nexedi / linux
Commit e1d31f45
authored Aug 18, 2002 by Harald Welte
Committed by David S. Miller, Aug 18, 2002
NETFILTER: Rest of new netfilter modules changes.
parent e3e64cb9
Showing 17 changed files with 172 additions and 14 deletions (+172 -14)
include/linux/netfilter_ipv4/ipt_owner.h  +2 -0
net/ipv4/netfilter/Config.help  +67 -0
net/ipv4/netfilter/Config.in  +13 -0
net/ipv4/netfilter/Makefile  +8 -0
net/ipv4/netfilter/ip_conntrack_ftp.c  +2 -2
net/ipv4/netfilter/ip_conntrack_irc.c  +3 -3
net/ipv4/netfilter/ip_fw_compat.c  +1 -0
net/ipv4/netfilter/ip_nat_core.c  +3 -0
net/ipv4/netfilter/ip_nat_ftp.c  +1 -1
net/ipv4/netfilter/ip_nat_snmp_basic.c  +1 -2
net/ipv4/netfilter/ipt_REJECT.c  +8 -4
net/ipv4/netfilter/ipt_ah.c  +3 -2
net/ipv4/netfilter/ipt_esp.c  +1 -0
net/ipv4/netfilter/ipt_owner.c  +38 -0
net/ipv6/netfilter/Config.help  +15 -0
net/ipv6/netfilter/Config.in  +4 -0
net/ipv6/netfilter/Makefile  +2 -0
include/linux/netfilter_ipv4/ipt_owner.h
...
@@ -6,12 +6,14 @@
...
@@ -6,12 +6,14 @@
#define IPT_OWNER_GID 0x02
#define IPT_OWNER_GID 0x02
#define IPT_OWNER_PID 0x04
#define IPT_OWNER_PID 0x04
#define IPT_OWNER_SID 0x08
#define IPT_OWNER_SID 0x08
#define IPT_OWNER_COMM 0x10
struct
ipt_owner_info
{
struct
ipt_owner_info
{
uid_t
uid
;
uid_t
uid
;
gid_t
gid
;
gid_t
gid
;
pid_t
pid
;
pid_t
pid
;
pid_t
sid
;
pid_t
sid
;
char
comm
[
16
];
u_int8_t
match
,
invert
;
/* flags */
u_int8_t
match
,
invert
;
/* flags */
};
};
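Review bot: `comm[16]` hard-codes the task-name length as a bare literal in a struct that userspace fills in. `match_comm()` in net/ipv4/netfilter/ipt_owner.c (later in this commit) bounds its `strncmp()` with `sizeof(p->comm)`, so the two sizes must stay equal or the comparison can read past `info->comm`; a shared named constant would make that coupling explicit, and `checkentry()` should force a terminating NUL on the userspace-supplied buffer rather than trust it.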
...
...
net/ipv4/netfilter/Config.help
...
@@ -56,6 +56,16 @@ CONFIG_IP_NF_MATCH_LIMIT
...
@@ -56,6 +56,16 @@ CONFIG_IP_NF_MATCH_LIMIT
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_MATCH_PKTTYPE
This patch allows you to match packet in accrodance
to its "class", eg. BROADCAST, MULTICAST, ...
Typical usage:
iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_MATCH_MAC
CONFIG_IP_NF_MATCH_MAC
MAC matching allows you to match packets based on the source
MAC matching allows you to match packets based on the source
Ethernet address of the packet.
Ethernet address of the packet.
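Review bot: typos in the new CONFIG_IP_NF_MATCH_PKTTYPE text: "match packet in accrodance to its "class"" should read "match packets according to their "class"". The surrounding entries write the path as `<file:Documentation/modules.txt>`; every entry added in this commit uses bare `Documentation/modules.txt`, so either form is fine but they should be consistent within the file.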
...
@@ -100,6 +110,22 @@ CONFIG_IP_NF_MATCH_AH_ESP
...
@@ -100,6 +110,22 @@ CONFIG_IP_NF_MATCH_AH_ESP
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_TARGET_DSCP
This option adds a `DSCP' match, which allows you to match against
the IPv4 header DSCP field (DSCP codepoint).
The DSCP codepoint can have any value between 0x0 and 0x4f.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_MATCH_ECN
This option adds a `ECN' match, which allows you to match against
the IPv4 and TCP header ECN fields.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_MATCH_TOS
CONFIG_IP_NF_MATCH_TOS
TOS matching allows you to match packets based on the Type Of
TOS matching allows you to match packets based on the Type Of
Service fields of the IP packet.
Service fields of the IP packet.
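Review bot: the first new entry in this hunk is keyed CONFIG_IP_NF_TARGET_DSCP but describes the DSCP match, while net/ipv4/netfilter/Config.in in this commit adds the option as CONFIG_IP_NF_MATCH_DSCP and the @@ -211 hunk adds a second CONFIG_IP_NF_TARGET_DSCP entry for the target; the key here should be CONFIG_IP_NF_MATCH_DSCP, otherwise the match option has no help text and the target key is duplicated. The range "between 0x0 and 0x4f" does not fit a six-bit codepoint: with bits 6 and 7 reserved for ECN, as the target entry in this same file says, the largest DSCP value is 0x3f. Also "a `ECN' match" should be "an `ECN' match".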
...
@@ -107,6 +133,16 @@ CONFIG_IP_NF_MATCH_TOS
...
@@ -107,6 +133,16 @@ CONFIG_IP_NF_MATCH_TOS
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_MATCH_CONNTRACK
This is a general conntrack match module, a superset of the state match.
It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_MATCH_STATE
Connection state matching allows you to match packets based on their
Connection state matching allows you to match packets based on their
relationship to a tracked connection (ie. previous packets). This
relationship to a tracked connection (ie. previous packets). This
...
@@ -211,6 +247,30 @@ CONFIG_IP_NF_MANGLE
...
@@ -211,6 +247,30 @@ CONFIG_IP_NF_MANGLE
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_TARGET_DSCP
This option adds a `DSCP' target, which allows you to create rules in
the iptables mangle table. The selected packet has the DSCP field set
to the hex value provided on the command line; unlike the TOS target
which will only set the legal values within ip.h.
The DSCP field can be set to any value between 0x0 and 0x4f. It does
take into account that bits 6 and 7 are used by ECN.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_TARGET_ECN
This option adds a `ECN' target, which can be used in the iptables mangle
table.
You can use this target to remove the ECN bits from the IPv4 header of
an IP packet. This is particularly useful, if you need to work around
existing ECN blackholes on the internet, but don't want to disable
ECN support in general.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP_NF_TARGET_TOS
CONFIG_IP_NF_TARGET_TOS
This option adds a `TOS' target, which allows you to create rules in
This option adds a `TOS' target, which allows you to create rules in
the `mangle' table which alter the Type Of Service field of an IP
the `mangle' table which alter the Type Of Service field of an IP
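Review bot: "The DSCP field can be set to any value between 0x0 and 0x4f" contradicts the sentence that follows it: if bits 6 and 7 belong to ECN, six bits remain and the maximum is 0x3f. The clause "; unlike the TOS target which will only set the legal values within ip.h." dangles off the previous sentence and reads better on its own ("Unlike the TOS target, which only accepts the values listed in ip.h, ..."). "a `ECN' target" should be "an `ECN' target". For the ECN target it would help to state exactly which bits are cleared (the text says the IPv4 header; say whether TCP ECN flags are touched too), since that decides whether the target alone can work around the blackholes it mentions.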
...
@@ -230,6 +290,13 @@ CONFIG_IP_NF_TARGET_MARK
...
@@ -230,6 +290,13 @@ CONFIG_IP_NF_TARGET_MARK
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP_NF_MATCH_HELPER
Helper matching allows you to match packets in dynamic connections
tracked by a conntrack-helper, ie. ip_conntrack_ftp
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `Y'.
CONFIG_IP_NF_TARGET_TCPMSS
CONFIG_IP_NF_TARGET_TCPMSS
This option adds a `TCPMSS' target, which allows you to alter the
This option adds a `TCPMSS' target, which allows you to alter the
MSS value of TCP SYN packets, to control the maximum size for that
MSS value of TCP SYN packets, to control the maximum size for that
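Review bot: the new CONFIG_IP_NF_MATCH_HELPER entry ends with "If unsure, say `Y'" whereas every other match option in this file says `N'; an optional match module should default to N. "tracked by a conntrack-helper, ie. ip_conntrack_ftp" is missing its full stop, and "ie." should be "e.g." since ip_conntrack_ftp is one example of a helper, not a definition.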
...
...
net/ipv4/netfilter/Config.in
...
@@ -18,15 +18,24 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
...
@@ -18,15 +18,24 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
# The simple matches.
# The simple matches.
dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES
dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES
dep_tristate ' AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate ' AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
fi
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
dep_tristate ' Connection tracking match support' CONFIG_IP_NF_MATCH_CONNTRACK $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
fi
fi
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
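Review bot: the new helper-match block opens its own `if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]` and is immediately followed by the existing block with the identical condition; the `dep_tristate ' Helper match support'` line belongs inside that block. More importantly, the helper match depends only on `$CONFIG_IP_NF_IPTABLES`, while the state and conntrack matches right below it also list `$CONFIG_IP_NF_CONNTRACK`; without that dependency dep_tristate will let the helper match be built in (y) while conntrack is a module (m), which cannot link.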
...
@@ -73,6 +82,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
...
@@ -73,6 +82,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
dep_tristate ' Packet mangling' CONFIG_IP_NF_MANGLE $CONFIG_IP_NF_IPTABLES
dep_tristate ' Packet mangling' CONFIG_IP_NF_MANGLE $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_MANGLE" != "n" ]; then
if [ "$CONFIG_IP_NF_MANGLE" != "n" ]; then
dep_tristate ' TOS target support' CONFIG_IP_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE
dep_tristate ' TOS target support' CONFIG_IP_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE
dep_tristate ' ECN target support' CONFIG_IP_NF_TARGET_ECN $CONFIG_IP_NF_MANGLE
dep_tristate ' DSCP target support' CONFIG_IP_NF_TARGET_DSCP $CONFIG_IP_NF_MANGLE
dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
fi
fi
dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
...
...
net/ipv4/netfilter/Makefile
...
@@ -45,18 +45,24 @@ obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
...
@@ -45,18 +45,24 @@ obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_IP_NF_NAT)
+=
iptable_nat.o
obj-$(CONFIG_IP_NF_NAT)
+=
iptable_nat.o
# matches
# matches
obj-$(CONFIG_IP_NF_MATCH_HELPER)
+=
ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT)
+=
ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT)
+=
ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_MARK)
+=
ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MARK)
+=
ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC)
+=
ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_MAC)
+=
ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE)
+=
ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT)
+=
ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT)
+=
ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER)
+=
ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_OWNER)
+=
ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS)
+=
ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_TOS)
+=
ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_ECN)
+=
ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP)
+=
ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP)
+=
ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP)
+=
ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH)
+=
ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH)
+=
ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL)
+=
ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_TTL)
+=
ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK)
+=
ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN)
+=
ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN)
+=
ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
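Review bot: none of the sources behind the new objects (ipt_helper.o, ipt_pkttype.o, ipt_ecn.o, ipt_dscp.o, ipt_conntrack.o here, ipt_ECN.o and ipt_DSCP.o in the next hunk, ip6t_length.o and ip6t_eui64.o in net/ipv6/netfilter/Makefile) is among the 17 files of this commit. The message calls this the "rest" of the new-module changes, so confirm the .c files landed in the companion commit (parent e3e64cb9); otherwise enabling any of these options breaks the build. Note also that the object name ipt_dscp.o is keyed on CONFIG_IP_NF_MATCH_DSCP, which is the key Config.help in this commit fails to use for the match's help text.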
...
@@ -64,6 +70,8 @@ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
...
@@ -64,6 +70,8 @@ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
obj-$(CONFIG_IP_NF_TARGET_REJECT)
+=
ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_REJECT)
+=
ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_MIRROR)
+=
ipt_MIRROR.o
obj-$(CONFIG_IP_NF_TARGET_MIRROR)
+=
ipt_MIRROR.o
obj-$(CONFIG_IP_NF_TARGET_TOS)
+=
ipt_TOS.o
obj-$(CONFIG_IP_NF_TARGET_TOS)
+=
ipt_TOS.o
obj-$(CONFIG_IP_NF_TARGET_ECN)
+=
ipt_ECN.o
obj-$(CONFIG_IP_NF_TARGET_DSCP)
+=
ipt_DSCP.o
obj-$(CONFIG_IP_NF_TARGET_MARK)
+=
ipt_MARK.o
obj-$(CONFIG_IP_NF_TARGET_MARK)
+=
ipt_MARK.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE)
+=
ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE)
+=
ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT)
+=
ipt_REDIRECT.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT)
+=
ipt_REDIRECT.o
...
...
net/ipv4/netfilter/ip_conntrack_ftp.c
...
@@ -16,7 +16,7 @@ struct module *ip_conntrack_ftp = THIS_MODULE;
...
@@ -16,7 +16,7 @@ struct module *ip_conntrack_ftp = THIS_MODULE;
#define MAX_PORTS 8
#define MAX_PORTS 8
static
int
ports
[
MAX_PORTS
];
static
int
ports
[
MAX_PORTS
];
static
int
ports_c
;
static
int
ports_c
=
0
;
#ifdef MODULE_PARM
#ifdef MODULE_PARM
MODULE_PARM
(
ports
,
"1-"
__MODULE_STRING
(
MAX_PORTS
)
"i"
);
MODULE_PARM
(
ports
,
"1-"
__MODULE_STRING
(
MAX_PORTS
)
"i"
);
#endif
#endif
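Review bot: the `= 0` initialiser on `static int ports_c` is redundant, since a file-scope static is zero-initialised anyway, and the 2.4 convention is to leave it off so the variable stays in .bss. Harmless, but it is noise in a hunk whose real purpose is to pair `ports_c` with the new loop bound in fini(); a one-line comment saying that `ports_c` counts successfully registered helpers would be more useful than the initialiser.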
...
@@ -389,7 +389,7 @@ static char ftp_names[MAX_PORTS][10];
...
@@ -389,7 +389,7 @@ static char ftp_names[MAX_PORTS][10];
static
void
fini
(
void
)
static
void
fini
(
void
)
{
{
int
i
;
int
i
;
for
(
i
=
0
;
(
i
<
MAX_PORTS
)
&&
ports
[
i
]
;
i
++
)
{
for
(
i
=
0
;
i
<
ports_c
;
i
++
)
{
DEBUGP
(
"ip_ct_ftp: unregistering helper for port %d
\n
"
,
DEBUGP
(
"ip_ct_ftp: unregistering helper for port %d
\n
"
,
ports
[
i
]);
ports
[
i
]);
ip_conntrack_helper_unregister
(
&
ftp
[
i
]);
ip_conntrack_helper_unregister
(
&
ftp
[
i
]);
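Review bot: the fini() loop bound changes from "stop at the first zero port slot" to `i < ports_c`, which is only safe if init() increments `ports_c` exactly once per helper that ip_conntrack_helper_register() accepted and never for one it rejected. init() is outside this hunk, so that invariant needs checking here; the init() hunk of ip_conntrack_irc.c in this commit shows the right shape, with the increment placed after the `return -EBUSY` path.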
...
...
net/ipv4/netfilter/ip_conntrack_irc.c
...
@@ -35,7 +35,7 @@
...
@@ -35,7 +35,7 @@
#define MAX_PORTS 8
#define MAX_PORTS 8
static
int
ports
[
MAX_PORTS
];
static
int
ports
[
MAX_PORTS
];
static
int
ports_
n_
c
=
0
;
static
int
ports_c
=
0
;
static
int
max_dcc_channels
=
8
;
static
int
max_dcc_channels
=
8
;
static
unsigned
int
dcc_timeout
=
300
;
static
unsigned
int
dcc_timeout
=
300
;
...
@@ -288,7 +288,7 @@ static int __init init(void)
...
@@ -288,7 +288,7 @@ static int __init init(void)
fini
();
fini
();
return
-
EBUSY
;
return
-
EBUSY
;
}
}
ports_
n_
c
++
;
ports_c
++
;
}
}
return
0
;
return
0
;
}
}
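Review bot: a short comment above the renamed counter would document the invariant fini() now depends on: `ports_c++` is reached only after the `return -EBUSY` path, so it counts helpers that were actually registered, and fini() on the error path unregisters only the earlier, successful ones. The rename to `ports_c` matches ip_conntrack_ftp.c and ip_nat_ftp.c, which is good; the invariant deserves to be written down in all three.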
...
@@ -298,7 +298,7 @@ static int __init init(void)
...
@@ -298,7 +298,7 @@ static int __init init(void)
static
void
fini
(
void
)
static
void
fini
(
void
)
{
{
int
i
;
int
i
;
for
(
i
=
0
;
(
i
<
MAX_PORTS
)
&&
ports
[
i
]
;
i
++
)
{
for
(
i
=
0
;
i
<
ports_c
;
i
++
)
{
DEBUGP
(
"unregistering port %d
\n
"
,
DEBUGP
(
"unregistering port %d
\n
"
,
ports
[
i
]);
ports
[
i
]);
ip_conntrack_helper_unregister
(
&
irc_helpers
[
i
]);
ip_conntrack_helper_unregister
(
&
irc_helpers
[
i
]);
...
...
net/ipv4/netfilter/ip_fw_compat.c
...
@@ -18,6 +18,7 @@ struct notifier_block;
...
@@ -18,6 +18,7 @@ struct notifier_block;
/* Theoretically, we could one day use 2.4 helpers, but for now it
/* Theoretically, we could one day use 2.4 helpers, but for now it
just confuses depmod --RR */
just confuses depmod --RR */
EXPORT_NO_SYMBOLS
;
static
struct
firewall_ops
*
fwops
;
static
struct
firewall_ops
*
fwops
;
...
...
net/ipv4/netfilter/ip_nat_core.c
...
@@ -203,6 +203,7 @@ find_appropriate_src(const struct ip_conntrack_tuple *tuple,
...
@@ -203,6 +203,7 @@ find_appropriate_src(const struct ip_conntrack_tuple *tuple,
return
NULL
;
return
NULL
;
}
}
#ifdef CONFIG_IP_NF_NAT_LOCAL
/* If it's really a local destination manip, it may need to do a
/* If it's really a local destination manip, it may need to do a
source manip too. */
source manip too. */
static
int
static
int
...
@@ -221,6 +222,7 @@ do_extra_mangle(u_int32_t var_ip, u_int32_t *other_ipp)
...
@@ -221,6 +222,7 @@ do_extra_mangle(u_int32_t var_ip, u_int32_t *other_ipp)
ip_rt_put
(
rt
);
ip_rt_put
(
rt
);
return
1
;
return
1
;
}
}
#endif
/* Simple way to iterate through all. */
/* Simple way to iterate through all. */
static
inline
int
fake_cmp
(
const
struct
ip_nat_hash
*
i
,
static
inline
int
fake_cmp
(
const
struct
ip_nat_hash
*
i
,
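Review bot: the `#ifdef CONFIG_IP_NF_NAT_LOCAL` opened in the previous hunk (@@ -203) is closed here, so `do_extra_mangle()` vanishes from builds without NAT_LOCAL. Because the function is `static`, any caller left outside a matching guard is a compile error rather than a silent problem, which is good, but the call site should be checked, and the closing line should read `#endif /* CONFIG_IP_NF_NAT_LOCAL */` since the guarded region spans two hunks and a reader of either one cannot see the other.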
...
@@ -996,4 +998,5 @@ void ip_nat_cleanup(void)
...
@@ -996,4 +998,5 @@ void ip_nat_cleanup(void)
{
{
ip_ct_selective_cleanup
(
&
clean_nat
,
NULL
);
ip_ct_selective_cleanup
(
&
clean_nat
,
NULL
);
ip_conntrack_destroyed
=
NULL
;
ip_conntrack_destroyed
=
NULL
;
vfree
(
bysource
);
}
}
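Review bot: `vfree(bysource)` in ip_nat_cleanup() plugs a leak of the bysource hash on module unload, but it is only correct if `bysource` came from vmalloc(); the allocation is not in this diff and vfree() on kmalloc'd memory is a bug, so that pairing should be confirmed. The ordering is right, since the free comes after `ip_ct_selective_cleanup(&clean_nat, NULL)` and after `ip_conntrack_destroyed` is unhooked; setting `bysource = NULL` afterwards would make any late access fail loudly instead of touching freed memory.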
net/ipv4/netfilter/ip_nat_ftp.c
...
@@ -291,7 +291,7 @@ static void fini(void)
...
@@ -291,7 +291,7 @@ static void fini(void)
{
{
int
i
;
int
i
;
for
(
i
=
0
;
(
i
<
MAX_PORTS
)
&&
ports
[
i
]
;
i
++
)
{
for
(
i
=
0
;
i
<
ports_c
;
i
++
)
{
DEBUGP
(
"ip_nat_ftp: unregistering port %d
\n
"
,
ports
[
i
]);
DEBUGP
(
"ip_nat_ftp: unregistering port %d
\n
"
,
ports
[
i
]);
ip_nat_helper_unregister
(
&
ftp
[
i
]);
ip_nat_helper_unregister
(
&
ftp
[
i
]);
}
}
...
...
net/ipv4/netfilter/ip_nat_snmp_basic.c
...
@@ -52,11 +52,10 @@
...
@@ -52,11 +52,10 @@
#include <linux/netfilter_ipv4/ip_nat_helper.h>
#include <linux/netfilter_ipv4/ip_nat_helper.h>
#include <linux/brlock.h>
#include <linux/brlock.h>
#include <linux/types.h>
#include <linux/types.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ip.h>
#include <net/udp.h>
#include <net/udp.h>
#include <asm/uaccess.h>
#include <asm/uaccess.h>
#include <
net
/checksum.h>
#include <
asm
/checksum.h>
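Review bot: swapping `<net/checksum.h>` for `<asm/checksum.h>` needs a justification in the commit message: net/checksum.h is the architecture-neutral header that normally includes the asm one itself, so reaching for asm/checksum.h directly only makes sense if the generic header lacks something this file needs. The added `<linux/in.h>` is fine.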
...
...
net/ipv4/netfilter/ipt_REJECT.c
...
@@ -39,7 +39,8 @@ static void send_reset(struct sk_buff *oldskb, int local)
...
@@ -39,7 +39,8 @@ static void send_reset(struct sk_buff *oldskb, int local)
struct
tcphdr
*
otcph
,
*
tcph
;
struct
tcphdr
*
otcph
,
*
tcph
;
struct
rtable
*
rt
;
struct
rtable
*
rt
;
unsigned
int
otcplen
;
unsigned
int
otcplen
;
u_int16_t
tmp
;
u_int16_t
tmp_port
;
u_int32_t
tmp_addr
;
int
needs_ack
;
int
needs_ack
;
/* IP header checks: fragment, too short. */
/* IP header checks: fragment, too short. */
...
@@ -74,14 +75,17 @@ static void send_reset(struct sk_buff *oldskb, int local)
...
@@ -74,14 +75,17 @@ static void send_reset(struct sk_buff *oldskb, int local)
#ifdef CONFIG_NETFILTER_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
nskb
->
nf_debug
=
0
;
nskb
->
nf_debug
=
0
;
#endif
#endif
nskb
->
nfmark
=
0
;
tcph
=
(
struct
tcphdr
*
)((
u_int32_t
*
)
nskb
->
nh
.
iph
+
nskb
->
nh
.
iph
->
ihl
);
tcph
=
(
struct
tcphdr
*
)((
u_int32_t
*
)
nskb
->
nh
.
iph
+
nskb
->
nh
.
iph
->
ihl
);
/* Swap source and dest */
/* Swap source and dest */
nskb
->
nh
.
iph
->
daddr
=
xchg
(
&
nskb
->
nh
.
iph
->
saddr
,
nskb
->
nh
.
iph
->
daddr
);
tmp_addr
=
nskb
->
nh
.
iph
->
saddr
;
tmp
=
tcph
->
source
;
nskb
->
nh
.
iph
->
saddr
=
nskb
->
nh
.
iph
->
daddr
;
nskb
->
nh
.
iph
->
daddr
=
tmp_addr
;
tmp_port
=
tcph
->
source
;
tcph
->
source
=
tcph
->
dest
;
tcph
->
source
=
tcph
->
dest
;
tcph
->
dest
=
tmp
;
tcph
->
dest
=
tmp
_port
;
/* Truncate to length (no data) */
/* Truncate to length (no data) */
tcph
->
doff
=
sizeof
(
struct
tcphdr
)
/
4
;
tcph
->
doff
=
sizeof
(
struct
tcphdr
)
/
4
;
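Review bot: the new `nskb->nfmark = 0;` deserves a comment next to the existing `nf_debug = 0` reset: nskb is a copy of the packet being rejected, so without the reset the RST inherits the original packet's mark and can be mis-routed or re-matched by mark-based rules; stating that intent stops someone "fixing" it later. Replacing the `xchg()` swap of saddr/daddr with a plain temporary (`tmp_addr`) is right, since nskb is private here and the atomic exchange bought nothing, and renaming `tmp` to `tmp_port` makes the two swaps read in parallel.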
...
...
net/ipv4/netfilter/ipt_ah.c
...
@@ -5,6 +5,7 @@
...
@@ -5,6 +5,7 @@
#include <linux/netfilter_ipv4/ipt_ah.h>
#include <linux/netfilter_ipv4/ipt_ah.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
EXPORT_NO_SYMBOLS
;
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
#ifdef DEBUG_CONNTRACK
#ifdef DEBUG_CONNTRACK
...
@@ -90,12 +91,12 @@ checkentry(const char *tablename,
...
@@ -90,12 +91,12 @@ checkentry(const char *tablename,
static
struct
ipt_match
ah_match
static
struct
ipt_match
ah_match
=
{
{
NULL
,
NULL
},
"ah"
,
&
match
,
&
checkentry
,
NULL
,
THIS_MODULE
};
=
{
{
NULL
,
NULL
},
"ah"
,
&
match
,
&
checkentry
,
NULL
,
THIS_MODULE
};
int
__init
init
(
void
)
static
int
__init
init
(
void
)
{
{
return
ipt_register_match
(
&
ah_match
);
return
ipt_register_match
(
&
ah_match
);
}
}
void
__exit
cleanup
(
void
)
static
void
__exit
cleanup
(
void
)
{
{
ipt_unregister_match
(
&
ah_match
);
ipt_unregister_match
(
&
ah_match
);
}
}
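Review bot: making `init()`/`cleanup()` static is correct assuming they are registered through module_init()/module_exit() below this hunk; together with the `EXPORT_NO_SYMBOLS` added in the first hunk it keeps two very generic names out of the module symbol table, where they would clash with every other module exporting `init` and `cleanup`. The trailing whitespace on the `ah_match =` line is the only other thing to tidy.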
...
...
net/ipv4/netfilter/ipt_esp.c
...
@@ -5,6 +5,7 @@
...
@@ -5,6 +5,7 @@
#include <linux/netfilter_ipv4/ipt_esp.h>
#include <linux/netfilter_ipv4/ipt_esp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
EXPORT_NO_SYMBOLS
;
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
#ifdef DEBUG_CONNTRACK
#ifdef DEBUG_CONNTRACK
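Review bot: unlike the matching change to ipt_ah.c in this commit, ipt_esp.c only gains `EXPORT_NO_SYMBOLS`; its `init()`/`cleanup()` (outside this hunk) presumably still have external linkage and should be made static the same way, so the two sibling modules do not drift.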
...
...
net/ipv4/netfilter/ipt_owner.c
...
@@ -11,6 +11,38 @@
...
@@ -11,6 +11,38 @@
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
static
int
match_comm
(
const
struct
sk_buff
*
skb
,
const
char
*
comm
)
{
struct
task_struct
*
p
;
struct
files_struct
*
files
;
int
i
;
read_lock
(
&
tasklist_lock
);
for_each_task
(
p
)
{
if
(
strncmp
(
p
->
comm
,
comm
,
sizeof
(
p
->
comm
)))
continue
;
task_lock
(
p
);
files
=
p
->
files
;
if
(
files
)
{
read_lock
(
&
files
->
file_lock
);
for
(
i
=
0
;
i
<
files
->
max_fds
;
i
++
)
{
if
(
fcheck_files
(
files
,
i
)
==
skb
->
sk
->
socket
->
file
)
{
read_unlock
(
&
files
->
file_lock
);
task_unlock
(
p
);
read_unlock
(
&
tasklist_lock
);
return
1
;
}
}
read_unlock
(
&
files
->
file_lock
);
}
task_unlock
(
p
);
}
read_unlock
(
&
tasklist_lock
);
return
0
;
}
static
int
static
int
match_pid
(
const
struct
sk_buff
*
skb
,
pid_t
pid
)
match_pid
(
const
struct
sk_buff
*
skb
,
pid_t
pid
)
{
{
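Review bot: `match_comm()` dereferences `skb->sk->socket->file` with no NULL check on `skb->sk` or `skb->sk->socket`. The existing uid/gid/pid paths presumably reject socket-less skbs before the new IPT_OWNER_COMM branch runs (that guard sits outside both hunks), so either state that dependency in a comment or test for it here; kernel-generated packets in the OUTPUT hook have no owning socket, and a NULL dereference there is an oops. Second, cost: every packet reaching this match takes `tasklist_lock`, walks every task, and for each task whose `comm` matches scans `max_fds` descriptors under `file_lock`, so a rule using it on a busy OUTPUT chain makes packet processing O(tasks x fds) work under global locks; the help text should warn that it is expensive, and it should stay the last check in match(), as the @@ -115 hunk places it. The locking is balanced: every return path releases `file_lock`, the task lock and `tasklist_lock` in reverse order. Finally, `strncmp(p->comm, comm, sizeof(p->comm))` takes its bound from task_struct while `comm` is the 16-byte buffer from ipt_owner_info; those sizes must stay tied together.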
...
@@ -115,6 +147,12 @@ match(const struct sk_buff *skb,
...
@@ -115,6 +147,12 @@ match(const struct sk_buff *skb,
return
0
;
return
0
;
}
}
if
(
info
->
match
&
IPT_OWNER_COMM
)
{
if
(
!
match_comm
(
skb
,
info
->
comm
)
^
!!
(
info
->
invert
&
IPT_OWNER_COMM
))
return
0
;
}
return
1
;
return
1
;
}
}
...
...
net/ipv6/netfilter/Config.help
CONFIG_IP6_NF_MATCH_EUI64
This module performs checking on the IPv6 source address
Compares the last 64 bits with the EUI64 (delivered
from the MAC address) address
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP6_NF_MATCH_MAC
CONFIG_IP6_NF_MATCH_MAC
mac matching allows you to match packets based on the source
mac matching allows you to match packets based on the source
Ethernet address of the packet.
Ethernet address of the packet.
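Review bot: the new CONFIG_IP6_NF_MATCH_EUI64 text needs punctuation and a word fix: "This module performs checking on the IPv6 source address Compares the last 64 bits with the EUI64 (delivered from the MAC address) address" should read something like "This module checks the IPv6 source address: it compares its last 64 bits with the EUI-64 identifier derived from the MAC address." ("delivered" is a typo for "derived"). As in the ipv4 entries of this commit, it writes bare `Documentation/modules.txt` where the surrounding entries use `<file:Documentation/modules.txt>`.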
...
@@ -5,6 +13,13 @@ CONFIG_IP6_NF_MATCH_MAC
...
@@ -5,6 +13,13 @@ CONFIG_IP6_NF_MATCH_MAC
If you want to compile it as a module, say M here and read
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
<file:Documentation/modules.txt>. If unsure, say `N'.
CONFIG_IP6_NF_MATCH_LENGTH
This option allows you to match the length of a packet against a
specific value or range of values.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
CONFIG_IP6_NF_MATCH_MARK
CONFIG_IP6_NF_MATCH_MARK
Netfilter mark matching allows you to match packets based on the
Netfilter mark matching allows you to match packets based on the
`nfmark' value in the packet. This can be set by the MARK target
`nfmark' value in the packet. This can be set by the MARK target
...
...
net/ipv6/netfilter/Config.in
...
@@ -24,6 +24,10 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ]; then
...
@@ -24,6 +24,10 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ]; then
fi
fi
# dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
# dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP6_NF_MATCH_MARK $CONFIG_IP6_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP6_NF_MATCH_MARK $CONFIG_IP6_NF_IPTABLES
dep_tristate ' Packet Length match support' CONFIG_IP6_NF_MATCH_LENGTH $CONFIG_IP6_NF_IPTABLES
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' EUI64 address check (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_EUI64 $CONFIG_IP6_NF_IPTABLES
fi
# dep_tristate ' Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES
# dep_tristate ' Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES
# dep_tristate ' TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES
# dep_tristate ' TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES
# if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
# if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
...
...
net/ipv6/netfilter/Makefile
...
@@ -8,7 +8,9 @@ export-objs := ip6_tables.o
...
@@ -8,7 +8,9 @@ export-objs := ip6_tables.o
obj-$(CONFIG_IP6_NF_IPTABLES)
+=
ip6_tables.o
obj-$(CONFIG_IP6_NF_IPTABLES)
+=
ip6_tables.o
obj-$(CONFIG_IP6_NF_MATCH_LIMIT)
+=
ip6t_limit.o
obj-$(CONFIG_IP6_NF_MATCH_LIMIT)
+=
ip6t_limit.o
obj-$(CONFIG_IP6_NF_MATCH_MARK)
+=
ip6t_mark.o
obj-$(CONFIG_IP6_NF_MATCH_MARK)
+=
ip6t_mark.o
obj-$(CONFIG_IP6_NF_MATCH_LENGTH)
+=
ip6t_length.o
obj-$(CONFIG_IP6_NF_MATCH_MAC)
+=
ip6t_mac.o
obj-$(CONFIG_IP6_NF_MATCH_MAC)
+=
ip6t_mac.o
obj-$(CONFIG_IP6_NF_MATCH_EUI64)
+=
ip6t_eui64.o
obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT)
+=
ip6t_multiport.o
obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT)
+=
ip6t_multiport.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER)
+=
ip6t_owner.o
obj-$(CONFIG_IP6_NF_MATCH_OWNER)
+=
ip6t_owner.o
obj-$(CONFIG_IP6_NF_FILTER)
+=
ip6table_filter.o
obj-$(CONFIG_IP6_NF_FILTER)
+=
ip6table_filter.o
...
...