516e49e0
Commit
516e49e0
authored
Mar 29, 2004
by
Harald Welte
Committed by
Linus Torvalds
Mar 29, 2004
[NETFILTER]: Add 'raw' table, from Jozsef Kadlecsik.
parent
284bd053
Changes
16
Showing
16 changed files
with
514 additions
and
16 deletions
+514
-16
include/linux/netfilter_ipv4.h
include/linux/netfilter_ipv4.h
+2
-0
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+3
-0
include/linux/netfilter_ipv4/ipt_conntrack.h
include/linux/netfilter_ipv4/ipt_conntrack.h
+1
-0
include/linux/netfilter_ipv4/ipt_state.h
include/linux/netfilter_ipv4/ipt_state.h
+2
-0
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+24
-0
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+2
-0
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+23
-9
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+52
-1
net/ipv4/netfilter/ip_nat_core.c
net/ipv4/netfilter/ip_nat_core.c
+4
-0
net/ipv4/netfilter/ipt_NOTRACK.c
net/ipv4/netfilter/ipt_NOTRACK.c
+75
-0
net/ipv4/netfilter/ipt_conntrack.c
net/ipv4/netfilter/ipt_conntrack.c
+7
-5
net/ipv4/netfilter/ipt_state.c
net/ipv4/netfilter/ipt_state.c
+3
-1
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_raw.c
+149
-0
net/ipv6/netfilter/Kconfig
net/ipv6/netfilter/Kconfig
+12
-0
net/ipv6/netfilter/Makefile
net/ipv6/netfilter/Makefile
+1
-0
net/ipv6/netfilter/ip6table_raw.c
net/ipv6/netfilter/ip6table_raw.c
+154
-0
include/linux/netfilter_ipv4.h
...
@@ -51,6 +51,8 @@
...
@@ -51,6 +51,8 @@
enum
nf_ip_hook_priorities
{
enum
nf_ip_hook_priorities
{
NF_IP_PRI_FIRST
=
INT_MIN
,
NF_IP_PRI_FIRST
=
INT_MIN
,
NF_IP_PRI_CONNTRACK_DEFRAG
=
-
400
,
NF_IP_PRI_RAW
=
-
300
,
NF_IP_PRI_SELINUX_FIRST
=
-
225
,
NF_IP_PRI_SELINUX_FIRST
=
-
225
,
NF_IP_PRI_CONNTRACK
=
-
200
,
NF_IP_PRI_CONNTRACK
=
-
200
,
NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD
=
-
175
,
NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD
=
-
175
,
...
...
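Review bot: `NF_IP_PRI_RAW = -300` is added without a comment, and the value only makes sense in relation to its neighbours: it has to sit after `NF_IP_PRI_CONNTRACK_DEFRAG` (-400) so the raw table sees reassembled packets, and before `NF_IP_PRI_CONNTRACK` (-200) so a NOTRACK verdict is in place before conntrack looks at the skb. Suggest `NF_IP_PRI_RAW = -300,	/* after defrag, before conntrack: raw/NOTRACK must see reassembled packets */`. Other hook registrations order themselves by these values, so the constraint belongs in the header rather than only in iptable_raw.c.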
include/linux/netfilter_ipv4/ip_conntrack.h
...
@@ -251,6 +251,9 @@ extern void ip_ct_refresh(struct ip_conntrack *ct,
...
@@ -251,6 +251,9 @@ extern void ip_ct_refresh(struct ip_conntrack *ct,
/* Call me when a conntrack is destroyed. */
/* Call me when a conntrack is destroyed. */
extern
void
(
*
ip_conntrack_destroyed
)(
struct
ip_conntrack
*
conntrack
);
extern
void
(
*
ip_conntrack_destroyed
)(
struct
ip_conntrack
*
conntrack
);
/* Fake conntrack entry for untracked connections */
extern
struct
ip_conntrack
ip_conntrack_untracked
;
/* Returns new sk_buff, or NULL */
/* Returns new sk_buff, or NULL */
struct
sk_buff
*
struct
sk_buff
*
ip_ct_gather_frags
(
struct
sk_buff
*
skb
);
ip_ct_gather_frags
(
struct
sk_buff
*
skb
);
...
...
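Review bot: The new `ip_conntrack_untracked` declaration is documented only as a "fake conntrack entry", which leaves its lifetime and the convention for recognising it to readers of ip_conntrack_core.c. Suggest extending the comment to `/* Fake conntrack entry for untracked connections: statically allocated, refcount pinned at 1 and never freed; NOTRACK points skb->nfct at its infos[IP_CT_NEW], so compare against that address to detect an untracked skb. */`. Those facts are established by the init code in ip_conntrack_core.c and are relied on by ipt_NOTRACK.c, ipt_state.c and ipt_conntrack.c in this same commit.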
include/linux/netfilter_ipv4/ipt_conntrack.h
...
@@ -10,6 +10,7 @@
...
@@ -10,6 +10,7 @@
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
/* flags, invflags: */
#define IPT_CONNTRACK_STATE 0x01
#define IPT_CONNTRACK_STATE 0x01
...
...
include/linux/netfilter_ipv4/ipt_state.h
...
@@ -4,6 +4,8 @@
...
@@ -4,6 +4,8 @@
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define IPT_STATE_INVALID (1 << 0)
#define IPT_STATE_INVALID (1 << 0)
#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
struct
ipt_state_info
struct
ipt_state_info
{
{
unsigned
int
statemask
;
unsigned
int
statemask
;
...
...
net/ipv4/netfilter/Kconfig
...
@@ -579,5 +579,29 @@ config IP_NF_COMPAT_IPFWADM
...
@@ -579,5 +579,29 @@ config IP_NF_COMPAT_IPFWADM
To compile it as a module, choose M here. If unsure, say N.
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_NOTRACK
tristate 'NOTRACK target support'
depends on IP_NF_RAW
help
The NOTRACK target allows a select rule to specify
which packets *not* to enter the conntrack/NAT
subsystem with all the consequences (no ICMP error tracking,
no protocol helpers for the selected packets).
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_RAW
tristate 'raw table support (required for NOTRACK/TRACE)'
depends on IP_NF_IPTABLES
help
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
help
endmenu
endmenu
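Review bot: `config IP_NF_TARGET_NOTRACK` is placed before `config IP_NF_RAW`, the option it `depends on`, so in the menu the target appears above the table it requires; putting the RAW entry first reads better. Both new help texts use the older `say M here and read <file:Documentation/modules.txt>` wording, while the IP_NF_COMPAT_IPFWADM entry just above uses `To compile it as a module, choose M here. If unsure, say N.`; the new entries should follow the file's current form. The raw table prompt says it is "required for NOTRACK/TRACE", but no TRACE target is part of this commit, so if TRACE does not exist yet in this tree the reference should be dropped or qualified; the same wording appears in net/ipv6/netfilter/Kconfig.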
net/ipv4/netfilter/Makefile
...
@@ -38,6 +38,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
...
@@ -38,6 +38,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
obj-$(CONFIG_IP_NF_FILTER)
+=
iptable_filter.o
obj-$(CONFIG_IP_NF_FILTER)
+=
iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE)
+=
iptable_mangle.o
obj-$(CONFIG_IP_NF_MANGLE)
+=
iptable_mangle.o
obj-$(CONFIG_IP_NF_NAT)
+=
iptable_nat.o
obj-$(CONFIG_IP_NF_NAT)
+=
iptable_nat.o
obj-$(CONFIG_IP_NF_RAW)
+=
iptable_raw.o
# matches
# matches
obj-$(CONFIG_IP_NF_MATCH_HELPER)
+=
ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_HELPER)
+=
ipt_helper.o
...
@@ -81,6 +82,7 @@ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
...
@@ -81,6 +82,7 @@ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
obj-$(CONFIG_IP_NF_TARGET_LOG)
+=
ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_LOG)
+=
ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_ULOG)
+=
ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_ULOG)
+=
ipt_ULOG.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS)
+=
ipt_TCPMSS.o
obj-$(CONFIG_IP_NF_TARGET_TCPMSS)
+=
ipt_TCPMSS.o
obj-$(CONFIG_IP_NF_TARGET_NOTRACK)
+=
ipt_NOTRACK.o
# generic ARP tables
# generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES)
+=
arp_tables.o
obj-$(CONFIG_IP_NF_ARPTABLES)
+=
arp_tables.o
...
...
net/ipv4/netfilter/ip_conntrack_core.c
...
@@ -67,6 +67,7 @@ int ip_conntrack_max;
...
@@ -67,6 +67,7 @@ int ip_conntrack_max;
static
atomic_t
ip_conntrack_count
=
ATOMIC_INIT
(
0
);
static
atomic_t
ip_conntrack_count
=
ATOMIC_INIT
(
0
);
struct
list_head
*
ip_conntrack_hash
;
struct
list_head
*
ip_conntrack_hash
;
static
kmem_cache_t
*
ip_conntrack_cachep
;
static
kmem_cache_t
*
ip_conntrack_cachep
;
struct
ip_conntrack
ip_conntrack_untracked
;
extern
struct
ip_conntrack_protocol
ip_conntrack_generic_protocol
;
extern
struct
ip_conntrack_protocol
ip_conntrack_generic_protocol
;
...
@@ -794,6 +795,15 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -794,6 +795,15 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
int
set_reply
;
int
set_reply
;
int
ret
;
int
ret
;
/* Never happen */
if
((
*
pskb
)
->
nh
.
iph
->
frag_off
&
htons
(
IP_OFFSET
))
{
if
(
net_ratelimit
())
{
printk
(
KERN_ERR
"ip_conntrack_in: Frag of proto %u (hook=%u)
\n
"
,
(
*
pskb
)
->
nh
.
iph
->
protocol
,
hooknum
);
}
return
NF_DROP
;
}
/* FIXME: Do this right please. --RR */
/* FIXME: Do this right please. --RR */
(
*
pskb
)
->
nfcache
|=
NFC_UNKNOWN
;
(
*
pskb
)
->
nfcache
|=
NFC_UNKNOWN
;
...
@@ -812,18 +822,10 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
...
@@ -812,18 +822,10 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
}
}
#endif
#endif
/* Previously seen (loopback)? Ignore. Do this before
/* Previously seen (loopback or untracked)? Ignore. */
fragment check. */
if
((
*
pskb
)
->
nfct
)
if
((
*
pskb
)
->
nfct
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* Gather fragments. */
if
((
*
pskb
)
->
nh
.
iph
->
frag_off
&
htons
(
IP_MF
|
IP_OFFSET
))
{
*
pskb
=
ip_ct_gather_frags
(
*
pskb
);
if
(
!*
pskb
)
return
NF_STOLEN
;
}
proto
=
ip_ct_find_proto
((
*
pskb
)
->
nh
.
iph
->
protocol
);
proto
=
ip_ct_find_proto
((
*
pskb
)
->
nh
.
iph
->
protocol
);
/* It may be an icmp error... */
/* It may be an icmp error... */
...
@@ -1442,6 +1444,18 @@ int __init ip_conntrack_init(void)
...
@@ -1442,6 +1444,18 @@ int __init ip_conntrack_init(void)
/* For use by ipt_REJECT */
/* For use by ipt_REJECT */
ip_ct_attach
=
ip_conntrack_attach
;
ip_ct_attach
=
ip_conntrack_attach
;
/* Set up fake conntrack:
- to never be deleted, not in any hashes */
atomic_set
(
&
ip_conntrack_untracked
.
ct_general
.
use
,
1
);
/* - and look it like as a confirmed connection */
set_bit
(
IPS_CONFIRMED_BIT
,
&
ip_conntrack_untracked
.
status
);
/* - and prepare the ctinfo field for REJECT & NAT. */
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
].
master
=
ip_conntrack_untracked
.
infos
[
IP_CT_RELATED
].
master
=
ip_conntrack_untracked
.
infos
[
IP_CT_RELATED
+
IP_CT_IS_REPLY
].
master
=
&
ip_conntrack_untracked
.
ct_general
;
return
ret
;
return
ret
;
err_free_hash:
err_free_hash:
...
...
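Review bot: The fake-entry setup in ip_conntrack_init fills `master` only for `infos[IP_CT_NEW]`, `infos[IP_CT_RELATED]` and `infos[IP_CT_RELATED + IP_CT_IS_REPLY]`; every other slot of the static `ip_conntrack_untracked` stays zero, so any code that indexes `infos[]` with a different ctinfo on an untracked skb would dereference a NULL master. ipt_NOTRACK.c only ever hands out `infos[IP_CT_NEW]`, so this holds today, but the invariant is not written down; suggest `/* Only infos[IP_CT_NEW] is ever attached to an skb (see ipt_NOTRACK); the RELATED slots are set for REJECT/NAT. All other slots have a NULL master. */` above the assignment. In ip_conntrack_in, the "Never happen" branch is now the only fragment handling left, and the function silently depends on the separate defrag hook in ip_conntrack_standalone.c having run at a lower priority; a one-line comment saying so would save the next reader from looking for the gather call that used to be here. ip_conntrack_in and ip_conntrack_init both start and end outside these hunks.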
net/ipv4/netfilter/ip_conntrack_standalone.c
...
@@ -194,6 +194,26 @@ static unsigned int ip_confirm(unsigned int hooknum,
...
@@ -194,6 +194,26 @@ static unsigned int ip_confirm(unsigned int hooknum,
return
ip_conntrack_confirm
(
*
pskb
);
return
ip_conntrack_confirm
(
*
pskb
);
}
}
static
unsigned
int
ip_conntrack_defrag
(
unsigned
int
hooknum
,
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* Previously seen (loopback)? Ignore. Do this before
fragment check. */
if
((
*
pskb
)
->
nfct
)
return
NF_ACCEPT
;
/* Gather fragments. */
if
((
*
pskb
)
->
nh
.
iph
->
frag_off
&
htons
(
IP_MF
|
IP_OFFSET
))
{
*
pskb
=
ip_ct_gather_frags
(
*
pskb
);
if
(
!*
pskb
)
return
NF_STOLEN
;
}
return
NF_ACCEPT
;
}
static
unsigned
int
ip_refrag
(
unsigned
int
hooknum
,
static
unsigned
int
ip_refrag
(
unsigned
int
hooknum
,
struct
sk_buff
**
pskb
,
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
...
@@ -236,6 +256,14 @@ static unsigned int ip_conntrack_local(unsigned int hooknum,
...
@@ -236,6 +256,14 @@ static unsigned int ip_conntrack_local(unsigned int hooknum,
/* Connection tracking may drop packets, but never alters them, so
/* Connection tracking may drop packets, but never alters them, so
make it the first hook. */
make it the first hook. */
static
struct
nf_hook_ops
ip_conntrack_defrag_ops
=
{
.
hook
=
ip_conntrack_defrag
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_IP_PRE_ROUTING
,
.
priority
=
NF_IP_PRI_CONNTRACK_DEFRAG
,
};
static
struct
nf_hook_ops
ip_conntrack_in_ops
=
{
static
struct
nf_hook_ops
ip_conntrack_in_ops
=
{
.
hook
=
ip_conntrack_in
,
.
hook
=
ip_conntrack_in
,
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
...
@@ -244,6 +272,14 @@ static struct nf_hook_ops ip_conntrack_in_ops = {
...
@@ -244,6 +272,14 @@ static struct nf_hook_ops ip_conntrack_in_ops = {
.
priority
=
NF_IP_PRI_CONNTRACK
,
.
priority
=
NF_IP_PRI_CONNTRACK
,
};
};
static
struct
nf_hook_ops
ip_conntrack_defrag_local_out_ops
=
{
.
hook
=
ip_conntrack_defrag
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_IP_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_CONNTRACK_DEFRAG
,
};
static
struct
nf_hook_ops
ip_conntrack_local_out_ops
=
{
static
struct
nf_hook_ops
ip_conntrack_local_out_ops
=
{
.
hook
=
ip_conntrack_local
,
.
hook
=
ip_conntrack_local
,
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
...
@@ -470,10 +506,20 @@ static int init_or_cleanup(int init)
...
@@ -470,10 +506,20 @@ static int init_or_cleanup(int init)
if
(
!
proc
)
goto
cleanup_init
;
if
(
!
proc
)
goto
cleanup_init
;
proc
->
owner
=
THIS_MODULE
;
proc
->
owner
=
THIS_MODULE
;
ret
=
nf_register_hook
(
&
ip_conntrack_defrag_ops
);
if
(
ret
<
0
)
{
printk
(
"ip_conntrack: can't register pre-routing defrag hook.
\n
"
);
goto
cleanup_proc
;
}
ret
=
nf_register_hook
(
&
ip_conntrack_defrag_local_out_ops
);
if
(
ret
<
0
)
{
printk
(
"ip_conntrack: can't register local_out defrag hook.
\n
"
);
goto
cleanup_defragops
;
}
ret
=
nf_register_hook
(
&
ip_conntrack_in_ops
);
ret
=
nf_register_hook
(
&
ip_conntrack_in_ops
);
if
(
ret
<
0
)
{
if
(
ret
<
0
)
{
printk
(
"ip_conntrack: can't register pre-routing hook.
\n
"
);
printk
(
"ip_conntrack: can't register pre-routing hook.
\n
"
);
goto
cleanup_
proc
;
goto
cleanup_
defraglocalops
;
}
}
ret
=
nf_register_hook
(
&
ip_conntrack_local_out_ops
);
ret
=
nf_register_hook
(
&
ip_conntrack_local_out_ops
);
if
(
ret
<
0
)
{
if
(
ret
<
0
)
{
...
@@ -511,6 +557,10 @@ static int init_or_cleanup(int init)
...
@@ -511,6 +557,10 @@ static int init_or_cleanup(int init)
nf_unregister_hook
(
&
ip_conntrack_local_out_ops
);
nf_unregister_hook
(
&
ip_conntrack_local_out_ops
);
cleanup_inops:
cleanup_inops:
nf_unregister_hook
(
&
ip_conntrack_in_ops
);
nf_unregister_hook
(
&
ip_conntrack_in_ops
);
cleanup_defraglocalops:
nf_unregister_hook
(
&
ip_conntrack_defrag_local_out_ops
);
cleanup_defragops:
nf_unregister_hook
(
&
ip_conntrack_defrag_ops
);
cleanup_proc:
cleanup_proc:
proc_net_remove
(
"ip_conntrack"
);
proc_net_remove
(
"ip_conntrack"
);
cleanup_init:
cleanup_init:
...
@@ -603,5 +653,6 @@ EXPORT_SYMBOL(ip_conntrack_htable_size);
...
@@ -603,5 +653,6 @@ EXPORT_SYMBOL(ip_conntrack_htable_size);
EXPORT_SYMBOL
(
ip_conntrack_expect_list
);
EXPORT_SYMBOL
(
ip_conntrack_expect_list
);
EXPORT_SYMBOL
(
ip_conntrack_lock
);
EXPORT_SYMBOL
(
ip_conntrack_lock
);
EXPORT_SYMBOL
(
ip_conntrack_hash
);
EXPORT_SYMBOL
(
ip_conntrack_hash
);
EXPORT_SYMBOL
(
ip_conntrack_untracked
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_find_get
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_find_get
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_put
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_put
);
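Review bot: The context comment `Connection tracking may drop packets, but never alters them, so make it the first hook.` now sits directly above the new `ip_conntrack_defrag_ops`, whose hook replaces `*pskb` with the result of ip_ct_gather_frags, so the "never alters them" claim no longer describes the hook it introduces. Suggest rewording it to `/* Defragmentation runs first (NF_IP_PRI_CONNTRACK_DEFRAG, ahead of the raw table) so both the raw table and conntrack see reassembled packets; it may replace *pskb. */` and keeping the original sentence on `ip_conntrack_in_ops` where it still applies. A consequence worth stating in the same comment is that NOTRACK bypasses tracking but not defragmentation, since the defrag hooks at -400 run before the raw table at -300 whenever this module is loaded. The hunk for init_or_cleanup starts and ends outside the visible range.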
net/ipv4/netfilter/ip_nat_core.c
...
@@ -1017,6 +1017,10 @@ int __init ip_nat_init(void)
...
@@ -1017,6 +1017,10 @@ int __init ip_nat_init(void)
IP_NF_ASSERT
(
ip_conntrack_destroyed
==
NULL
);
IP_NF_ASSERT
(
ip_conntrack_destroyed
==
NULL
);
ip_conntrack_destroyed
=
&
ip_nat_cleanup_conntrack
;
ip_conntrack_destroyed
=
&
ip_nat_cleanup_conntrack
;
/* Initialize fake conntrack so that NAT will skip it */
ip_conntrack_untracked
.
nat
.
info
.
initialized
|=
(
1
<<
IP_NAT_MANIP_SRC
)
|
(
1
<<
IP_NAT_MANIP_DST
);
return
0
;
return
0
;
}
}
...
...
net/ipv4/netfilter/ipt_NOTRACK.c
0 → 100644
/* This is a module which is used for setting up fake conntracks
* on packets so that they are not seen by the conntrack/NAT code.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
static
unsigned
int
target
(
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
unsigned
int
hooknum
,
const
void
*
targinfo
,
void
*
userinfo
)
{
/* Previously seen (loopback)? Ignore. */
if
((
*
pskb
)
->
nfct
!=
NULL
)
return
IPT_CONTINUE
;
/* Attach fake conntrack entry.
If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */
(
*
pskb
)
->
nfct
=
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
];
nf_conntrack_get
((
*
pskb
)
->
nfct
);
return
IPT_CONTINUE
;
}
static
int
checkentry
(
const
char
*
tablename
,
const
struct
ipt_entry
*
e
,
void
*
targinfo
,
unsigned
int
targinfosize
,
unsigned
int
hook_mask
)
{
if
(
targinfosize
!=
0
)
{
printk
(
KERN_WARNING
"NOTRACK: targinfosize %u != 0
\n
"
,
targinfosize
);
return
0
;
}
if
(
strcmp
(
tablename
,
"raw"
)
!=
0
)
{
printk
(
KERN_WARNING
"NOTRACK: can only be called from
\"
raw
\"
table, not
\"
%s
\"\n
"
,
tablename
);
return
0
;
}
return
1
;
}
static
struct
ipt_target
ipt_notrack_reg
=
{
.
name
=
"NOTRACK"
,
.
target
=
target
,
.
checkentry
=
checkentry
,
.
me
=
THIS_MODULE
};
static
int
__init
init
(
void
)
{
if
(
ipt_register_target
(
&
ipt_notrack_reg
))
return
-
EINVAL
;
return
0
;
}
static
void
__exit
fini
(
void
)
{
ipt_unregister_target
(
&
ipt_notrack_reg
);
}
module_init
(
init
);
module_exit
(
fini
);
MODULE_LICENSE
(
"GPL"
);
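Review bot: `checkentry` restricts the target to the "raw" table but does not check `hook_mask`; that is sufficient today only because iptable_raw.c registers the table for PRE_ROUTING and LOCAL_OUT alone, and adding `if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))) return 0;` would make the constraint explicit in the target itself. The comment in `target` has two typos ("correspondig", "aroun") and understates the behaviour: a flow that was already tracked before the NOTRACK rule was added keeps its existing entry until it times out, and packets that arrive with `nfct` already set (the loopback case) are left alone. Suggest `/* Attach the fake conntrack entry. A real entry for this flow, if one already exists in the hash, is not removed; it stays until it times out. Skbs that already carry an nfct are left untouched. */`.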
net/ipv4/netfilter/ipt_conntrack.c
...
@@ -35,7 +35,9 @@ match(const struct sk_buff *skb,
...
@@ -35,7 +35,9 @@ match(const struct sk_buff *skb,
#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
if
(
ct
)
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
])
statebit
=
IPT_CONNTRACK_STATE_UNTRACKED
;
else
if
(
ct
)
statebit
=
IPT_CONNTRACK_STATE_BIT
(
ctinfo
);
statebit
=
IPT_CONNTRACK_STATE_BIT
(
ctinfo
);
else
else
statebit
=
IPT_CONNTRACK_STATE_INVALID
;
statebit
=
IPT_CONNTRACK_STATE_INVALID
;
...
...
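Review bot: The untracked test `skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW]` is now spelled out in ipt_conntrack.c, ipt_state.c and (as the assignment) ipt_NOTRACK.c, so the choice of `IP_CT_NEW` as the attached slot lives in three files. A small helper in ip_conntrack.h, for example a constructed `static inline int ip_conntrack_is_untracked(const struct sk_buff *skb)`, would keep the convention in one place. The new branch also has an ordering requirement that is not documented: if ip_conntrack_get resolves an untracked skb to the fake entry's non-NULL master (which the master pointers set in ip_conntrack_init suggest), the untracked test must stay ahead of the `ct` test, so a comment such as `/* must precede the ct test: an untracked skb also yields a non-NULL ct */` would protect it; the same applies to the branch in ipt_state.c. The enclosing `match` functions start and end outside the hunks.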
net/ipv4/netfilter/ipt_state.c
...
@@ -30,7 +30,9 @@ match(const struct sk_buff *skb,
...
@@ -30,7 +30,9 @@ match(const struct sk_buff *skb,
enum
ip_conntrack_info
ctinfo
;
enum
ip_conntrack_info
ctinfo
;
unsigned
int
statebit
;
unsigned
int
statebit
;
if
(
!
ip_conntrack_get
((
struct
sk_buff
*
)
skb
,
&
ctinfo
))
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
])
statebit
=
IPT_STATE_UNTRACKED
;
else
if
(
!
ip_conntrack_get
((
struct
sk_buff
*
)
skb
,
&
ctinfo
))
statebit
=
IPT_STATE_INVALID
;
statebit
=
IPT_STATE_INVALID
;
else
else
statebit
=
IPT_STATE_BIT
(
ctinfo
);
statebit
=
IPT_STATE_BIT
(
ctinfo
);
...
...
net/ipv4/netfilter/iptable_raw.c
0 → 100644
/*
* 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT .
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
/* Standard entry. */
struct
ipt_standard
{
struct
ipt_entry
entry
;
struct
ipt_standard_target
target
;
};
struct
ipt_error_target
{
struct
ipt_entry_target
target
;
char
errorname
[
IPT_FUNCTION_MAXNAMELEN
];
};
struct
ipt_error
{
struct
ipt_entry
entry
;
struct
ipt_error_target
target
;
};
static
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
2
];
struct
ipt_error
term
;
}
initial_table
__initdata
=
{
{
"raw"
,
RAW_VALID_HOOKS
,
3
,
sizeof
(
struct
ipt_standard
)
*
2
+
sizeof
(
struct
ipt_error
),
{
[
NF_IP_PRE_ROUTING
]
0
,
[
NF_IP_LOCAL_OUT
]
sizeof
(
struct
ipt_standard
)
},
{
[
NF_IP_PRE_ROUTING
]
0
,
[
NF_IP_LOCAL_OUT
]
sizeof
(
struct
ipt_standard
)
},
0
,
NULL
,
{
}
},
{
/* PRE_ROUTING */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
},
/* LOCAL_OUT */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
}
},
/* ERROR */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_error
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_error_target
)),
IPT_ERROR_TARGET
}
},
{
}
},
"ERROR"
}
}
};
static
struct
ipt_table
packet_raw
=
{
.
name
=
"raw"
,
.
table
=
&
initial_table
.
repl
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
lock
=
RW_LOCK_UNLOCKED
,
.
me
=
THIS_MODULE
};
/* The work comes in here from netfilter.c. */
static
unsigned
int
ipt_hook
(
unsigned
int
hook
,
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
pskb
,
hook
,
in
,
out
,
&
packet_raw
,
NULL
);
}
/* 'raw' is the very first table. */
static
struct
nf_hook_ops
ipt_ops
[]
=
{
{
.
hook
=
ipt_hook
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_IP_PRE_ROUTING
,
.
priority
=
NF_IP_PRI_RAW
},
{
.
hook
=
ipt_hook
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_IP_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_RAW
},
};
static
int
__init
init
(
void
)
{
int
ret
;
/* Register table */
ret
=
ipt_register_table
(
&
packet_raw
);
if
(
ret
<
0
)
return
ret
;
/* Register hooks */
ret
=
nf_register_hook
(
&
ipt_ops
[
0
]);
if
(
ret
<
0
)
goto
cleanup_table
;
ret
=
nf_register_hook
(
&
ipt_ops
[
1
]);
if
(
ret
<
0
)
goto
cleanup_hook0
;
return
ret
;
cleanup_hook0:
nf_unregister_hook
(
&
ipt_ops
[
0
]);
cleanup_table:
ipt_unregister_table
(
&
packet_raw
);
return
ret
;
}
static
void
__exit
fini
(
void
)
{
unsigned
int
i
;
for
(
i
=
0
;
i
<
sizeof
(
ipt_ops
)
/
sizeof
(
struct
nf_hook_ops
);
i
++
)
nf_unregister_hook
(
&
ipt_ops
[
i
]);
ipt_unregister_table
(
&
packet_raw
);
}
module_init
(
init
);
module_exit
(
fini
);
MODULE_LICENSE
(
"GPL"
);
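Review bot: The two `ipt_ops` entries set `.hook`, `.pf`, `.hooknum` and `.priority` but no `.owner = THIS_MODULE`, while the hook ops added to ip_conntrack_standalone.c in this same commit all set it; if the netfilter core uses `owner` to hold a module reference while a hook runs, this module could be unloaded underneath a running `ipt_hook`. The same omission is in the `ip6t_ops` array of ip6table_raw.c. A smaller point of style: `fini` iterates over `sizeof(ipt_ops) / sizeof(struct nf_hook_ops)`, but `init` registers `ipt_ops[0]` and `ipt_ops[1]` by hand with two separate cleanup labels, so adding a hook later would require changing both functions in different ways; registering in a loop with partial unwind keeps them in step.

```c
static int __init init(void)
{
	unsigned int i;
	int ret;

	/* … unchanged: ipt_register_table(&packet_raw) and its error return … */

	/* Register hooks; unwind the ones already registered on failure. */
	for (i = 0; i < sizeof(ipt_ops) / sizeof(struct nf_hook_ops); i++) {
		ret = nf_register_hook(&ipt_ops[i]);
		if (ret < 0)
			goto cleanup_hooks;
	}
	return ret;

 cleanup_hooks:
	while (i-- > 0)
		nf_unregister_hook(&ipt_ops[i]);
	ipt_unregister_table(&packet_raw);
	return ret;
}
```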
net/ipv6/netfilter/Kconfig
...
@@ -218,5 +218,17 @@ config IP6_NF_TARGET_MARK
...
@@ -218,5 +218,17 @@ config IP6_NF_TARGET_MARK
To compile it as a module, choose M here. If unsure, say N.
To compile it as a module, choose M here. If unsure, say N.
#dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
#dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
depends on IP6_NF_IPTABLES
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
help
endmenu
endmenu
net/ipv6/netfilter/Makefile
...
@@ -21,4 +21,5 @@ obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
...
@@ -21,4 +21,5 @@ obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_TARGET_MARK)
+=
ip6t_MARK.o
obj-$(CONFIG_IP6_NF_TARGET_MARK)
+=
ip6t_MARK.o
obj-$(CONFIG_IP6_NF_QUEUE)
+=
ip6_queue.o
obj-$(CONFIG_IP6_NF_QUEUE)
+=
ip6_queue.o
obj-$(CONFIG_IP6_NF_TARGET_LOG)
+=
ip6t_LOG.o
obj-$(CONFIG_IP6_NF_TARGET_LOG)
+=
ip6t_LOG.o
obj-$(CONFIG_IP6_NF_RAW)
+=
ip6table_raw.o
obj-$(CONFIG_IP6_NF_MATCH_HL)
+=
ip6t_hl.o
obj-$(CONFIG_IP6_NF_MATCH_HL)
+=
ip6t_hl.o
net/ipv6/netfilter/ip6table_raw.c
0 → 100644
/*
* IPv6 raw table, a port of the IPv4 raw table to IPv6
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
#if 0
#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
#else
#define DEBUGP(x, args...)
#endif
/* Standard entry. */
struct
ip6t_standard
{
struct
ip6t_entry
entry
;
struct
ip6t_standard_target
target
;
};
struct
ip6t_error_target
{
struct
ip6t_entry_target
target
;
char
errorname
[
IP6T_FUNCTION_MAXNAMELEN
];
};
struct
ip6t_error
{
struct
ip6t_entry
entry
;
struct
ip6t_error_target
target
;
};
static
struct
{
struct
ip6t_replace
repl
;
struct
ip6t_standard
entries
[
2
];
struct
ip6t_error
term
;
}
initial_table
__initdata
=
{
{
"raw"
,
RAW_VALID_HOOKS
,
3
,
sizeof
(
struct
ip6t_standard
)
*
2
+
sizeof
(
struct
ip6t_error
),
{
[
NF_IP6_PRE_ROUTING
]
0
,
[
NF_IP6_LOCAL_OUT
]
sizeof
(
struct
ip6t_standard
)
},
{
[
NF_IP6_PRE_ROUTING
]
0
,
[
NF_IP6_LOCAL_OUT
]
sizeof
(
struct
ip6t_standard
)
},
0
,
NULL
,
{
}
},
{
/* PRE_ROUTING */
{
{
{
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ip6t_entry
),
sizeof
(
struct
ip6t_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IP6T_ALIGN
(
sizeof
(
struct
ip6t_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
},
/* LOCAL_OUT */
{
{
{
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ip6t_entry
),
sizeof
(
struct
ip6t_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IP6T_ALIGN
(
sizeof
(
struct
ip6t_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
},
},
/* ERROR */
{
{
{
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
{
{
{
0
}
}
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ip6t_entry
),
sizeof
(
struct
ip6t_error
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IP6T_ALIGN
(
sizeof
(
struct
ip6t_error_target
)),
IP6T_ERROR_TARGET
}
},
{
}
},
"ERROR"
}
}
};
static
struct
ip6t_table
packet_raw
=
{
.
name
=
"raw"
,
.
table
=
&
initial_table
.
repl
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
lock
=
RW_LOCK_UNLOCKED
,
.
me
=
THIS_MODULE
};
/* The work comes in here from netfilter.c. */
static
unsigned
int
ip6t_hook
(
unsigned
int
hook
,
struct
sk_buff
**
pskb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ip6t_do_table
(
pskb
,
hook
,
in
,
out
,
&
packet_raw
,
NULL
);
}
static
struct
nf_hook_ops
ip6t_ops
[]
=
{
{
.
hook
=
ip6t_hook
,
.
pf
=
PF_INET6
,
.
hooknum
=
NF_IP6_PRE_ROUTING
,
.
priority
=
NF_IP6_PRI_FIRST
},
{
.
hook
=
ip6t_hook
,
.
pf
=
PF_INET6
,
.
hooknum
=
NF_IP6_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_FIRST
},
};
static
int
__init
init
(
void
)
{
int
ret
;
/* Register table */
ret
=
ip6t_register_table
(
&
packet_raw
);
if
(
ret
<
0
)
return
ret
;
/* Register hooks */
ret
=
nf_register_hook
(
&
ip6t_ops
[
0
]);
if
(
ret
<
0
)
goto
cleanup_table
;
ret
=
nf_register_hook
(
&
ip6t_ops
[
1
]);
if
(
ret
<
0
)
goto
cleanup_hook0
;
return
ret
;
cleanup_hook0:
nf_unregister_hook
(
&
ip6t_ops
[
0
]);
cleanup_table:
ip6t_unregister_table
(
&
packet_raw
);
return
ret
;
}
static
void
__exit
fini
(
void
)
{
unsigned
int
i
;
for
(
i
=
0
;
i
<
sizeof
(
ip6t_ops
)
/
sizeof
(
struct
nf_hook_ops
);
i
++
)
nf_unregister_hook
(
&
ip6t_ops
[
i
]);
ip6t_unregister_table
(
&
packet_raw
);
}
module_init
(
init
);
module_exit
(
fini
);
MODULE_LICENSE
(
"GPL"
);
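Review bot: The `ip6t_ops` entries register at `NF_IP6_PRI_FIRST`, whereas the IPv4 side of this commit adds a dedicated `NF_IP_PRI_RAW` slot between defrag and conntrack; if `NF_IP6_PRI_FIRST` is `INT_MIN` like its IPv4 counterpart, nothing can ever be ordered in front of the IPv6 raw table, so an IPv6 defrag or conntrack hook added later could not take the same position it has for IPv4. A dedicated `NF_IP6_PRI_RAW` mirroring the IPv4 value would keep the two ports consistent; the header comment calls this file a port of the IPv4 table, so the divergence deserves at least a comment on the `.priority` lines. The `#if 0` `DEBUGP` block is dead code that nothing in the file uses and can be dropped.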