKS, | 41 | .valid_hooks = RAW_VALID_HOOKS, |
42 | .me = THIS_MODULE, | 42 | .me = THIS_MODULE, |
43 | .af = AF_INET, | 43 | .af = NFPROTO_IPV4, |
44 | }; | 44 | }; |
45 | 45 | ||
46 | /* The work comes in here from netfilter.c. */ | 46 | /* The work comes in here from netfilter.c. */ |
@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook, | |||
74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { | 74 | static struct nf_hook_ops ipt_ops[] __read_mostly = { |
75 | { | 75 | { |
76 | .hook = ipt_hook, | 76 | .hook = ipt_hook, |
77 | .pf = PF_INET, | 77 | .pf = NFPROTO_IPV4, |
78 | .hooknum = NF_INET_PRE_ROUTING, | 78 | .hooknum = NF_INET_PRE_ROUTING, |
79 | .priority = NF_IP_PRI_RAW, | 79 | .priority = NF_IP_PRI_RAW, |
80 | .owner = THIS_MODULE, | 80 | .owner = THIS_MODULE, |
81 | }, | 81 | }, |
82 | { | 82 | { |
83 | .hook = ipt_local_hook, | 83 | .hook = ipt_local_hook, |
84 | .pf = PF_INET, | 84 | .pf = NFPROTO_IPV4, |
85 | .hooknum = NF_INET_LOCAL_OUT, | 85 | .hooknum = NF_INET_LOCAL_OUT, |
86 | .priority = NF_IP_PRI_RAW, | 86 | .priority = NF_IP_PRI_RAW, |
87 | .owner = THIS_MODULE, | 87 | .owner = THIS_MODULE, |
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index 29ab630f240a..8804e1a0f915 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c | |||
@@ -61,7 +61,7 @@ static struct xt_table security_table = { | |||
61 | .name = "security", | 61 | .name = "security", |
62 | .valid_hooks = SECURITY_VALID_HOOKS, | 62 | .valid_hooks = SECURITY_VALID_HOOKS, |
63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
64 | .af = AF_INET, | 64 | .af = NFPROTO_IPV4, |
65 | }; | 65 | }; |
66 | 66 | ||
67 | static unsigned int | 67 | static unsigned int |
@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = { | |||
105 | { | 105 | { |
106 | .hook = ipt_local_in_hook, | 106 | .hook = ipt_local_in_hook, |
107 | .owner = THIS_MODULE, | 107 | .owner = THIS_MODULE, |
108 | .pf = PF_INET, | 108 | .pf = NFPROTO_IPV4, |
109 | .hooknum = NF_INET_LOCAL_IN, | 109 | .hooknum = NF_INET_LOCAL_IN, |
110 | .priority = NF_IP_PRI_SECURITY, | 110 | .priority = NF_IP_PRI_SECURITY, |
111 | }, | 111 | }, |
112 | { | 112 | { |
113 | .hook = ipt_forward_hook, | 113 | .hook = ipt_forward_hook, |
114 | .owner = THIS_MODULE, | 114 | .owner = THIS_MODULE, |
115 | .pf = PF_INET, | 115 | .pf = NFPROTO_IPV4, |
116 | .hooknum = NF_INET_FORWARD, | 116 | .hooknum = NF_INET_FORWARD, |
117 | .priority = NF_IP_PRI_SECURITY, | 117 | .priority = NF_IP_PRI_SECURITY, |
118 | }, | 118 | }, |
119 | { | 119 | { |
120 | .hook = ipt_local_out_hook, | 120 | .hook = ipt_local_out_hook, |
121 | .owner = THIS_MODULE, | 121 | .owner = THIS_MODULE, |
122 | .pf = PF_INET, | 122 | .pf = NFPROTO_IPV4, |
123 | .hooknum = NF_INET_LOCAL_OUT, | 123 | .hooknum = NF_INET_LOCAL_OUT, |
124 | .priority = NF_IP_PRI_SECURITY, | 124 | .priority = NF_IP_PRI_SECURITY, |
125 | }, | 125 | }, |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 05a9bc8df536..9ac2fdc36ecc 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -158,28 +158,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = { | |||
158 | { | 158 | { |
159 | .hook = ipv4_conntrack_in, | 159 | .hook = ipv4_conntrack_in, |
160 | .owner = THIS_MODULE, | 160 | .owner = THIS_MODULE, |
161 | .pf = PF_INET, | 161 | .pf = NFPROTO_IPV4, |
162 | .hooknum = NF_INET_PRE_ROUTING, | 162 | .hooknum = NF_INET_PRE_ROUTING, |
163 | .priority = NF_IP_PRI_CONNTRACK, | 163 | .priority = NF_IP_PRI_CONNTRACK, |
164 | }, | 164 | }, |
165 | { | 165 | { |
166 | .hook = ipv4_conntrack_local, | 166 | .hook = ipv4_conntrack_local, |
167 | .owner = THIS_MODULE, | 167 | .owner = THIS_MODULE, |
168 | .pf = PF_INET, | 168 | .pf = NFPROTO_IPV4, |
169 | .hooknum = NF_INET_LOCAL_OUT, | 169 | .hooknum = NF_INET_LOCAL_OUT, |
170 | .priority = NF_IP_PRI_CONNTRACK, | 170 | .priority = NF_IP_PRI_CONNTRACK, |
171 | }, | 171 | }, |
172 | { | 172 | { |
173 | .hook = ipv4_confirm, | 173 | .hook = ipv4_confirm, |
174 | .owner = THIS_MODULE, | 174 | .owner = THIS_MODULE, |
175 | .pf = PF_INET, | 175 | .pf = NFPROTO_IPV4, |
176 | .hooknum = NF_INET_POST_ROUTING, | 176 | .hooknum = NF_INET_POST_ROUTING, |
177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 177 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
178 | }, | 178 | }, |
179 | { | 179 | { |
180 | .hook = ipv4_confirm, | 180 | .hook = ipv4_confirm, |
181 | .owner = THIS_MODULE, | 181 | .owner = THIS_MODULE, |
182 | .pf = PF_INET, | 182 | .pf = NFPROTO_IPV4, |
183 | .hooknum = NF_INET_LOCAL_IN, | 183 | .hooknum = NF_INET_LOCAL_IN, |
184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, | 184 | .priority = NF_IP_PRI_CONNTRACK_CONFIRM, |
185 | }, | 185 | }, |
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 6348a793936e..6448a9b7d6f0 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c | |||
@@ -62,7 +62,7 @@ static struct xt_table nat_table = { | |||
62 | .name = "nat", | 62 | .name = "nat", |
63 | .valid_hooks = NAT_VALID_HOOKS, | 63 | .valid_hooks = NAT_VALID_HOOKS, |
64 | .me = THIS_MODULE, | 64 | .me = THIS_MODULE, |
65 | .af = AF_INET, | 65 | .af = NFPROTO_IPV4, |
66 | }; | 66 | }; |
67 | 67 | ||
68 | /* Source NAT */ | 68 | /* Source NAT */ |
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 5567bd0d0750..5f41d017ddd8 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c | |||
@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
251 | { | 251 | { |
252 | .hook = nf_nat_in, | 252 | .hook = nf_nat_in, |
253 | .owner = THIS_MODULE, | 253 | .owner = THIS_MODULE, |
254 | .pf = PF_INET, | 254 | .pf = NFPROTO_IPV4, |
255 | .hooknum = NF_INET_PRE_ROUTING, | 255 | .hooknum = NF_INET_PRE_ROUTING, |
256 | .priority = NF_IP_PRI_NAT_DST, | 256 | .priority = NF_IP_PRI_NAT_DST, |
257 | }, | 257 | }, |
@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
259 | { | 259 | { |
260 | .hook = nf_nat_out, | 260 | .hook = nf_nat_out, |
261 | .owner = THIS_MODULE, | 261 | .owner = THIS_MODULE, |
262 | .pf = PF_INET, | 262 | .pf = NFPROTO_IPV4, |
263 | .hooknum = NF_INET_POST_ROUTING, | 263 | .hooknum = NF_INET_POST_ROUTING, |
264 | .priority = NF_IP_PRI_NAT_SRC, | 264 | .priority = NF_IP_PRI_NAT_SRC, |
265 | }, | 265 | }, |
@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
267 | { | 267 | { |
268 | .hook = nf_nat_local_fn, | 268 | .hook = nf_nat_local_fn, |
269 | .owner = THIS_MODULE, | 269 | .owner = THIS_MODULE, |
270 | .pf = PF_INET, | 270 | .pf = NFPROTO_IPV4, |
271 | .hooknum = NF_INET_LOCAL_OUT, | 271 | .hooknum = NF_INET_LOCAL_OUT, |
272 | .priority = NF_IP_PRI_NAT_DST, | 272 | .priority = NF_IP_PRI_NAT_DST, |
273 | }, | 273 | }, |
@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = { | |||
275 | { | 275 | { |
276 | .hook = nf_nat_fn, | 276 | .hook = nf_nat_fn, |
277 | .owner = THIS_MODULE, | 277 | .owner = THIS_MODULE, |
278 | .pf = PF_INET, | 278 | .pf = NFPROTO_IPV4, |
279 | .hooknum = NF_INET_LOCAL_IN, | 279 | .hooknum = NF_INET_LOCAL_IN, |
280 | .priority = NF_IP_PRI_NAT_SRC, | 280 | .priority = NF_IP_PRI_NAT_SRC, |
281 | }, | 281 | }, |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index ced1f2c0cb65..a5d0c27cc26f 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -8,7 +8,7 @@ | |||
8 | * it under the terms of the GNU General Public License version 2 as | 8 | * it under the terms of the GNU General Public License version 2 as |
9 | * published by the Free Software Foundation. | 9 | * published by the Free Software Foundation. |
10 | */ | 10 | */ |
11 | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
12 | #include <linux/capability.h> | 12 | #include <linux/capability.h> |
13 | #include <linux/in.h> | 13 | #include <linux/in.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
@@ -222,16 +222,11 @@ get_entry(void *base, unsigned int offset) | |||
222 | 222 | ||
223 | /* All zeroes == unconditional rule. */ | 223 | /* All zeroes == unconditional rule. */ |
224 | /* Mildly perf critical (only if packet tracing is on) */ | 224 | /* Mildly perf critical (only if packet tracing is on) */ |
225 | static inline int | 225 | static inline bool unconditional(const struct ip6t_ip6 *ipv6) |
226 | unconditional(const struct ip6t_ip6 *ipv6) | ||
227 | { | 226 | { |
228 | unsigned int i; | 227 | static const struct ip6t_ip6 uncond; |
229 | |||
230 | for (i = 0; i < sizeof(*ipv6); i++) | ||
231 | if (((char *)ipv6)[i]) | ||
232 | break; | ||
233 | 228 | ||
234 | return (i == sizeof(*ipv6)); | 229 | return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; |
235 | } | 230 | } |
236 | 231 | ||
237 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ | 232 | #if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \ |
@@ -745,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
745 | return ret; | 740 | return ret; |
746 | } | 741 | } |
747 | 742 | ||
743 | static bool check_underflow(struct ip6t_entry *e) | ||
744 | { | ||
745 | const struct ip6t_entry_target *t; | ||
746 | unsigned int verdict; | ||
747 | |||
748 | if (!unconditional(&e->ipv6)) | ||
749 | return false; | ||
750 | t = ip6t_get_target(e); | ||
751 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) | ||
752 | return false; | ||
753 | verdict = ((struct ip6t_standard_target *)t)->verdict; | ||
754 | verdict = -verdict - 1; | ||
755 | return verdict == NF_DROP || verdict == NF_ACCEPT; | ||
756 | } | ||
757 | |||
748 | static int | 758 | static int |
749 | check_entry_size_and_hooks(struct ip6t_entry *e, | 759 | check_entry_size_and_hooks(struct ip6t_entry *e, |
750 | struct xt_table_info *newinfo, | 760 | struct xt_table_info *newinfo, |
@@ -752,6 +762,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
752 | unsigned char *limit, | 762 | unsigned char *limit, |
753 | const unsigned int *hook_entries, | 763 | const unsigned int *hook_entries, |
754 | const unsigned int *underflows, | 764 | const unsigned int *underflows, |
765 | unsigned int valid_hooks, | ||
755 | unsigned int *i) | 766 | unsigned int *i) |
756 | { | 767 | { |
757 | unsigned int h; | 768 | unsigned int h; |
@@ -771,15 +782,21 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
771 | 782 | ||
772 | /* Check hooks & underflows */ | 783 | /* Check hooks & underflows */ |
773 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 784 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
785 | if (!(valid_hooks & (1 << h))) | ||
786 | continue; | ||
774 | if ((unsigned char *)e - base == hook_entries[h]) | 787 | if ((unsigned char *)e - base == hook_entries[h]) |
775 | newinfo->hook_entry[h] = hook_entries[h]; | 788 | newinfo->hook_entry[h] = hook_entries[h]; |
776 | if ((unsigned char *)e - base == underflows[h]) | 789 | if ((unsigned char *)e - base == underflows[h]) { |
790 | if (!check_underflow(e)) { | ||
791 | pr_err("Underflows must be unconditional and " | ||
792 | "use the STANDARD target with " | ||
793 | "ACCEPT/DROP\n"); | ||
794 | return -EINVAL; | ||
795 | } | ||
777 | newinfo->underflow[h] = underflows[h]; | 796 | newinfo->underflow[h] = underflows[h]; |
797 | } | ||
778 | } | 798 | } |
779 | 799 | ||
780 | /* FIXME: underflows must be unconditional, standard verdicts | ||
781 | < 0 (not IP6T_RETURN). --RR */ | ||
782 | |||
783 | /* Clear counters and comefrom */ | 800 | /* Clear counters and comefrom */ |
784 | e->counters = ((struct xt_counters) { 0, 0 }); | 801 | e->counters = ((struct xt_counters) { 0, 0 }); |
785 | e->comefrom = 0; | 802 | e->comefrom = 0; |
@@ -842,7 +859,7 @@ translate_table(const char *name, | |||
842 | newinfo, | 859 | newinfo, |
843 | entry0, | 860 | entry0, |
844 | entry0 + size, | 861 | entry0 + size, |
845 | hook_entries, underflows, &i); | 862 | hook_entries, underflows, valid_hooks, &i); |
846 | if (ret != 0) | 863 | if (ret != 0) |
847 | return ret; | 864 | return ret; |
848 | 865 | ||
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index ef5a0a32bf8e..0a3ae48ac4d5 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
@@ -55,7 +55,7 @@ static struct xt_table packet_filter = { | |||
55 | .name = "filter", | 55 | .name = "filter", |
56 | .valid_hooks = FILTER_VALID_HOOKS, | 56 | .valid_hooks = FILTER_VALID_HOOKS, |
57 | .me = THIS_MODULE, | 57 | .me = THIS_MODULE, |
58 | .af = AF_INET6, | 58 | .af = NFPROTO_IPV6, |
59 | }; | 59 | }; |
60 | 60 | ||
61 | /* The work comes in here from netfilter.c. */ | 61 | /* The work comes in here from netfilter.c. */ |
@@ -95,21 +95,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
95 | { | 95 | { |
96 | .hook = ip6t_in_hook, | 96 | .hook = ip6t_in_hook, |
97 | .owner = THIS_MODULE, | 97 | .owner = THIS_MODULE, |
98 | .pf = PF_INET6, | 98 | .pf = NFPROTO_IPV6, |
99 | .hooknum = NF_INET_LOCAL_IN, | 99 | .hooknum = NF_INET_LOCAL_IN, |
100 | .priority = NF_IP6_PRI_FILTER, | 100 | .priority = NF_IP6_PRI_FILTER, |
101 | }, | 101 | }, |
102 | { | 102 | { |
103 | .hook = ip6t_in_hook, | 103 | .hook = ip6t_in_hook, |
104 | .owner = THIS_MODULE, | 104 | .owner = THIS_MODULE, |
105 | .pf = PF_INET6, | 105 | .pf = NFPROTO_IPV6, |
106 | .hooknum = NF_INET_FORWARD, | 106 | .hooknum = NF_INET_FORWARD, |
107 | .priority = NF_IP6_PRI_FILTER, | 107 | .priority = NF_IP6_PRI_FILTER, |
108 | }, | 108 | }, |
109 | { | 109 | { |
110 | .hook = ip6t_local_out_hook, | 110 | .hook = ip6t_local_out_hook, |
111 | .owner = THIS_MODULE, | 111 | .owner = THIS_MODULE, |
112 | .pf = PF_INET6, | 112 | .pf = NFPROTO_IPV6, |
113 | .hooknum = NF_INET_LOCAL_OUT, | 113 | .hooknum = NF_INET_LOCAL_OUT, |
114 | .priority = NF_IP6_PRI_FILTER, | 114 | .priority = NF_IP6_PRI_FILTER, |
115 | }, | 115 | }, |
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index ab0d398a2ba7..0f49e005a8c5 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
@@ -61,7 +61,7 @@ static struct xt_table packet_mangler = { | |||
61 | .name = "mangle", | 61 | .name = "mangle", |
62 | .valid_hooks = MANGLE_VALID_HOOKS, | 62 | .valid_hooks = MANGLE_VALID_HOOKS, |
63 | .me = THIS_MODULE, | 63 | .me = THIS_MODULE, |
64 | .af = AF_INET6, | 64 | .af = NFPROTO_IPV6, |
65 | }; | 65 | }; |
66 | 66 | ||
67 | /* The work comes in here from netfilter.c. */ | 67 | /* The work comes in here from netfilter.c. */ |
@@ -136,35 +136,35 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
136 | { | 136 | { |
137 | .hook = ip6t_in_hook, | 137 | .hook = ip6t_in_hook, |
138 | .owner = THIS_MODULE, | 138 | .owner = THIS_MODULE, |
139 | .pf = PF_INET6, | 139 | .pf = NFPROTO_IPV6, |
140 | .hooknum = NF_INET_PRE_ROUTING, | 140 | .hooknum = NF_INET_PRE_ROUTING, |
141 | .priority = NF_IP6_PRI_MANGLE, | 141 | .priority = NF_IP6_PRI_MANGLE, |
142 | }, | 142 | }, |
143 | { | 143 | { |
144 | .hook = ip6t_in_hook, | 144 | .hook = ip6t_in_hook, |
145 | .owner = THIS_MODULE, | 145 | .owner = THIS_MODULE, |
146 | .pf = PF_INET6, | 146 | .pf = NFPROTO_IPV6, |
147 | .hooknum = NF_INET_LOCAL_IN, | 147 | .hooknum = NF_INET_LOCAL_IN, |
148 | .priority = NF_IP6_PRI_MANGLE, | 148 | .priority = NF_IP6_PRI_MANGLE, |
149 | }, | 149 | }, |
150 | { | 150 | { |
151 | .hook = ip6t_in_hook, | 151 | .hook = ip6t_in_hook, |
152 | .owner = THIS_MODULE, | 152 | .owner = THIS_MODULE, |
153 | .pf = PF_INET6, | 153 | .pf = NFPROTO_IPV6, |
154 | .hooknum = NF_INET_FORWARD, | 154 | .hooknum = NF_INET_FORWARD, |
155 | .priority = NF_IP6_PRI_MANGLE, | 155 | .priority = NF_IP6_PRI_MANGLE, |
156 | }, | 156 | }, |
157 | { | 157 | { |
158 | .hook = ip6t_local_out_hook, | 158 | .hook = ip6t_local_out_hook, |
159 | .owner = THIS_MODULE, | 159 | .owner = THIS_MODULE, |
160 | .pf = PF_INET6, | 160 | .pf = NFPROTO_IPV6, |
161 | .hooknum = NF_INET_LOCAL_OUT, | 161 | .hooknum = NF_INET_LOCAL_OUT, |
162 | .priority = NF_IP6_PRI_MANGLE, | 162 | .priority = NF_IP6_PRI_MANGLE, |
163 | }, | 163 | }, |
164 | { | 164 | { |
165 | .hook = ip6t_post_routing_hook, | 165 | .hook = ip6t_post_routing_hook, |
166 | .owner = THIS_MODULE, | 166 | .owner = THIS_MODULE, |
167 | .pf = PF_INET6, | 167 | .pf = NFPROTO_IPV6, |
168 | .hooknum = NF_INET_POST_ROUTING, | 168 | .hooknum = NF_INET_POST_ROUTING, |
169 | .priority = NF_IP6_PRI_MANGLE, | 169 | .priority = NF_IP6_PRI_MANGLE, |
170 | }, | 170 | }, |
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 4b792b6ca321..679865e3d5ff 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
@@ -39,7 +39,7 @@ static struct xt_table packet_raw = { | |||
39 | .name = "raw", | 39 | .name = "raw", |
40 | .valid_hooks = RAW_VALID_HOOKS, | 40 | .valid_hooks = RAW_VALID_HOOKS, |
41 | .me = THIS_MODULE, | 41 | .me = THIS_MODULE, |
42 | .af = AF_INET6, | 42 | .af = NFPROTO_IPV6, |
43 | }; | 43 | }; |
44 | 44 | ||
45 | /* The work comes in here from netfilter.c. */ | 45 | /* The work comes in here from netfilter.c. */ |
@@ -68,14 +68,14 @@ ip6t_local_out_hook(unsigned int hook, | |||
68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 68 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
69 | { | 69 | { |
70 | .hook = ip6t_pre_routing_hook, | 70 | .hook = ip6t_pre_routing_hook, |
71 | .pf = PF_INET6, | 71 | .pf = NFPROTO_IPV6, |
72 | .hooknum = NF_INET_PRE_ROUTING, | 72 | .hooknum = NF_INET_PRE_ROUTING, |
73 | .priority = NF_IP6_PRI_FIRST, | 73 | .priority = NF_IP6_PRI_FIRST, |
74 | .owner = THIS_MODULE, | 74 | .owner = THIS_MODULE, |
75 | }, | 75 | }, |
76 | { | 76 | { |
77 | .hook = ip6t_local_out_hook, | 77 | .hook = ip6t_local_out_hook, |
78 | .pf = PF_INET6, | 78 | .pf = NFPROTO_IPV6, |
79 | .hooknum = NF_INET_LOCAL_OUT, | 79 | .hooknum = NF_INET_LOCAL_OUT, |
80 | .priority = NF_IP6_PRI_FIRST, | 80 | .priority = NF_IP6_PRI_FIRST, |
81 | .owner = THIS_MODULE, | 81 | .owner = THIS_MODULE, |
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c index 0ea37ff15d56..822afabbdc88 100644 --- a/net/ipv6/netfilter/ip6table_security.c +++ b/net/ipv6/netfilter/ip6table_security.c | |||
@@ -60,7 +60,7 @@ static struct xt_table security_table = { | |||
60 | .name = "security", | 60 | .name = "security", |
61 | .valid_hooks = SECURITY_VALID_HOOKS, | 61 | .valid_hooks = SECURITY_VALID_HOOKS, |
62 | .me = THIS_MODULE, | 62 | .me = THIS_MODULE, |
63 | .af = AF_INET6, | 63 | .af = NFPROTO_IPV6, |
64 | }; | 64 | }; |
65 | 65 | ||
66 | static unsigned int | 66 | static unsigned int |
@@ -101,21 +101,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = { | |||
101 | { | 101 | { |
102 | .hook = ip6t_local_in_hook, | 102 | .hook = ip6t_local_in_hook, |
103 | .owner = THIS_MODULE, | 103 | .owner = THIS_MODULE, |
104 | .pf = PF_INET6, | 104 | .pf = NFPROTO_IPV6, |
105 | .hooknum = NF_INET_LOCAL_IN, | 105 | .hooknum = NF_INET_LOCAL_IN, |
106 | .priority = NF_IP6_PRI_SECURITY, | 106 | .priority = NF_IP6_PRI_SECURITY, |
107 | }, | 107 | }, |
108 | { | 108 | { |
109 | .hook = ip6t_forward_hook, | 109 | .hook = ip6t_forward_hook, |
110 | .owner = THIS_MODULE, | 110 | .owner = THIS_MODULE, |
111 | .pf = PF_INET6, | 111 | .pf = NFPROTO_IPV6, |
112 | .hooknum = NF_INET_FORWARD, | 112 | .hooknum = NF_INET_FORWARD, |
113 | .priority = NF_IP6_PRI_SECURITY, | 113 | .priority = NF_IP6_PRI_SECURITY, |
114 | }, | 114 | }, |
115 | { | 115 | { |
116 | .hook = ip6t_local_out_hook, | 116 | .hook = ip6t_local_out_hook, |
117 | .owner = THIS_MODULE, | 117 | .owner = THIS_MODULE, |
118 | .pf = PF_INET6, | 118 | .pf = NFPROTO_IPV6, |
119 | .hooknum = NF_INET_LOCAL_OUT, | 119 | .hooknum = NF_INET_LOCAL_OUT, |
120 | .priority = NF_IP6_PRI_SECURITY, | 120 | .priority = NF_IP6_PRI_SECURITY, |
121 | }, | 121 | }, |
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 2a15c2d66c69..a7f4cd607356 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | |||
@@ -265,42 +265,42 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { | |||
265 | { | 265 | { |
266 | .hook = ipv6_defrag, | 266 | .hook = ipv6_defrag, |
267 | .owner = THIS_MODULE, | 267 | .owner = THIS_MODULE, |
268 | .pf = PF_INET6, | 268 | .pf = NFPROTO_IPV6, |
269 | .hooknum = NF_INET_PRE_ROUTING, | 269 | .hooknum = NF_INET_PRE_ROUTING, |
270 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, | 270 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, |
271 | }, | 271 | }, |
272 | { | 272 | { |
273 | .hook = ipv6_conntrack_in, | 273 | .hook = ipv6_conntrack_in, |
274 | .owner = THIS_MODULE, | 274 | .owner = THIS_MODULE, |
275 | .pf = PF_INET6, | 275 | .pf = NFPROTO_IPV6, |
276 | .hooknum = NF_INET_PRE_ROUTING, | 276 | .hooknum = NF_INET_PRE_ROUTING, |
277 | .priority = NF_IP6_PRI_CONNTRACK, | 277 | .priority = NF_IP6_PRI_CONNTRACK, |
278 | }, | 278 | }, |
279 | { | 279 | { |
280 | .hook = ipv6_conntrack_local, | 280 | .hook = ipv6_conntrack_local, |
281 | .owner = THIS_MODULE, | 281 | .owner = THIS_MODULE, |
282 | .pf = PF_INET6, | 282 | .pf = NFPROTO_IPV6, |
283 | .hooknum = NF_INET_LOCAL_OUT, | 283 | .hooknum = NF_INET_LOCAL_OUT, |
284 | .priority = NF_IP6_PRI_CONNTRACK, | 284 | .priority = NF_IP6_PRI_CONNTRACK, |
285 | }, | 285 | }, |
286 | { | 286 | { |
287 | .hook = ipv6_defrag, | 287 | .hook = ipv6_defrag, |
288 | .owner = THIS_MODULE, | 288 | .owner = THIS_MODULE, |
289 | .pf = PF_INET6, | 289 | .pf = NFPROTO_IPV6, |
290 | .hooknum = NF_INET_LOCAL_OUT, | 290 | .hooknum = NF_INET_LOCAL_OUT, |
291 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, | 291 | .priority = NF_IP6_PRI_CONNTRACK_DEFRAG, |
292 | }, | 292 | }, |
293 | { | 293 | { |
294 | .hook = ipv6_confirm, | 294 | .hook = ipv6_confirm, |
295 | .owner = THIS_MODULE, | 295 | .owner = THIS_MODULE, |
296 | .pf = PF_INET6, | 296 | .pf = NFPROTO_IPV6, |
297 | .hooknum = NF_INET_POST_ROUTING, | 297 | .hooknum = NF_INET_POST_ROUTING, |
298 | .priority = NF_IP6_PRI_LAST, | 298 | .priority = NF_IP6_PRI_LAST, |
299 | }, | 299 | }, |
300 | { | 300 | { |
301 | .hook = ipv6_confirm, | 301 | .hook = ipv6_confirm, |
302 | .owner = THIS_MODULE, | 302 | .owner = THIS_MODULE, |
303 | .pf = PF_INET6, | 303 | .pf = NFPROTO_IPV6, |
304 | .hooknum = NF_INET_LOCAL_IN, | 304 | .hooknum = NF_INET_LOCAL_IN, |
305 | .priority = NF_IP6_PRI_LAST-1, | 305 | .priority = NF_IP6_PRI_LAST-1, |
306 | }, | 306 | }, |
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c index d6e5ab463277..593457068ae1 100644 --- a/net/netfilter/xt_CONNMARK.c +++ b/net/netfilter/xt_CONNMARK.c | |||
@@ -36,45 +36,6 @@ MODULE_ALIAS("ip6t_CONNMARK"); | |||
36 | #include <net/netfilter/nf_conntrack_ecache.h> | 36 | #include <net/netfilter/nf_conntrack_ecache.h> |
37 | 37 | ||
38 | static unsigned int | 38 | static unsigned int |
39 | connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par) | ||
40 | { | ||
41 | const struct xt_connmark_target_info *markinfo = par->targinfo; | ||
42 | struct nf_conn *ct; | ||
43 | enum ip_conntrack_info ctinfo; | ||
44 | u_int32_t diff; | ||
45 | u_int32_t mark; | ||
46 | u_int32_t newmark; | ||
47 | |||
48 | ct = nf_ct_get(skb, &ctinfo); | ||
49 | if (ct) { | ||
50 | switch(markinfo->mode) { | ||
51 | case XT_CONNMARK_SET: | ||
52 | newmark = (ct->mark & ~markinfo->mask) | markinfo->mark; | ||
53 | if (newmark != ct->mark) { | ||
54 | ct->mark = newmark; | ||
55 | nf_conntrack_event_cache(IPCT_MARK, ct); | ||
56 | } | ||
57 | break; | ||
58 | case XT_CONNMARK_SAVE: | ||
59 | newmark = (ct->mark & ~markinfo->mask) | | ||
60 | (skb->mark & markinfo->mask); | ||
61 | if (ct->mark != newmark) { | ||
62 | ct->mark = newmark; | ||
63 | nf_conntrack_event_cache(IPCT_MARK, ct); | ||
64 | } | ||
65 | break; | ||
66 | case XT_CONNMARK_RESTORE: | ||
67 | mark = skb->mark; | ||
68 | diff = (ct->mark ^ mark) & markinfo->mask; | ||
69 | skb->mark = mark ^ diff; | ||
70 | break; | ||
71 | } | ||
72 | } | ||
73 | |||
74 | return XT_CONTINUE; | ||
75 | } | ||
76 | |||
77 | static unsigned int | ||
78 | connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | 39 | connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) |
79 | { | 40 | { |
80 | const struct xt_connmark_tginfo1 *info = par->targinfo; | 41 | const struct xt_connmark_tginfo1 *info = par->targinfo; |
@@ -112,30 +73,6 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
112 | return XT_CONTINUE; | 73 | return XT_CONTINUE; |
113 | } | 74 | } |
114 | 75 | ||
115 | static bool connmark_tg_check_v0(const struct xt_tgchk_param *par) | ||
116 | { | ||
117 | const struct xt_connmark_target_info *matchinfo = par->targinfo; | ||
118 | |||
119 | if (matchinfo->mode == XT_CONNMARK_RESTORE) { | ||
120 | if (strcmp(par->table, "mangle") != 0) { | ||
121 | printk(KERN_WARNING "CONNMARK: restore can only be " | ||
122 | "called from \"mangle\" table, not \"%s\"\n", | ||
123 | par->table); | ||
124 | return false; | ||
125 | } | ||
126 | } | ||
127 | if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) { | ||
128 | printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); | ||
129 | return false; | ||
130 | } | ||
131 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | ||
132 | printk(KERN_WARNING "can't load conntrack support for " | ||
133 | "proto=%u\n", par->family); | ||
134 | return false; | ||
135 | } | ||
136 | return true; | ||
137 | } | ||
138 | |||
139 | static bool connmark_tg_check(const struct xt_tgchk_param *par) | 76 | static bool connmark_tg_check(const struct xt_tgchk_param *par) |
140 | { | 77 | { |
141 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 78 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { |
@@ -151,74 +88,25 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par) | |||
151 | nf_ct_l3proto_module_put(par->family); | 88 | nf_ct_l3proto_module_put(par->family); |
152 | } | 89 | } |
153 | 90 | ||
154 | #ifdef CONFIG_COMPAT | 91 | static struct xt_target connmark_tg_reg __read_mostly = { |
155 | struct compat_xt_connmark_target_info { | 92 | .name = "CONNMARK", |
156 | compat_ulong_t mark, mask; | 93 | .revision = 1, |
157 | u_int8_t mode; | 94 | .family = NFPROTO_UNSPEC, |
158 | u_int8_t __pad1; | 95 | .checkentry = connmark_tg_check, |
159 | u_int16_t __pad2; | 96 | .target = connmark_tg, |
160 | }; | 97 | .targetsize = sizeof(struct xt_connmark_tginfo1), |
161 | 98 | .destroy = connmark_tg_destroy, | |
162 | static void connmark_tg_compat_from_user_v0(void *dst, void *src) | 99 | .me = THIS_MODULE, |
163 | { | ||
164 | const struct compat_xt_connmark_target_info *cm = src; | ||
165 | struct xt_connmark_target_info m = { | ||
166 | .mark = cm->mark, | ||
167 | .mask = cm->mask, | ||
168 | .mode = cm->mode, | ||
169 | }; | ||
170 | memcpy(dst, &m, sizeof(m)); | ||
171 | } | ||
172 | |||
173 | static int connmark_tg_compat_to_user_v0(void __user *dst, void *src) | ||
174 | { | ||
175 | const struct xt_connmark_target_info *m = src; | ||
176 | struct compat_xt_connmark_target_info cm = { | ||
177 | .mark = m->mark, | ||
178 | .mask = m->mask, | ||
179 | .mode = m->mode, | ||
180 | }; | ||
181 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
182 | } | ||
183 | #endif /* CONFIG_COMPAT */ | ||
184 | |||
185 | static struct xt_target connmark_tg_reg[] __read_mostly = { | ||
186 | { | ||
187 | .name = "CONNMARK", | ||
188 | .revision = 0, | ||
189 | .family = NFPROTO_UNSPEC, | ||
190 | .checkentry = connmark_tg_check_v0, | ||
191 | .destroy = connmark_tg_destroy, | ||
192 | .target = connmark_tg_v0, | ||
193 | .targetsize = sizeof(struct xt_connmark_target_info), | ||
194 | #ifdef CONFIG_COMPAT | ||
195 | .compatsize = sizeof(struct compat_xt_connmark_target_info), | ||
196 | .compat_from_user = connmark_tg_compat_from_user_v0, | ||
197 | .compat_to_user = connmark_tg_compat_to_user_v0, | ||
198 | #endif | ||
199 | .me = THIS_MODULE | ||
200 | }, | ||
201 | { | ||
202 | .name = "CONNMARK", | ||
203 | .revision = 1, | ||
204 | .family = NFPROTO_UNSPEC, | ||
205 | .checkentry = connmark_tg_check, | ||
206 | .target = connmark_tg, | ||
207 | .targetsize = sizeof(struct xt_connmark_tginfo1), | ||
208 | .destroy = connmark_tg_destroy, | ||
209 | .me = THIS_MODULE, | ||
210 | }, | ||
211 | }; | 100 | }; |
212 | 101 | ||
213 | static int __init connmark_tg_init(void) | 102 | static int __init connmark_tg_init(void) |
214 | { | 103 | { |
215 | return xt_register_targets(connmark_tg_reg, | 104 | return xt_register_target(&connmark_tg_reg); |
216 | ARRAY_SIZE(connmark_tg_reg)); | ||
217 | } | 105 | } |
218 | 106 | ||
219 | static void __exit connmark_tg_exit(void) | 107 | static void __exit connmark_tg_exit(void) |
220 | { | 108 | { |
221 | xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg)); | 109 | xt_unregister_target(&connmark_tg_reg); |
222 | } | 110 | } |
223 | 111 | ||
224 | module_init(connmark_tg_init); | 112 | module_init(connmark_tg_init); |
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c index 6a347e768f86..74ce89260056 100644 --- a/net/netfilter/xt_DSCP.c +++ b/net/netfilter/xt_DSCP.c | |||
@@ -18,7 +18,6 @@ | |||
18 | 18 | ||
19 | #include <linux/netfilter/x_tables.h> | 19 | #include <linux/netfilter/x_tables.h> |
20 | #include <linux/netfilter/xt_DSCP.h> | 20 | #include <linux/netfilter/xt_DSCP.h> |
21 | #include <linux/netfilter_ipv4/ipt_TOS.h> | ||
22 | 21 | ||
23 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | 22 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); |
24 | MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification"); | 23 | MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification"); |
@@ -73,41 +72,6 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par) | |||
73 | } | 72 | } |
74 | 73 | ||
75 | static unsigned int | 74 | static unsigned int |
76 | tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par) | ||
77 | { | ||
78 | const struct ipt_tos_target_info *info = par->targinfo; | ||
79 | struct iphdr *iph = ip_hdr(skb); | ||
80 | u_int8_t oldtos; | ||
81 | |||
82 | if ((iph->tos & IPTOS_TOS_MASK) != info->tos) { | ||
83 | if (!skb_make_writable(skb, sizeof(struct iphdr))) | ||
84 | return NF_DROP; | ||
85 | |||
86 | iph = ip_hdr(skb); | ||
87 | oldtos = iph->tos; | ||
88 | iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos; | ||
89 | csum_replace2(&iph->check, htons(oldtos), htons(iph->tos)); | ||
90 | } | ||
91 | |||
92 | return XT_CONTINUE; | ||
93 | } | ||
94 | |||
95 | static bool tos_tg_check_v0(const struct xt_tgchk_param *par) | ||
96 | { | ||
97 | const struct ipt_tos_target_info *info = par->targinfo; | ||
98 | const uint8_t tos = info->tos; | ||
99 | |||
100 | if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT && | ||
101 | tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST && | ||
102 | tos != IPTOS_NORMALSVC) { | ||
103 | printk(KERN_WARNING "TOS: bad tos value %#x\n", tos); | ||
104 | return false; | ||
105 | } | ||
106 | |||
107 | return true; | ||
108 | } | ||
109 | |||
110 | static unsigned int | ||
111 | tos_tg(struct sk_buff *skb, const struct xt_target_param *par) | 75 | tos_tg(struct sk_buff *skb, const struct xt_target_param *par) |
112 | { | 76 | { |
113 | const struct xt_tos_target_info *info = par->targinfo; | 77 | const struct xt_tos_target_info *info = par->targinfo; |
@@ -168,16 +132,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = { | |||
168 | }, | 132 | }, |
169 | { | 133 | { |
170 | .name = "TOS", | 134 | .name = "TOS", |
171 | .revision = 0, | ||
172 | .family = NFPROTO_IPV4, | ||
173 | .table = "mangle", | ||
174 | .target = tos_tg_v0, | ||
175 | .targetsize = sizeof(struct ipt_tos_target_info), | ||
176 | .checkentry = tos_tg_check_v0, | ||
177 | .me = THIS_MODULE, | ||
178 | }, | ||
179 | { | ||
180 | .name = "TOS", | ||
181 | .revision = 1, | 135 | .revision = 1, |
182 | .family = NFPROTO_IPV4, | 136 | .family = NFPROTO_IPV4, |
183 | .table = "mangle", | 137 | .table = "mangle", |
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c index 67574bcfb8ac..225f8d11e173 100644 --- a/net/netfilter/xt_MARK.c +++ b/net/netfilter/xt_MARK.c | |||
@@ -25,39 +25,6 @@ MODULE_ALIAS("ipt_MARK"); | |||
25 | MODULE_ALIAS("ip6t_MARK"); | 25 | MODULE_ALIAS("ip6t_MARK"); |
26 | 26 | ||
27 | static unsigned int | 27 | static unsigned int |
28 | mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par) | ||
29 | { | ||
30 | const struct xt_mark_target_info *markinfo = par->targinfo; | ||
31 | |||
32 | skb->mark = markinfo->mark; | ||
33 | return XT_CONTINUE; | ||
34 | } | ||
35 | |||
36 | static unsigned int | ||
37 | mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par) | ||
38 | { | ||
39 | const struct xt_mark_target_info_v1 *markinfo = par->targinfo; | ||
40 | int mark = 0; | ||
41 | |||
42 | switch (markinfo->mode) { | ||
43 | case XT_MARK_SET: | ||
44 | mark = markinfo->mark; | ||
45 | break; | ||
46 | |||
47 | case XT_MARK_AND: | ||
48 | mark = skb->mark & markinfo->mark; | ||
49 | break; | ||
50 | |||
51 | case XT_MARK_OR: | ||
52 | mark = skb->mark | markinfo->mark; | ||
53 | break; | ||
54 | } | ||
55 | |||
56 | skb->mark = mark; | ||
57 | return XT_CONTINUE; | ||
58 | } | ||
59 | |||
60 | static unsigned int | ||
61 | mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | 28 | mark_tg(struct sk_buff *skb, const struct xt_target_param *par) |
62 | { | 29 | { |
63 | const struct xt_mark_tginfo2 *info = par->targinfo; | 30 | const struct xt_mark_tginfo2 *info = par->targinfo; |
@@ -66,135 +33,23 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par) | |||
66 | return XT_CONTINUE; | 33 | return XT_CONTINUE; |
67 | } | 34 | } |
68 | 35 | ||
69 | static bool mark_tg_check_v0(const struct xt_tgchk_param *par) | 36 | static struct xt_target mark_tg_reg __read_mostly = { |
70 | { | 37 | .name = "MARK", |
71 | const struct xt_mark_target_info *markinfo = par->targinfo; | 38 | .revision = 2, |
72 | 39 | .family = NFPROTO_UNSPEC, | |
73 | if (markinfo->mark > 0xffffffff) { | 40 | .target = mark_tg, |
74 | printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); | 41 | .targetsize = sizeof(struct xt_mark_tginfo2), |
75 | return false; | 42 | .me = THIS_MODULE, |
76 | } | ||
77 | return true; | ||
78 | } | ||
79 | |||
80 | static bool mark_tg_check_v1(const struct xt_tgchk_param *par) | ||
81 | { | ||
82 | const struct xt_mark_target_info_v1 *markinfo = par->targinfo; | ||
83 | |||
84 | if (markinfo->mode != XT_MARK_SET | ||
85 | && markinfo->mode != XT_MARK_AND | ||
86 | && markinfo->mode != XT_MARK_OR) { | ||
87 | printk(KERN_WARNING "MARK: unknown mode %u\n", | ||
88 | markinfo->mode); | ||
89 | return false; | ||
90 | } | ||
91 | if (markinfo->mark > 0xffffffff) { | ||
92 | printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); | ||
93 | return false; | ||
94 | } | ||
95 | return true; | ||
96 | } | ||
97 | |||
98 | #ifdef CONFIG_COMPAT | ||
99 | struct compat_xt_mark_target_info { | ||
100 | compat_ulong_t mark; | ||
101 | }; | ||
102 | |||
103 | static void mark_tg_compat_from_user_v0(void *dst, void *src) | ||
104 | { | ||
105 | const struct compat_xt_mark_target_info *cm = src; | ||
106 | struct xt_mark_target_info m = { | ||
107 | .mark = cm->mark, | ||
108 | }; | ||
109 | memcpy(dst, &m, sizeof(m)); | ||
110 | } | ||
111 | |||
112 | static int mark_tg_compat_to_user_v0(void __user *dst, void *src) | ||
113 | { | ||
114 | const struct xt_mark_target_info *m = src; | ||
115 | struct compat_xt_mark_target_info cm = { | ||
116 | .mark = m->mark, | ||
117 | }; | ||
118 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
119 | } | ||
120 | |||
121 | struct compat_xt_mark_target_info_v1 { | ||
122 | compat_ulong_t mark; | ||
123 | u_int8_t mode; | ||
124 | u_int8_t __pad1; | ||
125 | u_int16_t __pad2; | ||
126 | }; | ||
127 | |||
128 | static void mark_tg_compat_from_user_v1(void *dst, void *src) | ||
129 | { | ||
130 | const struct compat_xt_mark_target_info_v1 *cm = src; | ||
131 | struct xt_mark_target_info_v1 m = { | ||
132 | .mark = cm->mark, | ||
133 | .mode = cm->mode, | ||
134 | }; | ||
135 | memcpy(dst, &m, sizeof(m)); | ||
136 | } | ||
137 | |||
138 | static int mark_tg_compat_to_user_v1(void __user *dst, void *src) | ||
139 | { | ||
140 | const struct xt_mark_target_info_v1 *m = src; | ||
141 | struct compat_xt_mark_target_info_v1 cm = { | ||
142 | .mark = m->mark, | ||
143 | .mode = m->mode, | ||
144 | }; | ||
145 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
146 | } | ||
147 | #endif /* CONFIG_COMPAT */ | ||
148 | |||
149 | static struct xt_target mark_tg_reg[] __read_mostly = { | ||
150 | { | ||
151 | .name = "MARK", | ||
152 | .family = NFPROTO_UNSPEC, | ||
153 | .revision = 0, | ||
154 | .checkentry = mark_tg_check_v0, | ||
155 | .target = mark_tg_v0, | ||
156 | .targetsize = sizeof(struct xt_mark_target_info), | ||
157 | #ifdef CONFIG_COMPAT | ||
158 | .compatsize = sizeof(struct compat_xt_mark_target_info), | ||
159 | .compat_from_user = mark_tg_compat_from_user_v0, | ||
160 | .compat_to_user = mark_tg_compat_to_user_v0, | ||
161 | #endif | ||
162 | .table = "mangle", | ||
163 | .me = THIS_MODULE, | ||
164 | }, | ||
165 | { | ||
166 | .name = "MARK", | ||
167 | .family = NFPROTO_UNSPEC, | ||
168 | .revision = 1, | ||
169 | .checkentry = mark_tg_check_v1, | ||
170 | .target = mark_tg_v1, | ||
171 | .targetsize = sizeof(struct xt_mark_target_info_v1), | ||
172 | #ifdef CONFIG_COMPAT | ||
173 | .compatsize = sizeof(struct compat_xt_mark_target_info_v1), | ||
174 | .compat_from_user = mark_tg_compat_from_user_v1, | ||
175 | .compat_to_user = mark_tg_compat_to_user_v1, | ||
176 | #endif | ||
177 | .table = "mangle", | ||
178 | .me = THIS_MODULE, | ||
179 | }, | ||
180 | { | ||
181 | .name = "MARK", | ||
182 | .revision = 2, | ||
183 | .family = NFPROTO_UNSPEC, | ||
184 | .target = mark_tg, | ||
185 | .targetsize = sizeof(struct xt_mark_tginfo2), | ||
186 | .me = THIS_MODULE, | ||
187 | }, | ||
188 | }; | 43 | }; |
189 | 44 | ||
190 | static int __init mark_tg_init(void) | 45 | static int __init mark_tg_init(void) |
191 | { | 46 | { |
192 | return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); | 47 | return xt_register_target(&mark_tg_reg); |
193 | } | 48 | } |
194 | 49 | ||
195 | static void __exit mark_tg_exit(void) | 50 | static void __exit mark_tg_exit(void) |
196 | { | 51 | { |
197 | xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); | 52 | xt_unregister_target(&mark_tg_reg); |
198 | } | 53 | } |
199 | 54 | ||
200 | module_init(mark_tg_init); | 55 | module_init(mark_tg_init); |
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 86cacab7a4a3..122aa8b0147b 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c | |||
@@ -47,36 +47,6 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
47 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; | 47 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; |
48 | } | 48 | } |
49 | 49 | ||
50 | static bool | ||
51 | connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
52 | { | ||
53 | const struct xt_connmark_info *info = par->matchinfo; | ||
54 | const struct nf_conn *ct; | ||
55 | enum ip_conntrack_info ctinfo; | ||
56 | |||
57 | ct = nf_ct_get(skb, &ctinfo); | ||
58 | if (!ct) | ||
59 | return false; | ||
60 | |||
61 | return ((ct->mark & info->mask) == info->mark) ^ info->invert; | ||
62 | } | ||
63 | |||
64 | static bool connmark_mt_check_v0(const struct xt_mtchk_param *par) | ||
65 | { | ||
66 | const struct xt_connmark_info *cm = par->matchinfo; | ||
67 | |||
68 | if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { | ||
69 | printk(KERN_WARNING "connmark: only support 32bit mark\n"); | ||
70 | return false; | ||
71 | } | ||
72 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | ||
73 | printk(KERN_WARNING "can't load conntrack support for " | ||
74 | "proto=%u\n", par->family); | ||
75 | return false; | ||
76 | } | ||
77 | return true; | ||
78 | } | ||
79 | |||
80 | static bool connmark_mt_check(const struct xt_mtchk_param *par) | 50 | static bool connmark_mt_check(const struct xt_mtchk_param *par) |
81 | { | 51 | { |
82 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { | 52 | if (nf_ct_l3proto_try_module_get(par->family) < 0) { |
@@ -92,74 +62,25 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par) | |||
92 | nf_ct_l3proto_module_put(par->family); | 62 | nf_ct_l3proto_module_put(par->family); |
93 | } | 63 | } |
94 | 64 | ||
95 | #ifdef CONFIG_COMPAT | 65 | static struct xt_match connmark_mt_reg __read_mostly = { |
96 | struct compat_xt_connmark_info { | 66 | .name = "connmark", |
97 | compat_ulong_t mark, mask; | 67 | .revision = 1, |
98 | u_int8_t invert; | 68 | .family = NFPROTO_UNSPEC, |
99 | u_int8_t __pad1; | 69 | .checkentry = connmark_mt_check, |
100 | u_int16_t __pad2; | 70 | .match = connmark_mt, |
101 | }; | 71 | .matchsize = sizeof(struct xt_connmark_mtinfo1), |
102 | 72 | .destroy = connmark_mt_destroy, | |
103 | static void connmark_mt_compat_from_user_v0(void *dst, void *src) | 73 | .me = THIS_MODULE, |
104 | { | ||
105 | const struct compat_xt_connmark_info *cm = src; | ||
106 | struct xt_connmark_info m = { | ||
107 | .mark = cm->mark, | ||
108 | .mask = cm->mask, | ||
109 | .invert = cm->invert, | ||
110 | }; | ||
111 | memcpy(dst, &m, sizeof(m)); | ||
112 | } | ||
113 | |||
114 | static int connmark_mt_compat_to_user_v0(void __user *dst, void *src) | ||
115 | { | ||
116 | const struct xt_connmark_info *m = src; | ||
117 | struct compat_xt_connmark_info cm = { | ||
118 | .mark = m->mark, | ||
119 | .mask = m->mask, | ||
120 | .invert = m->invert, | ||
121 | }; | ||
122 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
123 | } | ||
124 | #endif /* CONFIG_COMPAT */ | ||
125 | |||
126 | static struct xt_match connmark_mt_reg[] __read_mostly = { | ||
127 | { | ||
128 | .name = "connmark", | ||
129 | .revision = 0, | ||
130 | .family = NFPROTO_UNSPEC, | ||
131 | .checkentry = connmark_mt_check_v0, | ||
132 | .match = connmark_mt_v0, | ||
133 | .destroy = connmark_mt_destroy, | ||
134 | .matchsize = sizeof(struct xt_connmark_info), | ||
135 | #ifdef CONFIG_COMPAT | ||
136 | .compatsize = sizeof(struct compat_xt_connmark_info), | ||
137 | .compat_from_user = connmark_mt_compat_from_user_v0, | ||
138 | .compat_to_user = connmark_mt_compat_to_user_v0, | ||
139 | #endif | ||
140 | .me = THIS_MODULE | ||
141 | }, | ||
142 | { | ||
143 | .name = "connmark", | ||
144 | .revision = 1, | ||
145 | .family = NFPROTO_UNSPEC, | ||
146 | .checkentry = connmark_mt_check, | ||
147 | .match = connmark_mt, | ||
148 | .matchsize = sizeof(struct xt_connmark_mtinfo1), | ||
149 | .destroy = connmark_mt_destroy, | ||
150 | .me = THIS_MODULE, | ||
151 | }, | ||
152 | }; | 74 | }; |
153 | 75 | ||
154 | static int __init connmark_mt_init(void) | 76 | static int __init connmark_mt_init(void) |
155 | { | 77 | { |
156 | return xt_register_matches(connmark_mt_reg, | 78 | return xt_register_match(&connmark_mt_reg); |
157 | ARRAY_SIZE(connmark_mt_reg)); | ||
158 | } | 79 | } |
159 | 80 | ||
160 | static void __exit connmark_mt_exit(void) | 81 | static void __exit connmark_mt_exit(void) |
161 | { | 82 | { |
162 | xt_unregister_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg)); | 83 | xt_unregister_match(&connmark_mt_reg); |
163 | } | 84 | } |
164 | 85 | ||
165 | module_init(connmark_mt_init); | 86 | module_init(connmark_mt_init); |
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index fc581800698e..6dc4652f2fe8 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c | |||
@@ -19,101 +19,12 @@ | |||
19 | 19 | ||
20 | MODULE_LICENSE("GPL"); | 20 | MODULE_LICENSE("GPL"); |
21 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); | 21 | MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); |
22 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 22 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
23 | MODULE_DESCRIPTION("Xtables: connection tracking state match"); | 23 | MODULE_DESCRIPTION("Xtables: connection tracking state match"); |
24 | MODULE_ALIAS("ipt_conntrack"); | 24 | MODULE_ALIAS("ipt_conntrack"); |
25 | MODULE_ALIAS("ip6t_conntrack"); | 25 | MODULE_ALIAS("ip6t_conntrack"); |
26 | 26 | ||
27 | static bool | 27 | static bool |
28 | conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
29 | { | ||
30 | const struct xt_conntrack_info *sinfo = par->matchinfo; | ||
31 | const struct nf_conn *ct; | ||
32 | enum ip_conntrack_info ctinfo; | ||
33 | unsigned int statebit; | ||
34 | |||
35 | ct = nf_ct_get(skb, &ctinfo); | ||
36 | |||
37 | #define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg))) | ||
38 | |||
39 | if (ct == &nf_conntrack_untracked) | ||
40 | statebit = XT_CONNTRACK_STATE_UNTRACKED; | ||
41 | else if (ct) | ||
42 | statebit = XT_CONNTRACK_STATE_BIT(ctinfo); | ||
43 | else | ||
44 | statebit = XT_CONNTRACK_STATE_INVALID; | ||
45 | |||
46 | if (sinfo->flags & XT_CONNTRACK_STATE) { | ||
47 | if (ct) { | ||
48 | if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) | ||
49 | statebit |= XT_CONNTRACK_STATE_SNAT; | ||
50 | if (test_bit(IPS_DST_NAT_BIT, &ct->status)) | ||
51 | statebit |= XT_CONNTRACK_STATE_DNAT; | ||
52 | } | ||
53 | if (FWINV((statebit & sinfo->statemask) == 0, | ||
54 | XT_CONNTRACK_STATE)) | ||
55 | return false; | ||
56 | } | ||
57 | |||
58 | if (ct == NULL) { | ||
59 | if (sinfo->flags & ~XT_CONNTRACK_STATE) | ||
60 | return false; | ||
61 | return true; | ||
62 | } | ||
63 | |||
64 | if (sinfo->flags & XT_CONNTRACK_PROTO && | ||
65 | FWINV(nf_ct_protonum(ct) != | ||
66 | sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, | ||
67 | XT_CONNTRACK_PROTO)) | ||
68 | return false; | ||
69 | |||
70 | if (sinfo->flags & XT_CONNTRACK_ORIGSRC && | ||
71 | FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip & | ||
72 | sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != | ||
73 | sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, | ||
74 | XT_CONNTRACK_ORIGSRC)) | ||
75 | return false; | ||
76 | |||
77 | if (sinfo->flags & XT_CONNTRACK_ORIGDST && | ||
78 | FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip & | ||
79 | sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != | ||
80 | sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, | ||
81 | XT_CONNTRACK_ORIGDST)) | ||
82 | return false; | ||
83 | |||
84 | if (sinfo->flags & XT_CONNTRACK_REPLSRC && | ||
85 | FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip & | ||
86 | sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != | ||
87 | sinfo->tuple[IP_CT_DIR_REPLY].src.ip, | ||
88 | XT_CONNTRACK_REPLSRC)) | ||
89 | return false; | ||
90 | |||
91 | if (sinfo->flags & XT_CONNTRACK_REPLDST && | ||
92 | FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip & | ||
93 | sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != | ||
94 | sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, | ||
95 | XT_CONNTRACK_REPLDST)) | ||
96 | return false; | ||
97 | |||
98 | if (sinfo->flags & XT_CONNTRACK_STATUS && | ||
99 | FWINV((ct->status & sinfo->statusmask) == 0, | ||
100 | XT_CONNTRACK_STATUS)) | ||
101 | return false; | ||
102 | |||
103 | if(sinfo->flags & XT_CONNTRACK_EXPIRES) { | ||
104 | unsigned long expires = timer_pending(&ct->timeout) ? | ||
105 | (ct->timeout.expires - jiffies)/HZ : 0; | ||
106 | |||
107 | if (FWINV(!(expires >= sinfo->expires_min && | ||
108 | expires <= sinfo->expires_max), | ||
109 | XT_CONNTRACK_EXPIRES)) | ||
110 | return false; | ||
111 | } | ||
112 | return true; | ||
113 | #undef FWINV | ||
114 | } | ||
115 | |||
116 | static bool | ||
117 | conntrack_addrcmp(const union nf_inet_addr *kaddr, | 28 | conntrack_addrcmp(const union nf_inet_addr *kaddr, |
118 | const union nf_inet_addr *uaddr, | 29 | const union nf_inet_addr *uaddr, |
119 | const union nf_inet_addr *umask, unsigned int l3proto) | 30 | const union nf_inet_addr *umask, unsigned int l3proto) |
@@ -337,73 +248,9 @@ static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par) | |||
337 | conntrack_mt_destroy(par); | 248 | conntrack_mt_destroy(par); |
338 | } | 249 | } |
339 | 250 | ||
340 | #ifdef CONFIG_COMPAT | ||
341 | struct compat_xt_conntrack_info | ||
342 | { | ||
343 | compat_uint_t statemask; | ||
344 | compat_uint_t statusmask; | ||
345 | struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; | ||
346 | struct in_addr sipmsk[IP_CT_DIR_MAX]; | ||
347 | struct in_addr dipmsk[IP_CT_DIR_MAX]; | ||
348 | compat_ulong_t expires_min; | ||
349 | compat_ulong_t expires_max; | ||
350 | u_int8_t flags; | ||
351 | u_int8_t invflags; | ||
352 | }; | ||
353 | |||
354 | static void conntrack_mt_compat_from_user_v0(void *dst, void *src) | ||
355 | { | ||
356 | const struct compat_xt_conntrack_info *cm = src; | ||
357 | struct xt_conntrack_info m = { | ||
358 | .statemask = cm->statemask, | ||
359 | .statusmask = cm->statusmask, | ||
360 | .expires_min = cm->expires_min, | ||
361 | .expires_max = cm->expires_max, | ||
362 | .flags = cm->flags, | ||
363 | .invflags = cm->invflags, | ||
364 | }; | ||
365 | memcpy(m.tuple, cm->tuple, sizeof(m.tuple)); | ||
366 | memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk)); | ||
367 | memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk)); | ||
368 | memcpy(dst, &m, sizeof(m)); | ||
369 | } | ||
370 | |||
371 | static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src) | ||
372 | { | ||
373 | const struct xt_conntrack_info *m = src; | ||
374 | struct compat_xt_conntrack_info cm = { | ||
375 | .statemask = m->statemask, | ||
376 | .statusmask = m->statusmask, | ||
377 | .expires_min = m->expires_min, | ||
378 | .expires_max = m->expires_max, | ||
379 | .flags = m->flags, | ||
380 | .invflags = m->invflags, | ||
381 | }; | ||
382 | memcpy(cm.tuple, m->tuple, sizeof(cm.tuple)); | ||
383 | memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk)); | ||
384 | memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk)); | ||
385 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
386 | } | ||
387 | #endif | ||
388 | |||
389 | static struct xt_match conntrack_mt_reg[] __read_mostly = { | 251 | static struct xt_match conntrack_mt_reg[] __read_mostly = { |
390 | { | 252 | { |
391 | .name = "conntrack", | 253 | .name = "conntrack", |
392 | .revision = 0, | ||
393 | .family = NFPROTO_IPV4, | ||
394 | .match = conntrack_mt_v0, | ||
395 | .checkentry = conntrack_mt_check, | ||
396 | .destroy = conntrack_mt_destroy, | ||
397 | .matchsize = sizeof(struct xt_conntrack_info), | ||
398 | .me = THIS_MODULE, | ||
399 | #ifdef CONFIG_COMPAT | ||
400 | .compatsize = sizeof(struct compat_xt_conntrack_info), | ||
401 | .compat_from_user = conntrack_mt_compat_from_user_v0, | ||
402 | .compat_to_user = conntrack_mt_compat_to_user_v0, | ||
403 | #endif | ||
404 | }, | ||
405 | { | ||
406 | .name = "conntrack", | ||
407 | .revision = 1, | 254 | .revision = 1, |
408 | .family = NFPROTO_UNSPEC, | 255 | .family = NFPROTO_UNSPEC, |
409 | .matchsize = sizeof(struct xt_conntrack_mtinfo1), | 256 | .matchsize = sizeof(struct xt_conntrack_mtinfo1), |
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c index c3f8085460d7..0280d3a8c161 100644 --- a/net/netfilter/xt_dscp.c +++ b/net/netfilter/xt_dscp.c | |||
@@ -15,7 +15,6 @@ | |||
15 | 15 | ||
16 | #include <linux/netfilter/x_tables.h> | 16 | #include <linux/netfilter/x_tables.h> |
17 | #include <linux/netfilter/xt_dscp.h> | 17 | #include <linux/netfilter/xt_dscp.h> |
18 | #include <linux/netfilter_ipv4/ipt_tos.h> | ||
19 | 18 | ||
20 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); | 19 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); |
21 | MODULE_DESCRIPTION("Xtables: DSCP/TOS field match"); | 20 | MODULE_DESCRIPTION("Xtables: DSCP/TOS field match"); |
@@ -55,14 +54,6 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par) | |||
55 | return true; | 54 | return true; |
56 | } | 55 | } |
57 | 56 | ||
58 | static bool | ||
59 | tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
60 | { | ||
61 | const struct ipt_tos_info *info = par->matchinfo; | ||
62 | |||
63 | return (ip_hdr(skb)->tos == info->tos) ^ info->invert; | ||
64 | } | ||
65 | |||
66 | static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 57 | static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
67 | { | 58 | { |
68 | const struct xt_tos_match_info *info = par->matchinfo; | 59 | const struct xt_tos_match_info *info = par->matchinfo; |
@@ -94,14 +85,6 @@ static struct xt_match dscp_mt_reg[] __read_mostly = { | |||
94 | }, | 85 | }, |
95 | { | 86 | { |
96 | .name = "tos", | 87 | .name = "tos", |
97 | .revision = 0, | ||
98 | .family = NFPROTO_IPV4, | ||
99 | .match = tos_mt_v0, | ||
100 | .matchsize = sizeof(struct ipt_tos_info), | ||
101 | .me = THIS_MODULE, | ||
102 | }, | ||
103 | { | ||
104 | .name = "tos", | ||
105 | .revision = 1, | 88 | .revision = 1, |
106 | .family = NFPROTO_IPV4, | 89 | .family = NFPROTO_IPV4, |
107 | .match = tos_mt, | 90 | .match = tos_mt, |
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c index 501f9b623188..ffc96387d556 100644 --- a/net/netfilter/xt_iprange.c +++ b/net/netfilter/xt_iprange.c | |||
@@ -14,40 +14,6 @@ | |||
14 | #include <linux/ipv6.h> | 14 | #include <linux/ipv6.h> |
15 | #include <linux/netfilter/x_tables.h> | 15 | #include <linux/netfilter/x_tables.h> |
16 | #include <linux/netfilter/xt_iprange.h> | 16 | #include <linux/netfilter/xt_iprange.h> |
17 | #include <linux/netfilter_ipv4/ipt_iprange.h> | ||
18 | |||
19 | static bool | ||
20 | iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
21 | { | ||
22 | const struct ipt_iprange_info *info = par->matchinfo; | ||
23 | const struct iphdr *iph = ip_hdr(skb); | ||
24 | |||
25 | if (info->flags & IPRANGE_SRC) { | ||
26 | if ((ntohl(iph->saddr) < ntohl(info->src.min_ip) | ||
27 | || ntohl(iph->saddr) > ntohl(info->src.max_ip)) | ||
28 | ^ !!(info->flags & IPRANGE_SRC_INV)) { | ||
29 | pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n", | ||
30 | &iph->saddr, | ||
31 | info->flags & IPRANGE_SRC_INV ? "(INV) " : "", | ||
32 | &info->src.min_ip, | ||
33 | &info->src.max_ip); | ||
34 | return false; | ||
35 | } | ||
36 | } | ||
37 | if (info->flags & IPRANGE_DST) { | ||
38 | if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip) | ||
39 | || ntohl(iph->daddr) > ntohl(info->dst.max_ip)) | ||
40 | ^ !!(info->flags & IPRANGE_DST_INV)) { | ||
41 | pr_debug("dst IP %pI4 NOT in range %s%pI4-%pI4\n", | ||
42 | &iph->daddr, | ||
43 | info->flags & IPRANGE_DST_INV ? "(INV) " : "", | ||
44 | &info->dst.min_ip, | ||
45 | &info->dst.max_ip); | ||
46 | return false; | ||
47 | } | ||
48 | } | ||
49 | return true; | ||
50 | } | ||
51 | 17 | ||
52 | static bool | 18 | static bool |
53 | iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par) | 19 | iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par) |
@@ -127,14 +93,6 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par) | |||
127 | static struct xt_match iprange_mt_reg[] __read_mostly = { | 93 | static struct xt_match iprange_mt_reg[] __read_mostly = { |
128 | { | 94 | { |
129 | .name = "iprange", | 95 | .name = "iprange", |
130 | .revision = 0, | ||
131 | .family = NFPROTO_IPV4, | ||
132 | .match = iprange_mt_v0, | ||
133 | .matchsize = sizeof(struct ipt_iprange_info), | ||
134 | .me = THIS_MODULE, | ||
135 | }, | ||
136 | { | ||
137 | .name = "iprange", | ||
138 | .revision = 1, | 96 | .revision = 1, |
139 | .family = NFPROTO_IPV4, | 97 | .family = NFPROTO_IPV4, |
140 | .match = iprange_mt4, | 98 | .match = iprange_mt4, |
@@ -164,7 +122,8 @@ static void __exit iprange_mt_exit(void) | |||
164 | module_init(iprange_mt_init); | 122 | module_init(iprange_mt_init); |
165 | module_exit(iprange_mt_exit); | 123 | module_exit(iprange_mt_exit); |
166 | MODULE_LICENSE("GPL"); | 124 | MODULE_LICENSE("GPL"); |
167 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>"); | 125 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); |
126 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); | ||
168 | MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching"); | 127 | MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching"); |
169 | MODULE_ALIAS("ipt_iprange"); | 128 | MODULE_ALIAS("ipt_iprange"); |
170 | MODULE_ALIAS("ip6t_iprange"); | 129 | MODULE_ALIAS("ip6t_iprange"); |
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c index 10b9e34bbc5b..1db07d8125f8 100644 --- a/net/netfilter/xt_mark.c +++ b/net/netfilter/xt_mark.c | |||
@@ -3,7 +3,7 @@ | |||
3 | * | 3 | * |
4 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> | 4 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> |
5 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 | 5 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 |
6 | * Jan Engelhardt <jengelh@computergmbh.de> | 6 | * Jan Engelhardt <jengelh@medozas.de> |
7 | * | 7 | * |
8 | * This program is free software; you can redistribute it and/or modify | 8 | * This program is free software; you can redistribute it and/or modify |
9 | * it under the terms of the GNU General Public License version 2 as | 9 | * it under the terms of the GNU General Public License version 2 as |
@@ -23,14 +23,6 @@ MODULE_ALIAS("ipt_mark"); | |||
23 | MODULE_ALIAS("ip6t_mark"); | 23 | MODULE_ALIAS("ip6t_mark"); |
24 | 24 | ||
25 | static bool | 25 | static bool |
26 | mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
27 | { | ||
28 | const struct xt_mark_info *info = par->matchinfo; | ||
29 | |||
30 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; | ||
31 | } | ||
32 | |||
33 | static bool | ||
34 | mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 26 | mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
35 | { | 27 | { |
36 | const struct xt_mark_mtinfo1 *info = par->matchinfo; | 28 | const struct xt_mark_mtinfo1 *info = par->matchinfo; |
@@ -38,81 +30,23 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
38 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; | 30 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; |
39 | } | 31 | } |
40 | 32 | ||
41 | static bool mark_mt_check_v0(const struct xt_mtchk_param *par) | 33 | static struct xt_match mark_mt_reg __read_mostly = { |
42 | { | 34 | .name = "mark", |
43 | const struct xt_mark_info *minfo = par->matchinfo; | 35 | .revision = 1, |
44 | 36 | .family = NFPROTO_UNSPEC, | |
45 | if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) { | 37 | .match = mark_mt, |
46 | printk(KERN_WARNING "mark: only supports 32bit mark\n"); | 38 | .matchsize = sizeof(struct xt_mark_mtinfo1), |
47 | return false; | 39 | .me = THIS_MODULE, |
48 | } | ||
49 | return true; | ||
50 | } | ||
51 | |||
52 | #ifdef CONFIG_COMPAT | ||
53 | struct compat_xt_mark_info { | ||
54 | compat_ulong_t mark, mask; | ||
55 | u_int8_t invert; | ||
56 | u_int8_t __pad1; | ||
57 | u_int16_t __pad2; | ||
58 | }; | ||
59 | |||
60 | static void mark_mt_compat_from_user_v0(void *dst, void *src) | ||
61 | { | ||
62 | const struct compat_xt_mark_info *cm = src; | ||
63 | struct xt_mark_info m = { | ||
64 | .mark = cm->mark, | ||
65 | .mask = cm->mask, | ||
66 | .invert = cm->invert, | ||
67 | }; | ||
68 | memcpy(dst, &m, sizeof(m)); | ||
69 | } | ||
70 | |||
71 | static int mark_mt_compat_to_user_v0(void __user *dst, void *src) | ||
72 | { | ||
73 | const struct xt_mark_info *m = src; | ||
74 | struct compat_xt_mark_info cm = { | ||
75 | .mark = m->mark, | ||
76 | .mask = m->mask, | ||
77 | .invert = m->invert, | ||
78 | }; | ||
79 | return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; | ||
80 | } | ||
81 | #endif /* CONFIG_COMPAT */ | ||
82 | |||
83 | static struct xt_match mark_mt_reg[] __read_mostly = { | ||
84 | { | ||
85 | .name = "mark", | ||
86 | .revision = 0, | ||
87 | .family = NFPROTO_UNSPEC, | ||
88 | .checkentry = mark_mt_check_v0, | ||
89 | .match = mark_mt_v0, | ||
90 | .matchsize = sizeof(struct xt_mark_info), | ||
91 | #ifdef CONFIG_COMPAT | ||
92 | .compatsize = sizeof(struct compat_xt_mark_info), | ||
93 | .compat_from_user = mark_mt_compat_from_user_v0, | ||
94 | .compat_to_user = mark_mt_compat_to_user_v0, | ||
95 | #endif | ||
96 | .me = THIS_MODULE, | ||
97 | }, | ||
98 | { | ||
99 | .name = "mark", | ||
100 | .revision = 1, | ||
101 | .family = NFPROTO_UNSPEC, | ||
102 | .match = mark_mt, | ||
103 | .matchsize = sizeof(struct xt_mark_mtinfo1), | ||
104 | .me = THIS_MODULE, | ||
105 | }, | ||
106 | }; | 40 | }; |
107 | 41 | ||
108 | static int __init mark_mt_init(void) | 42 | static int __init mark_mt_init(void) |
109 | { | 43 | { |
110 | return xt_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg)); | 44 | return xt_register_match(&mark_mt_reg); |
111 | } | 45 | } |
112 | 46 | ||
113 | static void __exit mark_mt_exit(void) | 47 | static void __exit mark_mt_exit(void) |
114 | { | 48 | { |
115 | xt_unregister_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg)); | 49 | xt_unregister_match(&mark_mt_reg); |
116 | } | 50 | } |
117 | 51 | ||
118 | module_init(mark_mt_init); | 52 | module_init(mark_mt_init); |
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c index 22b2a5e881ea..d24c76dffee2 100644 --- a/net/netfilter/xt_owner.c +++ b/net/netfilter/xt_owner.c | |||
@@ -5,7 +5,6 @@ | |||
5 | * (C) 2000 Marc Boucher <marc@mbsi.ca> | 5 | * (C) 2000 Marc Boucher <marc@mbsi.ca> |
6 | * | 6 | * |
7 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 | 7 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 |
8 | * <jengelh@computergmbh.de> | ||
9 | * | 8 | * |
10 | * This program is free software; you can redistribute it and/or modify | 9 | * This program is free software; you can redistribute it and/or modify |
11 | * it under the terms of the GNU General Public License version 2 as | 10 | * it under the terms of the GNU General Public License version 2 as |
@@ -17,60 +16,6 @@ | |||
17 | #include <net/sock.h> | 16 | #include <net/sock.h> |
18 | #include <linux/netfilter/x_tables.h> | 17 | #include <linux/netfilter/x_tables.h> |
19 | #include <linux/netfilter/xt_owner.h> | 18 | #include <linux/netfilter/xt_owner.h> |
20 | #include <linux/netfilter_ipv4/ipt_owner.h> | ||
21 | #include <linux/netfilter_ipv6/ip6t_owner.h> | ||
22 | |||
23 | static bool | ||
24 | owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
25 | { | ||
26 | const struct ipt_owner_info *info = par->matchinfo; | ||
27 | const struct file *filp; | ||
28 | |||
29 | if (skb->sk == NULL || skb->sk->sk_socket == NULL) | ||
30 | return false; | ||
31 | |||
32 | filp = skb->sk->sk_socket->file; | ||
33 | if (filp == NULL) | ||
34 | return false; | ||
35 | |||
36 | if (info->match & IPT_OWNER_UID) | ||
37 | if ((filp->f_cred->fsuid != info->uid) ^ | ||
38 | !!(info->invert & IPT_OWNER_UID)) | ||
39 | return false; | ||
40 | |||
41 | if (info->match & IPT_OWNER_GID) | ||
42 | if ((filp->f_cred->fsgid != info->gid) ^ | ||
43 | !!(info->invert & IPT_OWNER_GID)) | ||
44 | return false; | ||
45 | |||
46 | return true; | ||
47 | } | ||
48 | |||
49 | static bool | ||
50 | owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par) | ||
51 | { | ||
52 | const struct ip6t_owner_info *info = par->matchinfo; | ||
53 | const struct file *filp; | ||
54 | |||
55 | if (skb->sk == NULL || skb->sk->sk_socket == NULL) | ||
56 | return false; | ||
57 | |||
58 | filp = skb->sk->sk_socket->file; | ||
59 | if (filp == NULL) | ||
60 | return false; | ||
61 | |||
62 | if (info->match & IP6T_OWNER_UID) | ||
63 | if ((filp->f_cred->fsuid != info->uid) ^ | ||
64 | !!(info->invert & IP6T_OWNER_UID)) | ||
65 | return false; | ||
66 | |||
67 | if (info->match & IP6T_OWNER_GID) | ||
68 | if ((filp->f_cred->fsgid != info->gid) ^ | ||
69 | !!(info->invert & IP6T_OWNER_GID)) | ||
70 | return false; | ||
71 | |||
72 | return true; | ||
73 | } | ||
74 | 19 | ||
75 | static bool | 20 | static bool |
76 | owner_mt(const struct sk_buff *skb, const struct xt_match_param *par) | 21 | owner_mt(const struct sk_buff *skb, const struct xt_match_param *par) |
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par) | |||
107 | return true; | 52 | return true; |
108 | } | 53 | } |
109 | 54 | ||
110 | static bool owner_mt_check_v0(const struct xt_mtchk_param *par) | 55 | static struct xt_match owner_mt_reg __read_mostly = { |
111 | { | 56 | .name = "owner", |
112 | const struct ipt_owner_info *info = par->matchinfo; | 57 | .revision = 1, |
113 | 58 | .family = NFPROTO_UNSPEC, | |
114 | if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) { | 59 | .match = owner_mt, |
115 | printk(KERN_WARNING KBUILD_MODNAME | 60 | .matchsize = sizeof(struct xt_owner_match_info), |
116 | ": PID, SID and command matching is not " | 61 | .hooks = (1 << NF_INET_LOCAL_OUT) | |
117 | "supported anymore\n"); | 62 | (1 << NF_INET_POST_ROUTING), |
118 | return false; | 63 | .me = THIS_MODULE, |
119 | } | ||
120 | |||
121 | return true; | ||
122 | } | ||
123 | |||
124 | static bool owner_mt6_check_v0(const struct xt_mtchk_param *par) | ||
125 | { | ||
126 | const struct ip6t_owner_info *info = par->matchinfo; | ||
127 | |||
128 | if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) { | ||
129 | printk(KERN_WARNING KBUILD_MODNAME | ||
130 | ": PID and SID matching is not supported anymore\n"); | ||
131 | return false; | ||
132 | } | ||
133 | |||
134 | return true; | ||
135 | } | ||
136 | |||
137 | static struct xt_match owner_mt_reg[] __read_mostly = { | ||
138 | { | ||
139 | .name = "owner", | ||
140 | .revision = 0, | ||
141 | .family = NFPROTO_IPV4, | ||
142 | .match = owner_mt_v0, | ||
143 | .matchsize = sizeof(struct ipt_owner_info), | ||
144 | .checkentry = owner_mt_check_v0, | ||
145 | .hooks = (1 << NF_INET_LOCAL_OUT) | | ||
146 | (1 << NF_INET_POST_ROUTING), | ||
147 | .me = THIS_MODULE, | ||
148 | }, | ||
149 | { | ||
150 | .name = "owner", | ||
151 | .revision = 0, | ||
152 | .family = NFPROTO_IPV6, | ||
153 | .match = owner_mt6_v0, | ||
154 | .matchsize = sizeof(struct ip6t_owner_info), | ||
155 | .checkentry = owner_mt6_check_v0, | ||
156 | .hooks = (1 << NF_INET_LOCAL_OUT) | | ||
157 | (1 << NF_INET_POST_ROUTING), | ||
158 | .me = THIS_MODULE, | ||
159 | }, | ||
160 | { | ||
161 | .name = "owner", | ||
162 | .revision = 1, | ||
163 | .family = NFPROTO_UNSPEC, | ||
164 | .match = owner_mt, | ||
165 | .matchsize = sizeof(struct xt_owner_match_info), | ||
166 | .hooks = (1 << NF_INET_LOCAL_OUT) | | ||
167 | (1 << NF_INET_POST_ROUTING), | ||
168 | .me = THIS_MODULE, | ||
169 | }, | ||
170 | }; | 64 | }; |
171 | 65 | ||
172 | static int __init owner_mt_init(void) | 66 | static int __init owner_mt_init(void) |
173 | { | 67 | { |
174 | return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); | 68 | return xt_register_match(&owner_mt_reg); |
175 | } | 69 | } |
176 | 70 | ||
177 | static void __exit owner_mt_exit(void) | 71 | static void __exit owner_mt_exit(void) |
178 | { | 72 | { |
179 | xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); | 73 | xt_unregister_match(&owner_mt_reg); |
180 | } | 74 | } |
181 | 75 | ||
182 | module_init(owner_mt_init); | 76 | module_init(owner_mt_init); |
183 | module_exit(owner_mt_exit); | 77 | module_exit(owner_mt_exit); |
184 | MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); | 78 | MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); |
185 | MODULE_DESCRIPTION("Xtables: socket owner matching"); | 79 | MODULE_DESCRIPTION("Xtables: socket owner matching"); |
186 | MODULE_LICENSE("GPL"); | 80 | MODULE_LICENSE("GPL"); |
187 | MODULE_ALIAS("ipt_owner"); | 81 | MODULE_ALIAS("ipt_owner"); |