Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
e068209a
Commit
e068209a
authored
Sep 24, 2004
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge nuts.davemloft.net:/disk1/BK/nf-work-2.6
into nuts.davemloft.net:/disk1/BK/nf-2.6
parents
6caaa717
480a73d5
Changes
32
Show whitespace changes
Inline
Side-by-side
Showing
32 changed files
with
265 additions
and
300 deletions
+265
-300
include/linux/netfilter.h
include/linux/netfilter.h
+1
-1
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+11
-11
include/linux/netfilter_ipv4/ip_conntrack_core.h
include/linux/netfilter_ipv4/ip_conntrack_core.h
+3
-7
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+9
-3
include/linux/netfilter_ipv4/ip_nat.h
include/linux/netfilter_ipv4/ip_nat.h
+3
-12
include/linux/netfilter_ipv4/ip_nat_core.h
include/linux/netfilter_ipv4/ip_nat_core.h
+0
-6
include/linux/netfilter_ipv4/ip_nat_protocol.h
include/linux/netfilter_ipv4/ip_nat_protocol.h
+14
-2
include/linux/netfilter_ipv4/ipt_comment.h
include/linux/netfilter_ipv4/ipt_comment.h
+10
-0
include/linux/skbuff.h
include/linux/skbuff.h
+8
-10
include/linux/sysctl.h
include/linux/sysctl.h
+1
-0
net/core/netfilter.c
net/core/netfilter.c
+1
-1
net/core/skbuff.c
net/core/skbuff.c
+2
-0
net/ipv4/ip_output.c
net/ipv4/ip_output.c
+1
-0
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+10
-0
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+1
-6
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+42
-108
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+2
-1
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+5
-6
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+17
-18
net/ipv4/netfilter/ip_fw_compat_masq.c
net/ipv4/netfilter/ip_fw_compat_masq.c
+3
-3
net/ipv4/netfilter/ip_nat_core.c
net/ipv4/netfilter/ip_nat_core.c
+40
-80
net/ipv4/netfilter/ip_nat_proto_icmp.c
net/ipv4/netfilter/ip_nat_proto_icmp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_tcp.c
net/ipv4/netfilter/ip_nat_proto_tcp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_udp.c
net/ipv4/netfilter/ip_nat_proto_udp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_unknown.c
net/ipv4/netfilter/ip_nat_proto_unknown.c
+2
-2
net/ipv4/netfilter/ip_nat_standalone.c
net/ipv4/netfilter/ip_nat_standalone.c
+5
-10
net/ipv4/netfilter/ipt_NOTRACK.c
net/ipv4/netfilter/ipt_NOTRACK.c
+2
-1
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_REJECT.c
+6
-6
net/ipv4/netfilter/ipt_comment.c
net/ipv4/netfilter/ipt_comment.c
+59
-0
net/ipv4/netfilter/ipt_conntrack.c
net/ipv4/netfilter/ipt_conntrack.c
+1
-1
net/ipv4/netfilter/ipt_state.c
net/ipv4/netfilter/ipt_state.c
+2
-2
net/ipv6/ip6_output.c
net/ipv6/ip6_output.c
+1
-0
No files found.
include/linux/netfilter.h
View file @
e068209a
...
@@ -178,7 +178,7 @@ extern inline struct ip6t_target *
...
@@ -178,7 +178,7 @@ extern inline struct ip6t_target *
ip6t_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
ip6t_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
extern
inline
struct
arpt_target
*
extern
inline
struct
arpt_target
*
arpt_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
arpt_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
extern
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
extern
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
extern
void
nf_dump_skb
(
int
pf
,
struct
sk_buff
*
skb
);
extern
void
nf_dump_skb
(
int
pf
,
struct
sk_buff
*
skb
);
...
...
include/linux/netfilter_ipv4/ip_conntrack.h
View file @
e068209a
...
@@ -172,9 +172,6 @@ struct ip_conntrack
...
@@ -172,9 +172,6 @@ struct ip_conntrack
plus 1 for any connection(s) we are `master' for */
plus 1 for any connection(s) we are `master' for */
struct
nf_conntrack
ct_general
;
struct
nf_conntrack
ct_general
;
/* These are my tuples; original and reply */
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
/* Have we seen traffic both ways yet? (bitset) */
/* Have we seen traffic both ways yet? (bitset) */
unsigned
long
status
;
unsigned
long
status
;
...
@@ -199,12 +196,7 @@ struct ip_conntrack
...
@@ -199,12 +196,7 @@ struct ip_conntrack
/* Helper, if any. */
/* Helper, if any. */
struct
ip_conntrack_helper
*
helper
;
struct
ip_conntrack_helper
*
helper
;
/* Our various nf_ct_info structs specify *what* relation this
packet has to the conntrack */
struct
nf_ct_info
infos
[
IP_CT_NUMBER
];
/* Storage reserved for other modules: */
/* Storage reserved for other modules: */
union
ip_conntrack_proto
proto
;
union
ip_conntrack_proto
proto
;
union
ip_conntrack_help
help
;
union
ip_conntrack_help
help
;
...
@@ -220,6 +212,9 @@ struct ip_conntrack
...
@@ -220,6 +212,9 @@ struct ip_conntrack
}
nat
;
}
nat
;
#endif
/* CONFIG_IP_NF_NAT_NEEDED */
#endif
/* CONFIG_IP_NF_NAT_NEEDED */
/* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
};
};
/* get master conntrack via master expectation */
/* get master conntrack via master expectation */
...
@@ -238,8 +233,12 @@ ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
...
@@ -238,8 +233,12 @@ ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
const
struct
ip_conntrack
*
ignored_conntrack
);
const
struct
ip_conntrack
*
ignored_conntrack
);
/* Return conntrack_info and tuple hash for given skb. */
/* Return conntrack_info and tuple hash for given skb. */
extern
struct
ip_conntrack
*
static
inline
struct
ip_conntrack
*
ip_conntrack_get
(
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
*
ctinfo
);
ip_conntrack_get
(
const
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
*
ctinfo
)
{
*
ctinfo
=
skb
->
nfctinfo
;
return
(
struct
ip_conntrack
*
)
skb
->
nfct
;
}
/* decrement reference count on a conntrack */
/* decrement reference count on a conntrack */
extern
inline
void
ip_conntrack_put
(
struct
ip_conntrack
*
ct
);
extern
inline
void
ip_conntrack_put
(
struct
ip_conntrack
*
ct
);
...
@@ -306,12 +305,13 @@ struct ip_conntrack_stat
...
@@ -306,12 +305,13 @@ struct ip_conntrack_stat
unsigned
int
insert_failed
;
unsigned
int
insert_failed
;
unsigned
int
drop
;
unsigned
int
drop
;
unsigned
int
early_drop
;
unsigned
int
early_drop
;
unsigned
int
icmp_
error
;
unsigned
int
error
;
unsigned
int
expect_new
;
unsigned
int
expect_new
;
unsigned
int
expect_create
;
unsigned
int
expect_create
;
unsigned
int
expect_delete
;
unsigned
int
expect_delete
;
};
};
#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
/* eg. PROVIDES_CONNTRACK(ftp); */
/* eg. PROVIDES_CONNTRACK(ftp); */
#define PROVIDES_CONNTRACK(name) \
#define PROVIDES_CONNTRACK(name) \
...
...
include/linux/netfilter_ipv4/ip_conntrack_core.h
View file @
e068209a
...
@@ -16,10 +16,6 @@ extern int ip_conntrack_init(void);
...
@@ -16,10 +16,6 @@ extern int ip_conntrack_init(void);
extern
void
ip_conntrack_cleanup
(
void
);
extern
void
ip_conntrack_cleanup
(
void
);
struct
ip_conntrack_protocol
;
struct
ip_conntrack_protocol
;
extern
struct
ip_conntrack_protocol
*
ip_ct_find_proto
(
u_int8_t
protocol
);
/* Like above, but you already have conntrack read lock. */
extern
struct
ip_conntrack_protocol
*
__ip_ct_find_proto
(
u_int8_t
protocol
);
extern
struct
list_head
protocol_list
;
extern
int
extern
int
ip_ct_get_tuple
(
const
struct
iphdr
*
iph
,
ip_ct_get_tuple
(
const
struct
iphdr
*
iph
,
...
@@ -38,14 +34,14 @@ struct ip_conntrack_tuple_hash *
...
@@ -38,14 +34,14 @@ struct ip_conntrack_tuple_hash *
ip_conntrack_find_get
(
const
struct
ip_conntrack_tuple
*
tuple
,
ip_conntrack_find_get
(
const
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_conntrack
*
ignored_conntrack
);
const
struct
ip_conntrack
*
ignored_conntrack
);
extern
int
__ip_conntrack_confirm
(
struct
nf_ct_info
*
nfct
);
extern
int
__ip_conntrack_confirm
(
struct
sk_buff
*
skb
);
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
static
inline
int
ip_conntrack_confirm
(
struct
sk_buff
*
skb
)
static
inline
int
ip_conntrack_confirm
(
struct
sk_buff
*
skb
)
{
{
if
(
skb
->
nfct
if
(
skb
->
nfct
&&
!
is_confirmed
((
struct
ip_conntrack
*
)
skb
->
nfct
->
master
))
&&
!
is_confirmed
((
struct
ip_conntrack
*
)
skb
->
nfct
))
return
__ip_conntrack_confirm
(
skb
->
nfct
);
return
__ip_conntrack_confirm
(
skb
);
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
...
...
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
View file @
e068209a
...
@@ -7,9 +7,6 @@ struct seq_file;
...
@@ -7,9 +7,6 @@ struct seq_file;
struct
ip_conntrack_protocol
struct
ip_conntrack_protocol
{
{
/* Next pointer. */
struct
list_head
list
;
/* Protocol number. */
/* Protocol number. */
u_int8_t
proto
;
u_int8_t
proto
;
...
@@ -58,14 +55,23 @@ struct ip_conntrack_protocol
...
@@ -58,14 +55,23 @@ struct ip_conntrack_protocol
struct
module
*
me
;
struct
module
*
me
;
};
};
#define MAX_IP_CT_PROTO 256
extern
struct
ip_conntrack_protocol
*
ip_ct_protos
[
MAX_IP_CT_PROTO
];
/* Protocol registration. */
/* Protocol registration. */
extern
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
);
extern
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
);
extern
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
);
extern
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
);
static
inline
struct
ip_conntrack_protocol
*
ip_ct_find_proto
(
u_int8_t
protocol
)
{
return
ip_ct_protos
[
protocol
];
}
/* Existing built-in protocols */
/* Existing built-in protocols */
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_tcp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_tcp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_udp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_udp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_icmp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_icmp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_generic_protocol
;
extern
int
ip_conntrack_protocol_tcp_init
(
void
);
extern
int
ip_conntrack_protocol_tcp_init
(
void
);
/* Log invalid packets */
/* Log invalid packets */
...
...
include/linux/netfilter_ipv4/ip_nat.h
View file @
e068209a
...
@@ -80,27 +80,18 @@ struct ip_nat_info_manip
...
@@ -80,27 +80,18 @@ struct ip_nat_info_manip
/* Protects NAT hash tables, and NAT-private part of conntracks. */
/* Protects NAT hash tables, and NAT-private part of conntracks. */
DECLARE_RWLOCK_EXTERN
(
ip_nat_lock
);
DECLARE_RWLOCK_EXTERN
(
ip_nat_lock
);
/* Hashes for by-source and IP/protocol. */
struct
ip_nat_hash
{
struct
list_head
list
;
/* conntrack we're embedded in: NULL if not in hash. */
struct
ip_conntrack
*
conntrack
;
};
/* The structure embedded in the conntrack structure. */
/* The structure embedded in the conntrack structure. */
struct
ip_nat_info
struct
ip_nat_info
{
{
/* Set to zero when conntrack created: bitmask of maniptypes */
/* Set to zero when conntrack created: bitmask of maniptypes */
in
t
initialized
;
u_int16_
t
initialized
;
u
nsigned
in
t
num_manips
;
u
_int16_
t
num_manips
;
/* Manipulations to be done on this conntrack. */
/* Manipulations to be done on this conntrack. */
struct
ip_nat_info_manip
manips
[
IP_NAT_MAX_MANIPS
];
struct
ip_nat_info_manip
manips
[
IP_NAT_MAX_MANIPS
];
struct
ip_nat_hash
bysource
,
byipsproto
;
struct
list_head
bysource
,
byipsproto
;
/* Helper (NULL if none). */
/* Helper (NULL if none). */
struct
ip_nat_helper
*
helper
;
struct
ip_nat_helper
*
helper
;
...
...
include/linux/netfilter_ipv4/ip_nat_core.h
View file @
e068209a
...
@@ -14,8 +14,6 @@ extern unsigned int do_bindings(struct ip_conntrack *ct,
...
@@ -14,8 +14,6 @@ extern unsigned int do_bindings(struct ip_conntrack *ct,
unsigned
int
hooknum
,
unsigned
int
hooknum
,
struct
sk_buff
**
pskb
);
struct
sk_buff
**
pskb
);
extern
struct
list_head
protos
;
extern
int
icmp_reply_translation
(
struct
sk_buff
**
pskb
,
extern
int
icmp_reply_translation
(
struct
sk_buff
**
pskb
,
struct
ip_conntrack
*
conntrack
,
struct
ip_conntrack
*
conntrack
,
unsigned
int
hooknum
,
unsigned
int
hooknum
,
...
@@ -26,8 +24,4 @@ extern void replace_in_hashes(struct ip_conntrack *conntrack,
...
@@ -26,8 +24,4 @@ extern void replace_in_hashes(struct ip_conntrack *conntrack,
extern
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
extern
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
struct
ip_nat_info
*
info
);
struct
ip_nat_info
*
info
);
/* Built-in protocols. */
extern
struct
ip_nat_protocol
ip_nat_protocol_tcp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_udp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_icmp
;
#endif
/* _IP_NAT_CORE_H */
#endif
/* _IP_NAT_CORE_H */
include/linux/netfilter_ipv4/ip_nat_protocol.h
View file @
e068209a
...
@@ -9,8 +9,6 @@ struct ip_nat_range;
...
@@ -9,8 +9,6 @@ struct ip_nat_range;
struct
ip_nat_protocol
struct
ip_nat_protocol
{
{
struct
list_head
list
;
/* Protocol name */
/* Protocol name */
const
char
*
name
;
const
char
*
name
;
...
@@ -47,10 +45,24 @@ struct ip_nat_protocol
...
@@ -47,10 +45,24 @@ struct ip_nat_protocol
const
struct
ip_nat_range
*
range
);
const
struct
ip_nat_range
*
range
);
};
};
#define MAX_IP_NAT_PROTO 256
extern
struct
ip_nat_protocol
*
ip_nat_protos
[
MAX_IP_NAT_PROTO
];
/* Protocol registration. */
/* Protocol registration. */
extern
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
);
extern
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
);
extern
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
);
extern
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
);
static
inline
struct
ip_nat_protocol
*
ip_nat_find_proto
(
u_int8_t
protocol
)
{
return
ip_nat_protos
[
protocol
];
}
/* Built-in protocols. */
extern
struct
ip_nat_protocol
ip_nat_protocol_tcp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_udp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_icmp
;
extern
struct
ip_nat_protocol
ip_nat_unknown_protocol
;
extern
int
init_protocols
(
void
)
__init
;
extern
int
init_protocols
(
void
)
__init
;
extern
void
cleanup_protocols
(
void
);
extern
void
cleanup_protocols
(
void
);
extern
struct
ip_nat_protocol
*
find_nat_proto
(
u_int16_t
protonum
);
extern
struct
ip_nat_protocol
*
find_nat_proto
(
u_int16_t
protonum
);
...
...
include/linux/netfilter_ipv4/ipt_comment.h
0 → 100644
View file @
e068209a
#ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H
#define IPT_MAX_COMMENT_LEN 256
struct
ipt_comment_info
{
unsigned
char
comment
[
IPT_MAX_COMMENT_LEN
];
};
#endif
/* _IPT_COMMENT_H */
include/linux/skbuff.h
View file @
e068209a
...
@@ -97,10 +97,6 @@ struct nf_conntrack {
...
@@ -97,10 +97,6 @@ struct nf_conntrack {
void
(
*
destroy
)(
struct
nf_conntrack
*
);
void
(
*
destroy
)(
struct
nf_conntrack
*
);
};
};
struct
nf_ct_info
{
struct
nf_conntrack
*
master
;
};
#ifdef CONFIG_BRIDGE_NETFILTER
#ifdef CONFIG_BRIDGE_NETFILTER
struct
nf_bridge_info
{
struct
nf_bridge_info
{
atomic_t
use
;
atomic_t
use
;
...
@@ -186,6 +182,7 @@ struct skb_shared_info {
...
@@ -186,6 +182,7 @@ struct skb_shared_info {
* @nfmark: Can be used for communication between hooks
* @nfmark: Can be used for communication between hooks
* @nfcache: Cache info
* @nfcache: Cache info
* @nfct: Associated connection, if any
* @nfct: Associated connection, if any
* @nfctinfo: Relationship of this skb to the connection
* @nf_debug: Netfilter debugging
* @nf_debug: Netfilter debugging
* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
* @private: Data which is private to the HIPPI implementation
* @private: Data which is private to the HIPPI implementation
...
@@ -253,7 +250,8 @@ struct sk_buff {
...
@@ -253,7 +250,8 @@ struct sk_buff {
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_NETFILTER
unsigned
long
nfmark
;
unsigned
long
nfmark
;
__u32
nfcache
;
__u32
nfcache
;
struct
nf_ct_info
*
nfct
;
struct
nf_conntrack
*
nfct
;
__u32
nfctinfo
;
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
unsigned
int
nf_debug
;
unsigned
int
nf_debug
;
#endif
#endif
...
@@ -1141,15 +1139,15 @@ extern int skb_iter_next(const struct sk_buff *skb, struct skb_iter *i);
...
@@ -1141,15 +1139,15 @@ extern int skb_iter_next(const struct sk_buff *skb, struct skb_iter *i);
extern
void
skb_iter_abort
(
const
struct
sk_buff
*
skb
,
struct
skb_iter
*
i
);
extern
void
skb_iter_abort
(
const
struct
sk_buff
*
skb
,
struct
skb_iter
*
i
);
#ifdef CONFIG_NETFILTER
#ifdef CONFIG_NETFILTER
static
inline
void
nf_conntrack_put
(
struct
nf_c
t_info
*
nfct
)
static
inline
void
nf_conntrack_put
(
struct
nf_c
onntrack
*
nfct
)
{
{
if
(
nfct
&&
atomic_dec_and_test
(
&
nfct
->
master
->
use
))
if
(
nfct
&&
atomic_dec_and_test
(
&
nfct
->
use
))
nfct
->
master
->
destroy
(
nfct
->
master
);
nfct
->
destroy
(
nfct
);
}
}
static
inline
void
nf_conntrack_get
(
struct
nf_c
t_info
*
nfct
)
static
inline
void
nf_conntrack_get
(
struct
nf_c
onntrack
*
nfct
)
{
{
if
(
nfct
)
if
(
nfct
)
atomic_inc
(
&
nfct
->
master
->
use
);
atomic_inc
(
&
nfct
->
use
);
}
}
static
inline
void
nf_reset
(
struct
sk_buff
*
skb
)
static
inline
void
nf_reset
(
struct
sk_buff
*
skb
)
{
{
...
...
include/linux/sysctl.h
View file @
e068209a
...
@@ -424,6 +424,7 @@ enum
...
@@ -424,6 +424,7 @@ enum
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT
=
24
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT
=
24
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD
=
25
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD
=
25
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT
=
26
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT
=
26
,
NET_IPV4_NF_CONNTRACK_COUNT
=
27
,
};
};
/* /proc/sys/net/ipv6 */
/* /proc/sys/net/ipv6 */
...
...
net/core/netfilter.c
View file @
e068209a
...
@@ -806,7 +806,7 @@ EXPORT_SYMBOL(nf_log_packet);
...
@@ -806,7 +806,7 @@ EXPORT_SYMBOL(nf_log_packet);
tracking in use: without this, connection may not be in hash table,
tracking in use: without this, connection may not be in hash table,
and hence manufactured ICMP or RST packets will not be associated
and hence manufactured ICMP or RST packets will not be associated
with it. */
with it. */
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
void
__init
netfilter_init
(
void
)
void
__init
netfilter_init
(
void
)
{
{
...
...
net/core/skbuff.c
View file @
e068209a
...
@@ -311,6 +311,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
...
@@ -311,6 +311,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
C
(
nfcache
);
C
(
nfcache
);
C
(
nfct
);
C
(
nfct
);
nf_conntrack_get
(
skb
->
nfct
);
nf_conntrack_get
(
skb
->
nfct
);
C
(
nfctinfo
);
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
C
(
nf_debug
);
C
(
nf_debug
);
#endif
#endif
...
@@ -377,6 +378,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
...
@@ -377,6 +378,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new
->
nfcache
=
old
->
nfcache
;
new
->
nfcache
=
old
->
nfcache
;
new
->
nfct
=
old
->
nfct
;
new
->
nfct
=
old
->
nfct
;
nf_conntrack_get
(
old
->
nfct
);
nf_conntrack_get
(
old
->
nfct
);
new
->
nfctinfo
=
old
->
nfctinfo
;
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
new
->
nf_debug
=
old
->
nf_debug
;
new
->
nf_debug
=
old
->
nf_debug
;
#endif
#endif
...
...
net/ipv4/ip_output.c
View file @
e068209a
...
@@ -422,6 +422,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
...
@@ -422,6 +422,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
nf_conntrack_put
(
to
->
nfct
);
nf_conntrack_put
(
to
->
nfct
);
to
->
nfct
=
from
->
nfct
;
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
nf_conntrack_get
(
to
->
nfct
);
to
->
nfctinfo
=
from
->
nfctinfo
;
#ifdef CONFIG_BRIDGE_NETFILTER
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
to
->
nf_bridge
);
nf_bridge_put
(
to
->
nf_bridge
);
to
->
nf_bridge
=
from
->
nf_bridge
;
to
->
nf_bridge
=
from
->
nf_bridge
;
...
...
net/ipv4/netfilter/Kconfig
View file @
e068209a
...
@@ -332,6 +332,16 @@ config IP_NF_MATCH_SCTP
...
@@ -332,6 +332,16 @@ config IP_NF_MATCH_SCTP
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
Documentation/modules.txt. If unsure, say `N'.
config IP_NF_MATCH_COMMENT
tristate 'comment match support'
depends on IP_NF_IPTABLES
help
This option adds a `comment' dummy-match, which allows you to put
comments in your iptables ruleset.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
# `filter', generic and specific targets
# `filter', generic and specific targets
config IP_NF_FILTER
config IP_NF_FILTER
tristate "Packet filtering"
tristate "Packet filtering"
...
...
net/ipv4/netfilter/Makefile
View file @
e068209a
...
@@ -50,28 +50,23 @@ obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
...
@@ -50,28 +50,23 @@ obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
obj-$(CONFIG_IP_NF_MATCH_MARK)
+=
ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MARK)
+=
ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC)
+=
ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_MAC)
+=
ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE)
+=
ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE)
+=
ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE)
+=
ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE)
+=
ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT)
+=
ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT)
+=
ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER)
+=
ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_OWNER)
+=
ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS)
+=
ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_TOS)
+=
ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_RECENT)
+=
ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_RECENT)
+=
ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_ECN)
+=
ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_ECN)
+=
ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP)
+=
ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_DSCP)
+=
ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP)
+=
ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP)
+=
ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH)
+=
ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH)
+=
ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL)
+=
ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_TTL)
+=
ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK)
+=
ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK)
+=
ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM)
+=
ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_REALM)
+=
ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE)
+=
ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE)
+=
ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV)
+=
ipt_physdev.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV)
+=
ipt_physdev.o
obj-$(CONFIG_IP_NF_MATCH_COMMENT)
+=
ipt_comment.o
# targets
# targets
obj-$(CONFIG_IP_NF_TARGET_REJECT)
+=
ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_REJECT)
+=
ipt_REJECT.o
...
...
net/ipv4/netfilter/ip_conntrack_core.c
View file @
e068209a
...
@@ -66,7 +66,7 @@ EXPORT_SYMBOL(ip_conntrack_count);
...
@@ -66,7 +66,7 @@ EXPORT_SYMBOL(ip_conntrack_count);
void
(
*
ip_conntrack_destroyed
)(
struct
ip_conntrack
*
conntrack
)
=
NULL
;
void
(
*
ip_conntrack_destroyed
)(
struct
ip_conntrack
*
conntrack
)
=
NULL
;
LIST_HEAD
(
ip_conntrack_expect_list
);
LIST_HEAD
(
ip_conntrack_expect_list
);
LIST_HEAD
(
protocol_list
)
;
struct
ip_conntrack_protocol
*
ip_ct_protos
[
MAX_IP_CT_PROTO
]
;
static
LIST_HEAD
(
helpers
);
static
LIST_HEAD
(
helpers
);
unsigned
int
ip_conntrack_htable_size
=
0
;
unsigned
int
ip_conntrack_htable_size
=
0
;
int
ip_conntrack_max
;
int
ip_conntrack_max
;
...
@@ -77,45 +77,11 @@ struct ip_conntrack ip_conntrack_untracked;
...
@@ -77,45 +77,11 @@ struct ip_conntrack ip_conntrack_untracked;
DEFINE_PER_CPU
(
struct
ip_conntrack_stat
,
ip_conntrack_stat
);
DEFINE_PER_CPU
(
struct
ip_conntrack_stat
,
ip_conntrack_stat
);
extern
struct
ip_conntrack_protocol
ip_conntrack_generic_protocol
;
static
inline
int
proto_cmpfn
(
const
struct
ip_conntrack_protocol
*
curr
,
u_int8_t
protocol
)
{
return
protocol
==
curr
->
proto
;
}
struct
ip_conntrack_protocol
*
__ip_ct_find_proto
(
u_int8_t
protocol
)
{
struct
ip_conntrack_protocol
*
p
;
MUST_BE_READ_LOCKED
(
&
ip_conntrack_lock
);
p
=
LIST_FIND
(
&
protocol_list
,
proto_cmpfn
,
struct
ip_conntrack_protocol
*
,
protocol
);
if
(
!
p
)
p
=
&
ip_conntrack_generic_protocol
;
return
p
;
}
struct
ip_conntrack_protocol
*
ip_ct_find_proto
(
u_int8_t
protocol
)
{
struct
ip_conntrack_protocol
*
p
;
READ_LOCK
(
&
ip_conntrack_lock
);
p
=
__ip_ct_find_proto
(
protocol
);
READ_UNLOCK
(
&
ip_conntrack_lock
);
return
p
;
}
inline
void
inline
void
ip_conntrack_put
(
struct
ip_conntrack
*
ct
)
ip_conntrack_put
(
struct
ip_conntrack
*
ct
)
{
{
IP_NF_ASSERT
(
ct
);
IP_NF_ASSERT
(
ct
);
IP_NF_ASSERT
(
ct
->
infos
[
0
].
master
);
nf_conntrack_put
(
&
ct
->
ct_general
);
/* nf_conntrack_put wants to go via an info struct, so feed it
one at random. */
nf_conntrack_put
(
&
ct
->
infos
[
0
]);
}
}
static
int
ip_conntrack_hash_rnd_initted
;
static
int
ip_conntrack_hash_rnd_initted
;
...
@@ -185,7 +151,7 @@ destroy_expect(struct ip_conntrack_expect *exp)
...
@@ -185,7 +151,7 @@ destroy_expect(struct ip_conntrack_expect *exp)
IP_NF_ASSERT
(
!
timer_pending
(
&
exp
->
timeout
));
IP_NF_ASSERT
(
!
timer_pending
(
&
exp
->
timeout
));
kmem_cache_free
(
ip_conntrack_expect_cachep
,
exp
);
kmem_cache_free
(
ip_conntrack_expect_cachep
,
exp
);
__get_cpu_var
(
ip_conntrack_stat
).
expect_delete
++
;
CONNTRACK_STAT_INC
(
expect_delete
)
;
}
}
inline
void
ip_conntrack_expect_put
(
struct
ip_conntrack_expect
*
exp
)
inline
void
ip_conntrack_expect_put
(
struct
ip_conntrack_expect
*
exp
)
...
@@ -354,14 +320,14 @@ destroy_conntrack(struct nf_conntrack *nfct)
...
@@ -354,14 +320,14 @@ destroy_conntrack(struct nf_conntrack *nfct)
DEBUGP
(
"destroy_conntrack: returning ct=%p to slab
\n
"
,
ct
);
DEBUGP
(
"destroy_conntrack: returning ct=%p to slab
\n
"
,
ct
);
kmem_cache_free
(
ip_conntrack_cachep
,
ct
);
kmem_cache_free
(
ip_conntrack_cachep
,
ct
);
atomic_dec
(
&
ip_conntrack_count
);
atomic_dec
(
&
ip_conntrack_count
);
__get_cpu_var
(
ip_conntrack_stat
).
delete
++
;
CONNTRACK_STAT_INC
(
delete
)
;
}
}
static
void
death_by_timeout
(
unsigned
long
ul_conntrack
)
static
void
death_by_timeout
(
unsigned
long
ul_conntrack
)
{
{
struct
ip_conntrack
*
ct
=
(
void
*
)
ul_conntrack
;
struct
ip_conntrack
*
ct
=
(
void
*
)
ul_conntrack
;
__get_cpu_var
(
ip_conntrack_stat
).
delete_list
++
;
CONNTRACK_STAT_INC
(
delete_list
)
;
WRITE_LOCK
(
&
ip_conntrack_lock
);
WRITE_LOCK
(
&
ip_conntrack_lock
);
clean_from_lists
(
ct
);
clean_from_lists
(
ct
);
...
@@ -416,36 +382,15 @@ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
...
@@ -416,36 +382,15 @@ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
return
h
;
return
h
;
}
}
static
inline
struct
ip_conntrack
*
/* Confirm a connection given skb; places it in hash table */
__ip_conntrack_get
(
struct
nf_ct_info
*
nfct
,
enum
ip_conntrack_info
*
ctinfo
)
{
struct
ip_conntrack
*
ct
=
(
struct
ip_conntrack
*
)
nfct
->
master
;
/* ctinfo is the index of the nfct inside the conntrack */
*
ctinfo
=
nfct
-
ct
->
infos
;
IP_NF_ASSERT
(
*
ctinfo
>=
0
&&
*
ctinfo
<
IP_CT_NUMBER
);
return
ct
;
}
/* Return conntrack and conntrack_info given skb->nfct->master */
struct
ip_conntrack
*
ip_conntrack_get
(
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
*
ctinfo
)
{
if
(
skb
->
nfct
)
return
__ip_conntrack_get
(
skb
->
nfct
,
ctinfo
);
return
NULL
;
}
/* Confirm a connection given skb->nfct; places it in hash table */
int
int
__ip_conntrack_confirm
(
struct
nf_ct_info
*
nfct
)
__ip_conntrack_confirm
(
struct
sk_buff
*
skb
)
{
{
unsigned
int
hash
,
repl_hash
;
unsigned
int
hash
,
repl_hash
;
struct
ip_conntrack
*
ct
;
struct
ip_conntrack
*
ct
;
enum
ip_conntrack_info
ctinfo
;
enum
ip_conntrack_info
ctinfo
;
ct
=
__ip_conntrack_get
(
nfct
,
&
ctinfo
);
ct
=
ip_conntrack_get
(
skb
,
&
ctinfo
);
/* ipt_REJECT uses ip_conntrack_attach to attach related
/* ipt_REJECT uses ip_conntrack_attach to attach related
ICMP/TCP RST packets in other direction. Actual packet
ICMP/TCP RST packets in other direction. Actual packet
...
@@ -491,12 +436,12 @@ __ip_conntrack_confirm(struct nf_ct_info *nfct)
...
@@ -491,12 +436,12 @@ __ip_conntrack_confirm(struct nf_ct_info *nfct)
atomic_inc
(
&
ct
->
ct_general
.
use
);
atomic_inc
(
&
ct
->
ct_general
.
use
);
set_bit
(
IPS_CONFIRMED_BIT
,
&
ct
->
status
);
set_bit
(
IPS_CONFIRMED_BIT
,
&
ct
->
status
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
__get_cpu_var
(
ip_conntrack_stat
).
insert
++
;
CONNTRACK_STAT_INC
(
insert
)
;
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
__get_cpu_var
(
ip_conntrack_stat
).
insert_failed
++
;
CONNTRACK_STAT_INC
(
insert_failed
)
;
return
NF_DROP
;
return
NF_DROP
;
}
}
...
@@ -540,7 +485,7 @@ static int early_drop(struct list_head *chain)
...
@@ -540,7 +485,7 @@ static int early_drop(struct list_head *chain)
if
(
del_timer
(
&
h
->
ctrack
->
timeout
))
{
if
(
del_timer
(
&
h
->
ctrack
->
timeout
))
{
death_by_timeout
((
unsigned
long
)
h
->
ctrack
);
death_by_timeout
((
unsigned
long
)
h
->
ctrack
);
dropped
=
1
;
dropped
=
1
;
__get_cpu_var
(
ip_conntrack_stat
).
early_drop
++
;
CONNTRACK_STAT_INC
(
early_drop
)
;
}
}
ip_conntrack_put
(
h
->
ctrack
);
ip_conntrack_put
(
h
->
ctrack
);
return
dropped
;
return
dropped
;
...
@@ -570,8 +515,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -570,8 +515,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
struct
ip_conntrack_tuple
repl_tuple
;
struct
ip_conntrack_tuple
repl_tuple
;
size_t
hash
;
size_t
hash
;
struct
ip_conntrack_expect
*
expected
;
struct
ip_conntrack_expect
*
expected
;
int
i
;
static
unsigned
int
drop_next
;
if
(
!
ip_conntrack_hash_rnd_initted
)
{
if
(
!
ip_conntrack_hash_rnd_initted
)
{
get_random_bytes
(
&
ip_conntrack_hash_rnd
,
4
);
get_random_bytes
(
&
ip_conntrack_hash_rnd
,
4
);
...
@@ -580,15 +523,10 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -580,15 +523,10 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
hash
=
hash_conntrack
(
tuple
);
hash
=
hash_conntrack
(
tuple
);
if
(
ip_conntrack_max
&&
if
(
ip_conntrack_max
atomic_read
(
&
ip_conntrack_count
)
>=
ip_conntrack_max
)
{
&&
atomic_read
(
&
ip_conntrack_count
)
>=
ip_conntrack_max
)
{
/* Try dropping from random chain, or else from the
/* Try dropping from this hash chain. */
chain about to put into (in case they're trying to
if
(
!
early_drop
(
&
ip_conntrack_hash
[
hash
]))
{
bomb one hash chain). */
unsigned
int
next
=
(
drop_next
++
)
%
ip_conntrack_htable_size
;
if
(
!
early_drop
(
&
ip_conntrack_hash
[
next
])
&&
!
early_drop
(
&
ip_conntrack_hash
[
hash
]))
{
if
(
net_ratelimit
())
if
(
net_ratelimit
())
printk
(
KERN_WARNING
printk
(
KERN_WARNING
"ip_conntrack: table full, dropping"
"ip_conntrack: table full, dropping"
...
@@ -615,9 +553,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -615,9 +553,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
ctrack
=
conntrack
;
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
ctrack
=
conntrack
;
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
=
repl_tuple
;
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
=
repl_tuple
;
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
ctrack
=
conntrack
;
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
ctrack
=
conntrack
;
for
(
i
=
0
;
i
<
IP_CT_NUMBER
;
i
++
)
conntrack
->
infos
[
i
].
master
=
&
conntrack
->
ct_general
;
if
(
!
protocol
->
new
(
conntrack
,
skb
))
{
if
(
!
protocol
->
new
(
conntrack
,
skb
))
{
kmem_cache_free
(
ip_conntrack_cachep
,
conntrack
);
kmem_cache_free
(
ip_conntrack_cachep
,
conntrack
);
return
NULL
;
return
NULL
;
...
@@ -655,13 +590,13 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -655,13 +590,13 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
DEBUGP
(
"conntrack: expectation arrives ct=%p exp=%p
\n
"
,
DEBUGP
(
"conntrack: expectation arrives ct=%p exp=%p
\n
"
,
conntrack
,
expected
);
conntrack
,
expected
);
/* Welcome, Mr. Bond. We've been expecting you... */
/* Welcome, Mr. Bond. We've been expecting you... */
IP_NF_ASSERT
(
master_ct
(
conntrack
)
);
IP_NF_ASSERT
(
expected
->
expectant
);
__set_bit
(
IPS_EXPECTED_BIT
,
&
conntrack
->
status
);
__set_bit
(
IPS_EXPECTED_BIT
,
&
conntrack
->
status
);
conntrack
->
master
=
expected
;
conntrack
->
master
=
expected
;
expected
->
sibling
=
conntrack
;
expected
->
sibling
=
conntrack
;
LIST_DELETE
(
&
ip_conntrack_expect_list
,
expected
);
LIST_DELETE
(
&
ip_conntrack_expect_list
,
expected
);
expected
->
expectant
->
expecting
--
;
expected
->
expectant
->
expecting
--
;
nf_conntrack_get
(
&
master_ct
(
conntrack
)
->
infos
[
0
]
);
nf_conntrack_get
(
&
master_ct
(
conntrack
)
->
ct_general
);
/* this is a braindead... --pablo */
/* this is a braindead... --pablo */
atomic_inc
(
&
ip_conntrack_count
);
atomic_inc
(
&
ip_conntrack_count
);
...
@@ -670,13 +605,13 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
...
@@ -670,13 +605,13 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
if
(
expected
->
expectfn
)
if
(
expected
->
expectfn
)
expected
->
expectfn
(
conntrack
);
expected
->
expectfn
(
conntrack
);
__get_cpu_var
(
ip_conntrack_stat
).
expect_new
++
;
CONNTRACK_STAT_INC
(
expect_new
)
;
goto
ret
;
goto
ret
;
}
else
{
}
else
{
conntrack
->
helper
=
ip_ct_find_helper
(
&
repl_tuple
);
conntrack
->
helper
=
ip_ct_find_helper
(
&
repl_tuple
);
__get_cpu_var
(
ip_conntrack_stat
).
new
++
;
CONNTRACK_STAT_INC
(
new
)
;
}
}
end:
atomic_inc
(
&
ip_conntrack_count
);
end:
atomic_inc
(
&
ip_conntrack_count
);
...
@@ -734,7 +669,8 @@ resolve_normal_ct(struct sk_buff *skb,
...
@@ -734,7 +669,8 @@ resolve_normal_ct(struct sk_buff *skb,
}
}
*
set_reply
=
0
;
*
set_reply
=
0
;
}
}
skb
->
nfct
=
&
h
->
ctrack
->
infos
[
*
ctinfo
];
skb
->
nfct
=
&
h
->
ctrack
->
ct_general
;
skb
->
nfctinfo
=
*
ctinfo
;
return
h
->
ctrack
;
return
h
->
ctrack
;
}
}
...
@@ -780,7 +716,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -780,7 +716,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
/* Previously seen (loopback or untracked)? Ignore. */
/* Previously seen (loopback or untracked)? Ignore. */
if
((
*
pskb
)
->
nfct
)
{
if
((
*
pskb
)
->
nfct
)
{
__get_cpu_var
(
ip_conntrack_stat
).
ignore
++
;
CONNTRACK_STAT_INC
(
ignore
)
;
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
...
@@ -791,19 +727,20 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -791,19 +727,20 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
* core what to do with the packet. */
* core what to do with the packet. */
if
(
proto
->
error
!=
NULL
if
(
proto
->
error
!=
NULL
&&
(
ret
=
proto
->
error
(
*
pskb
,
&
ctinfo
,
hooknum
))
<=
0
)
{
&&
(
ret
=
proto
->
error
(
*
pskb
,
&
ctinfo
,
hooknum
))
<=
0
)
{
__get_cpu_var
(
ip_conntrack_stat
).
icmp_error
++
;
CONNTRACK_STAT_INC
(
error
);
CONNTRACK_STAT_INC
(
invalid
);
return
-
ret
;
return
-
ret
;
}
}
if
(
!
(
ct
=
resolve_normal_ct
(
*
pskb
,
proto
,
&
set_reply
,
hooknum
,
&
ctinfo
)))
{
if
(
!
(
ct
=
resolve_normal_ct
(
*
pskb
,
proto
,
&
set_reply
,
hooknum
,
&
ctinfo
)))
{
/* Not valid part of a connection */
/* Not valid part of a connection */
__get_cpu_var
(
ip_conntrack_stat
).
invalid
++
;
CONNTRACK_STAT_INC
(
invalid
)
;
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
if
(
IS_ERR
(
ct
))
{
if
(
IS_ERR
(
ct
))
{
/* Too stressed to deal. */
/* Too stressed to deal. */
__get_cpu_var
(
ip_conntrack_stat
).
drop
++
;
CONNTRACK_STAT_INC
(
drop
)
;
return
NF_DROP
;
return
NF_DROP
;
}
}
...
@@ -815,7 +752,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -815,7 +752,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
* the netfilter core what to do*/
* the netfilter core what to do*/
nf_conntrack_put
((
*
pskb
)
->
nfct
);
nf_conntrack_put
((
*
pskb
)
->
nfct
);
(
*
pskb
)
->
nfct
=
NULL
;
(
*
pskb
)
->
nfct
=
NULL
;
__get_cpu_var
(
ip_conntrack_stat
).
invalid
++
;
CONNTRACK_STAT_INC
(
invalid
)
;
return
-
ret
;
return
-
ret
;
}
}
...
@@ -823,7 +760,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -823,7 +760,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
ret
=
ct
->
helper
->
help
(
*
pskb
,
ct
,
ctinfo
);
ret
=
ct
->
helper
->
help
(
*
pskb
,
ct
,
ctinfo
);
if
(
ret
==
-
1
)
{
if
(
ret
==
-
1
)
{
/* Invalid */
/* Invalid */
__get_cpu_var
(
ip_conntrack_stat
).
invalid
++
;
CONNTRACK_STAT_INC
(
invalid
)
;
nf_conntrack_put
((
*
pskb
)
->
nfct
);
nf_conntrack_put
((
*
pskb
)
->
nfct
);
(
*
pskb
)
->
nfct
=
NULL
;
(
*
pskb
)
->
nfct
=
NULL
;
return
NF_ACCEPT
;
return
NF_ACCEPT
;
...
@@ -1027,7 +964,7 @@ out: ip_conntrack_expect_insert(expect, related_to);
...
@@ -1027,7 +964,7 @@ out: ip_conntrack_expect_insert(expect, related_to);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
__get_cpu_var
(
ip_conntrack_stat
).
expect_create
++
;
CONNTRACK_STAT_INC
(
expect_create
)
;
return
ret
;
return
ret
;
}
}
...
@@ -1219,23 +1156,23 @@ ip_ct_gather_frags(struct sk_buff *skb)
...
@@ -1219,23 +1156,23 @@ ip_ct_gather_frags(struct sk_buff *skb)
}
}
/* Used by ipt_REJECT. */
/* Used by ipt_REJECT. */
static
void
ip_conntrack_attach
(
struct
sk_buff
*
nskb
,
struct
nf_ct_info
*
nfct
)
static
void
ip_conntrack_attach
(
struct
sk_buff
*
nskb
,
struct
sk_buff
*
skb
)
{
{
struct
ip_conntrack
*
ct
;
struct
ip_conntrack
*
ct
;
enum
ip_conntrack_info
ctinfo
;
enum
ip_conntrack_info
ctinfo
;
ct
=
__ip_conntrack_get
(
nfct
,
&
ctinfo
);
/* This ICMP is in reverse direction to the packet which caused it */
ct
=
ip_conntrack_get
(
skb
,
&
ctinfo
);
/* This ICMP is in reverse direction to the packet which
caused it */
if
(
CTINFO2DIR
(
ctinfo
)
==
IP_CT_DIR_ORIGINAL
)
if
(
CTINFO2DIR
(
ctinfo
)
==
IP_CT_DIR_ORIGINAL
)
ctinfo
=
IP_CT_RELATED
+
IP_CT_IS_REPLY
;
ctinfo
=
IP_CT_RELATED
+
IP_CT_IS_REPLY
;
else
else
ctinfo
=
IP_CT_RELATED
;
ctinfo
=
IP_CT_RELATED
;
/* Attach new skbuff, and increment count */
/* Attach to new skbuff, and increment count */
nskb
->
nfct
=
&
ct
->
infos
[
ctinfo
];
nskb
->
nfct
=
&
ct
->
ct_general
;
atomic_inc
(
&
ct
->
ct_general
.
use
);
nskb
->
nfctinfo
=
ctinfo
;
nf_conntrack_get
(
nskb
->
nfct
);
}
}
static
inline
int
static
inline
int
...
@@ -1430,10 +1367,12 @@ int __init ip_conntrack_init(void)
...
@@ -1430,10 +1367,12 @@ int __init ip_conntrack_init(void)
/* Don't NEED lock here, but good form anyway. */
/* Don't NEED lock here, but good form anyway. */
WRITE_LOCK
(
&
ip_conntrack_lock
);
WRITE_LOCK
(
&
ip_conntrack_lock
);
for
(
i
=
0
;
i
<
MAX_IP_CT_PROTO
;
i
++
)
ip_ct_protos
[
i
]
=
&
ip_conntrack_generic_protocol
;
/* Sew in builtin protocols. */
/* Sew in builtin protocols. */
list_append
(
&
protocol_list
,
&
ip_conntrack_protocol_tcp
)
;
ip_ct_protos
[
IPPROTO_TCP
]
=
&
ip_conntrack_protocol_tcp
;
list_append
(
&
protocol_list
,
&
ip_conntrack_protocol_udp
)
;
ip_ct_protos
[
IPPROTO_UDP
]
=
&
ip_conntrack_protocol_udp
;
list_append
(
&
protocol_list
,
&
ip_conntrack_protocol_icmp
)
;
ip_ct_protos
[
IPPROTO_ICMP
]
=
&
ip_conntrack_protocol_icmp
;
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
for
(
i
=
0
;
i
<
ip_conntrack_htable_size
;
i
++
)
for
(
i
=
0
;
i
<
ip_conntrack_htable_size
;
i
++
)
...
@@ -1447,11 +1386,6 @@ int __init ip_conntrack_init(void)
...
@@ -1447,11 +1386,6 @@ int __init ip_conntrack_init(void)
atomic_set
(
&
ip_conntrack_untracked
.
ct_general
.
use
,
1
);
atomic_set
(
&
ip_conntrack_untracked
.
ct_general
.
use
,
1
);
/* - and look it like as a confirmed connection */
/* - and look it like as a confirmed connection */
set_bit
(
IPS_CONFIRMED_BIT
,
&
ip_conntrack_untracked
.
status
);
set_bit
(
IPS_CONFIRMED_BIT
,
&
ip_conntrack_untracked
.
status
);
/* - and prepare the ctinfo field for REJECT & NAT. */
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
].
master
=
ip_conntrack_untracked
.
infos
[
IP_CT_RELATED
].
master
=
ip_conntrack_untracked
.
infos
[
IP_CT_RELATED
+
IP_CT_IS_REPLY
].
master
=
&
ip_conntrack_untracked
.
ct_general
;
return
ret
;
return
ret
;
...
...
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
View file @
e068209a
...
@@ -195,7 +195,8 @@ icmp_error_message(struct sk_buff *skb,
...
@@ -195,7 +195,8 @@ icmp_error_message(struct sk_buff *skb,
}
}
/* Update skb to refer to this connection */
/* Update skb to refer to this connection */
skb
->
nfct
=
&
h
->
ctrack
->
infos
[
*
ctinfo
];
skb
->
nfct
=
&
h
->
ctrack
->
ct_general
;
skb
->
nfctinfo
=
*
ctinfo
;
return
-
NF_ACCEPT
;
return
-
NF_ACCEPT
;
}
}
...
...
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
View file @
e068209a
...
@@ -430,16 +430,16 @@ static int sctp_new(struct ip_conntrack *conntrack,
...
@@ -430,16 +430,16 @@ static int sctp_new(struct ip_conntrack *conntrack,
DEBUGP
(
"
\n
"
);
DEBUGP
(
"
\n
"
);
if
(
skb_copy_bits
(
skb
,
skb
->
nh
.
iph
->
ihl
*
4
,
&
sctph
,
sizeof
(
sctph
))
!=
0
)
if
(
skb_copy_bits
(
skb
,
skb
->
nh
.
iph
->
ihl
*
4
,
&
sctph
,
sizeof
(
sctph
))
!=
0
)
return
-
1
;
return
0
;
if
(
do_basic_checks
(
conntrack
,
skb
,
map
)
!=
0
)
if
(
do_basic_checks
(
conntrack
,
skb
,
map
)
!=
0
)
return
-
1
;
return
0
;
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
if
((
test_bit
(
SCTP_CID_ABORT
,
(
void
*
)
map
))
if
((
test_bit
(
SCTP_CID_ABORT
,
(
void
*
)
map
))
||
(
test_bit
(
SCTP_CID_SHUTDOWN_COMPLETE
,
(
void
*
)
map
))
||
(
test_bit
(
SCTP_CID_SHUTDOWN_COMPLETE
,
(
void
*
)
map
))
||
(
test_bit
(
SCTP_CID_COOKIE_ACK
,
(
void
*
)
map
)))
{
||
(
test_bit
(
SCTP_CID_COOKIE_ACK
,
(
void
*
)
map
)))
{
return
-
1
;
return
0
;
}
}
newconntrack
=
SCTP_CONNTRACK_MAX
;
newconntrack
=
SCTP_CONNTRACK_MAX
;
...
@@ -461,7 +461,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
...
@@ -461,7 +461,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
if
(
skb_copy_bits
(
skb
,
offset
+
sizeof
(
sctp_chunkhdr_t
),
if
(
skb_copy_bits
(
skb
,
offset
+
sizeof
(
sctp_chunkhdr_t
),
&
inithdr
,
sizeof
(
inithdr
))
!=
0
)
{
&
inithdr
,
sizeof
(
inithdr
))
!=
0
)
{
return
-
1
;
return
0
;
}
}
DEBUGP
(
"Setting vtag %x for new conn
\n
"
,
DEBUGP
(
"Setting vtag %x for new conn
\n
"
,
...
@@ -471,7 +471,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
...
@@ -471,7 +471,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
inithdr
.
init_tag
;
inithdr
.
init_tag
;
}
else
{
}
else
{
/* Sec 8.5.1 (A) */
/* Sec 8.5.1 (A) */
return
-
1
;
return
0
;
}
}
}
}
/* If it is a shutdown ack OOTB packet, we expect a return
/* If it is a shutdown ack OOTB packet, we expect a return
...
@@ -496,7 +496,6 @@ static int sctp_exp_matches_pkt(struct ip_conntrack_expect *exp,
...
@@ -496,7 +496,6 @@ static int sctp_exp_matches_pkt(struct ip_conntrack_expect *exp,
}
}
struct
ip_conntrack_protocol
ip_conntrack_protocol_sctp
=
{
struct
ip_conntrack_protocol
ip_conntrack_protocol_sctp
=
{
.
list
=
{
NULL
,
NULL
},
.
proto
=
IPPROTO_SCTP
,
.
proto
=
IPPROTO_SCTP
,
.
name
=
"sctp"
,
.
name
=
"sctp"
,
.
pkt_to_tuple
=
sctp_pkt_to_tuple
,
.
pkt_to_tuple
=
sctp_pkt_to_tuple
,
...
...
net/ipv4/netfilter/ip_conntrack_standalone.c
View file @
e068209a
...
@@ -112,7 +112,7 @@ static int ct_seq_real_show(const struct ip_conntrack_tuple_hash *hash,
...
@@ -112,7 +112,7 @@ static int ct_seq_real_show(const struct ip_conntrack_tuple_hash *hash,
if
(
DIRECTION
(
hash
))
if
(
DIRECTION
(
hash
))
return
0
;
return
0
;
proto
=
__
ip_ct_find_proto
(
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
proto
=
ip_ct_find_proto
(
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
.
tuple
.
dst
.
protonum
);
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
proto
);
IP_NF_ASSERT
(
proto
);
...
@@ -242,7 +242,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
...
@@ -242,7 +242,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
expect
->
tuple
.
dst
.
protonum
);
expect
->
tuple
.
dst
.
protonum
);
print_tuple
(
s
,
&
expect
->
tuple
,
print_tuple
(
s
,
&
expect
->
tuple
,
__
ip_ct_find_proto
(
expect
->
tuple
.
dst
.
protonum
));
ip_ct_find_proto
(
expect
->
tuple
.
dst
.
protonum
));
return
seq_putc
(
s
,
'\n'
);
return
seq_putc
(
s
,
'\n'
);
}
}
...
@@ -317,7 +317,7 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
...
@@ -317,7 +317,7 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
st
->
insert_failed
,
st
->
insert_failed
,
st
->
drop
,
st
->
drop
,
st
->
early_drop
,
st
->
early_drop
,
st
->
icmp_
error
,
st
->
error
,
st
->
expect_new
,
st
->
expect_new
,
st
->
expect_create
,
st
->
expect_create
,
...
@@ -515,6 +515,14 @@ static ctl_table ip_ct_sysctl_table[] = {
...
@@ -515,6 +515,14 @@ static ctl_table ip_ct_sysctl_table[] = {
.
mode
=
0644
,
.
mode
=
0644
,
.
proc_handler
=
&
proc_dointvec
,
.
proc_handler
=
&
proc_dointvec
,
},
},
{
.
ctl_name
=
NET_IPV4_NF_CONNTRACK_COUNT
,
.
procname
=
"ip_conntrack_count"
,
.
data
=
&
ip_conntrack_count
,
.
maxlen
=
sizeof
(
int
),
.
mode
=
0444
,
.
proc_handler
=
&
proc_dointvec
,
},
{
{
.
ctl_name
=
NET_IPV4_NF_CONNTRACK_BUCKETS
,
.
ctl_name
=
NET_IPV4_NF_CONNTRACK_BUCKETS
,
.
procname
=
"ip_conntrack_buckets"
,
.
procname
=
"ip_conntrack_buckets"
,
...
@@ -816,19 +824,13 @@ static int init_or_cleanup(int init)
...
@@ -816,19 +824,13 @@ static int init_or_cleanup(int init)
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
)
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
)
{
{
int
ret
=
0
;
int
ret
=
0
;
struct
list_head
*
i
;
WRITE_LOCK
(
&
ip_conntrack_lock
);
WRITE_LOCK
(
&
ip_conntrack_lock
);
list_for_each
(
i
,
&
protocol_list
)
{
if
(
ip_ct_protos
[
proto
->
proto
]
!=
&
ip_conntrack_generic_protocol
)
{
if
(((
struct
ip_conntrack_protocol
*
)
i
)
->
proto
==
proto
->
proto
)
{
ret
=
-
EBUSY
;
ret
=
-
EBUSY
;
goto
out
;
goto
out
;
}
}
}
ip_ct_protos
[
proto
->
proto
]
=
proto
;
list_prepend
(
&
protocol_list
,
proto
);
out:
out:
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
return
ret
;
return
ret
;
...
@@ -837,10 +839,7 @@ int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
...
@@ -837,10 +839,7 @@ int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
)
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
)
{
{
WRITE_LOCK
(
&
ip_conntrack_lock
);
WRITE_LOCK
(
&
ip_conntrack_lock
);
ip_ct_protos
[
proto
->
proto
]
=
&
ip_conntrack_generic_protocol
;
/* ip_ct_find_proto() returns proto_generic in case there is no protocol
* helper. So this should be enough - HW */
LIST_DELETE
(
&
protocol_list
,
proto
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
/* Somebody could be still looking at the proto in bh. */
/* Somebody could be still looking at the proto in bh. */
...
@@ -880,8 +879,8 @@ EXPORT_SYMBOL(ip_conntrack_helper_register);
...
@@ -880,8 +879,8 @@ EXPORT_SYMBOL(ip_conntrack_helper_register);
EXPORT_SYMBOL
(
ip_conntrack_helper_unregister
);
EXPORT_SYMBOL
(
ip_conntrack_helper_unregister
);
EXPORT_SYMBOL
(
ip_ct_selective_cleanup
);
EXPORT_SYMBOL
(
ip_ct_selective_cleanup
);
EXPORT_SYMBOL
(
ip_ct_refresh_acct
);
EXPORT_SYMBOL
(
ip_ct_refresh_acct
);
EXPORT_SYMBOL
(
ip_ct_protos
);
EXPORT_SYMBOL
(
ip_ct_find_proto
);
EXPORT_SYMBOL
(
ip_ct_find_proto
);
EXPORT_SYMBOL
(
__ip_ct_find_proto
);
EXPORT_SYMBOL
(
ip_ct_find_helper
);
EXPORT_SYMBOL
(
ip_ct_find_helper
);
EXPORT_SYMBOL
(
ip_conntrack_expect_alloc
);
EXPORT_SYMBOL
(
ip_conntrack_expect_alloc
);
EXPORT_SYMBOL
(
ip_conntrack_expect_related
);
EXPORT_SYMBOL
(
ip_conntrack_expect_related
);
...
...
net/ipv4/netfilter/ip_fw_compat_masq.c
View file @
e068209a
...
@@ -146,7 +146,7 @@ check_for_demasq(struct sk_buff **pskb)
...
@@ -146,7 +146,7 @@ check_for_demasq(struct sk_buff **pskb)
case
IPPROTO_ICMP
:
case
IPPROTO_ICMP
:
/* ICMP errors. */
/* ICMP errors. */
protocol
->
error
(
*
pskb
,
&
ctinfo
,
NF_IP_PRE_ROUTING
);
protocol
->
error
(
*
pskb
,
&
ctinfo
,
NF_IP_PRE_ROUTING
);
ct
=
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
;
ct
=
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
;
if
(
ct
)
{
if
(
ct
)
{
/* We only do SNAT in the compatibility layer.
/* We only do SNAT in the compatibility layer.
So we can manipulate ICMP errors from
So we can manipulate ICMP errors from
...
@@ -187,7 +187,7 @@ check_for_demasq(struct sk_buff **pskb)
...
@@ -187,7 +187,7 @@ check_for_demasq(struct sk_buff **pskb)
NULL
,
NULL
,
NULL
);
NULL
,
NULL
,
NULL
);
/* Put back the reference gained from find_get */
/* Put back the reference gained from find_get */
nf_conntrack_put
(
&
h
->
ctrack
->
infos
[
0
]
);
nf_conntrack_put
(
&
h
->
ctrack
->
ct_general
);
if
(
ret
==
NF_ACCEPT
)
{
if
(
ret
==
NF_ACCEPT
)
{
struct
ip_conntrack
*
ct
;
struct
ip_conntrack
*
ct
;
ct
=
ip_conntrack_get
(
*
pskb
,
&
ctinfo
);
ct
=
ip_conntrack_get
(
*
pskb
,
&
ctinfo
);
...
@@ -206,7 +206,7 @@ check_for_demasq(struct sk_buff **pskb)
...
@@ -206,7 +206,7 @@ check_for_demasq(struct sk_buff **pskb)
}
else
{
}
else
{
if
(
h
)
if
(
h
)
/* Put back the reference gained from find_get */
/* Put back the reference gained from find_get */
nf_conntrack_put
(
&
h
->
ctrack
->
infos
[
0
]
);
nf_conntrack_put
(
&
h
->
ctrack
->
ct_general
);
ret
=
NF_ACCEPT
;
ret
=
NF_ACCEPT
;
}
}
...
...
net/ipv4/netfilter/ip_nat_core.c
View file @
e068209a
...
@@ -48,9 +48,8 @@ static unsigned int ip_nat_htable_size;
...
@@ -48,9 +48,8 @@ static unsigned int ip_nat_htable_size;
static
struct
list_head
*
bysource
;
static
struct
list_head
*
bysource
;
static
struct
list_head
*
byipsproto
;
static
struct
list_head
*
byipsproto
;
LIST_HEAD
(
protos
)
;
struct
ip_nat_protocol
*
ip_nat_protos
[
MAX_IP_NAT_PROTO
]
;
extern
struct
ip_nat_protocol
unknown_nat_protocol
;
/* We keep extra hashes for each conntrack, for fast searching. */
/* We keep extra hashes for each conntrack, for fast searching. */
static
inline
size_t
static
inline
size_t
...
@@ -77,9 +76,6 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
...
@@ -77,9 +76,6 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
if
(
!
info
->
initialized
)
if
(
!
info
->
initialized
)
return
;
return
;
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
);
IP_NF_ASSERT
(
info
->
byipsproto
.
conntrack
);
hs
=
hash_by_src
(
&
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
,
hs
=
hash_by_src
(
&
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
,
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
.
tuple
.
dst
.
protonum
);
.
tuple
.
dst
.
protonum
);
...
@@ -90,8 +86,8 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
...
@@ -90,8 +86,8 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
.
tuple
.
dst
.
protonum
);
.
tuple
.
dst
.
protonum
);
WRITE_LOCK
(
&
ip_nat_lock
);
WRITE_LOCK
(
&
ip_nat_lock
);
LIST_DELETE
(
&
bysource
[
hs
],
&
info
->
bysource
);
list_del
(
&
info
->
bysource
);
LIST_DELETE
(
&
byipsproto
[
hp
],
&
info
->
byipsproto
);
list_del
(
&
info
->
byipsproto
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
}
}
...
@@ -106,23 +102,6 @@ ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
...
@@ -106,23 +102,6 @@ ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
oldcheck
^
0xFFFF
));
oldcheck
^
0xFFFF
));
}
}
static
inline
int
cmp_proto
(
const
struct
ip_nat_protocol
*
i
,
int
proto
)
{
return
i
->
protonum
==
proto
;
}
struct
ip_nat_protocol
*
find_nat_proto
(
u_int16_t
protonum
)
{
struct
ip_nat_protocol
*
i
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
i
=
LIST_FIND
(
&
protos
,
cmp_proto
,
struct
ip_nat_protocol
*
,
protonum
);
if
(
!
i
)
i
=
&
unknown_nat_protocol
;
return
i
;
}
/* Is this tuple already taken? (not by us) */
/* Is this tuple already taken? (not by us) */
int
int
ip_nat_used_tuple
(
const
struct
ip_conntrack_tuple
*
tuple
,
ip_nat_used_tuple
(
const
struct
ip_conntrack_tuple
*
tuple
,
...
@@ -145,7 +124,7 @@ in_range(const struct ip_conntrack_tuple *tuple,
...
@@ -145,7 +124,7 @@ in_range(const struct ip_conntrack_tuple *tuple,
const
struct
ip_conntrack_manip
*
manip
,
const
struct
ip_conntrack_manip
*
manip
,
const
struct
ip_nat_multi_range
*
mr
)
const
struct
ip_nat_multi_range
*
mr
)
{
{
struct
ip_nat_protocol
*
proto
=
find_nat
_proto
(
tuple
->
dst
.
protonum
);
struct
ip_nat_protocol
*
proto
=
ip_nat_find
_proto
(
tuple
->
dst
.
protonum
);
unsigned
int
i
;
unsigned
int
i
;
struct
ip_conntrack_tuple
newtuple
=
{
*
manip
,
tuple
->
dst
};
struct
ip_conntrack_tuple
newtuple
=
{
*
manip
,
tuple
->
dst
};
...
@@ -171,20 +150,18 @@ in_range(const struct ip_conntrack_tuple *tuple,
...
@@ -171,20 +150,18 @@ in_range(const struct ip_conntrack_tuple *tuple,
}
}
static
inline
int
static
inline
int
src_cmp
(
const
struct
ip_
nat_hash
*
i
,
src_cmp
(
const
struct
ip_
conntrack
*
ct
,
const
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_nat_multi_range
*
mr
)
const
struct
ip_nat_multi_range
*
mr
)
{
{
return
(
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
return
(
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
==
tuple
->
dst
.
protonum
==
tuple
->
dst
.
protonum
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
ip
&&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
ip
==
tuple
->
src
.
ip
==
tuple
->
src
.
ip
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u
.
all
&&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u
.
all
==
tuple
->
src
.
u
.
all
==
tuple
->
src
.
u
.
all
&&
in_range
(
tuple
,
&&
in_range
(
tuple
,
&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
,
mr
));
.
tuple
.
src
,
mr
));
}
}
/* Only called for SRC manip */
/* Only called for SRC manip */
...
@@ -193,13 +170,12 @@ find_appropriate_src(const struct ip_conntrack_tuple *tuple,
...
@@ -193,13 +170,12 @@ find_appropriate_src(const struct ip_conntrack_tuple *tuple,
const
struct
ip_nat_multi_range
*
mr
)
const
struct
ip_nat_multi_range
*
mr
)
{
{
unsigned
int
h
=
hash_by_src
(
&
tuple
->
src
,
tuple
->
dst
.
protonum
);
unsigned
int
h
=
hash_by_src
(
&
tuple
->
src
,
tuple
->
dst
.
protonum
);
struct
ip_
nat_hash
*
i
;
struct
ip_
conntrack
*
ct
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
i
=
LIST_FIND
(
&
bysource
[
h
],
src_cmp
,
struct
ip_nat_hash
*
,
tuple
,
mr
);
list_for_each_entry
(
ct
,
&
bysource
[
h
],
nat
.
info
.
bysource
)
if
(
i
)
if
(
src_cmp
(
ct
,
tuple
,
mr
))
return
&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
;
return
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
;
else
return
NULL
;
return
NULL
;
}
}
...
@@ -226,19 +202,17 @@ do_extra_mangle(u_int32_t var_ip, u_int32_t *other_ipp)
...
@@ -226,19 +202,17 @@ do_extra_mangle(u_int32_t var_ip, u_int32_t *other_ipp)
#endif
#endif
/* Simple way to iterate through all. */
/* Simple way to iterate through all. */
static
inline
int
fake_cmp
(
const
struct
ip_
nat_hash
*
i
,
static
inline
int
fake_cmp
(
const
struct
ip_
conntrack
*
ct
,
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
unsigned
int
*
score
,
unsigned
int
*
score
,
const
struct
ip_conntrack
*
ct2
)
const
struct
ip_conntrack
*
conntrack
)
{
{
/* Compare backwards: we're dealing with OUTGOING tuples, and
/* Compare backwards: we're dealing with OUTGOING tuples, and
inside the conntrack is the REPLY tuple. Don't count this
inside the conntrack is the REPLY tuple. Don't count this
conntrack. */
conntrack. */
if
(
i
->
conntrack
!=
conntrack
if
(
ct
!=
ct2
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
src
.
ip
==
dst
&&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
src
.
ip
==
dst
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
ip
==
src
&&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
ip
==
src
&&
(
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
protonum
&&
(
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
protonum
==
protonum
))
==
protonum
))
(
*
score
)
++
;
(
*
score
)
++
;
return
0
;
return
0
;
}
}
...
@@ -247,13 +221,14 @@ static inline unsigned int
...
@@ -247,13 +221,14 @@ static inline unsigned int
count_maps
(
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
count_maps
(
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
const
struct
ip_conntrack
*
conntrack
)
const
struct
ip_conntrack
*
conntrack
)
{
{
struct
ip_conntrack
*
ct
;
unsigned
int
score
=
0
;
unsigned
int
score
=
0
;
unsigned
int
h
;
unsigned
int
h
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
h
=
hash_by_ipsproto
(
src
,
dst
,
protonum
);
h
=
hash_by_ipsproto
(
src
,
dst
,
protonum
);
LIST_FIND
(
&
byipsproto
[
h
],
fake_cmp
,
struct
ip_nat_hash
*
,
list_for_each_entry
(
ct
,
&
byipsproto
[
h
],
nat
.
info
.
byipsproto
)
src
,
dst
,
protonum
,
&
score
,
conntrack
);
fake_cmp
(
ct
,
src
,
dst
,
protonum
,
&
score
,
conntrack
);
return
score
;
return
score
;
}
}
...
@@ -401,7 +376,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
...
@@ -401,7 +376,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
unsigned
int
hooknum
)
unsigned
int
hooknum
)
{
{
struct
ip_nat_protocol
*
proto
struct
ip_nat_protocol
*
proto
=
find_nat
_proto
(
orig_tuple
->
dst
.
protonum
);
=
ip_nat_find
_proto
(
orig_tuple
->
dst
.
protonum
);
struct
ip_nat_range
*
rptr
;
struct
ip_nat_range
*
rptr
;
unsigned
int
i
;
unsigned
int
i
;
int
ret
;
int
ret
;
...
@@ -640,12 +615,10 @@ ip_nat_setup_info(struct ip_conntrack *conntrack,
...
@@ -640,12 +615,10 @@ ip_nat_setup_info(struct ip_conntrack *conntrack,
/* It's done. */
/* It's done. */
info
->
initialized
|=
(
1
<<
HOOK2MANIP
(
hooknum
));
info
->
initialized
|=
(
1
<<
HOOK2MANIP
(
hooknum
));
if
(
in_hashes
)
{
if
(
in_hashes
)
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
);
replace_in_hashes
(
conntrack
,
info
);
replace_in_hashes
(
conntrack
,
info
);
}
else
{
else
place_in_hashes
(
conntrack
,
info
);
place_in_hashes
(
conntrack
,
info
);
}
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
...
@@ -669,14 +642,9 @@ void replace_in_hashes(struct ip_conntrack *conntrack,
...
@@ -669,14 +642,9 @@ void replace_in_hashes(struct ip_conntrack *conntrack,
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
.
tuple
.
dst
.
protonum
);
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
==
conntrack
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
list_move
(
&
info
->
bysource
,
&
bysource
[
srchash
]);
list_del
(
&
info
->
bysource
.
list
);
list_move
(
&
info
->
byipsproto
,
&
byipsproto
[
ipsprotohash
]);
list_del
(
&
info
->
byipsproto
.
list
);
list_prepend
(
&
bysource
[
srchash
],
&
info
->
bysource
);
list_prepend
(
&
byipsproto
[
ipsprotohash
],
&
info
->
byipsproto
);
}
}
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
...
@@ -697,14 +665,9 @@ void place_in_hashes(struct ip_conntrack *conntrack,
...
@@ -697,14 +665,9 @@ void place_in_hashes(struct ip_conntrack *conntrack,
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
.
tuple
.
dst
.
protonum
);
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
!
info
->
bysource
.
conntrack
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
info
->
byipsproto
.
conntrack
=
conntrack
;
list_add
(
&
info
->
bysource
,
&
bysource
[
srchash
]);
info
->
bysource
.
conntrack
=
conntrack
;
list_add
(
&
info
->
byipsproto
,
&
byipsproto
[
ipsprotohash
]);
list_prepend
(
&
bysource
[
srchash
],
&
info
->
bysource
);
list_prepend
(
&
byipsproto
[
ipsprotohash
],
&
info
->
byipsproto
);
}
}
/* Returns true if succeeded. */
/* Returns true if succeeded. */
...
@@ -724,8 +687,7 @@ manip_pkt(u_int16_t proto,
...
@@ -724,8 +687,7 @@ manip_pkt(u_int16_t proto,
iph
=
(
void
*
)(
*
pskb
)
->
data
+
iphdroff
;
iph
=
(
void
*
)(
*
pskb
)
->
data
+
iphdroff
;
/* Manipulate protcol part. */
/* Manipulate protcol part. */
if
(
!
find_nat_proto
(
proto
)
->
manip_pkt
(
pskb
,
if
(
!
ip_nat_find_proto
(
proto
)
->
manip_pkt
(
pskb
,
iphdroff
+
iph
->
ihl
*
4
,
iphdroff
+
iph
->
ihl
*
4
,
manip
,
maniptype
))
manip
,
maniptype
))
return
0
;
return
0
;
...
@@ -750,7 +712,7 @@ static inline int exp_for_packet(struct ip_conntrack_expect *exp,
...
@@ -750,7 +712,7 @@ static inline int exp_for_packet(struct ip_conntrack_expect *exp,
int
ret
=
1
;
int
ret
=
1
;
MUST_BE_READ_LOCKED
(
&
ip_conntrack_lock
);
MUST_BE_READ_LOCKED
(
&
ip_conntrack_lock
);
proto
=
__
ip_ct_find_proto
(
skb
->
nh
.
iph
->
protocol
);
proto
=
ip_ct_find_proto
(
skb
->
nh
.
iph
->
protocol
);
if
(
proto
->
exp_matches_pkt
)
if
(
proto
->
exp_matches_pkt
)
ret
=
proto
->
exp_matches_pkt
(
exp
,
skb
);
ret
=
proto
->
exp_matches_pkt
(
exp
,
skb
);
...
@@ -890,12 +852,8 @@ icmp_reply_translation(struct sk_buff **pskb,
...
@@ -890,12 +852,8 @@ icmp_reply_translation(struct sk_buff **pskb,
}
}
/* Must be RELATED */
/* Must be RELATED */
IP_NF_ASSERT
((
*
pskb
)
->
nfct
IP_NF_ASSERT
((
*
pskb
)
->
nfctinfo
==
IP_CT_RELATED
||
-
((
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
(
*
pskb
)
->
nfctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
);
==
IP_CT_RELATED
||
(
*
pskb
)
->
nfct
-
((
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
);
/* Redirects on non-null nats must be dropped, else they'll
/* Redirects on non-null nats must be dropped, else they'll
start talking to each other without our translation, and be
start talking to each other without our translation, and be
...
@@ -995,9 +953,11 @@ int __init ip_nat_init(void)
...
@@ -995,9 +953,11 @@ int __init ip_nat_init(void)
/* Sew in builtin protocols. */
/* Sew in builtin protocols. */
WRITE_LOCK
(
&
ip_nat_lock
);
WRITE_LOCK
(
&
ip_nat_lock
);
list_append
(
&
protos
,
&
ip_nat_protocol_tcp
);
for
(
i
=
0
;
i
<
MAX_IP_NAT_PROTO
;
i
++
)
list_append
(
&
protos
,
&
ip_nat_protocol_udp
);
ip_nat_protos
[
i
]
=
&
ip_nat_unknown_protocol
;
list_append
(
&
protos
,
&
ip_nat_protocol_icmp
);
ip_nat_protos
[
IPPROTO_TCP
]
=
&
ip_nat_protocol_tcp
;
ip_nat_protos
[
IPPROTO_UDP
]
=
&
ip_nat_protocol_udp
;
ip_nat_protos
[
IPPROTO_ICMP
]
=
&
ip_nat_protocol_icmp
;
WRITE_UNLOCK
(
&
ip_nat_lock
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
for
(
i
=
0
;
i
<
ip_nat_htable_size
;
i
++
)
{
for
(
i
=
0
;
i
<
ip_nat_htable_size
;
i
++
)
{
...
...
net/ipv4/netfilter/ip_nat_proto_icmp.c
View file @
e068209a
...
@@ -104,7 +104,7 @@ icmp_print_range(char *buffer, const struct ip_nat_range *range)
...
@@ -104,7 +104,7 @@ icmp_print_range(char *buffer, const struct ip_nat_range *range)
}
}
struct
ip_nat_protocol
ip_nat_protocol_icmp
struct
ip_nat_protocol
ip_nat_protocol_icmp
=
{
{
NULL
,
NULL
},
"ICMP"
,
IPPROTO_ICMP
,
=
{
"ICMP"
,
IPPROTO_ICMP
,
icmp_manip_pkt
,
icmp_manip_pkt
,
icmp_in_range
,
icmp_in_range
,
icmp_unique_tuple
,
icmp_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_proto_tcp.c
View file @
e068209a
...
@@ -162,7 +162,7 @@ tcp_print_range(char *buffer, const struct ip_nat_range *range)
...
@@ -162,7 +162,7 @@ tcp_print_range(char *buffer, const struct ip_nat_range *range)
}
}
struct
ip_nat_protocol
ip_nat_protocol_tcp
struct
ip_nat_protocol
ip_nat_protocol_tcp
=
{
{
NULL
,
NULL
},
"TCP"
,
IPPROTO_TCP
,
=
{
"TCP"
,
IPPROTO_TCP
,
tcp_manip_pkt
,
tcp_manip_pkt
,
tcp_in_range
,
tcp_in_range
,
tcp_unique_tuple
,
tcp_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_proto_udp.c
View file @
e068209a
...
@@ -148,7 +148,7 @@ udp_print_range(char *buffer, const struct ip_nat_range *range)
...
@@ -148,7 +148,7 @@ udp_print_range(char *buffer, const struct ip_nat_range *range)
}
}
struct
ip_nat_protocol
ip_nat_protocol_udp
struct
ip_nat_protocol
ip_nat_protocol_udp
=
{
{
NULL
,
NULL
},
"UDP"
,
IPPROTO_UDP
,
=
{
"UDP"
,
IPPROTO_UDP
,
udp_manip_pkt
,
udp_manip_pkt
,
udp_in_range
,
udp_in_range
,
udp_unique_tuple
,
udp_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_proto_unknown.c
View file @
e068209a
...
@@ -60,8 +60,8 @@ unknown_print_range(char *buffer, const struct ip_nat_range *range)
...
@@ -60,8 +60,8 @@ unknown_print_range(char *buffer, const struct ip_nat_range *range)
return
0
;
return
0
;
}
}
struct
ip_nat_protocol
unknown_nat
_protocol
=
{
struct
ip_nat_protocol
ip_nat_unknown
_protocol
=
{
{
NULL
,
NULL
},
"unknown"
,
0
,
"unknown"
,
0
,
unknown_manip_pkt
,
unknown_manip_pkt
,
unknown_in_range
,
unknown_in_range
,
unknown_unique_tuple
,
unknown_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_standalone.c
View file @
e068209a
...
@@ -283,18 +283,13 @@ static struct nf_hook_ops ip_nat_local_in_ops = {
...
@@ -283,18 +283,13 @@ static struct nf_hook_ops ip_nat_local_in_ops = {
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
)
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
)
{
{
int
ret
=
0
;
int
ret
=
0
;
struct
list_head
*
i
;
WRITE_LOCK
(
&
ip_nat_lock
);
WRITE_LOCK
(
&
ip_nat_lock
);
list_for_each
(
i
,
&
protos
)
{
if
(
ip_nat_protos
[
proto
->
protonum
]
!=
&
ip_nat_unknown_protocol
)
{
if
(((
struct
ip_nat_protocol
*
)
i
)
->
protonum
==
proto
->
protonum
)
{
ret
=
-
EBUSY
;
ret
=
-
EBUSY
;
goto
out
;
goto
out
;
}
}
}
ip_nat_protos
[
proto
->
protonum
]
=
proto
;
list_prepend
(
&
protos
,
proto
);
out:
out:
WRITE_UNLOCK
(
&
ip_nat_lock
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
return
ret
;
return
ret
;
...
@@ -304,7 +299,7 @@ int ip_nat_protocol_register(struct ip_nat_protocol *proto)
...
@@ -304,7 +299,7 @@ int ip_nat_protocol_register(struct ip_nat_protocol *proto)
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
)
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
)
{
{
WRITE_LOCK
(
&
ip_nat_lock
);
WRITE_LOCK
(
&
ip_nat_lock
);
LIST_DELETE
(
&
protos
,
proto
)
;
ip_nat_protos
[
proto
->
protonum
]
=
&
ip_nat_unknown_protocol
;
WRITE_UNLOCK
(
&
ip_nat_lock
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
/* Someone could be still looking at the proto in a bh. */
/* Someone could be still looking at the proto in a bh. */
...
...
net/ipv4/netfilter/ipt_NOTRACK.c
View file @
e068209a
...
@@ -23,7 +23,8 @@ target(struct sk_buff **pskb,
...
@@ -23,7 +23,8 @@ target(struct sk_buff **pskb,
If there is a real ct entry correspondig to this packet,
If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it
it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */
for performance reasons. JK */
(
*
pskb
)
->
nfct
=
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
];
(
*
pskb
)
->
nfct
=
&
ip_conntrack_untracked
.
ct_general
;
(
*
pskb
)
->
nfctinfo
=
IP_CT_NEW
;
nf_conntrack_get
((
*
pskb
)
->
nfct
);
nf_conntrack_get
((
*
pskb
)
->
nfct
);
return
IPT_CONTINUE
;
return
IPT_CONTINUE
;
...
...
net/ipv4/netfilter/ipt_REJECT.c
View file @
e068209a
...
@@ -41,14 +41,14 @@ MODULE_DESCRIPTION("iptables REJECT target module");
...
@@ -41,14 +41,14 @@ MODULE_DESCRIPTION("iptables REJECT target module");
/* If the original packet is part of a connection, but the connection
/* If the original packet is part of a connection, but the connection
is not confirmed, our manufactured reply will not be associated
is not confirmed, our manufactured reply will not be associated
with it, so we need to do this manually. */
with it, so we need to do this manually. */
static
void
connection_attach
(
struct
sk_buff
*
new_skb
,
struct
nf_ct_info
*
nfct
)
static
void
connection_attach
(
struct
sk_buff
*
new_skb
,
struct
sk_buff
*
skb
)
{
{
void
(
*
attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
void
(
*
attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
/* Avoid module unload race with ip_ct_attach being NULLed out */
/* Avoid module unload race with ip_ct_attach being NULLed out */
if
(
nfct
&&
(
attach
=
ip_ct_attach
)
!=
NULL
)
{
if
(
skb
->
nfct
&&
(
attach
=
ip_ct_attach
)
!=
NULL
)
{
mb
();
/* Just to be sure: must be read before executing this */
mb
();
/* Just to be sure: must be read before executing this */
attach
(
new_skb
,
nfct
);
attach
(
new_skb
,
skb
);
}
}
}
}
...
@@ -209,7 +209,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
...
@@ -209,7 +209,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
if
(
nskb
->
len
>
dst_pmtu
(
nskb
->
dst
))
if
(
nskb
->
len
>
dst_pmtu
(
nskb
->
dst
))
goto
free_nskb
;
goto
free_nskb
;
connection_attach
(
nskb
,
oldskb
->
nfct
);
connection_attach
(
nskb
,
oldskb
);
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
ip_finish_output
);
ip_finish_output
);
...
@@ -360,7 +360,7 @@ static void send_unreach(struct sk_buff *skb_in, int code)
...
@@ -360,7 +360,7 @@ static void send_unreach(struct sk_buff *skb_in, int code)
icmph
->
checksum
=
ip_compute_csum
((
unsigned
char
*
)
icmph
,
icmph
->
checksum
=
ip_compute_csum
((
unsigned
char
*
)
icmph
,
length
-
sizeof
(
struct
iphdr
));
length
-
sizeof
(
struct
iphdr
));
connection_attach
(
nskb
,
skb_in
->
nfct
);
connection_attach
(
nskb
,
skb_in
);
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
ip_finish_output
);
ip_finish_output
);
...
...
net/ipv4/netfilter/ipt_comment.c
0 → 100644
View file @
e068209a
/*
* Implements a dummy match to allow attaching comments to rules
*
* 2003-05-13 Brad Fisher (brad@info-link.net)
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_comment.h>
MODULE_AUTHOR
(
"Brad Fisher <brad@info-link.net>"
);
MODULE_DESCRIPTION
(
"iptables comment match module"
);
MODULE_LICENSE
(
"GPL"
);
static
int
match
(
const
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
void
*
matchinfo
,
int
offset
,
int
*
hotdrop
)
{
/* We always match */
return
1
;
}
static
int
checkentry
(
const
char
*
tablename
,
const
struct
ipt_ip
*
ip
,
void
*
matchinfo
,
unsigned
int
matchsize
,
unsigned
int
hook_mask
)
{
/* Check the size */
if
(
matchsize
!=
IPT_ALIGN
(
sizeof
(
struct
ipt_comment_info
)))
return
0
;
return
1
;
}
static
struct
ipt_match
comment_match
=
{
.
name
=
"comment"
,
.
match
=
match
,
.
checkentry
=
checkentry
,
.
me
=
THIS_MODULE
};
static
int
__init
init
(
void
)
{
return
ipt_register_match
(
&
comment_match
);
}
static
void
__exit
fini
(
void
)
{
ipt_unregister_match
(
&
comment_match
);
}
module_init
(
init
);
module_exit
(
fini
);
net/ipv4/netfilter/ipt_conntrack.c
View file @
e068209a
...
@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
...
@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
]
)
if
(
ct
==
&
ip_conntrack_untracked
)
statebit
=
IPT_CONNTRACK_STATE_UNTRACKED
;
statebit
=
IPT_CONNTRACK_STATE_UNTRACKED
;
else
if
(
ct
)
else
if
(
ct
)
statebit
=
IPT_CONNTRACK_STATE_BIT
(
ctinfo
);
statebit
=
IPT_CONNTRACK_STATE_BIT
(
ctinfo
);
...
...
net/ipv4/netfilter/ipt_state.c
View file @
e068209a
...
@@ -30,9 +30,9 @@ match(const struct sk_buff *skb,
...
@@ -30,9 +30,9 @@ match(const struct sk_buff *skb,
enum
ip_conntrack_info
ctinfo
;
enum
ip_conntrack_info
ctinfo
;
unsigned
int
statebit
;
unsigned
int
statebit
;
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
]
)
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
ct_general
)
statebit
=
IPT_STATE_UNTRACKED
;
statebit
=
IPT_STATE_UNTRACKED
;
else
if
(
!
ip_conntrack_get
(
(
struct
sk_buff
*
)
skb
,
&
ctinfo
))
else
if
(
!
ip_conntrack_get
(
skb
,
&
ctinfo
))
statebit
=
IPT_STATE_INVALID
;
statebit
=
IPT_STATE_INVALID
;
else
else
statebit
=
IPT_STATE_BIT
(
ctinfo
);
statebit
=
IPT_STATE_BIT
(
ctinfo
);
...
...
net/ipv6/ip6_output.c
View file @
e068209a
...
@@ -477,6 +477,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
...
@@ -477,6 +477,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
/* Connection association is same as pre-frag packet */
/* Connection association is same as pre-frag packet */
to
->
nfct
=
from
->
nfct
;
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
nf_conntrack_get
(
to
->
nfct
);
to
->
nfctinfo
=
from
->
nfctinfo
;
#ifdef CONFIG_BRIDGE_NETFILTER
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
to
->
nf_bridge
);
nf_bridge_put
(
to
->
nf_bridge
);
to
->
nf_bridge
=
from
->
nf_bridge
;
to
->
nf_bridge
=
from
->
nf_bridge
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment