Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
875bd5ab
Commit
875bd5ab
authored
Sep 19, 2005
by
Linus Torvalds
Browse files
Options
Browse Files
Download
Plain Diff
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
parents
6d1cfe3f
e14c3caf
Changes
28
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
28 changed files
with
2382 additions
and
496 deletions
+2382
-496
drivers/net/wan/hdlc_cisco.c
drivers/net/wan/hdlc_cisco.c
+1
-1
include/linux/if_vlan.h
include/linux/if_vlan.h
+4
-4
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+13
-1
include/linux/netfilter_ipv4/ip_conntrack_pptp.h
include/linux/netfilter_ipv4/ip_conntrack_pptp.h
+332
-0
include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
+114
-0
include/linux/netfilter_ipv4/ip_conntrack_tuple.h
include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+7
-0
include/linux/netfilter_ipv4/ip_nat_pptp.h
include/linux/netfilter_ipv4/ip_nat_pptp.h
+11
-0
include/linux/netfilter_ipv6/ip6_tables.h
include/linux/netfilter_ipv6/ip6_tables.h
+3
-0
net/8021q/vlan_dev.c
net/8021q/vlan_dev.c
+1
-1
net/ipv4/fib_trie.c
net/ipv4/fib_trie.c
+17
-17
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+22
-0
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+5
-0
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+1
-1
net/ipv4/netfilter/ip_conntrack_helper_pptp.c
net/ipv4/netfilter/ip_conntrack_helper_pptp.c
+805
-0
net/ipv4/netfilter/ip_conntrack_netlink.c
net/ipv4/netfilter/ip_conntrack_netlink.c
+2
-2
net/ipv4/netfilter/ip_conntrack_proto_gre.c
net/ipv4/netfilter/ip_conntrack_proto_gre.c
+327
-0
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+2
-2
net/ipv4/netfilter/ip_nat_core.c
net/ipv4/netfilter/ip_nat_core.c
+2
-0
net/ipv4/netfilter/ip_nat_helper_pptp.c
net/ipv4/netfilter/ip_nat_helper_pptp.c
+401
-0
net/ipv4/netfilter/ip_nat_proto_gre.c
net/ipv4/netfilter/ip_nat_proto_gre.c
+214
-0
net/ipv4/tcp_output.c
net/ipv4/tcp_output.c
+7
-3
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+52
-0
net/ipv6/netfilter/ip6t_ah.c
net/ipv6/netfilter/ip6t_ah.c
+5
-76
net/ipv6/netfilter/ip6t_dst.c
net/ipv6/netfilter/ip6t_dst.c
+7
-81
net/ipv6/netfilter/ip6t_esp.c
net/ipv6/netfilter/ip6t_esp.c
+4
-69
net/ipv6/netfilter/ip6t_frag.c
net/ipv6/netfilter/ip6t_frag.c
+9
-81
net/ipv6/netfilter/ip6t_hbh.c
net/ipv6/netfilter/ip6t_hbh.c
+7
-81
net/ipv6/netfilter/ip6t_rt.c
net/ipv6/netfilter/ip6t_rt.c
+7
-76
No files found.
drivers/net/wan/hdlc_cisco.c
View file @
875bd5ab
...
@@ -72,7 +72,7 @@ static void cisco_keepalive_send(struct net_device *dev, u32 type,
...
@@ -72,7 +72,7 @@ static void cisco_keepalive_send(struct net_device *dev, u32 type,
}
}
skb_reserve
(
skb
,
4
);
skb_reserve
(
skb
,
4
);
cisco_hard_header
(
skb
,
dev
,
CISCO_KEEPALIVE
,
NULL
,
NULL
,
0
);
cisco_hard_header
(
skb
,
dev
,
CISCO_KEEPALIVE
,
NULL
,
NULL
,
0
);
data
=
(
cisco_packet
*
)
skb
->
data
;
data
=
(
cisco_packet
*
)
(
skb
->
data
+
4
)
;
data
->
type
=
htonl
(
type
);
data
->
type
=
htonl
(
type
);
data
->
par1
=
htonl
(
par1
);
data
->
par1
=
htonl
(
par1
);
...
...
include/linux/if_vlan.h
View file @
875bd5ab
...
@@ -42,8 +42,8 @@ struct hlist_node;
...
@@ -42,8 +42,8 @@ struct hlist_node;
struct
vlan_ethhdr
{
struct
vlan_ethhdr
{
unsigned
char
h_dest
[
ETH_ALEN
];
/* destination eth addr */
unsigned
char
h_dest
[
ETH_ALEN
];
/* destination eth addr */
unsigned
char
h_source
[
ETH_ALEN
];
/* source ether addr */
unsigned
char
h_source
[
ETH_ALEN
];
/* source ether addr */
unsigned
short
h_vlan_proto
;
/* Should always be 0x8100 */
__be16
h_vlan_proto
;
/* Should always be 0x8100 */
unsigned
short
h_vlan_TCI
;
/* Encapsulates priority and VLAN ID */
__be16
h_vlan_TCI
;
/* Encapsulates priority and VLAN ID */
unsigned
short
h_vlan_encapsulated_proto
;
/* packet type ID field (or len) */
unsigned
short
h_vlan_encapsulated_proto
;
/* packet type ID field (or len) */
};
};
...
@@ -55,8 +55,8 @@ static inline struct vlan_ethhdr *vlan_eth_hdr(const struct sk_buff *skb)
...
@@ -55,8 +55,8 @@ static inline struct vlan_ethhdr *vlan_eth_hdr(const struct sk_buff *skb)
}
}
struct
vlan_hdr
{
struct
vlan_hdr
{
unsigned
short
h_vlan_TCI
;
/* Encapsulates priority and VLAN ID */
__be16
h_vlan_TCI
;
/* Encapsulates priority and VLAN ID */
unsigned
short
h_vlan_encapsulated_proto
;
/* packet type ID field (or len) */
__be16
h_vlan_encapsulated_proto
;
/* packet type ID field (or len) */
};
};
#define VLAN_VID_MASK 0xfff
#define VLAN_VID_MASK 0xfff
...
...
include/linux/netfilter_ipv4/ip_conntrack.h
View file @
875bd5ab
...
@@ -133,11 +133,13 @@ enum ip_conntrack_expect_events {
...
@@ -133,11 +133,13 @@ enum ip_conntrack_expect_events {
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
#include <linux/netfilter_ipv4/ip_conntrack_sctp.h>
#include <linux/netfilter_ipv4/ip_conntrack_sctp.h>
/* per conntrack: protocol private data */
/* per conntrack: protocol private data */
union
ip_conntrack_proto
{
union
ip_conntrack_proto
{
/* insert conntrack proto private data here */
/* insert conntrack proto private data here */
struct
ip_ct_gre
gre
;
struct
ip_ct_sctp
sctp
;
struct
ip_ct_sctp
sctp
;
struct
ip_ct_tcp
tcp
;
struct
ip_ct_tcp
tcp
;
struct
ip_ct_icmp
icmp
;
struct
ip_ct_icmp
icmp
;
...
@@ -148,6 +150,7 @@ union ip_conntrack_expect_proto {
...
@@ -148,6 +150,7 @@ union ip_conntrack_expect_proto {
};
};
/* Add protocol helper include file here */
/* Add protocol helper include file here */
#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
...
@@ -155,12 +158,20 @@ union ip_conntrack_expect_proto {
...
@@ -155,12 +158,20 @@ union ip_conntrack_expect_proto {
/* per conntrack: application helper private data */
/* per conntrack: application helper private data */
union
ip_conntrack_help
{
union
ip_conntrack_help
{
/* insert conntrack helper private data (master) here */
/* insert conntrack helper private data (master) here */
struct
ip_ct_pptp_master
ct_pptp_info
;
struct
ip_ct_ftp_master
ct_ftp_info
;
struct
ip_ct_ftp_master
ct_ftp_info
;
struct
ip_ct_irc_master
ct_irc_info
;
struct
ip_ct_irc_master
ct_irc_info
;
};
};
#ifdef CONFIG_IP_NF_NAT_NEEDED
#ifdef CONFIG_IP_NF_NAT_NEEDED
#include <linux/netfilter_ipv4/ip_nat.h>
#include <linux/netfilter_ipv4/ip_nat.h>
#include <linux/netfilter_ipv4/ip_nat_pptp.h>
/* per conntrack: nat application helper private data */
union
ip_conntrack_nat_help
{
/* insert nat helper private data here */
struct
ip_nat_pptp
nat_pptp_info
;
};
#endif
#endif
#include <linux/types.h>
#include <linux/types.h>
...
@@ -223,6 +234,7 @@ struct ip_conntrack
...
@@ -223,6 +234,7 @@ struct ip_conntrack
#ifdef CONFIG_IP_NF_NAT_NEEDED
#ifdef CONFIG_IP_NF_NAT_NEEDED
struct
{
struct
{
struct
ip_nat_info
info
;
struct
ip_nat_info
info
;
union
ip_conntrack_nat_help
help
;
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
int
masq_index
;
int
masq_index
;
...
@@ -372,7 +384,7 @@ extern struct ip_conntrack_expect *
...
@@ -372,7 +384,7 @@ extern struct ip_conntrack_expect *
__ip_conntrack_expect_find
(
const
struct
ip_conntrack_tuple
*
tuple
);
__ip_conntrack_expect_find
(
const
struct
ip_conntrack_tuple
*
tuple
);
extern
struct
ip_conntrack_expect
*
extern
struct
ip_conntrack_expect
*
ip_conntrack_expect_find
_get
(
const
struct
ip_conntrack_tuple
*
tuple
);
ip_conntrack_expect_find
(
const
struct
ip_conntrack_tuple
*
tuple
);
extern
struct
ip_conntrack_tuple_hash
*
extern
struct
ip_conntrack_tuple_hash
*
__ip_conntrack_find
(
const
struct
ip_conntrack_tuple
*
tuple
,
__ip_conntrack_find
(
const
struct
ip_conntrack_tuple
*
tuple
,
...
...
include/linux/netfilter_ipv4/ip_conntrack_pptp.h
0 → 100644
View file @
875bd5ab
/* PPTP constants and structs */
#ifndef _CONNTRACK_PPTP_H
#define _CONNTRACK_PPTP_H
/* state of the control session */
enum
pptp_ctrlsess_state
{
PPTP_SESSION_NONE
,
/* no session present */
PPTP_SESSION_ERROR
,
/* some session error */
PPTP_SESSION_STOPREQ
,
/* stop_sess request seen */
PPTP_SESSION_REQUESTED
,
/* start_sess request seen */
PPTP_SESSION_CONFIRMED
,
/* session established */
};
/* state of the call inside the control session */
enum
pptp_ctrlcall_state
{
PPTP_CALL_NONE
,
PPTP_CALL_ERROR
,
PPTP_CALL_OUT_REQ
,
PPTP_CALL_OUT_CONF
,
PPTP_CALL_IN_REQ
,
PPTP_CALL_IN_REP
,
PPTP_CALL_IN_CONF
,
PPTP_CALL_CLEAR_REQ
,
};
/* conntrack private data */
struct
ip_ct_pptp_master
{
enum
pptp_ctrlsess_state
sstate
;
/* session state */
/* everything below is going to be per-expectation in newnat,
* since there could be more than one call within one session */
enum
pptp_ctrlcall_state
cstate
;
/* call state */
u_int16_t
pac_call_id
;
/* call id of PAC, host byte order */
u_int16_t
pns_call_id
;
/* call id of PNS, host byte order */
/* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
* and therefore imposes a fixed limit on the number of maps */
struct
ip_ct_gre_keymap
*
keymap_orig
,
*
keymap_reply
;
};
/* conntrack_expect private member */
struct
ip_ct_pptp_expect
{
enum
pptp_ctrlcall_state
cstate
;
/* call state */
u_int16_t
pac_call_id
;
/* call id of PAC */
u_int16_t
pns_call_id
;
/* call id of PNS */
};
#ifdef __KERNEL__
#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
#define PPTP_CONTROL_PORT 1723
#define PPTP_PACKET_CONTROL 1
#define PPTP_PACKET_MGMT 2
#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
struct
pptp_pkt_hdr
{
__u16
packetLength
;
__u16
packetType
;
__u32
magicCookie
;
};
/* PptpControlMessageType values */
#define PPTP_START_SESSION_REQUEST 1
#define PPTP_START_SESSION_REPLY 2
#define PPTP_STOP_SESSION_REQUEST 3
#define PPTP_STOP_SESSION_REPLY 4
#define PPTP_ECHO_REQUEST 5
#define PPTP_ECHO_REPLY 6
#define PPTP_OUT_CALL_REQUEST 7
#define PPTP_OUT_CALL_REPLY 8
#define PPTP_IN_CALL_REQUEST 9
#define PPTP_IN_CALL_REPLY 10
#define PPTP_IN_CALL_CONNECT 11
#define PPTP_CALL_CLEAR_REQUEST 12
#define PPTP_CALL_DISCONNECT_NOTIFY 13
#define PPTP_WAN_ERROR_NOTIFY 14
#define PPTP_SET_LINK_INFO 15
#define PPTP_MSG_MAX 15
/* PptpGeneralError values */
#define PPTP_ERROR_CODE_NONE 0
#define PPTP_NOT_CONNECTED 1
#define PPTP_BAD_FORMAT 2
#define PPTP_BAD_VALUE 3
#define PPTP_NO_RESOURCE 4
#define PPTP_BAD_CALLID 5
#define PPTP_REMOVE_DEVICE_ERROR 6
struct
PptpControlHeader
{
__u16
messageType
;
__u16
reserved
;
};
/* FramingCapability Bitmap Values */
#define PPTP_FRAME_CAP_ASYNC 0x1
#define PPTP_FRAME_CAP_SYNC 0x2
/* BearerCapability Bitmap Values */
#define PPTP_BEARER_CAP_ANALOG 0x1
#define PPTP_BEARER_CAP_DIGITAL 0x2
struct
PptpStartSessionRequest
{
__u16
protocolVersion
;
__u8
reserved1
;
__u8
reserved2
;
__u32
framingCapability
;
__u32
bearerCapability
;
__u16
maxChannels
;
__u16
firmwareRevision
;
__u8
hostName
[
64
];
__u8
vendorString
[
64
];
};
/* PptpStartSessionResultCode Values */
#define PPTP_START_OK 1
#define PPTP_START_GENERAL_ERROR 2
#define PPTP_START_ALREADY_CONNECTED 3
#define PPTP_START_NOT_AUTHORIZED 4
#define PPTP_START_UNKNOWN_PROTOCOL 5
struct
PptpStartSessionReply
{
__u16
protocolVersion
;
__u8
resultCode
;
__u8
generalErrorCode
;
__u32
framingCapability
;
__u32
bearerCapability
;
__u16
maxChannels
;
__u16
firmwareRevision
;
__u8
hostName
[
64
];
__u8
vendorString
[
64
];
};
/* PptpStopReasons */
#define PPTP_STOP_NONE 1
#define PPTP_STOP_PROTOCOL 2
#define PPTP_STOP_LOCAL_SHUTDOWN 3
struct
PptpStopSessionRequest
{
__u8
reason
;
};
/* PptpStopSessionResultCode */
#define PPTP_STOP_OK 1
#define PPTP_STOP_GENERAL_ERROR 2
struct
PptpStopSessionReply
{
__u8
resultCode
;
__u8
generalErrorCode
;
};
struct
PptpEchoRequest
{
__u32
identNumber
;
};
/* PptpEchoReplyResultCode */
#define PPTP_ECHO_OK 1
#define PPTP_ECHO_GENERAL_ERROR 2
struct
PptpEchoReply
{
__u32
identNumber
;
__u8
resultCode
;
__u8
generalErrorCode
;
__u16
reserved
;
};
/* PptpFramingType */
#define PPTP_ASYNC_FRAMING 1
#define PPTP_SYNC_FRAMING 2
#define PPTP_DONT_CARE_FRAMING 3
/* PptpCallBearerType */
#define PPTP_ANALOG_TYPE 1
#define PPTP_DIGITAL_TYPE 2
#define PPTP_DONT_CARE_BEARER_TYPE 3
struct
PptpOutCallRequest
{
__u16
callID
;
__u16
callSerialNumber
;
__u32
minBPS
;
__u32
maxBPS
;
__u32
bearerType
;
__u32
framingType
;
__u16
packetWindow
;
__u16
packetProcDelay
;
__u16
reserved1
;
__u16
phoneNumberLength
;
__u16
reserved2
;
__u8
phoneNumber
[
64
];
__u8
subAddress
[
64
];
};
/* PptpCallResultCode */
#define PPTP_OUTCALL_CONNECT 1
#define PPTP_OUTCALL_GENERAL_ERROR 2
#define PPTP_OUTCALL_NO_CARRIER 3
#define PPTP_OUTCALL_BUSY 4
#define PPTP_OUTCALL_NO_DIAL_TONE 5
#define PPTP_OUTCALL_TIMEOUT 6
#define PPTP_OUTCALL_DONT_ACCEPT 7
struct
PptpOutCallReply
{
__u16
callID
;
__u16
peersCallID
;
__u8
resultCode
;
__u8
generalErrorCode
;
__u16
causeCode
;
__u32
connectSpeed
;
__u16
packetWindow
;
__u16
packetProcDelay
;
__u32
physChannelID
;
};
struct
PptpInCallRequest
{
__u16
callID
;
__u16
callSerialNumber
;
__u32
callBearerType
;
__u32
physChannelID
;
__u16
dialedNumberLength
;
__u16
dialingNumberLength
;
__u8
dialedNumber
[
64
];
__u8
dialingNumber
[
64
];
__u8
subAddress
[
64
];
};
/* PptpInCallResultCode */
#define PPTP_INCALL_ACCEPT 1
#define PPTP_INCALL_GENERAL_ERROR 2
#define PPTP_INCALL_DONT_ACCEPT 3
struct
PptpInCallReply
{
__u16
callID
;
__u16
peersCallID
;
__u8
resultCode
;
__u8
generalErrorCode
;
__u16
packetWindow
;
__u16
packetProcDelay
;
__u16
reserved
;
};
struct
PptpInCallConnected
{
__u16
peersCallID
;
__u16
reserved
;
__u32
connectSpeed
;
__u16
packetWindow
;
__u16
packetProcDelay
;
__u32
callFramingType
;
};
struct
PptpClearCallRequest
{
__u16
callID
;
__u16
reserved
;
};
struct
PptpCallDisconnectNotify
{
__u16
callID
;
__u8
resultCode
;
__u8
generalErrorCode
;
__u16
causeCode
;
__u16
reserved
;
__u8
callStatistics
[
128
];
};
struct
PptpWanErrorNotify
{
__u16
peersCallID
;
__u16
reserved
;
__u32
crcErrors
;
__u32
framingErrors
;
__u32
hardwareOverRuns
;
__u32
bufferOverRuns
;
__u32
timeoutErrors
;
__u32
alignmentErrors
;
};
struct
PptpSetLinkInfo
{
__u16
peersCallID
;
__u16
reserved
;
__u32
sendAccm
;
__u32
recvAccm
;
};
struct
pptp_priv_data
{
__u16
call_id
;
__u16
mcall_id
;
__u16
pcall_id
;
};
union
pptp_ctrl_union
{
struct
PptpStartSessionRequest
sreq
;
struct
PptpStartSessionReply
srep
;
struct
PptpStopSessionRequest
streq
;
struct
PptpStopSessionReply
strep
;
struct
PptpOutCallRequest
ocreq
;
struct
PptpOutCallReply
ocack
;
struct
PptpInCallRequest
icreq
;
struct
PptpInCallReply
icack
;
struct
PptpInCallConnected
iccon
;
struct
PptpClearCallRequest
clrreq
;
struct
PptpCallDisconnectNotify
disc
;
struct
PptpWanErrorNotify
wanerr
;
struct
PptpSetLinkInfo
setlink
;
};
extern
int
(
*
ip_nat_pptp_hook_outbound
)(
struct
sk_buff
**
pskb
,
struct
ip_conntrack
*
ct
,
enum
ip_conntrack_info
ctinfo
,
struct
PptpControlHeader
*
ctlh
,
union
pptp_ctrl_union
*
pptpReq
);
extern
int
(
*
ip_nat_pptp_hook_inbound
)(
struct
sk_buff
**
pskb
,
struct
ip_conntrack
*
ct
,
enum
ip_conntrack_info
ctinfo
,
struct
PptpControlHeader
*
ctlh
,
union
pptp_ctrl_union
*
pptpReq
);
extern
int
(
*
ip_nat_pptp_hook_exp_gre
)(
struct
ip_conntrack_expect
*
exp_orig
,
struct
ip_conntrack_expect
*
exp_reply
);
extern
void
(
*
ip_nat_pptp_hook_expectfn
)(
struct
ip_conntrack
*
ct
,
struct
ip_conntrack_expect
*
exp
);
#endif
/* __KERNEL__ */
#endif
/* _CONNTRACK_PPTP_H */
include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
0 → 100644
View file @
875bd5ab
#ifndef _CONNTRACK_PROTO_GRE_H
#define _CONNTRACK_PROTO_GRE_H
#include <asm/byteorder.h>
/* GRE PROTOCOL HEADER */
/* GRE Version field */
#define GRE_VERSION_1701 0x0
#define GRE_VERSION_PPTP 0x1
/* GRE Protocol field */
#define GRE_PROTOCOL_PPTP 0x880B
/* GRE Flags */
#define GRE_FLAG_C 0x80
#define GRE_FLAG_R 0x40
#define GRE_FLAG_K 0x20
#define GRE_FLAG_S 0x10
#define GRE_FLAG_A 0x80
#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
/* GRE is a mess: Four different standards */
struct
gre_hdr
{
#if defined(__LITTLE_ENDIAN_BITFIELD)
__u16
rec
:
3
,
srr:
1
,
seq:
1
,
key:
1
,
routing:
1
,
csum:
1
,
version:
3
,
reserved:
4
,
ack:
1
;
#elif defined(__BIG_ENDIAN_BITFIELD)
__u16
csum
:
1
,
routing:
1
,
key:
1
,
seq:
1
,
srr:
1
,
rec:
3
,
ack:
1
,
reserved:
4
,
version:
3
;
#else
#error "Adjust your <asm/byteorder.h> defines"
#endif
__u16
protocol
;
};
/* modified GRE header for PPTP */
struct
gre_hdr_pptp
{
__u8
flags
;
/* bitfield */
__u8
version
;
/* should be GRE_VERSION_PPTP */
__u16
protocol
;
/* should be GRE_PROTOCOL_PPTP */
__u16
payload_len
;
/* size of ppp payload, not inc. gre header */
__u16
call_id
;
/* peer's call_id for this session */
__u32
seq
;
/* sequence number. Present if S==1 */
__u32
ack
;
/* seq number of highest packet recieved by */
/* sender in this session */
};
/* this is part of ip_conntrack */
struct
ip_ct_gre
{
unsigned
int
stream_timeout
;
unsigned
int
timeout
;
};
#ifdef __KERNEL__
struct
ip_conntrack_expect
;
struct
ip_conntrack
;
/* structure for original <-> reply keymap */
struct
ip_ct_gre_keymap
{
struct
list_head
list
;
struct
ip_conntrack_tuple
tuple
;
};
/* add new tuple->key_reply pair to keymap */
int
ip_ct_gre_keymap_add
(
struct
ip_conntrack
*
ct
,
struct
ip_conntrack_tuple
*
t
,
int
reply
);
/* delete keymap entries */
void
ip_ct_gre_keymap_destroy
(
struct
ip_conntrack
*
ct
);
/* get pointer to gre key, if present */
static
inline
u_int32_t
*
gre_key
(
struct
gre_hdr
*
greh
)
{
if
(
!
greh
->
key
)
return
NULL
;
if
(
greh
->
csum
||
greh
->
routing
)
return
(
u_int32_t
*
)
(
greh
+
sizeof
(
*
greh
)
+
4
);
return
(
u_int32_t
*
)
(
greh
+
sizeof
(
*
greh
));
}
/* get pointer ot gre csum, if present */
static
inline
u_int16_t
*
gre_csum
(
struct
gre_hdr
*
greh
)
{
if
(
!
greh
->
csum
)
return
NULL
;
return
(
u_int16_t
*
)
(
greh
+
sizeof
(
*
greh
));
}
#endif
/* __KERNEL__ */
#endif
/* _CONNTRACK_PROTO_GRE_H */
include/linux/netfilter_ipv4/ip_conntrack_tuple.h
View file @
875bd5ab
...
@@ -28,6 +28,9 @@ union ip_conntrack_manip_proto
...
@@ -28,6 +28,9 @@ union ip_conntrack_manip_proto
struct
{
struct
{
u_int16_t
port
;
u_int16_t
port
;
}
sctp
;
}
sctp
;
struct
{
u_int16_t
key
;
/* key is 32bit, pptp only uses 16 */
}
gre
;
};
};
/* The manipulable part of the tuple. */
/* The manipulable part of the tuple. */
...
@@ -61,6 +64,10 @@ struct ip_conntrack_tuple
...
@@ -61,6 +64,10 @@ struct ip_conntrack_tuple
struct
{
struct
{
u_int16_t
port
;
u_int16_t
port
;
}
sctp
;
}
sctp
;
struct
{
u_int16_t
key
;
/* key is 32bit,
* pptp only uses 16 */
}
gre
;
}
u
;
}
u
;
/* The protocol. */
/* The protocol. */
...
...
include/linux/netfilter_ipv4/ip_nat_pptp.h
0 → 100644
View file @
875bd5ab
/* PPTP constants and structs */
#ifndef _NAT_PPTP_H
#define _NAT_PPTP_H
/* conntrack private data */
struct
ip_nat_pptp
{
u_int16_t
pns_call_id
;
/* NAT'ed PNS call id */
u_int16_t
pac_call_id
;
/* NAT'ed PAC call id */
};
#endif
/* _NAT_PPTP_H */
include/linux/netfilter_ipv6/ip6_tables.h
View file @
875bd5ab
...
@@ -455,6 +455,9 @@ extern unsigned int ip6t_do_table(struct sk_buff **pskb,
...
@@ -455,6 +455,9 @@ extern unsigned int ip6t_do_table(struct sk_buff **pskb,
/* Check for an extension */
/* Check for an extension */
extern
int
ip6t_ext_hdr
(
u8
nexthdr
);
extern
int
ip6t_ext_hdr
(
u8
nexthdr
);
/* find specified header and get offset to it */
extern
int
ipv6_find_hdr
(
const
struct
sk_buff
*
skb
,
unsigned
int
*
offset
,
u8
target
);
#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
...
...
net/8021q/vlan_dev.c
View file @
875bd5ab
...
@@ -120,7 +120,7 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
...
@@ -120,7 +120,7 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
unsigned
short
vid
;
unsigned
short
vid
;
struct
net_device_stats
*
stats
;
struct
net_device_stats
*
stats
;
unsigned
short
vlan_TCI
;
unsigned
short
vlan_TCI
;
unsigned
short
proto
;
__be16
proto
;
/* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
/* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
vlan_TCI
=
ntohs
(
vhdr
->
h_vlan_TCI
);
vlan_TCI
=
ntohs
(
vhdr
->
h_vlan_TCI
);
...
...
net/ipv4/fib_trie.c
View file @
875bd5ab
...
@@ -43,7 +43,7 @@
...
@@ -43,7 +43,7 @@
* 2 of the License, or (at your option) any later version.
* 2 of the License, or (at your option) any later version.
*/
*/
#define VERSION "0.40
3
"
#define VERSION "0.40
4
"
#include <linux/config.h>
#include <linux/config.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
...
@@ -224,7 +224,7 @@ static inline int tkey_mismatch(t_key a, int offset, t_key b)
...
@@ -224,7 +224,7 @@ static inline int tkey_mismatch(t_key a, int offset, t_key b)
Consider a node 'n' and its parent 'tp'.
Consider a node 'n' and its parent 'tp'.
If n is a leaf, every bit in its key is significant. Its presence is
If n is a leaf, every bit in its key is significant. Its presence is
necessita
d
ed by path compression, since during a tree traversal (when
necessita
t
ed by path compression, since during a tree traversal (when
searching for a leaf - unless we are doing an insertion) we will completely
searching for a leaf - unless we are doing an insertion) we will completely
ignore all skipped bits we encounter. Thus we need to verify, at the end of
ignore all skipped bits we encounter. Thus we need to verify, at the end of
a potentially successful search, that we have indeed been walking the
a potentially successful search, that we have indeed been walking the
...
@@ -836,11 +836,12 @@ static void trie_init(struct trie *t)
...
@@ -836,11 +836,12 @@ static void trie_init(struct trie *t)
#endif
#endif
}
}
/* readside m
o
st use rcu_read_lock currently dump routines
/* readside m
u
st use rcu_read_lock currently dump routines
via get_fa_head and dump */
via get_fa_head and dump */
static
struct
leaf_info
*
find_leaf_info
(
struct
hlist_head
*
head
,
int
plen
)
static
struct
leaf_info
*
find_leaf_info
(
struct
leaf
*
l
,
int
plen
)
{
{
struct
hlist_head
*
head
=
&
l
->
list
;
struct
hlist_node
*
node
;
struct
hlist_node
*
node
;
struct
leaf_info
*
li
;
struct
leaf_info
*
li
;
...
@@ -853,7 +854,7 @@ static struct leaf_info *find_leaf_info(struct hlist_head *head, int plen)
...
@@ -853,7 +854,7 @@ static struct leaf_info *find_leaf_info(struct hlist_head *head, int plen)
static
inline
struct
list_head
*
get_fa_head
(
struct
leaf
*
l
,
int
plen
)
static
inline
struct
list_head
*
get_fa_head
(
struct
leaf
*
l
,
int
plen
)
{
{
struct
leaf_info
*
li
=
find_leaf_info
(
&
l
->
list
,
plen
);
struct
leaf_info
*
li
=
find_leaf_info
(
l
,
plen
);
if
(
!
li
)
if
(
!
li
)
return
NULL
;
return
NULL
;
...
@@ -1248,7 +1249,7 @@ fn_trie_insert(struct fib_table *tb, struct rtmsg *r, struct kern_rta *rta,
...
@@ -1248,7 +1249,7 @@ fn_trie_insert(struct fib_table *tb, struct rtmsg *r, struct kern_rta *rta,
}
}
/* should be c
l
alled with rcu_read_lock */
/* should be called with rcu_read_lock */
static
inline
int
check_leaf
(
struct
trie
*
t
,
struct
leaf
*
l
,
static
inline
int
check_leaf
(
struct
trie
*
t
,
struct
leaf
*
l
,
t_key
key
,
int
*
plen
,
const
struct
flowi
*
flp
,
t_key
key
,
int
*
plen
,
const
struct
flowi
*
flp
,
struct
fib_result
*
res
)
struct
fib_result
*
res
)
...
@@ -1590,7 +1591,7 @@ fn_trie_delete(struct fib_table *tb, struct rtmsg *r, struct kern_rta *rta,
...
@@ -1590,7 +1591,7 @@ fn_trie_delete(struct fib_table *tb, struct rtmsg *r, struct kern_rta *rta,
rtmsg_fib
(
RTM_DELROUTE
,
htonl
(
key
),
fa
,
plen
,
tb
->
tb_id
,
nlhdr
,
req
);
rtmsg_fib
(
RTM_DELROUTE
,
htonl
(
key
),
fa
,
plen
,
tb
->
tb_id
,
nlhdr
,
req
);
l
=
fib_find_node
(
t
,
key
);
l
=
fib_find_node
(
t
,
key
);
li
=
find_leaf_info
(
&
l
->
list
,
plen
);
li
=
find_leaf_info
(
l
,
plen
);
list_del_rcu
(
&
fa
->
fa_list
);
list_del_rcu
(
&
fa
->
fa_list
);
...
@@ -1714,7 +1715,6 @@ static int fn_trie_flush(struct fib_table *tb)
...
@@ -1714,7 +1715,6 @@ static int fn_trie_flush(struct fib_table *tb)
t
->
revision
++
;
t
->
revision
++
;
rcu_read_lock
();
for
(
h
=
0
;
(
l
=
nextleaf
(
t
,
l
))
!=
NULL
;
h
++
)
{
for
(
h
=
0
;
(
l
=
nextleaf
(
t
,
l
))
!=
NULL
;
h
++
)
{
found
+=
trie_flush_leaf
(
t
,
l
);
found
+=
trie_flush_leaf
(
t
,
l
);
...
@@ -1722,7 +1722,6 @@ static int fn_trie_flush(struct fib_table *tb)
...
@@ -1722,7 +1722,6 @@ static int fn_trie_flush(struct fib_table *tb)
trie_leaf_remove
(
t
,
ll
->
key
);
trie_leaf_remove
(
t
,
ll
->
key
);
ll
=
l
;
ll
=
l
;
}
}
rcu_read_unlock
();
if
(
ll
&&
hlist_empty
(
&
ll
->
list
))
if
(
ll
&&
hlist_empty
(
&
ll
->
list
))
trie_leaf_remove
(
t
,
ll
->
key
);
trie_leaf_remove
(
t
,
ll
->
key
);
...
@@ -2029,7 +2028,7 @@ static struct node *fib_trie_get_first(struct fib_trie_iter *iter,
...
@@ -2029,7 +2028,7 @@ static struct node *fib_trie_get_first(struct fib_trie_iter *iter,
iter
->
tnode
=
(
struct
tnode
*
)
n
;
iter
->
tnode
=
(
struct
tnode
*
)
n
;
iter
->
trie
=
t
;
iter
->
trie
=
t
;
iter
->
index
=
0
;
iter
->
index
=
0
;
iter
->
depth
=
0
;
iter
->
depth
=
1
;
return
n
;
return
n
;
}
}
return
NULL
;
return
NULL
;
...
@@ -2274,11 +2273,12 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
...
@@ -2274,11 +2273,12 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
seq_puts
(
seq
,
"<local>:
\n
"
);
seq_puts
(
seq
,
"<local>:
\n
"
);
else
else
seq_puts
(
seq
,
"<main>:
\n
"
);
seq_puts
(
seq
,
"<main>:
\n
"
);
}
else
{
seq_indent
(
seq
,
iter
->
depth
-
1
);
seq_printf
(
seq
,
" +-- %d.%d.%d.%d/%d
\n
"
,
NIPQUAD
(
prf
),
tn
->
pos
);
}
}
seq_indent
(
seq
,
iter
->
depth
-
1
);
seq_printf
(
seq
,
" +-- %d.%d.%d.%d/%d %d %d %d
\n
"
,
NIPQUAD
(
prf
),
tn
->
pos
,
tn
->
bits
,
tn
->
full_children
,
tn
->
empty_children
);
}
else
{
}
else
{
struct
leaf
*
l
=
(
struct
leaf
*
)
n
;
struct
leaf
*
l
=
(
struct
leaf
*
)
n
;
int
i
;
int
i
;
...
@@ -2287,7 +2287,7 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
...
@@ -2287,7 +2287,7 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
seq_indent
(
seq
,
iter
->
depth
);
seq_indent
(
seq
,
iter
->
depth
);
seq_printf
(
seq
,
" |-- %d.%d.%d.%d
\n
"
,
NIPQUAD
(
val
));
seq_printf
(
seq
,
" |-- %d.%d.%d.%d
\n
"
,
NIPQUAD
(
val
));
for
(
i
=
32
;
i
>=
0
;
i
--
)
{
for
(
i
=
32
;
i
>=
0
;
i
--
)
{
struct
leaf_info
*
li
=
find_leaf_info
(
&
l
->
list
,
i
);
struct
leaf_info
*
li
=
find_leaf_info
(
l
,
i
);
if
(
li
)
{
if
(
li
)
{
struct
fib_alias
*
fa
;
struct
fib_alias
*
fa
;
list_for_each_entry_rcu
(
fa
,
&
li
->
falh
,
fa_list
)
{
list_for_each_entry_rcu
(
fa
,
&
li
->
falh
,
fa_list
)
{
...
@@ -2383,7 +2383,7 @@ static int fib_route_seq_show(struct seq_file *seq, void *v)
...
@@ -2383,7 +2383,7 @@ static int fib_route_seq_show(struct seq_file *seq, void *v)
return
0
;
return
0
;
for
(
i
=
32
;
i
>=
0
;
i
--
)
{
for
(
i
=
32
;
i
>=
0
;
i
--
)
{
struct
leaf_info
*
li
=
find_leaf_info
(
&
l
->
list
,
i
);
struct
leaf_info
*
li
=
find_leaf_info
(
l
,
i
);
struct
fib_alias
*
fa
;
struct
fib_alias
*
fa
;
u32
mask
,
prefix
;
u32
mask
,
prefix
;
...
...
net/ipv4/netfilter/Kconfig
View file @
875bd5ab
...
@@ -137,6 +137,22 @@ config IP_NF_AMANDA
...
@@ -137,6 +137,22 @@ config IP_NF_AMANDA
To compile it as a module, choose M here. If unsure, say Y.
To compile it as a module, choose M here. If unsure, say Y.
config IP_NF_PPTP
tristate 'PPTP protocol support'
help
This module adds support for PPTP (Point to Point Tunnelling
Protocol, RFC2637) conncection tracking and NAT.
If you are running PPTP sessions over a stateful firewall or NAT
box, you may want to enable this feature.
Please note that not all PPTP modes of operation are supported yet.
For more info, read top of the file
net/ipv4/netfilter/ip_conntrack_pptp.c
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
config IP_NF_QUEUE
config IP_NF_QUEUE
tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
help
help
...
@@ -621,6 +637,12 @@ config IP_NF_NAT_AMANDA
...
@@ -621,6 +637,12 @@ config IP_NF_NAT_AMANDA
default IP_NF_NAT if IP_NF_AMANDA=y
default IP_NF_NAT if IP_NF_AMANDA=y
default m if IP_NF_AMANDA=m
default m if IP_NF_AMANDA=m
config IP_NF_NAT_PPTP
tristate
depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
default IP_NF_NAT if IP_NF_PPTP=y
default m if IP_NF_PPTP=m
# mangle + specific targets
# mangle + specific targets
config IP_NF_MANGLE
config IP_NF_MANGLE
tristate "Packet mangling"
tristate "Packet mangling"
...
...
net/ipv4/netfilter/Makefile
View file @
875bd5ab
...
@@ -6,6 +6,9 @@
...
@@ -6,6 +6,9 @@
ip_conntrack-objs
:=
ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
ip_conntrack-objs
:=
ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
iptable_nat-objs
:=
ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
iptable_nat-objs
:=
ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
ip_conntrack_pptp-objs
:=
ip_conntrack_helper_pptp.o ip_conntrack_proto_gre.o
ip_nat_pptp-objs
:=
ip_nat_helper_pptp.o ip_nat_proto_gre.o
# connection tracking
# connection tracking
obj-$(CONFIG_IP_NF_CONNTRACK)
+=
ip_conntrack.o
obj-$(CONFIG_IP_NF_CONNTRACK)
+=
ip_conntrack.o
...
@@ -17,6 +20,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o
...
@@ -17,6 +20,7 @@ obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o
obj-$(CONFIG_IP_NF_CT_PROTO_SCTP)
+=
ip_conntrack_proto_sctp.o
obj-$(CONFIG_IP_NF_CT_PROTO_SCTP)
+=
ip_conntrack_proto_sctp.o
# connection tracking helpers
# connection tracking helpers
obj-$(CONFIG_IP_NF_PPTP)
+=
ip_conntrack_pptp.o
obj-$(CONFIG_IP_NF_AMANDA)
+=
ip_conntrack_amanda.o
obj-$(CONFIG_IP_NF_AMANDA)
+=
ip_conntrack_amanda.o
obj-$(CONFIG_IP_NF_TFTP)
+=
ip_conntrack_tftp.o
obj-$(CONFIG_IP_NF_TFTP)
+=
ip_conntrack_tftp.o
obj-$(CONFIG_IP_NF_FTP)
+=
ip_conntrack_ftp.o
obj-$(CONFIG_IP_NF_FTP)
+=
ip_conntrack_ftp.o
...
@@ -24,6 +28,7 @@ obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
...
@@ -24,6 +28,7 @@ obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
obj-$(CONFIG_IP_NF_NETBIOS_NS)
+=
ip_conntrack_netbios_ns.o
obj-$(CONFIG_IP_NF_NETBIOS_NS)
+=
ip_conntrack_netbios_ns.o
# NAT helpers
# NAT helpers
obj-$(CONFIG_IP_NF_NAT_PPTP)
+=
ip_nat_pptp.o
obj-$(CONFIG_IP_NF_NAT_AMANDA)
+=
ip_nat_amanda.o
obj-$(CONFIG_IP_NF_NAT_AMANDA)
+=
ip_nat_amanda.o
obj-$(CONFIG_IP_NF_NAT_TFTP)
+=
ip_nat_tftp.o
obj-$(CONFIG_IP_NF_NAT_TFTP)
+=
ip_nat_tftp.o
obj-$(CONFIG_IP_NF_NAT_FTP)
+=
ip_nat_ftp.o
obj-$(CONFIG_IP_NF_NAT_FTP)
+=
ip_nat_ftp.o
...
...
net/ipv4/netfilter/ip_conntrack_core.c
View file @
875bd5ab
...
@@ -233,7 +233,7 @@ __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
...
@@ -233,7 +233,7 @@ __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
/* Just find a expectation corresponding to a tuple. */
/* Just find a expectation corresponding to a tuple. */
struct
ip_conntrack_expect
*
struct
ip_conntrack_expect
*
ip_conntrack_expect_find
_get
(
const
struct
ip_conntrack_tuple
*
tuple
)
ip_conntrack_expect_find
(
const
struct
ip_conntrack_tuple
*
tuple
)
{
{
struct
ip_conntrack_expect
*
i
;
struct
ip_conntrack_expect
*
i
;
...
...
net/ipv4/netfilter/ip_conntrack_helper_pptp.c
0 → 100644
View file @
875bd5ab
This diff is collapsed.
Click to expand it.
net/ipv4/netfilter/ip_conntrack_netlink.c
View file @
875bd5ab
...
@@ -1270,7 +1270,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1270,7 +1270,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
if
(
err
<
0
)
if
(
err
<
0
)
return
err
;
return
err
;
exp
=
ip_conntrack_expect_find
_get
(
&
tuple
);
exp
=
ip_conntrack_expect_find
(
&
tuple
);
if
(
!
exp
)
if
(
!
exp
)
return
-
ENOENT
;
return
-
ENOENT
;
...
@@ -1318,7 +1318,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1318,7 +1318,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
return
err
;
return
err
;
/* bump usage count to 2 */
/* bump usage count to 2 */
exp
=
ip_conntrack_expect_find
_get
(
&
tuple
);
exp
=
ip_conntrack_expect_find
(
&
tuple
);
if
(
!
exp
)
if
(
!
exp
)
return
-
ENOENT
;
return
-
ENOENT
;
...
...
net/ipv4/netfilter/ip_conntrack_proto_gre.c
0 → 100644
View file @
875bd5ab
/*
* ip_conntrack_proto_gre.c - Version 3.0
*
* Connection tracking protocol helper module for GRE.
*
* GRE is a generic encapsulation protocol, which is generally not very
* suited for NAT, as it has no protocol-specific part as port numbers.
*
* It has an optional key field, which may help us distinguishing two
* connections between the same two hosts.
*
* GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
*
* PPTP is built on top of a modified version of GRE, and has a mandatory
* field called "CallID", which serves us for the same purpose as the key
* field in plain GRE.
*
* Documentation about PPTP can be found in RFC 2637
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*
*/
#include <linux/config.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/timer.h>
#include <linux/netfilter.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/list.h>
static
DEFINE_RWLOCK
(
ip_ct_gre_lock
);
#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Harald Welte <laforge@gnumonks.org>"
);
MODULE_DESCRIPTION
(
"netfilter connection tracking protocol helper for GRE"
);
/* shamelessly stolen from ip_conntrack_proto_udp.c */
#define GRE_TIMEOUT (30*HZ)
#define GRE_STREAM_TIMEOUT (180*HZ)
#if 0
#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s: " format, __FILE__, __FUNCTION__, ## args)
#define DUMP_TUPLE_GRE(x) printk("%u.%u.%u.%u:0x%x -> %u.%u.%u.%u:0x%x\n", \
NIPQUAD((x)->src.ip), ntohs((x)->src.u.gre.key), \
NIPQUAD((x)->dst.ip), ntohs((x)->dst.u.gre.key))
#else
#define DEBUGP(x, args...)
#define DUMP_TUPLE_GRE(x)
#endif
/* GRE KEYMAP HANDLING FUNCTIONS */
static
LIST_HEAD
(
gre_keymap_list
);
static
inline
int
gre_key_cmpfn
(
const
struct
ip_ct_gre_keymap
*
km
,
const
struct
ip_conntrack_tuple
*
t
)
{
return
((
km
->
tuple
.
src
.
ip
==
t
->
src
.
ip
)
&&
(
km
->
tuple
.
dst
.
ip
==
t
->
dst
.
ip
)
&&
(
km
->
tuple
.
dst
.
protonum
==
t
->
dst
.
protonum
)
&&
(
km
->
tuple
.
dst
.
u
.
all
==
t
->
dst
.
u
.
all
));
}
/* look up the source key for a given tuple */
static
u_int32_t
gre_keymap_lookup
(
struct
ip_conntrack_tuple
*
t
)
{
struct
ip_ct_gre_keymap
*
km
;
u_int32_t
key
=
0
;
read_lock_bh
(
&
ip_ct_gre_lock
);
km
=
LIST_FIND
(
&
gre_keymap_list
,
gre_key_cmpfn
,
struct
ip_ct_gre_keymap
*
,
t
);
if
(
km
)
key
=
km
->
tuple
.
src
.
u
.
gre
.
key
;
read_unlock_bh
(
&
ip_ct_gre_lock
);
DEBUGP
(
"lookup src key 0x%x up key for "
,
key
);
DUMP_TUPLE_GRE
(
t
);
return
key
;
}
/* add a single keymap entry, associate with specified master ct */
int
ip_ct_gre_keymap_add
(
struct
ip_conntrack
*
ct
,
struct
ip_conntrack_tuple
*
t
,
int
reply
)
{
struct
ip_ct_gre_keymap
**
exist_km
,
*
km
,
*
old
;
if
(
!
ct
->
helper
||
strcmp
(
ct
->
helper
->
name
,
"pptp"
))
{
DEBUGP
(
"refusing to add GRE keymap to non-pptp session
\n
"
);
return
-
1
;
}
if
(
!
reply
)
exist_km
=
&
ct
->
help
.
ct_pptp_info
.
keymap_orig
;
else
exist_km
=
&
ct
->
help
.
ct_pptp_info
.
keymap_reply
;
if
(
*
exist_km
)
{
/* check whether it's a retransmission */
old
=
LIST_FIND
(
&
gre_keymap_list
,
gre_key_cmpfn
,
struct
ip_ct_gre_keymap
*
,
t
);
if
(
old
==
*
exist_km
)
{
DEBUGP
(
"retransmission
\n
"
);
return
0
;
}
DEBUGP
(
"trying to override keymap_%s for ct %p
\n
"
,
reply
?
"reply"
:
"orig"
,
ct
);
return
-
EEXIST
;
}
km
=
kmalloc
(
sizeof
(
*
km
),
GFP_ATOMIC
);
if
(
!
km
)
return
-
ENOMEM
;
memcpy
(
&
km
->
tuple
,
t
,
sizeof
(
*
t
));
*
exist_km
=
km
;
DEBUGP
(
"adding new entry %p: "
,
km
);
DUMP_TUPLE_GRE
(
&
km
->
tuple
);
write_lock_bh
(
&
ip_ct_gre_lock
);
list_append
(
&
gre_keymap_list
,
km
);
write_unlock_bh
(
&
ip_ct_gre_lock
);
return
0
;
}
/* destroy the keymap entries associated with specified master ct */
void
ip_ct_gre_keymap_destroy
(
struct
ip_conntrack
*
ct
)
{
DEBUGP
(
"entering for ct %p
\n
"
,
ct
);
if
(
!
ct
->
helper
||
strcmp
(
ct
->
helper
->
name
,
"pptp"
))
{
DEBUGP
(
"refusing to destroy GRE keymap to non-pptp session
\n
"
);
return
;
}
write_lock_bh
(
&
ip_ct_gre_lock
);
if
(
ct
->
help
.
ct_pptp_info
.
keymap_orig
)
{
DEBUGP
(
"removing %p from list
\n
"
,
ct
->
help
.
ct_pptp_info
.
keymap_orig
);
list_del
(
&
ct
->
help
.
ct_pptp_info
.
keymap_orig
->
list
);
kfree
(
ct
->
help
.
ct_pptp_info
.
keymap_orig
);
ct
->
help
.
ct_pptp_info
.
keymap_orig
=
NULL
;
}
if
(
ct
->
help
.
ct_pptp_info
.
keymap_reply
)
{
DEBUGP
(
"removing %p from list
\n
"
,
ct
->
help
.
ct_pptp_info
.
keymap_reply
);
list_del
(
&
ct
->
help
.
ct_pptp_info
.
keymap_reply
->
list
);
kfree
(
ct
->
help
.
ct_pptp_info
.
keymap_reply
);
ct
->
help
.
ct_pptp_info
.
keymap_reply
=
NULL
;
}
write_unlock_bh
(
&
ip_ct_gre_lock
);
}
/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
/* invert gre part of tuple */
static
int
gre_invert_tuple
(
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_conntrack_tuple
*
orig
)
{
tuple
->
dst
.
u
.
gre
.
key
=
orig
->
src
.
u
.
gre
.
key
;
tuple
->
src
.
u
.
gre
.
key
=
orig
->
dst
.
u
.
gre
.
key
;
return
1
;
}
/* gre hdr info to tuple */
static
int
gre_pkt_to_tuple
(
const
struct
sk_buff
*
skb
,
unsigned
int
dataoff
,
struct
ip_conntrack_tuple
*
tuple
)
{
struct
gre_hdr_pptp
_pgrehdr
,
*
pgrehdr
;
u_int32_t
srckey
;
struct
gre_hdr
_grehdr
,
*
grehdr
;
/* first only delinearize old RFC1701 GRE header */
grehdr
=
skb_header_pointer
(
skb
,
dataoff
,
sizeof
(
_grehdr
),
&
_grehdr
);
if
(
!
grehdr
||
grehdr
->
version
!=
GRE_VERSION_PPTP
)
{
/* try to behave like "ip_conntrack_proto_generic" */
tuple
->
src
.
u
.
all
=
0
;
tuple
->
dst
.
u
.
all
=
0
;
return
1
;
}
/* PPTP header is variable length, only need up to the call_id field */
pgrehdr
=
skb_header_pointer
(
skb
,
dataoff
,
8
,
&
_pgrehdr
);
if
(
!
pgrehdr
)
return
1
;
if
(
ntohs
(
grehdr
->
protocol
)
!=
GRE_PROTOCOL_PPTP
)
{
DEBUGP
(
"GRE_VERSION_PPTP but unknown proto
\n
"
);
return
0
;
}
tuple
->
dst
.
u
.
gre
.
key
=
pgrehdr
->
call_id
;
srckey
=
gre_keymap_lookup
(
tuple
);
tuple
->
src
.
u
.
gre
.
key
=
srckey
;
return
1
;
}
/* print gre part of tuple */
static
int
gre_print_tuple
(
struct
seq_file
*
s
,
const
struct
ip_conntrack_tuple
*
tuple
)
{
return
seq_printf
(
s
,
"srckey=0x%x dstkey=0x%x "
,
ntohs
(
tuple
->
src
.
u
.
gre
.
key
),
ntohs
(
tuple
->
dst
.
u
.
gre
.
key
));
}
/* print private data for conntrack */
static
int
gre_print_conntrack
(
struct
seq_file
*
s
,
const
struct
ip_conntrack
*
ct
)
{
return
seq_printf
(
s
,
"timeout=%u, stream_timeout=%u "
,
(
ct
->
proto
.
gre
.
timeout
/
HZ
),
(
ct
->
proto
.
gre
.
stream_timeout
/
HZ
));
}
/* Returns verdict for packet, and may modify conntrack */
static
int
gre_packet
(
struct
ip_conntrack
*
ct
,
const
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
conntrackinfo
)
{
/* If we've seen traffic both ways, this is a GRE connection.
* Extend timeout. */
if
(
ct
->
status
&
IPS_SEEN_REPLY
)
{
ip_ct_refresh_acct
(
ct
,
conntrackinfo
,
skb
,
ct
->
proto
.
gre
.
stream_timeout
);
/* Also, more likely to be important, and not a probe. */
set_bit
(
IPS_ASSURED_BIT
,
&
ct
->
status
);
}
else
ip_ct_refresh_acct
(
ct
,
conntrackinfo
,
skb
,
ct
->
proto
.
gre
.
timeout
);
return
NF_ACCEPT
;
}
/* Called when a new connection for this protocol found. */
static
int
gre_new
(
struct
ip_conntrack
*
ct
,
const
struct
sk_buff
*
skb
)
{
DEBUGP
(
": "
);
DUMP_TUPLE_GRE
(
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
);
/* initialize to sane value. Ideally a conntrack helper
* (e.g. in case of pptp) is increasing them */
ct
->
proto
.
gre
.
stream_timeout
=
GRE_STREAM_TIMEOUT
;
ct
->
proto
.
gre
.
timeout
=
GRE_TIMEOUT
;
return
1
;
}
/* Called when a conntrack entry has already been removed from the hashes
* and is about to be deleted from memory */
static
void
gre_destroy
(
struct
ip_conntrack
*
ct
)
{
struct
ip_conntrack
*
master
=
ct
->
master
;
DEBUGP
(
" entering
\n
"
);
if
(
!
master
)
DEBUGP
(
"no master !?!
\n
"
);
else
ip_ct_gre_keymap_destroy
(
master
);
}
/* protocol helper struct */
static
struct
ip_conntrack_protocol
gre
=
{
.
proto
=
IPPROTO_GRE
,
.
name
=
"gre"
,
.
pkt_to_tuple
=
gre_pkt_to_tuple
,
.
invert_tuple
=
gre_invert_tuple
,
.
print_tuple
=
gre_print_tuple
,
.
print_conntrack
=
gre_print_conntrack
,
.
packet
=
gre_packet
,
.
new
=
gre_new
,
.
destroy
=
gre_destroy
,
.
me
=
THIS_MODULE
,
#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
.
tuple_to_nfattr
=
ip_ct_port_tuple_to_nfattr
,
.
nfattr_to_tuple
=
ip_ct_port_nfattr_to_tuple
,
#endif
};
/* ip_conntrack_proto_gre initialization */
int
__init
ip_ct_proto_gre_init
(
void
)
{
return
ip_conntrack_protocol_register
(
&
gre
);
}
void
__exit
ip_ct_proto_gre_fini
(
void
)
{
struct
list_head
*
pos
,
*
n
;
/* delete all keymap entries */
write_lock_bh
(
&
ip_ct_gre_lock
);
list_for_each_safe
(
pos
,
n
,
&
gre_keymap_list
)
{
DEBUGP
(
"deleting keymap %p at module unload time
\n
"
,
pos
);
list_del
(
pos
);
kfree
(
pos
);
}
write_unlock_bh
(
&
ip_ct_gre_lock
);
ip_conntrack_protocol_unregister
(
&
gre
);
}
EXPORT_SYMBOL
(
ip_ct_gre_keymap_add
);
EXPORT_SYMBOL
(
ip_ct_gre_keymap_destroy
);
net/ipv4/netfilter/ip_conntrack_standalone.c
View file @
875bd5ab
...
@@ -993,11 +993,11 @@ EXPORT_SYMBOL(ip_ct_refresh_acct);
...
@@ -993,11 +993,11 @@ EXPORT_SYMBOL(ip_ct_refresh_acct);
EXPORT_SYMBOL
(
ip_conntrack_expect_alloc
);
EXPORT_SYMBOL
(
ip_conntrack_expect_alloc
);
EXPORT_SYMBOL
(
ip_conntrack_expect_put
);
EXPORT_SYMBOL
(
ip_conntrack_expect_put
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_expect_find_get
);
EXPORT_SYMBOL_GPL
(
__ip_conntrack_expect_find
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_expect_find
);
EXPORT_SYMBOL
(
ip_conntrack_expect_related
);
EXPORT_SYMBOL
(
ip_conntrack_expect_related
);
EXPORT_SYMBOL
(
ip_conntrack_unexpect_related
);
EXPORT_SYMBOL
(
ip_conntrack_unexpect_related
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_expect_list
);
EXPORT_SYMBOL_GPL
(
ip_conntrack_expect_list
);
EXPORT_SYMBOL_GPL
(
__ip_conntrack_expect_find
);
EXPORT_SYMBOL_GPL
(
ip_ct_unlink_expect
);
EXPORT_SYMBOL_GPL
(
ip_ct_unlink_expect
);
EXPORT_SYMBOL
(
ip_conntrack_tuple_taken
);
EXPORT_SYMBOL
(
ip_conntrack_tuple_taken
);
...
...
net/ipv4/netfilter/ip_nat_core.c
View file @
875bd5ab
...
@@ -578,6 +578,8 @@ ip_nat_port_nfattr_to_range(struct nfattr *tb[], struct ip_nat_range *range)
...
@@ -578,6 +578,8 @@ ip_nat_port_nfattr_to_range(struct nfattr *tb[], struct ip_nat_range *range)
return
ret
;
return
ret
;
}
}
EXPORT_SYMBOL_GPL
(
ip_nat_port_nfattr_to_range
);
EXPORT_SYMBOL_GPL
(
ip_nat_port_range_to_nfattr
);
#endif
#endif
int
__init
ip_nat_init
(
void
)
int
__init
ip_nat_init
(
void
)
...
...
net/ipv4/netfilter/ip_nat_helper_pptp.c
0 → 100644
View file @
875bd5ab
This diff is collapsed.
Click to expand it.
net/ipv4/netfilter/ip_nat_proto_gre.c
0 → 100644
View file @
875bd5ab
/*
* ip_nat_proto_gre.c - Version 2.0
*
* NAT protocol helper module for GRE.
*
* GRE is a generic encapsulation protocol, which is generally not very
* suited for NAT, as it has no protocol-specific part as port numbers.
*
* It has an optional key field, which may help us distinguishing two
* connections between the same two hosts.
*
* GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
*
* PPTP is built on top of a modified version of GRE, and has a mandatory
* field called "CallID", which serves us for the same purpose as the key
* field in plain GRE.
*
* Documentation about PPTP can be found in RFC 2637
*
* (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
*
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*
*/
#include <linux/config.h>
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/netfilter_ipv4/ip_nat.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
#include <linux/netfilter_ipv4/ip_nat_protocol.h>
#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Harald Welte <laforge@gnumonks.org>"
);
MODULE_DESCRIPTION
(
"Netfilter NAT protocol helper module for GRE"
);
#if 0
#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s: " format, __FILE__, \
__FUNCTION__, ## args)
#else
#define DEBUGP(x, args...)
#endif
/* is key in given range between min and max */
static
int
gre_in_range
(
const
struct
ip_conntrack_tuple
*
tuple
,
enum
ip_nat_manip_type
maniptype
,
const
union
ip_conntrack_manip_proto
*
min
,
const
union
ip_conntrack_manip_proto
*
max
)
{
u_int32_t
key
;
if
(
maniptype
==
IP_NAT_MANIP_SRC
)
key
=
tuple
->
src
.
u
.
gre
.
key
;
else
key
=
tuple
->
dst
.
u
.
gre
.
key
;
return
ntohl
(
key
)
>=
ntohl
(
min
->
gre
.
key
)
&&
ntohl
(
key
)
<=
ntohl
(
max
->
gre
.
key
);
}
/* generate unique tuple ... */
static
int
gre_unique_tuple
(
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_nat_range
*
range
,
enum
ip_nat_manip_type
maniptype
,
const
struct
ip_conntrack
*
conntrack
)
{
static
u_int16_t
key
;
u_int16_t
*
keyptr
;
unsigned
int
min
,
i
,
range_size
;
if
(
maniptype
==
IP_NAT_MANIP_SRC
)
keyptr
=
&
tuple
->
src
.
u
.
gre
.
key
;
else
keyptr
=
&
tuple
->
dst
.
u
.
gre
.
key
;
if
(
!
(
range
->
flags
&
IP_NAT_RANGE_PROTO_SPECIFIED
))
{
DEBUGP
(
"%p: NATing GRE PPTP
\n
"
,
conntrack
);
min
=
1
;
range_size
=
0xffff
;
}
else
{
min
=
ntohl
(
range
->
min
.
gre
.
key
);
range_size
=
ntohl
(
range
->
max
.
gre
.
key
)
-
min
+
1
;
}
DEBUGP
(
"min = %u, range_size = %u
\n
"
,
min
,
range_size
);
for
(
i
=
0
;
i
<
range_size
;
i
++
,
key
++
)
{
*
keyptr
=
htonl
(
min
+
key
%
range_size
);
if
(
!
ip_nat_used_tuple
(
tuple
,
conntrack
))
return
1
;
}
DEBUGP
(
"%p: no NAT mapping
\n
"
,
conntrack
);
return
0
;
}
/* manipulate a GRE packet according to maniptype */
static
int
gre_manip_pkt
(
struct
sk_buff
**
pskb
,
unsigned
int
iphdroff
,
const
struct
ip_conntrack_tuple
*
tuple
,
enum
ip_nat_manip_type
maniptype
)
{
struct
gre_hdr
*
greh
;
struct
gre_hdr_pptp
*
pgreh
;
struct
iphdr
*
iph
=
(
struct
iphdr
*
)((
*
pskb
)
->
data
+
iphdroff
);
unsigned
int
hdroff
=
iphdroff
+
iph
->
ihl
*
4
;
/* pgreh includes two optional 32bit fields which are not required
* to be there. That's where the magic '8' comes from */
if
(
!
skb_make_writable
(
pskb
,
hdroff
+
sizeof
(
*
pgreh
)
-
8
))
return
0
;
greh
=
(
void
*
)(
*
pskb
)
->
data
+
hdroff
;
pgreh
=
(
struct
gre_hdr_pptp
*
)
greh
;
/* we only have destination manip of a packet, since 'source key'
* is not present in the packet itself */
if
(
maniptype
==
IP_NAT_MANIP_DST
)
{
/* key manipulation is always dest */
switch
(
greh
->
version
)
{
case
0
:
if
(
!
greh
->
key
)
{
DEBUGP
(
"can't nat GRE w/o key
\n
"
);
break
;
}
if
(
greh
->
csum
)
{
/* FIXME: Never tested this code... */
*
(
gre_csum
(
greh
))
=
ip_nat_cheat_check
(
~*
(
gre_key
(
greh
)),
tuple
->
dst
.
u
.
gre
.
key
,
*
(
gre_csum
(
greh
)));
}
*
(
gre_key
(
greh
))
=
tuple
->
dst
.
u
.
gre
.
key
;
break
;
case
GRE_VERSION_PPTP
:
DEBUGP
(
"call_id -> 0x%04x
\n
"
,
ntohl
(
tuple
->
dst
.
u
.
gre
.
key
));
pgreh
->
call_id
=
htons
(
ntohl
(
tuple
->
dst
.
u
.
gre
.
key
));
break
;
default:
DEBUGP
(
"can't nat unknown GRE version
\n
"
);
return
0
;
break
;
}
}
return
1
;
}
/* print out a nat tuple */
static
unsigned
int
gre_print
(
char
*
buffer
,
const
struct
ip_conntrack_tuple
*
match
,
const
struct
ip_conntrack_tuple
*
mask
)
{
unsigned
int
len
=
0
;
if
(
mask
->
src
.
u
.
gre
.
key
)
len
+=
sprintf
(
buffer
+
len
,
"srckey=0x%x "
,
ntohl
(
match
->
src
.
u
.
gre
.
key
));
if
(
mask
->
dst
.
u
.
gre
.
key
)
len
+=
sprintf
(
buffer
+
len
,
"dstkey=0x%x "
,
ntohl
(
match
->
src
.
u
.
gre
.
key
));
return
len
;
}
/* print a range of keys */
static
unsigned
int
gre_print_range
(
char
*
buffer
,
const
struct
ip_nat_range
*
range
)
{
if
(
range
->
min
.
gre
.
key
!=
0
||
range
->
max
.
gre
.
key
!=
0xFFFF
)
{
if
(
range
->
min
.
gre
.
key
==
range
->
max
.
gre
.
key
)
return
sprintf
(
buffer
,
"key 0x%x "
,
ntohl
(
range
->
min
.
gre
.
key
));
else
return
sprintf
(
buffer
,
"keys 0x%u-0x%u "
,
ntohl
(
range
->
min
.
gre
.
key
),
ntohl
(
range
->
max
.
gre
.
key
));
}
else
return
0
;
}
/* nat helper struct */
static
struct
ip_nat_protocol
gre
=
{
.
name
=
"GRE"
,
.
protonum
=
IPPROTO_GRE
,
.
manip_pkt
=
gre_manip_pkt
,
.
in_range
=
gre_in_range
,
.
unique_tuple
=
gre_unique_tuple
,
.
print
=
gre_print
,
.
print_range
=
gre_print_range
,
#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
.
range_to_nfattr
=
ip_nat_port_range_to_nfattr
,
.
nfattr_to_range
=
ip_nat_port_nfattr_to_range
,
#endif
};
int
__init
ip_nat_proto_gre_init
(
void
)
{
return
ip_nat_protocol_register
(
&
gre
);
}
void
__exit
ip_nat_proto_gre_fini
(
void
)
{
ip_nat_protocol_unregister
(
&
gre
);
}
net/ipv4/tcp_output.c
View file @
875bd5ab
...
@@ -461,9 +461,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
...
@@ -461,9 +461,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
flags
=
TCP_SKB_CB
(
skb
)
->
flags
;
flags
=
TCP_SKB_CB
(
skb
)
->
flags
;
TCP_SKB_CB
(
skb
)
->
flags
=
flags
&
~
(
TCPCB_FLAG_FIN
|
TCPCB_FLAG_PSH
);
TCP_SKB_CB
(
skb
)
->
flags
=
flags
&
~
(
TCPCB_FLAG_FIN
|
TCPCB_FLAG_PSH
);
TCP_SKB_CB
(
buff
)
->
flags
=
flags
;
TCP_SKB_CB
(
buff
)
->
flags
=
flags
;
TCP_SKB_CB
(
buff
)
->
sacked
=
TCP_SKB_CB
(
buff
)
->
sacked
=
TCP_SKB_CB
(
skb
)
->
sacked
;
(
TCP_SKB_CB
(
skb
)
->
sacked
&
(
TCPCB_LOST
|
TCPCB_EVER_RETRANS
|
TCPCB_AT_TAIL
));
TCP_SKB_CB
(
skb
)
->
sacked
&=
~
TCPCB_AT_TAIL
;
TCP_SKB_CB
(
skb
)
->
sacked
&=
~
TCPCB_AT_TAIL
;
if
(
!
skb_shinfo
(
skb
)
->
nr_frags
&&
skb
->
ip_summed
!=
CHECKSUM_HW
)
{
if
(
!
skb_shinfo
(
skb
)
->
nr_frags
&&
skb
->
ip_summed
!=
CHECKSUM_HW
)
{
...
@@ -501,6 +499,12 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
...
@@ -501,6 +499,12 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
tcp_skb_pcount
(
buff
);
tcp_skb_pcount
(
buff
);
tp
->
packets_out
-=
diff
;
tp
->
packets_out
-=
diff
;
if
(
TCP_SKB_CB
(
skb
)
->
sacked
&
TCPCB_SACKED_ACKED
)
tp
->
sacked_out
-=
diff
;
if
(
TCP_SKB_CB
(
skb
)
->
sacked
&
TCPCB_SACKED_RETRANS
)
tp
->
retrans_out
-=
diff
;
if
(
TCP_SKB_CB
(
skb
)
->
sacked
&
TCPCB_LOST
)
{
if
(
TCP_SKB_CB
(
skb
)
->
sacked
&
TCPCB_LOST
)
{
tp
->
lost_out
-=
diff
;
tp
->
lost_out
-=
diff
;
tp
->
left_out
-=
diff
;
tp
->
left_out
-=
diff
;
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
875bd5ab
...
@@ -1955,6 +1955,57 @@ static void __exit fini(void)
...
@@ -1955,6 +1955,57 @@ static void __exit fini(void)
#endif
#endif
}
}
/*
* find specified header up to transport protocol header.
* If found target header, the offset to the header is set to *offset
* and return 0. otherwise, return -1.
*
* Notes: - non-1st Fragment Header isn't skipped.
* - ESP header isn't skipped.
* - The target header may be trancated.
*/
int
ipv6_find_hdr
(
const
struct
sk_buff
*
skb
,
unsigned
int
*
offset
,
u8
target
)
{
unsigned
int
start
=
(
u8
*
)(
skb
->
nh
.
ipv6h
+
1
)
-
skb
->
data
;
u8
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
unsigned
int
len
=
skb
->
len
-
start
;
while
(
nexthdr
!=
target
)
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
unsigned
int
hdrlen
;
if
((
!
ipv6_ext_hdr
(
nexthdr
))
||
nexthdr
==
NEXTHDR_NONE
)
return
-
1
;
hp
=
skb_header_pointer
(
skb
,
start
,
sizeof
(
_hdr
),
&
_hdr
);
if
(
hp
==
NULL
)
return
-
1
;
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
unsigned
short
_frag_off
,
*
fp
;
fp
=
skb_header_pointer
(
skb
,
start
+
offsetof
(
struct
frag_hdr
,
frag_off
),
sizeof
(
_frag_off
),
&
_frag_off
);
if
(
fp
==
NULL
)
return
-
1
;
if
(
ntohs
(
*
fp
)
&
~
0x7
)
return
-
1
;
hdrlen
=
8
;
}
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
nexthdr
=
hp
->
nexthdr
;
len
-=
hdrlen
;
start
+=
hdrlen
;
}
*
offset
=
start
;
return
0
;
}
EXPORT_SYMBOL
(
ip6t_register_table
);
EXPORT_SYMBOL
(
ip6t_register_table
);
EXPORT_SYMBOL
(
ip6t_unregister_table
);
EXPORT_SYMBOL
(
ip6t_unregister_table
);
EXPORT_SYMBOL
(
ip6t_do_table
);
EXPORT_SYMBOL
(
ip6t_do_table
);
...
@@ -1963,6 +2014,7 @@ EXPORT_SYMBOL(ip6t_unregister_match);
...
@@ -1963,6 +2014,7 @@ EXPORT_SYMBOL(ip6t_unregister_match);
EXPORT_SYMBOL
(
ip6t_register_target
);
EXPORT_SYMBOL
(
ip6t_register_target
);
EXPORT_SYMBOL
(
ip6t_unregister_target
);
EXPORT_SYMBOL
(
ip6t_unregister_target
);
EXPORT_SYMBOL
(
ip6t_ext_hdr
);
EXPORT_SYMBOL
(
ip6t_ext_hdr
);
EXPORT_SYMBOL
(
ipv6_find_hdr
);
module_init
(
init
);
module_init
(
init
);
module_exit
(
fini
);
module_exit
(
fini
);
net/ipv6/netfilter/ip6t_ah.c
View file @
875bd5ab
...
@@ -48,92 +48,21 @@ match(const struct sk_buff *skb,
...
@@ -48,92 +48,21 @@ match(const struct sk_buff *skb,
unsigned
int
protoff
,
unsigned
int
protoff
,
int
*
hotdrop
)
int
*
hotdrop
)
{
{
struct
ip_auth_hdr
*
ah
=
NULL
,
_ah
;
struct
ip_auth_hdr
*
ah
,
_ah
;
const
struct
ip6t_ah
*
ahinfo
=
matchinfo
;
const
struct
ip6t_ah
*
ahinfo
=
matchinfo
;
unsigned
int
temp
;
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
unsigned
int
hdrlen
=
0
;
unsigned
int
hdrlen
=
0
;
/*DEBUGP("IPv6 AH entered\n");*/
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_AUTH
)
<
0
)
/* if (opt->auth == 0) return 0;
* It does not filled on output */
/* type of the 1st exthdr */
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
DEBUGP
(
"ipv6_ah header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
break
;
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
break
;
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
hdrlen
=
8
;
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* AH -> evaluate */
if
(
nexthdr
==
NEXTHDR_AUTH
)
{
temp
|=
MASK_AH
;
break
;
}
/* set the flag */
switch
(
nexthdr
)
{
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_ah match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
}
nexthdr
=
hp
->
nexthdr
;
len
-=
hdrlen
;
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_ah: new pointer too large!
\n
"
);
break
;
}
}
/* AH header not found */
ah
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_ah
),
&
_ah
);
if
(
temp
!=
MASK_AH
)
if
(
ah
==
NULL
)
{
return
0
;
if
(
len
<
sizeof
(
struct
ip_auth_hdr
)){
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
ah
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_ah
),
&
_ah
);
hdrlen
=
(
ah
->
hdrlen
+
2
)
<<
2
;
BUG_ON
(
ah
==
NULL
);
DEBUGP
(
"IPv6 AH LEN %u %u "
,
hdrlen
,
ah
->
hdrlen
);
DEBUGP
(
"IPv6 AH LEN %u %u "
,
hdrlen
,
ah
->
hdrlen
);
DEBUGP
(
"RES %04X "
,
ah
->
reserved
);
DEBUGP
(
"RES %04X "
,
ah
->
reserved
);
...
...
net/ipv6/netfilter/ip6t_dst.c
View file @
875bd5ab
...
@@ -63,8 +63,6 @@ match(const struct sk_buff *skb,
...
@@ -63,8 +63,6 @@ match(const struct sk_buff *skb,
struct
ipv6_opt_hdr
_optsh
,
*
oh
;
struct
ipv6_opt_hdr
_optsh
,
*
oh
;
const
struct
ip6t_opts
*
optinfo
=
matchinfo
;
const
struct
ip6t_opts
*
optinfo
=
matchinfo
;
unsigned
int
temp
;
unsigned
int
temp
;
unsigned
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
unsigned
int
hdrlen
=
0
;
unsigned
int
hdrlen
=
0
;
unsigned
int
ret
=
0
;
unsigned
int
ret
=
0
;
...
@@ -72,97 +70,25 @@ match(const struct sk_buff *skb,
...
@@ -72,97 +70,25 @@ match(const struct sk_buff *skb,
u8
_optlen
,
*
lp
=
NULL
;
u8
_optlen
,
*
lp
=
NULL
;
unsigned
int
optlen
;
unsigned
int
optlen
;
/* type of the 1st exthdr */
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
DEBUGP
(
"ipv6_opts header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
{
break
;
}
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
{
break
;
}
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
hdrlen
=
8
;
}
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* OPTS -> evaluate */
#if HOPBYHOP
#if HOPBYHOP
if
(
nexthdr
==
NEXTHDR_HOP
)
{
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_HOP
)
<
0
)
temp
|=
MASK_HOPOPTS
;
#else
#else
if
(
nexthdr
==
NEXTHDR_DEST
)
{
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_DEST
)
<
0
)
temp
|=
MASK_DSTOPTS
;
#endif
#endif
break
;
}
/* set the flag */
switch
(
nexthdr
){
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_opts match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
break
;
}
nexthdr
=
hp
->
nexthdr
;
len
-=
hdrlen
;
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_opts: new pointer is too large!
\n
"
);
break
;
}
}
/* OPTIONS header not found */
oh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_optsh
),
&
_optsh
);
#if HOPBYHOP
if
(
oh
==
NULL
){
if
(
temp
!=
MASK_HOPOPTS
)
return
0
;
#else
if
(
temp
!=
MASK_DSTOPTS
)
return
0
;
#endif
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
)){
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
if
(
len
<
hdrlen
){
hdrlen
=
ipv6_optlen
(
oh
);
if
(
skb
->
len
-
ptr
<
hdrlen
){
/* Packet smaller than it's length field */
/* Packet smaller than it's length field */
return
0
;
return
0
;
}
}
oh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_optsh
),
&
_optsh
);
BUG_ON
(
oh
==
NULL
);
DEBUGP
(
"IPv6 OPTS LEN %u %u "
,
hdrlen
,
oh
->
hdrlen
);
DEBUGP
(
"IPv6 OPTS LEN %u %u "
,
hdrlen
,
oh
->
hdrlen
);
DEBUGP
(
"len %02X %04X %02X "
,
DEBUGP
(
"len %02X %04X %02X "
,
...
...
net/ipv6/netfilter/ip6t_esp.c
View file @
875bd5ab
...
@@ -48,87 +48,22 @@ match(const struct sk_buff *skb,
...
@@ -48,87 +48,22 @@ match(const struct sk_buff *skb,
unsigned
int
protoff
,
unsigned
int
protoff
,
int
*
hotdrop
)
int
*
hotdrop
)
{
{
struct
ip_esp_hdr
_esp
,
*
eh
=
NULL
;
struct
ip_esp_hdr
_esp
,
*
eh
;
const
struct
ip6t_esp
*
espinfo
=
matchinfo
;
const
struct
ip6t_esp
*
espinfo
=
matchinfo
;
unsigned
int
temp
;
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
/* Make sure this isn't an evil packet */
/* Make sure this isn't an evil packet */
/*DEBUGP("ipv6_esp entered \n");*/
/*DEBUGP("ipv6_esp entered \n");*/
/* type of the 1st exthdr */
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_ESP
)
<
0
)
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
int
hdrlen
;
DEBUGP
(
"ipv6_esp header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
break
;
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
{
temp
|=
MASK_ESP
;
break
;
}
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
hdrlen
=
8
;
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* set the flag */
switch
(
nexthdr
)
{
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_esp match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
}
nexthdr
=
hp
->
nexthdr
;
eh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_esp
),
&
_esp
);
len
-=
hdrlen
;
if
(
eh
==
NULL
)
{
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_esp: new pointer too large!
\n
"
);
break
;
}
}
/* ESP header not found */
if
(
temp
!=
MASK_ESP
)
return
0
;
if
(
len
<
sizeof
(
struct
ip_esp_hdr
))
{
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
eh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_esp
),
&
_esp
);
BUG_ON
(
eh
==
NULL
);
DEBUGP
(
"IPv6 ESP SPI %u %08X
\n
"
,
ntohl
(
eh
->
spi
),
ntohl
(
eh
->
spi
));
DEBUGP
(
"IPv6 ESP SPI %u %08X
\n
"
,
ntohl
(
eh
->
spi
),
ntohl
(
eh
->
spi
));
return
(
eh
!=
NULL
)
return
(
eh
!=
NULL
)
...
...
net/ipv6/netfilter/ip6t_frag.c
View file @
875bd5ab
...
@@ -48,91 +48,19 @@ match(const struct sk_buff *skb,
...
@@ -48,91 +48,19 @@ match(const struct sk_buff *skb,
unsigned
int
protoff
,
unsigned
int
protoff
,
int
*
hotdrop
)
int
*
hotdrop
)
{
{
struct
frag_hdr
_frag
,
*
fh
=
NULL
;
struct
frag_hdr
_frag
,
*
fh
;
const
struct
ip6t_frag
*
fraginfo
=
matchinfo
;
const
struct
ip6t_frag
*
fraginfo
=
matchinfo
;
unsigned
int
temp
;
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
unsigned
int
hdrlen
=
0
;
/* type of the 1st exthdr */
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_FRAGMENT
)
<
0
)
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
DEBUGP
(
"ipv6_frag header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
{
break
;
}
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
{
break
;
}
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
hdrlen
=
8
;
}
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* FRAG -> evaluate */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
temp
|=
MASK_FRAGMENT
;
break
;
}
/* set the flag */
switch
(
nexthdr
){
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_frag match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
break
;
}
nexthdr
=
hp
->
nexthdr
;
len
-=
hdrlen
;
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_frag: new pointer too large!
\n
"
);
break
;
}
}
/* FRAG header not found */
fh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_frag
),
&
_frag
);
if
(
temp
!=
MASK_FRAGMENT
)
return
0
;
if
(
fh
==
NULL
){
if
(
len
<
sizeof
(
struct
frag_hdr
)){
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
fh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_frag
),
&
_frag
);
BUG_ON
(
fh
==
NULL
);
DEBUGP
(
"INFO %04X "
,
fh
->
frag_off
);
DEBUGP
(
"INFO %04X "
,
fh
->
frag_off
);
DEBUGP
(
"OFFSET %04X "
,
ntohs
(
fh
->
frag_off
)
&
~
0x7
);
DEBUGP
(
"OFFSET %04X "
,
ntohs
(
fh
->
frag_off
)
&
~
0x7
);
DEBUGP
(
"RES %02X %04X"
,
fh
->
reserved
,
ntohs
(
fh
->
frag_off
)
&
0x6
);
DEBUGP
(
"RES %02X %04X"
,
fh
->
reserved
,
ntohs
(
fh
->
frag_off
)
&
0x6
);
...
...
net/ipv6/netfilter/ip6t_hbh.c
View file @
875bd5ab
...
@@ -63,8 +63,6 @@ match(const struct sk_buff *skb,
...
@@ -63,8 +63,6 @@ match(const struct sk_buff *skb,
struct
ipv6_opt_hdr
_optsh
,
*
oh
;
struct
ipv6_opt_hdr
_optsh
,
*
oh
;
const
struct
ip6t_opts
*
optinfo
=
matchinfo
;
const
struct
ip6t_opts
*
optinfo
=
matchinfo
;
unsigned
int
temp
;
unsigned
int
temp
;
unsigned
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
unsigned
int
hdrlen
=
0
;
unsigned
int
hdrlen
=
0
;
unsigned
int
ret
=
0
;
unsigned
int
ret
=
0
;
...
@@ -72,97 +70,25 @@ match(const struct sk_buff *skb,
...
@@ -72,97 +70,25 @@ match(const struct sk_buff *skb,
u8
_optlen
,
*
lp
=
NULL
;
u8
_optlen
,
*
lp
=
NULL
;
unsigned
int
optlen
;
unsigned
int
optlen
;
/* type of the 1st exthdr */
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
DEBUGP
(
"ipv6_opts header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
{
break
;
}
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
{
break
;
}
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
hdrlen
=
8
;
}
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* OPTS -> evaluate */
#if HOPBYHOP
#if HOPBYHOP
if
(
nexthdr
==
NEXTHDR_HOP
)
{
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_HOP
)
<
0
)
temp
|=
MASK_HOPOPTS
;
#else
#else
if
(
nexthdr
==
NEXTHDR_DEST
)
{
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_DEST
)
<
0
)
temp
|=
MASK_DSTOPTS
;
#endif
#endif
break
;
}
/* set the flag */
switch
(
nexthdr
){
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_opts match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
break
;
}
nexthdr
=
hp
->
nexthdr
;
len
-=
hdrlen
;
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_opts: new pointer is too large!
\n
"
);
break
;
}
}
/* OPTIONS header not found */
oh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_optsh
),
&
_optsh
);
#if HOPBYHOP
if
(
oh
==
NULL
){
if
(
temp
!=
MASK_HOPOPTS
)
return
0
;
#else
if
(
temp
!=
MASK_DSTOPTS
)
return
0
;
#endif
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
)){
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
if
(
len
<
hdrlen
){
hdrlen
=
ipv6_optlen
(
oh
);
if
(
skb
->
len
-
ptr
<
hdrlen
){
/* Packet smaller than it's length field */
/* Packet smaller than it's length field */
return
0
;
return
0
;
}
}
oh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_optsh
),
&
_optsh
);
BUG_ON
(
oh
==
NULL
);
DEBUGP
(
"IPv6 OPTS LEN %u %u "
,
hdrlen
,
oh
->
hdrlen
);
DEBUGP
(
"IPv6 OPTS LEN %u %u "
,
hdrlen
,
oh
->
hdrlen
);
DEBUGP
(
"len %02X %04X %02X "
,
DEBUGP
(
"len %02X %04X %02X "
,
...
...
net/ipv6/netfilter/ip6t_rt.c
View file @
875bd5ab
...
@@ -50,98 +50,29 @@ match(const struct sk_buff *skb,
...
@@ -50,98 +50,29 @@ match(const struct sk_buff *skb,
unsigned
int
protoff
,
unsigned
int
protoff
,
int
*
hotdrop
)
int
*
hotdrop
)
{
{
struct
ipv6_rt_hdr
_route
,
*
rh
=
NULL
;
struct
ipv6_rt_hdr
_route
,
*
rh
;
const
struct
ip6t_rt
*
rtinfo
=
matchinfo
;
const
struct
ip6t_rt
*
rtinfo
=
matchinfo
;
unsigned
int
temp
;
unsigned
int
temp
;
unsigned
int
len
;
u8
nexthdr
;
unsigned
int
ptr
;
unsigned
int
ptr
;
unsigned
int
hdrlen
=
0
;
unsigned
int
hdrlen
=
0
;
unsigned
int
ret
=
0
;
unsigned
int
ret
=
0
;
struct
in6_addr
*
ap
,
_addr
;
struct
in6_addr
*
ap
,
_addr
;
/* type of the 1st exthdr */
if
(
ipv6_find_hdr
(
skb
,
&
ptr
,
NEXTHDR_ROUTING
)
<
0
)
nexthdr
=
skb
->
nh
.
ipv6h
->
nexthdr
;
/* pointer to the 1st exthdr */
ptr
=
sizeof
(
struct
ipv6hdr
);
/* available length */
len
=
skb
->
len
-
ptr
;
temp
=
0
;
while
(
ip6t_ext_hdr
(
nexthdr
))
{
struct
ipv6_opt_hdr
_hdr
,
*
hp
;
DEBUGP
(
"ipv6_rt header iteration
\n
"
);
/* Is there enough space for the next ext header? */
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_opt_hdr
))
return
0
;
/* No more exthdr -> evaluate */
if
(
nexthdr
==
NEXTHDR_NONE
)
{
break
;
}
/* ESP -> evaluate */
if
(
nexthdr
==
NEXTHDR_ESP
)
{
break
;
}
hp
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_hdr
),
&
_hdr
);
BUG_ON
(
hp
==
NULL
);
/* Calculate the header length */
if
(
nexthdr
==
NEXTHDR_FRAGMENT
)
{
hdrlen
=
8
;
}
else
if
(
nexthdr
==
NEXTHDR_AUTH
)
hdrlen
=
(
hp
->
hdrlen
+
2
)
<<
2
;
else
hdrlen
=
ipv6_optlen
(
hp
);
/* ROUTING -> evaluate */
if
(
nexthdr
==
NEXTHDR_ROUTING
)
{
temp
|=
MASK_ROUTING
;
break
;
}
/* set the flag */
switch
(
nexthdr
){
case
NEXTHDR_HOP
:
case
NEXTHDR_ROUTING
:
case
NEXTHDR_FRAGMENT
:
case
NEXTHDR_AUTH
:
case
NEXTHDR_DEST
:
break
;
default:
DEBUGP
(
"ipv6_rt match: unknown nextheader %u
\n
"
,
nexthdr
);
return
0
;
return
0
;
break
;
}
nexthdr
=
hp
->
nexthdr
;
rh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_route
),
&
_route
);
len
-=
hdrlen
;
if
(
rh
==
NULL
){
ptr
+=
hdrlen
;
if
(
ptr
>
skb
->
len
)
{
DEBUGP
(
"ipv6_rt: new pointer is too large!
\n
"
);
break
;
}
}
/* ROUTING header not found */
if
(
temp
!=
MASK_ROUTING
)
return
0
;
if
(
len
<
(
int
)
sizeof
(
struct
ipv6_rt_hdr
)){
*
hotdrop
=
1
;
*
hotdrop
=
1
;
return
0
;
return
0
;
}
}
if
(
len
<
hdrlen
){
hdrlen
=
ipv6_optlen
(
rh
);
if
(
skb
->
len
-
ptr
<
hdrlen
){
/* Pcket smaller than its length field */
/* Pcket smaller than its length field */
return
0
;
return
0
;
}
}
rh
=
skb_header_pointer
(
skb
,
ptr
,
sizeof
(
_route
),
&
_route
);
BUG_ON
(
rh
==
NULL
);
DEBUGP
(
"IPv6 RT LEN %u %u "
,
hdrlen
,
rh
->
hdrlen
);
DEBUGP
(
"IPv6 RT LEN %u %u "
,
hdrlen
,
rh
->
hdrlen
);
DEBUGP
(
"TYPE %04X "
,
rh
->
type
);
DEBUGP
(
"TYPE %04X "
,
rh
->
type
);
DEBUGP
(
"SGS_LEFT %u %02X
\n
"
,
rh
->
segments_left
,
rh
->
segments_left
);
DEBUGP
(
"SGS_LEFT %u %02X
\n
"
,
rh
->
segments_left
,
rh
->
segments_left
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment