Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [TCP]: Do not use inet->id of global tcp_socket when sending RST. [NETFILTER]: Fix undefined references to get_h225_addr [NETFILTER]: futher {ip,ip6,arp}_tables unification [NETFILTER]: Fix xt_policy address matching [NETFILTER]: nf_conntrack: support for layer 3 protocol load on demand [NETFILTER]: x_tables: set the protocol family in x_tables targets/matches [NETFILTER]: conntrack: cleanup the conntrack ID initialization [NETFILTER]: nfnetlink_queue: fix nfnetlink message size [NETFILTER]: ctnetlink: Fix expectaction mask dumping [NETFILTER]: Fix Kconfig typos [NETFILTER]: Fix ip6tables breakage from {get,set}sockopt compat layer
This commit is contained in:
commit
80576fd86b
46 changed files with 574 additions and 371 deletions
|
@ -4,6 +4,62 @@
|
|||
#define XT_FUNCTION_MAXNAMELEN 30
|
||||
#define XT_TABLE_MAXNAMELEN 32
|
||||
|
||||
struct xt_entry_match
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[XT_FUNCTION_MAXNAMELEN-1];
|
||||
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct xt_match *match;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t match_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct xt_entry_target
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[XT_FUNCTION_MAXNAMELEN-1];
|
||||
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct xt_target *target;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t target_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct xt_standard_target
|
||||
{
|
||||
struct xt_entry_target target;
|
||||
int verdict;
|
||||
};
|
||||
|
||||
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
|
||||
* kernel supports, if >= revision. */
|
||||
struct xt_get_revision
|
||||
|
@ -220,10 +276,10 @@ struct xt_table_info
|
|||
char *entries[NR_CPUS];
|
||||
};
|
||||
|
||||
extern int xt_register_target(int af, struct xt_target *target);
|
||||
extern void xt_unregister_target(int af, struct xt_target *target);
|
||||
extern int xt_register_match(int af, struct xt_match *target);
|
||||
extern void xt_unregister_match(int af, struct xt_match *target);
|
||||
extern int xt_register_target(struct xt_target *target);
|
||||
extern void xt_unregister_target(struct xt_target *target);
|
||||
extern int xt_register_match(struct xt_match *target);
|
||||
extern void xt_unregister_match(struct xt_match *target);
|
||||
|
||||
extern int xt_check_match(const struct xt_match *match, unsigned short family,
|
||||
unsigned int size, const char *table, unsigned int hook,
|
||||
|
|
|
@ -65,35 +65,8 @@ struct arpt_arp {
|
|||
u_int16_t invflags;
|
||||
};
|
||||
|
||||
struct arpt_entry_target
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[ARPT_FUNCTION_MAXNAMELEN-1];
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct arpt_target *target;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t target_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct arpt_standard_target
|
||||
{
|
||||
struct arpt_entry_target target;
|
||||
int verdict;
|
||||
};
|
||||
#define arpt_entry_target xt_entry_target
|
||||
#define arpt_standard_target xt_standard_target
|
||||
|
||||
/* Values for "flag" field in struct arpt_ip (general arp structure).
|
||||
* No flags defined yet.
|
||||
|
@ -263,8 +236,10 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
|
|||
*/
|
||||
#ifdef __KERNEL__
|
||||
|
||||
#define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
|
||||
#define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
|
||||
#define arpt_register_target(tgt) \
|
||||
({ (tgt)->family = NF_ARP; \
|
||||
xt_register_target(tgt); })
|
||||
#define arpt_unregister_target(tgt) xt_unregister_target(tgt)
|
||||
|
||||
extern int arpt_register_table(struct arpt_table *table,
|
||||
const struct arpt_replace *repl);
|
||||
|
|
|
@ -52,61 +52,9 @@ struct ipt_ip {
|
|||
u_int8_t invflags;
|
||||
};
|
||||
|
||||
struct ipt_entry_match
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[IPT_FUNCTION_MAXNAMELEN-1];
|
||||
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct ipt_match *match;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t match_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct ipt_entry_target
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[IPT_FUNCTION_MAXNAMELEN-1];
|
||||
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct ipt_target *target;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t target_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct ipt_standard_target
|
||||
{
|
||||
struct ipt_entry_target target;
|
||||
int verdict;
|
||||
};
|
||||
#define ipt_entry_match xt_entry_match
|
||||
#define ipt_entry_target xt_entry_target
|
||||
#define ipt_standard_target xt_standard_target
|
||||
|
||||
#define ipt_counters xt_counters
|
||||
|
||||
|
@ -321,11 +269,15 @@ ipt_get_target(struct ipt_entry *e)
|
|||
#include <linux/init.h>
|
||||
extern void ipt_init(void) __init;
|
||||
|
||||
#define ipt_register_target(tgt) xt_register_target(AF_INET, tgt)
|
||||
#define ipt_unregister_target(tgt) xt_unregister_target(AF_INET, tgt)
|
||||
#define ipt_register_target(tgt) \
|
||||
({ (tgt)->family = AF_INET; \
|
||||
xt_register_target(tgt); })
|
||||
#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
|
||||
|
||||
#define ipt_register_match(mtch) xt_register_match(AF_INET, mtch)
|
||||
#define ipt_unregister_match(mtch) xt_unregister_match(AF_INET, mtch)
|
||||
#define ipt_register_match(mtch) \
|
||||
({ (mtch)->family = AF_INET; \
|
||||
xt_register_match(mtch); })
|
||||
#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
|
||||
|
||||
//#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
|
||||
//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
|
||||
|
|
|
@ -56,60 +56,9 @@ struct ip6t_ip6 {
|
|||
u_int8_t invflags;
|
||||
};
|
||||
|
||||
/* FIXME: If alignment in kernel different from userspace? --RR */
|
||||
struct ip6t_entry_match
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[IP6T_FUNCTION_MAXNAMELEN-1];
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t match_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct ip6t_match *match;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t match_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct ip6t_entry_target
|
||||
{
|
||||
union {
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used by userspace */
|
||||
char name[IP6T_FUNCTION_MAXNAMELEN-1];
|
||||
u_int8_t revision;
|
||||
} user;
|
||||
struct {
|
||||
u_int16_t target_size;
|
||||
|
||||
/* Used inside the kernel */
|
||||
struct ip6t_target *target;
|
||||
} kernel;
|
||||
|
||||
/* Total length */
|
||||
u_int16_t target_size;
|
||||
} u;
|
||||
|
||||
unsigned char data[0];
|
||||
};
|
||||
|
||||
struct ip6t_standard_target
|
||||
{
|
||||
struct ip6t_entry_target target;
|
||||
int verdict;
|
||||
};
|
||||
#define ip6t_entry_match xt_entry_match
|
||||
#define ip6t_entry_target xt_entry_target
|
||||
#define ip6t_standard_target xt_standard_target
|
||||
|
||||
#define ip6t_counters xt_counters
|
||||
|
||||
|
@ -334,11 +283,15 @@ ip6t_get_target(struct ip6t_entry *e)
|
|||
#include <linux/init.h>
|
||||
extern void ip6t_init(void) __init;
|
||||
|
||||
#define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
|
||||
#define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)
|
||||
#define ip6t_register_target(tgt) \
|
||||
({ (tgt)->family = AF_INET6; \
|
||||
xt_register_target(tgt); })
|
||||
#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
|
||||
|
||||
#define ip6t_register_match(match) xt_register_match(AF_INET6, match)
|
||||
#define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)
|
||||
#define ip6t_register_match(match) \
|
||||
({ (match)->family = AF_INET6; \
|
||||
xt_register_match(match); })
|
||||
#define ip6t_unregister_match(match) xt_unregister_match(match)
|
||||
|
||||
extern int ip6t_register_table(struct ip6t_table *table,
|
||||
const struct ip6t_replace *repl);
|
||||
|
|
|
@ -195,6 +195,10 @@ static inline void nf_ct_put(struct nf_conn *ct)
|
|||
nf_conntrack_put(&ct->ct_general);
|
||||
}
|
||||
|
||||
/* Protocol module loading */
|
||||
extern int nf_ct_l3proto_try_module_get(unsigned short l3proto);
|
||||
extern void nf_ct_l3proto_module_put(unsigned short l3proto);
|
||||
|
||||
extern struct nf_conntrack_tuple_hash *
|
||||
__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
|
||||
const struct nf_conn *ignored_conntrack);
|
||||
|
|
|
@ -3,14 +3,14 @@
|
|||
|
||||
#include <net/act_api.h>
|
||||
|
||||
struct ipt_entry_target;
|
||||
struct xt_entry_target;
|
||||
|
||||
struct tcf_ipt
|
||||
{
|
||||
tca_gen(ipt);
|
||||
u32 hook;
|
||||
char *tname;
|
||||
struct ipt_entry_target *t;
|
||||
struct xt_entry_target *t;
|
||||
};
|
||||
|
||||
#endif
|
||||
|
|
|
@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *sk)
|
|||
iph->tos = inet->tos;
|
||||
iph->tot_len = htons(skb->len);
|
||||
iph->frag_off = df;
|
||||
if (!df) {
|
||||
__ip_select_ident(iph, &rt->u.dst, 0);
|
||||
} else {
|
||||
iph->id = htons(inet->id++);
|
||||
}
|
||||
ip_select_ident(iph, &rt->u.dst, sk);
|
||||
iph->ttl = ttl;
|
||||
iph->protocol = sk->sk_protocol;
|
||||
iph->saddr = rt->rt_src;
|
||||
|
|
|
@ -1146,12 +1146,14 @@ void arpt_unregister_table(struct arpt_table *table)
|
|||
static struct arpt_target arpt_standard_target = {
|
||||
.name = ARPT_STANDARD_TARGET,
|
||||
.targetsize = sizeof(int),
|
||||
.family = NF_ARP,
|
||||
};
|
||||
|
||||
static struct arpt_target arpt_error_target = {
|
||||
.name = ARPT_ERROR_TARGET,
|
||||
.target = arpt_error,
|
||||
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
|
||||
.family = NF_ARP,
|
||||
};
|
||||
|
||||
static struct nf_sockopt_ops arpt_sockopts = {
|
||||
|
@ -1171,8 +1173,8 @@ static int __init init(void)
|
|||
xt_proto_init(NF_ARP);
|
||||
|
||||
/* Noone else will be downing sem now, so we won't sleep */
|
||||
xt_register_target(NF_ARP, &arpt_standard_target);
|
||||
xt_register_target(NF_ARP, &arpt_error_target);
|
||||
xt_register_target(&arpt_standard_target);
|
||||
xt_register_target(&arpt_error_target);
|
||||
|
||||
/* Register setsockopt */
|
||||
ret = nf_register_sockopt(&arpt_sockopts);
|
||||
|
|
|
@ -77,8 +77,8 @@ unsigned int ip_ct_log_invalid;
|
|||
static LIST_HEAD(unconfirmed);
|
||||
static int ip_conntrack_vmalloc;
|
||||
|
||||
static unsigned int ip_conntrack_next_id = 1;
|
||||
static unsigned int ip_conntrack_expect_next_id = 1;
|
||||
static unsigned int ip_conntrack_next_id;
|
||||
static unsigned int ip_conntrack_expect_next_id;
|
||||
#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
|
||||
struct notifier_block *ip_conntrack_chain;
|
||||
struct notifier_block *ip_conntrack_expect_chain;
|
||||
|
|
|
@ -639,8 +639,8 @@ void ip_conntrack_h245_expect(struct ip_conntrack *new,
|
|||
}
|
||||
|
||||
/****************************************************************************/
|
||||
static int get_h225_addr(unsigned char *data, TransportAddress * addr,
|
||||
u_int32_t * ip, u_int16_t * port)
|
||||
int get_h225_addr(unsigned char *data, TransportAddress * addr,
|
||||
u_int32_t * ip, u_int16_t * port)
|
||||
{
|
||||
unsigned char *p;
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
* (C) 2001 by Jay Schulist <jschlst@samba.org>
|
||||
* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
|
||||
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
|
||||
* (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
|
||||
* (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
|
||||
*
|
||||
* I've reworked this stuff to use attributes instead of conntrack
|
||||
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
|
||||
|
@ -53,20 +53,18 @@ static char __initdata version[] = "0.90";
|
|||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
||||
const struct ip_conntrack_tuple *tuple)
|
||||
const struct ip_conntrack_tuple *tuple,
|
||||
struct ip_conntrack_protocol *proto)
|
||||
{
|
||||
struct ip_conntrack_protocol *proto;
|
||||
int ret = 0;
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
|
||||
|
||||
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
|
||||
|
||||
/* If no protocol helper is found, this function will return the
|
||||
* generic protocol helper, so proto won't *ever* be NULL */
|
||||
proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
|
||||
if (likely(proto->tuple_to_nfattr))
|
||||
ret = proto->tuple_to_nfattr(skb, tuple);
|
||||
|
||||
ip_conntrack_proto_put(proto);
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return ret;
|
||||
|
||||
|
@ -75,27 +73,40 @@ ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
|||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples(struct sk_buff *skb,
|
||||
const struct ip_conntrack_tuple *tuple)
|
||||
ctnetlink_dump_tuples_ip(struct sk_buff *skb,
|
||||
const struct ip_conntrack_tuple *tuple)
|
||||
{
|
||||
struct nfattr *nest_parms;
|
||||
int ret;
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
|
||||
|
||||
nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
|
||||
NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
|
||||
NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
|
||||
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, tuple);
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return ret;
|
||||
return 0;
|
||||
|
||||
nfattr_failure:
|
||||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples(struct sk_buff *skb,
|
||||
const struct ip_conntrack_tuple *tuple)
|
||||
{
|
||||
int ret;
|
||||
struct ip_conntrack_protocol *proto;
|
||||
|
||||
ret = ctnetlink_dump_tuples_ip(skb, tuple);
|
||||
if (unlikely(ret < 0))
|
||||
return ret;
|
||||
|
||||
proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
|
||||
ip_conntrack_proto_put(proto);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
|
||||
{
|
||||
|
@ -1134,6 +1145,33 @@ ctnetlink_exp_dump_tuple(struct sk_buff *skb,
|
|||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_exp_dump_mask(struct sk_buff *skb,
|
||||
const struct ip_conntrack_tuple *tuple,
|
||||
const struct ip_conntrack_tuple *mask)
|
||||
{
|
||||
int ret;
|
||||
struct ip_conntrack_protocol *proto;
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
|
||||
|
||||
ret = ctnetlink_dump_tuples_ip(skb, mask);
|
||||
if (unlikely(ret < 0))
|
||||
goto nfattr_failure;
|
||||
|
||||
proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
|
||||
ip_conntrack_proto_put(proto);
|
||||
if (unlikely(ret < 0))
|
||||
goto nfattr_failure;
|
||||
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return 0;
|
||||
|
||||
nfattr_failure:
|
||||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_exp_dump_expect(struct sk_buff *skb,
|
||||
const struct ip_conntrack_expect *exp)
|
||||
|
@ -1144,7 +1182,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
|
|||
|
||||
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
|
||||
if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_exp_dump_tuple(skb,
|
||||
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
||||
|
|
|
@ -1335,12 +1335,14 @@ icmp_checkentry(const char *tablename,
|
|||
static struct ipt_target ipt_standard_target = {
|
||||
.name = IPT_STANDARD_TARGET,
|
||||
.targetsize = sizeof(int),
|
||||
.family = AF_INET,
|
||||
};
|
||||
|
||||
static struct ipt_target ipt_error_target = {
|
||||
.name = IPT_ERROR_TARGET,
|
||||
.target = ipt_error,
|
||||
.targetsize = IPT_FUNCTION_MAXNAMELEN,
|
||||
.family = AF_INET,
|
||||
};
|
||||
|
||||
static struct nf_sockopt_ops ipt_sockopts = {
|
||||
|
@ -1358,6 +1360,7 @@ static struct ipt_match icmp_matchstruct = {
|
|||
.match = icmp_match,
|
||||
.matchsize = sizeof(struct ipt_icmp),
|
||||
.proto = IPPROTO_ICMP,
|
||||
.family = AF_INET,
|
||||
.checkentry = icmp_checkentry,
|
||||
};
|
||||
|
||||
|
@ -1368,9 +1371,9 @@ static int __init init(void)
|
|||
xt_proto_init(AF_INET);
|
||||
|
||||
/* Noone else will be downing sem now, so we won't sleep */
|
||||
xt_register_target(AF_INET, &ipt_standard_target);
|
||||
xt_register_target(AF_INET, &ipt_error_target);
|
||||
xt_register_match(AF_INET, &icmp_matchstruct);
|
||||
xt_register_target(&ipt_standard_target);
|
||||
xt_register_target(&ipt_error_target);
|
||||
xt_register_match(&icmp_matchstruct);
|
||||
|
||||
/* Register setsockopt */
|
||||
ret = nf_register_sockopt(&ipt_sockopts);
|
||||
|
@ -1387,9 +1390,9 @@ static void __exit fini(void)
|
|||
{
|
||||
nf_unregister_sockopt(&ipt_sockopts);
|
||||
|
||||
xt_unregister_match(AF_INET, &icmp_matchstruct);
|
||||
xt_unregister_target(AF_INET, &ipt_error_target);
|
||||
xt_unregister_target(AF_INET, &ipt_standard_target);
|
||||
xt_unregister_match(&icmp_matchstruct);
|
||||
xt_unregister_target(&ipt_error_target);
|
||||
xt_unregister_target(&ipt_standard_target);
|
||||
|
||||
xt_proto_fini(AF_INET);
|
||||
}
|
||||
|
|
|
@ -568,6 +568,7 @@ static int init_or_cleanup(int init)
|
|||
return ret;
|
||||
}
|
||||
|
||||
MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
|
||||
MODULE_LICENSE("GPL");
|
||||
|
||||
static int __init init(void)
|
||||
|
|
|
@ -907,7 +907,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname,
|
|||
err = do_ipv6_getsockopt(sk, level, optname, optval, optlen);
|
||||
#ifdef CONFIG_NETFILTER
|
||||
/* we need to exclude all possible EINVALs except default case */
|
||||
if (err == -ENOPROTOOPT && optname != IPV6_ADDRFORM &&
|
||||
if (err == -EINVAL && optname != IPV6_ADDRFORM &&
|
||||
optname != MCAST_MSFILTER) {
|
||||
int len;
|
||||
|
||||
|
@ -944,7 +944,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
|
|||
err = do_ipv6_getsockopt(sk, level, optname, optval, optlen);
|
||||
#ifdef CONFIG_NETFILTER
|
||||
/* we need to exclude all possible EINVALs except default case */
|
||||
if (err == -ENOPROTOOPT && optname != IPV6_ADDRFORM &&
|
||||
if (err == -EINVAL && optname != IPV6_ADDRFORM &&
|
||||
optname != MCAST_MSFILTER) {
|
||||
int len;
|
||||
|
||||
|
|
|
@ -1377,12 +1377,14 @@ icmp6_checkentry(const char *tablename,
|
|||
static struct ip6t_target ip6t_standard_target = {
|
||||
.name = IP6T_STANDARD_TARGET,
|
||||
.targetsize = sizeof(int),
|
||||
.family = AF_INET6,
|
||||
};
|
||||
|
||||
static struct ip6t_target ip6t_error_target = {
|
||||
.name = IP6T_ERROR_TARGET,
|
||||
.target = ip6t_error,
|
||||
.targetsize = IP6T_FUNCTION_MAXNAMELEN,
|
||||
.family = AF_INET6,
|
||||
};
|
||||
|
||||
static struct nf_sockopt_ops ip6t_sockopts = {
|
||||
|
@ -1401,6 +1403,7 @@ static struct ip6t_match icmp6_matchstruct = {
|
|||
.matchsize = sizeof(struct ip6t_icmp),
|
||||
.checkentry = icmp6_checkentry,
|
||||
.proto = IPPROTO_ICMPV6,
|
||||
.family = AF_INET6,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
|
@ -1410,9 +1413,9 @@ static int __init init(void)
|
|||
xt_proto_init(AF_INET6);
|
||||
|
||||
/* Noone else will be downing sem now, so we won't sleep */
|
||||
xt_register_target(AF_INET6, &ip6t_standard_target);
|
||||
xt_register_target(AF_INET6, &ip6t_error_target);
|
||||
xt_register_match(AF_INET6, &icmp6_matchstruct);
|
||||
xt_register_target(&ip6t_standard_target);
|
||||
xt_register_target(&ip6t_error_target);
|
||||
xt_register_match(&icmp6_matchstruct);
|
||||
|
||||
/* Register setsockopt */
|
||||
ret = nf_register_sockopt(&ip6t_sockopts);
|
||||
|
@ -1429,9 +1432,9 @@ static int __init init(void)
|
|||
static void __exit fini(void)
|
||||
{
|
||||
nf_unregister_sockopt(&ip6t_sockopts);
|
||||
xt_unregister_match(AF_INET6, &icmp6_matchstruct);
|
||||
xt_unregister_target(AF_INET6, &ip6t_error_target);
|
||||
xt_unregister_target(AF_INET6, &ip6t_standard_target);
|
||||
xt_unregister_match(&icmp6_matchstruct);
|
||||
xt_unregister_target(&ip6t_error_target);
|
||||
xt_unregister_target(&ip6t_standard_target);
|
||||
xt_proto_fini(AF_INET6);
|
||||
}
|
||||
|
||||
|
|
|
@ -584,6 +584,7 @@ static int init_or_cleanup(int init)
|
|||
return ret;
|
||||
}
|
||||
|
||||
MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ config NETFILTER_NETLINK_QUEUE
|
|||
tristate "Netfilter NFQUEUE over NFNETLINK interface"
|
||||
depends on NETFILTER_NETLINK
|
||||
help
|
||||
If this option isenabled, the kernel will include support
|
||||
If this option is enabled, the kernel will include support
|
||||
for queueing packets via NFNETLINK.
|
||||
|
||||
config NETFILTER_NETLINK_LOG
|
||||
|
@ -66,7 +66,7 @@ config NF_CONNTRACK_EVENTS
|
|||
help
|
||||
If this option is enabled, the connection tracking code will
|
||||
provide a notifier chain that can be used by other kernel code
|
||||
to get notified aboutchanges in the connection tracking state.
|
||||
to get notified about changes in the connection tracking state.
|
||||
|
||||
If unsure, say `N'.
|
||||
|
||||
|
@ -153,7 +153,7 @@ config NETFILTER_XT_TARGET_NFQUEUE
|
|||
tristate '"NFQUEUE" target Support'
|
||||
depends on NETFILTER_XTABLES
|
||||
help
|
||||
This Target replaced the old obsolete QUEUE target.
|
||||
This target replaced the old obsolete QUEUE target.
|
||||
|
||||
As opposed to QUEUE, it supports 65535 different queues,
|
||||
not just one.
|
||||
|
|
|
@ -23,6 +23,8 @@
|
|||
* 26 Jan 2006: Harald Welte <laforge@netfilter.org>
|
||||
* - restructure nf_conn (introduce nf_conn_help)
|
||||
* - redesign 'features' how they were originally intended
|
||||
* 26 Feb 2006: Pablo Neira Ayuso <pablo@eurodev.net>
|
||||
* - add support for L3 protocol module load on demand.
|
||||
*
|
||||
* Derived from net/ipv4/netfilter/ip_conntrack_core.c
|
||||
*/
|
||||
|
@ -85,8 +87,8 @@ unsigned int nf_ct_log_invalid;
|
|||
static LIST_HEAD(unconfirmed);
|
||||
static int nf_conntrack_vmalloc;
|
||||
|
||||
static unsigned int nf_conntrack_next_id = 1;
|
||||
static unsigned int nf_conntrack_expect_next_id = 1;
|
||||
static unsigned int nf_conntrack_next_id;
|
||||
static unsigned int nf_conntrack_expect_next_id;
|
||||
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
||||
struct notifier_block *nf_conntrack_chain;
|
||||
struct notifier_block *nf_conntrack_expect_chain;
|
||||
|
@ -241,6 +243,35 @@ void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p)
|
|||
module_put(p->me);
|
||||
}
|
||||
|
||||
int
|
||||
nf_ct_l3proto_try_module_get(unsigned short l3proto)
|
||||
{
|
||||
int ret;
|
||||
struct nf_conntrack_l3proto *p;
|
||||
|
||||
retry: p = nf_ct_l3proto_find_get(l3proto);
|
||||
if (p == &nf_conntrack_generic_l3proto) {
|
||||
ret = request_module("nf_conntrack-%d", l3proto);
|
||||
if (!ret)
|
||||
goto retry;
|
||||
|
||||
return -EPROTOTYPE;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void nf_ct_l3proto_module_put(unsigned short l3proto)
|
||||
{
|
||||
struct nf_conntrack_l3proto *p;
|
||||
|
||||
preempt_disable();
|
||||
p = __nf_ct_l3proto_find(l3proto);
|
||||
preempt_enable();
|
||||
|
||||
module_put(p->me);
|
||||
}
|
||||
|
||||
static int nf_conntrack_hash_rnd_initted;
|
||||
static unsigned int nf_conntrack_hash_rnd;
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
* (C) 2001 by Jay Schulist <jschlst@samba.org>
|
||||
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
|
||||
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
|
||||
* (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
|
||||
* (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
|
||||
*
|
||||
* I've reworked this stuff to use attributes instead of conntrack
|
||||
* structures. 5.44 am. I need more tea. --pablo 05/07/11.
|
||||
|
@ -55,20 +55,18 @@ static char __initdata version[] = "0.93";
|
|||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple)
|
||||
const struct nf_conntrack_tuple *tuple,
|
||||
struct nf_conntrack_protocol *proto)
|
||||
{
|
||||
struct nf_conntrack_protocol *proto;
|
||||
int ret = 0;
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
|
||||
|
||||
NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
|
||||
|
||||
/* If no protocol helper is found, this function will return the
|
||||
* generic protocol helper, so proto won't *ever* be NULL */
|
||||
proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
|
||||
if (likely(proto->tuple_to_nfattr))
|
||||
ret = proto->tuple_to_nfattr(skb, tuple);
|
||||
|
||||
nf_ct_proto_put(proto);
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return ret;
|
||||
|
||||
|
@ -77,27 +75,16 @@ ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
|||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple)
|
||||
ctnetlink_dump_tuples_ip(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple,
|
||||
struct nf_conntrack_l3proto *l3proto)
|
||||
{
|
||||
struct nfattr *nest_parms;
|
||||
struct nf_conntrack_l3proto *l3proto;
|
||||
int ret = 0;
|
||||
|
||||
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
|
||||
|
||||
nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
|
||||
|
||||
if (likely(l3proto->tuple_to_nfattr))
|
||||
ret = l3proto->tuple_to_nfattr(skb, tuple);
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
nf_ct_l3proto_put(l3proto);
|
||||
|
||||
if (unlikely(ret < 0))
|
||||
return ret;
|
||||
|
||||
nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, tuple);
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return ret;
|
||||
|
@ -106,6 +93,28 @@ ctnetlink_dump_tuples(struct sk_buff *skb,
|
|||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_tuples(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple)
|
||||
{
|
||||
int ret;
|
||||
struct nf_conntrack_l3proto *l3proto;
|
||||
struct nf_conntrack_protocol *proto;
|
||||
|
||||
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
|
||||
ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
|
||||
nf_ct_l3proto_put(l3proto);
|
||||
|
||||
if (unlikely(ret < 0))
|
||||
return ret;
|
||||
|
||||
proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
|
||||
nf_ct_proto_put(proto);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
|
||||
{
|
||||
|
@ -1152,6 +1161,37 @@ ctnetlink_exp_dump_tuple(struct sk_buff *skb,
|
|||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_exp_dump_mask(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple,
|
||||
const struct nf_conntrack_tuple *mask)
|
||||
{
|
||||
int ret;
|
||||
struct nf_conntrack_l3proto *l3proto;
|
||||
struct nf_conntrack_protocol *proto;
|
||||
struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
|
||||
|
||||
l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
|
||||
ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
|
||||
nf_ct_l3proto_put(l3proto);
|
||||
|
||||
if (unlikely(ret < 0))
|
||||
goto nfattr_failure;
|
||||
|
||||
proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
|
||||
ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
|
||||
nf_ct_proto_put(proto);
|
||||
if (unlikely(ret < 0))
|
||||
goto nfattr_failure;
|
||||
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
return 0;
|
||||
|
||||
nfattr_failure:
|
||||
return -1;
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_exp_dump_expect(struct sk_buff *skb,
|
||||
const struct nf_conntrack_expect *exp)
|
||||
|
@ -1162,7 +1202,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
|
|||
|
||||
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
|
||||
if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_exp_dump_tuple(skb,
|
||||
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
||||
|
|
|
@ -834,6 +834,8 @@ EXPORT_SYMBOL_GPL(__nf_ct_event_cache_init);
|
|||
EXPORT_PER_CPU_SYMBOL_GPL(nf_conntrack_ecache);
|
||||
EXPORT_SYMBOL_GPL(nf_ct_deliver_cached_events);
|
||||
#endif
|
||||
EXPORT_SYMBOL(nf_ct_l3proto_try_module_get);
|
||||
EXPORT_SYMBOL(nf_ct_l3proto_module_put);
|
||||
EXPORT_SYMBOL(nf_conntrack_l3proto_register);
|
||||
EXPORT_SYMBOL(nf_conntrack_l3proto_unregister);
|
||||
EXPORT_SYMBOL(nf_conntrack_protocol_register);
|
||||
|
|
|
@ -354,16 +354,17 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
|
|||
QDEBUG("entered\n");
|
||||
|
||||
/* all macros expand to constant values at compile time */
|
||||
size = NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hdr))
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
size = NLMSG_SPACE(sizeof(struct nfgenmsg)) +
|
||||
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_hdr))
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* ifindex */
|
||||
#endif
|
||||
+ NLMSG_SPACE(sizeof(u_int32_t)) /* mark */
|
||||
+ NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_hw))
|
||||
+ NLMSG_SPACE(sizeof(struct nfqnl_msg_packet_timestamp));
|
||||
+ NFA_SPACE(sizeof(u_int32_t)) /* mark */
|
||||
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_hw))
|
||||
+ NFA_SPACE(sizeof(struct nfqnl_msg_packet_timestamp));
|
||||
|
||||
outdev = entinf->outdev;
|
||||
|
||||
|
@ -388,7 +389,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
|
|||
else
|
||||
data_len = queue->copy_range;
|
||||
|
||||
size += NLMSG_SPACE(data_len);
|
||||
size += NFA_SPACE(data_len);
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
|
@ -60,9 +60,9 @@ static const char *xt_prefix[NPROTO] = {
|
|||
|
||||
/* Registration hooks for targets. */
|
||||
int
|
||||
xt_register_target(int af, struct xt_target *target)
|
||||
xt_register_target(struct xt_target *target)
|
||||
{
|
||||
int ret;
|
||||
int ret, af = target->family;
|
||||
|
||||
ret = down_interruptible(&xt[af].mutex);
|
||||
if (ret != 0)
|
||||
|
@ -74,8 +74,10 @@ xt_register_target(int af, struct xt_target *target)
|
|||
EXPORT_SYMBOL(xt_register_target);
|
||||
|
||||
void
|
||||
xt_unregister_target(int af, struct xt_target *target)
|
||||
xt_unregister_target(struct xt_target *target)
|
||||
{
|
||||
int af = target->family;
|
||||
|
||||
down(&xt[af].mutex);
|
||||
LIST_DELETE(&xt[af].target, target);
|
||||
up(&xt[af].mutex);
|
||||
|
@ -83,9 +85,9 @@ xt_unregister_target(int af, struct xt_target *target)
|
|||
EXPORT_SYMBOL(xt_unregister_target);
|
||||
|
||||
int
|
||||
xt_register_match(int af, struct xt_match *match)
|
||||
xt_register_match(struct xt_match *match)
|
||||
{
|
||||
int ret;
|
||||
int ret, af = match->family;
|
||||
|
||||
ret = down_interruptible(&xt[af].mutex);
|
||||
if (ret != 0)
|
||||
|
@ -99,8 +101,10 @@ xt_register_match(int af, struct xt_match *match)
|
|||
EXPORT_SYMBOL(xt_register_match);
|
||||
|
||||
void
|
||||
xt_unregister_match(int af, struct xt_match *match)
|
||||
xt_unregister_match(struct xt_match *match)
|
||||
{
|
||||
int af = match->family;
|
||||
|
||||
down(&xt[af].mutex);
|
||||
LIST_DELETE(&xt[af].match, match);
|
||||
up(&xt[af].mutex);
|
||||
|
|
|
@ -47,6 +47,7 @@ static struct xt_target classify_reg = {
|
|||
.table = "mangle",
|
||||
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
|
||||
(1 << NF_IP_POST_ROUTING),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
static struct xt_target classify6_reg = {
|
||||
|
@ -56,6 +57,7 @@ static struct xt_target classify6_reg = {
|
|||
.table = "mangle",
|
||||
.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
|
||||
(1 << NF_IP_POST_ROUTING),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -64,21 +66,21 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_target(AF_INET, &classify_reg);
|
||||
ret = xt_register_target(&classify_reg);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_target(AF_INET6, &classify6_reg);
|
||||
ret = xt_register_target(&classify6_reg);
|
||||
if (ret)
|
||||
xt_unregister_target(AF_INET, &classify_reg);
|
||||
xt_unregister_target(&classify_reg);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_target(AF_INET, &classify_reg);
|
||||
xt_unregister_target(AF_INET6, &classify6_reg);
|
||||
xt_unregister_target(&classify_reg);
|
||||
xt_unregister_target(&classify6_reg);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -102,6 +102,7 @@ static struct xt_target connmark_reg = {
|
|||
.target = target,
|
||||
.targetsize = sizeof(struct xt_connmark_target_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -110,6 +111,7 @@ static struct xt_target connmark6_reg = {
|
|||
.target = target,
|
||||
.targetsize = sizeof(struct xt_connmark_target_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -119,21 +121,21 @@ static int __init init(void)
|
|||
|
||||
need_conntrack();
|
||||
|
||||
ret = xt_register_target(AF_INET, &connmark_reg);
|
||||
ret = xt_register_target(&connmark_reg);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_target(AF_INET6, &connmark6_reg);
|
||||
ret = xt_register_target(&connmark6_reg);
|
||||
if (ret)
|
||||
xt_unregister_target(AF_INET, &connmark_reg);
|
||||
xt_unregister_target(&connmark_reg);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_target(AF_INET, &connmark_reg);
|
||||
xt_unregister_target(AF_INET6, &connmark6_reg);
|
||||
xt_unregister_target(&connmark_reg);
|
||||
xt_unregister_target(&connmark6_reg);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -119,6 +119,7 @@ static struct xt_target ipt_mark_reg_v0 = {
|
|||
.table = "mangle",
|
||||
.checkentry = checkentry_v0,
|
||||
.me = THIS_MODULE,
|
||||
.family = AF_INET,
|
||||
.revision = 0,
|
||||
};
|
||||
|
||||
|
@ -129,6 +130,7 @@ static struct xt_target ipt_mark_reg_v1 = {
|
|||
.table = "mangle",
|
||||
.checkentry = checkentry_v1,
|
||||
.me = THIS_MODULE,
|
||||
.family = AF_INET,
|
||||
.revision = 1,
|
||||
};
|
||||
|
||||
|
@ -139,6 +141,7 @@ static struct xt_target ip6t_mark_reg_v0 = {
|
|||
.table = "mangle",
|
||||
.checkentry = checkentry_v0,
|
||||
.me = THIS_MODULE,
|
||||
.family = AF_INET6,
|
||||
.revision = 0,
|
||||
};
|
||||
|
||||
|
@ -146,18 +149,18 @@ static int __init init(void)
|
|||
{
|
||||
int err;
|
||||
|
||||
err = xt_register_target(AF_INET, &ipt_mark_reg_v0);
|
||||
err = xt_register_target(&ipt_mark_reg_v0);
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
err = xt_register_target(AF_INET, &ipt_mark_reg_v1);
|
||||
err = xt_register_target(&ipt_mark_reg_v1);
|
||||
if (err)
|
||||
xt_unregister_target(AF_INET, &ipt_mark_reg_v0);
|
||||
xt_unregister_target(&ipt_mark_reg_v0);
|
||||
|
||||
err = xt_register_target(AF_INET6, &ip6t_mark_reg_v0);
|
||||
err = xt_register_target(&ip6t_mark_reg_v0);
|
||||
if (err) {
|
||||
xt_unregister_target(AF_INET, &ipt_mark_reg_v0);
|
||||
xt_unregister_target(AF_INET, &ipt_mark_reg_v1);
|
||||
xt_unregister_target(&ipt_mark_reg_v0);
|
||||
xt_unregister_target(&ipt_mark_reg_v1);
|
||||
}
|
||||
|
||||
return err;
|
||||
|
@ -165,9 +168,9 @@ static int __init init(void)
|
|||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_target(AF_INET, &ipt_mark_reg_v0);
|
||||
xt_unregister_target(AF_INET, &ipt_mark_reg_v1);
|
||||
xt_unregister_target(AF_INET6, &ip6t_mark_reg_v0);
|
||||
xt_unregister_target(&ipt_mark_reg_v0);
|
||||
xt_unregister_target(&ipt_mark_reg_v1);
|
||||
xt_unregister_target(&ip6t_mark_reg_v0);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -41,6 +41,7 @@ static struct xt_target ipt_NFQ_reg = {
|
|||
.name = "NFQUEUE",
|
||||
.target = target,
|
||||
.targetsize = sizeof(struct xt_NFQ_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -48,6 +49,7 @@ static struct xt_target ip6t_NFQ_reg = {
|
|||
.name = "NFQUEUE",
|
||||
.target = target,
|
||||
.targetsize = sizeof(struct xt_NFQ_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -55,36 +57,37 @@ static struct xt_target arpt_NFQ_reg = {
|
|||
.name = "NFQUEUE",
|
||||
.target = target,
|
||||
.targetsize = sizeof(struct xt_NFQ_info),
|
||||
.family = NF_ARP,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_target(AF_INET, &ipt_NFQ_reg);
|
||||
ret = xt_register_target(&ipt_NFQ_reg);
|
||||
if (ret)
|
||||
return ret;
|
||||
ret = xt_register_target(AF_INET6, &ip6t_NFQ_reg);
|
||||
ret = xt_register_target(&ip6t_NFQ_reg);
|
||||
if (ret)
|
||||
goto out_ip;
|
||||
ret = xt_register_target(NF_ARP, &arpt_NFQ_reg);
|
||||
ret = xt_register_target(&arpt_NFQ_reg);
|
||||
if (ret)
|
||||
goto out_ip6;
|
||||
|
||||
return ret;
|
||||
out_ip6:
|
||||
xt_unregister_target(AF_INET6, &ip6t_NFQ_reg);
|
||||
xt_unregister_target(&ip6t_NFQ_reg);
|
||||
out_ip:
|
||||
xt_unregister_target(AF_INET, &ipt_NFQ_reg);
|
||||
xt_unregister_target(&ipt_NFQ_reg);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_target(NF_ARP, &arpt_NFQ_reg);
|
||||
xt_unregister_target(AF_INET6, &ip6t_NFQ_reg);
|
||||
xt_unregister_target(AF_INET, &ipt_NFQ_reg);
|
||||
xt_unregister_target(&arpt_NFQ_reg);
|
||||
xt_unregister_target(&ip6t_NFQ_reg);
|
||||
xt_unregister_target(&ipt_NFQ_reg);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -39,6 +39,7 @@ static struct xt_target notrack_reg = {
|
|||
.target = target,
|
||||
.targetsize = 0,
|
||||
.table = "raw",
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -47,6 +48,7 @@ static struct xt_target notrack6_reg = {
|
|||
.target = target,
|
||||
.targetsize = 0,
|
||||
.table = "raw",
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -54,21 +56,21 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_target(AF_INET, ¬rack_reg);
|
||||
ret = xt_register_target(¬rack_reg);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_target(AF_INET6, ¬rack6_reg);
|
||||
ret = xt_register_target(¬rack6_reg);
|
||||
if (ret)
|
||||
xt_unregister_target(AF_INET, ¬rack_reg);
|
||||
xt_unregister_target(¬rack_reg);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_target(AF_INET6, ¬rack6_reg);
|
||||
xt_unregister_target(AF_INET, ¬rack_reg);
|
||||
xt_unregister_target(¬rack6_reg);
|
||||
xt_unregister_target(¬rack_reg);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -33,6 +33,7 @@ static struct xt_match comment_match = {
|
|||
.name = "comment",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_comment_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -40,6 +41,7 @@ static struct xt_match comment6_match = {
|
|||
.name = "comment",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_comment_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -47,21 +49,21 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_match(AF_INET, &comment_match);
|
||||
ret = xt_register_match(&comment_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &comment6_match);
|
||||
ret = xt_register_match(&comment6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &comment_match);
|
||||
xt_unregister_match(&comment_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &comment_match);
|
||||
xt_unregister_match(AF_INET6, &comment6_match);
|
||||
xt_unregister_match(&comment_match);
|
||||
xt_unregister_match(&comment6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -148,6 +148,7 @@ static struct xt_match connbytes_match = {
|
|||
.match = match,
|
||||
.checkentry = check,
|
||||
.matchsize = sizeof(struct xt_connbytes_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
static struct xt_match connbytes6_match = {
|
||||
|
@ -155,26 +156,27 @@ static struct xt_match connbytes6_match = {
|
|||
.match = match,
|
||||
.checkentry = check,
|
||||
.matchsize = sizeof(struct xt_connbytes_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &connbytes_match);
|
||||
ret = xt_register_match(&connbytes_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &connbytes6_match);
|
||||
ret = xt_register_match(&connbytes6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &connbytes_match);
|
||||
xt_unregister_match(&connbytes_match);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &connbytes_match);
|
||||
xt_unregister_match(AF_INET6, &connbytes6_match);
|
||||
xt_unregister_match(&connbytes_match);
|
||||
xt_unregister_match(&connbytes6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -64,14 +64,31 @@ checkentry(const char *tablename,
|
|||
printk(KERN_WARNING "connmark: only support 32bit mark\n");
|
||||
return 0;
|
||||
}
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load nf_conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
nf_ct_l3proto_module_put(match->family);
|
||||
#endif
|
||||
}
|
||||
|
||||
static struct xt_match connmark_match = {
|
||||
.name = "connmark",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_connmark_info),
|
||||
.checkentry = checkentry,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -80,6 +97,8 @@ static struct xt_match connmark6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_connmark_info),
|
||||
.checkentry = checkentry,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -89,20 +108,20 @@ static int __init init(void)
|
|||
|
||||
need_conntrack();
|
||||
|
||||
ret = xt_register_match(AF_INET, &connmark_match);
|
||||
ret = xt_register_match(&connmark_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &connmark6_match);
|
||||
ret = xt_register_match(&connmark6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &connmark_match);
|
||||
xt_unregister_match(&connmark_match);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &connmark6_match);
|
||||
xt_unregister_match(AF_INET, &connmark_match);
|
||||
xt_unregister_match(&connmark6_match);
|
||||
xt_unregister_match(&connmark_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -203,10 +203,39 @@ match(const struct sk_buff *skb,
|
|||
|
||||
#endif /* CONFIG_NF_IP_CONNTRACK */
|
||||
|
||||
static int
|
||||
checkentry(const char *tablename,
|
||||
const void *ip,
|
||||
const struct xt_match *match,
|
||||
void *matchinfo,
|
||||
unsigned int matchsize,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load nf_conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
nf_ct_l3proto_module_put(match->family);
|
||||
#endif
|
||||
}
|
||||
|
||||
static struct xt_match conntrack_match = {
|
||||
.name = "conntrack",
|
||||
.match = match,
|
||||
.checkentry = checkentry,
|
||||
.destroy = destroy,
|
||||
.matchsize = sizeof(struct xt_conntrack_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -214,14 +243,14 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
need_conntrack();
|
||||
ret = xt_register_match(AF_INET, &conntrack_match);
|
||||
ret = xt_register_match(&conntrack_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &conntrack_match);
|
||||
xt_unregister_match(&conntrack_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -149,6 +149,7 @@ static struct xt_match dccp_match =
|
|||
.matchsize = sizeof(struct xt_dccp_info),
|
||||
.proto = IPPROTO_DCCP,
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
static struct xt_match dccp6_match =
|
||||
|
@ -158,6 +159,7 @@ static struct xt_match dccp6_match =
|
|||
.matchsize = sizeof(struct xt_dccp_info),
|
||||
.proto = IPPROTO_DCCP,
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -172,17 +174,17 @@ static int __init init(void)
|
|||
dccp_optbuf = kmalloc(256 * 4, GFP_KERNEL);
|
||||
if (!dccp_optbuf)
|
||||
return -ENOMEM;
|
||||
ret = xt_register_match(AF_INET, &dccp_match);
|
||||
ret = xt_register_match(&dccp_match);
|
||||
if (ret)
|
||||
goto out_kfree;
|
||||
ret = xt_register_match(AF_INET6, &dccp6_match);
|
||||
ret = xt_register_match(&dccp6_match);
|
||||
if (ret)
|
||||
goto out_unreg;
|
||||
|
||||
return ret;
|
||||
|
||||
out_unreg:
|
||||
xt_unregister_match(AF_INET, &dccp_match);
|
||||
xt_unregister_match(&dccp_match);
|
||||
out_kfree:
|
||||
kfree(dccp_optbuf);
|
||||
|
||||
|
@ -191,8 +193,8 @@ static int __init init(void)
|
|||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &dccp6_match);
|
||||
xt_unregister_match(AF_INET, &dccp_match);
|
||||
xt_unregister_match(&dccp6_match);
|
||||
xt_unregister_match(&dccp_match);
|
||||
kfree(dccp_optbuf);
|
||||
}
|
||||
|
||||
|
|
|
@ -144,15 +144,32 @@ static int check(const char *tablename,
|
|||
{
|
||||
struct xt_helper_info *info = matchinfo;
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load nf_conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
info->name[29] = '\0';
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
nf_ct_l3proto_module_put(match->family);
|
||||
#endif
|
||||
}
|
||||
|
||||
static struct xt_match helper_match = {
|
||||
.name = "helper",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_helper_info),
|
||||
.checkentry = check,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
static struct xt_match helper6_match = {
|
||||
|
@ -160,6 +177,8 @@ static struct xt_match helper6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_helper_info),
|
||||
.checkentry = check,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -168,21 +187,21 @@ static int __init init(void)
|
|||
int ret;
|
||||
need_conntrack();
|
||||
|
||||
ret = xt_register_match(AF_INET, &helper_match);
|
||||
ret = xt_register_match(&helper_match);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &helper6_match);
|
||||
ret = xt_register_match(&helper6_match);
|
||||
if (ret < 0)
|
||||
xt_unregister_match(AF_INET, &helper_match);
|
||||
xt_unregister_match(&helper_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &helper_match);
|
||||
xt_unregister_match(AF_INET6, &helper6_match);
|
||||
xt_unregister_match(&helper_match);
|
||||
xt_unregister_match(&helper6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -56,6 +56,7 @@ static struct xt_match length_match = {
|
|||
.name = "length",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_length_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -63,26 +64,27 @@ static struct xt_match length6_match = {
|
|||
.name = "length",
|
||||
.match = match6,
|
||||
.matchsize = sizeof(struct xt_length_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &length_match);
|
||||
ret = xt_register_match(&length_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
ret = xt_register_match(AF_INET6, &length6_match);
|
||||
ret = xt_register_match(&length6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &length_match);
|
||||
xt_unregister_match(&length_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &length_match);
|
||||
xt_unregister_match(AF_INET6, &length6_match);
|
||||
xt_unregister_match(&length_match);
|
||||
xt_unregister_match(&length6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -141,6 +141,7 @@ static struct xt_match ipt_limit_reg = {
|
|||
.match = ipt_limit_match,
|
||||
.matchsize = sizeof(struct xt_rateinfo),
|
||||
.checkentry = ipt_limit_checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
static struct xt_match limit6_reg = {
|
||||
|
@ -148,6 +149,7 @@ static struct xt_match limit6_reg = {
|
|||
.match = ipt_limit_match,
|
||||
.matchsize = sizeof(struct xt_rateinfo),
|
||||
.checkentry = ipt_limit_checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -155,21 +157,21 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_match(AF_INET, &ipt_limit_reg);
|
||||
ret = xt_register_match(&ipt_limit_reg);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &limit6_reg);
|
||||
ret = xt_register_match(&limit6_reg);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &ipt_limit_reg);
|
||||
xt_unregister_match(&ipt_limit_reg);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &ipt_limit_reg);
|
||||
xt_unregister_match(AF_INET6, &limit6_reg);
|
||||
xt_unregister_match(&ipt_limit_reg);
|
||||
xt_unregister_match(&limit6_reg);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -49,6 +49,7 @@ static struct xt_match mac_match = {
|
|||
.matchsize = sizeof(struct xt_mac_info),
|
||||
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
|
||||
(1 << NF_IP_FORWARD),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
static struct xt_match mac6_match = {
|
||||
|
@ -57,27 +58,28 @@ static struct xt_match mac6_match = {
|
|||
.matchsize = sizeof(struct xt_mac_info),
|
||||
.hooks = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) |
|
||||
(1 << NF_IP_FORWARD),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &mac_match);
|
||||
ret = xt_register_match(&mac_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &mac6_match);
|
||||
ret = xt_register_match(&mac6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &mac_match);
|
||||
xt_unregister_match(&mac_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &mac_match);
|
||||
xt_unregister_match(AF_INET6, &mac6_match);
|
||||
xt_unregister_match(&mac_match);
|
||||
xt_unregister_match(&mac6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -56,6 +56,7 @@ static struct xt_match mark_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_mark_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -64,27 +65,28 @@ static struct xt_match mark6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_mark_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &mark_match);
|
||||
ret = xt_register_match(&mark_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &mark6_match);
|
||||
ret = xt_register_match(&mark6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &mark_match);
|
||||
xt_unregister_match(&mark_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &mark_match);
|
||||
xt_unregister_match(AF_INET6, &mark6_match);
|
||||
xt_unregister_match(&mark_match);
|
||||
xt_unregister_match(&mark6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -121,6 +121,7 @@ static struct xt_match physdev_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_physdev_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -129,6 +130,7 @@ static struct xt_match physdev6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_physdev_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -136,21 +138,21 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_match(AF_INET, &physdev_match);
|
||||
ret = xt_register_match(&physdev_match);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &physdev6_match);
|
||||
ret = xt_register_match(&physdev6_match);
|
||||
if (ret < 0)
|
||||
xt_unregister_match(AF_INET, &physdev_match);
|
||||
xt_unregister_match(&physdev_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &physdev_match);
|
||||
xt_unregister_match(AF_INET6, &physdev6_match);
|
||||
xt_unregister_match(&physdev_match);
|
||||
xt_unregister_match(&physdev6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -37,6 +37,7 @@ static struct xt_match pkttype_match = {
|
|||
.name = "pkttype",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_pkttype_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -44,27 +45,28 @@ static struct xt_match pkttype6_match = {
|
|||
.name = "pkttype",
|
||||
.match = match,
|
||||
.matchsize = sizeof(struct xt_pkttype_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &pkttype_match);
|
||||
ret = xt_register_match(&pkttype_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &pkttype6_match);
|
||||
ret = xt_register_match(&pkttype6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &pkttype_match);
|
||||
xt_unregister_match(&pkttype_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &pkttype_match);
|
||||
xt_unregister_match(AF_INET6, &pkttype6_match);
|
||||
xt_unregister_match(&pkttype_match);
|
||||
xt_unregister_match(&pkttype6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -27,9 +27,9 @@ xt_addr_cmp(const union xt_policy_addr *a1, const union xt_policy_addr *m,
|
|||
{
|
||||
switch (family) {
|
||||
case AF_INET:
|
||||
return (a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr;
|
||||
return !((a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr);
|
||||
case AF_INET6:
|
||||
return ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
|
||||
return !ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -44,7 +44,7 @@ match_xfrm_state(struct xfrm_state *x, const struct xt_policy_elem *e,
|
|||
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
|
||||
|
||||
return MATCH_ADDR(saddr, smask, (union xt_policy_addr *)&x->props.saddr) &&
|
||||
MATCH_ADDR(daddr, dmask, (union xt_policy_addr *)&x->id.daddr.a4) &&
|
||||
MATCH_ADDR(daddr, dmask, (union xt_policy_addr *)&x->id.daddr) &&
|
||||
MATCH(proto, x->id.proto) &&
|
||||
MATCH(mode, x->props.mode) &&
|
||||
MATCH(spi, x->id.spi) &&
|
||||
|
@ -172,6 +172,7 @@ static struct xt_match policy_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_policy_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -181,6 +182,7 @@ static struct xt_match policy6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_policy_info),
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -188,19 +190,19 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_match(AF_INET, &policy_match);
|
||||
ret = xt_register_match(&policy_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
ret = xt_register_match(AF_INET6, &policy6_match);
|
||||
ret = xt_register_match(&policy6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &policy_match);
|
||||
xt_unregister_match(&policy_match);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &policy6_match);
|
||||
xt_unregister_match(AF_INET, &policy_match);
|
||||
xt_unregister_match(&policy6_match);
|
||||
xt_unregister_match(&policy_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -45,17 +45,18 @@ static struct xt_match realm_match = {
|
|||
.matchsize = sizeof(struct xt_realm_info),
|
||||
.hooks = (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
|
||||
(1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
return xt_register_match(AF_INET, &realm_match);
|
||||
return xt_register_match(&realm_match);
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &realm_match);
|
||||
xt_unregister_match(&realm_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -186,6 +186,7 @@ static struct xt_match sctp_match = {
|
|||
.matchsize = sizeof(struct xt_sctp_info),
|
||||
.proto = IPPROTO_SCTP,
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -195,27 +196,28 @@ static struct xt_match sctp6_match = {
|
|||
.matchsize = sizeof(struct xt_sctp_info),
|
||||
.proto = IPPROTO_SCTP,
|
||||
.checkentry = checkentry,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &sctp_match);
|
||||
ret = xt_register_match(&sctp_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &sctp6_match);
|
||||
ret = xt_register_match(&sctp6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &sctp_match);
|
||||
xt_unregister_match(&sctp_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &sctp6_match);
|
||||
xt_unregister_match(AF_INET, &sctp_match);
|
||||
xt_unregister_match(&sctp6_match);
|
||||
xt_unregister_match(&sctp_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -44,17 +44,48 @@ match(const struct sk_buff *skb,
|
|||
return (sinfo->statemask & statebit);
|
||||
}
|
||||
|
||||
static int check(const char *tablename,
|
||||
const void *inf,
|
||||
const struct xt_match *match,
|
||||
void *matchinfo,
|
||||
unsigned int matchsize,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
if (nf_ct_l3proto_try_module_get(match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load nf_conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void
|
||||
destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
|
||||
{
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
nf_ct_l3proto_module_put(match->family);
|
||||
#endif
|
||||
}
|
||||
|
||||
static struct xt_match state_match = {
|
||||
.name = "state",
|
||||
.match = match,
|
||||
.checkentry = check,
|
||||
.destroy = destroy,
|
||||
.matchsize = sizeof(struct xt_state_info),
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static struct xt_match state6_match = {
|
||||
.name = "state",
|
||||
.match = match,
|
||||
.checkentry = check,
|
||||
.destroy = destroy,
|
||||
.matchsize = sizeof(struct xt_state_info),
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -64,21 +95,21 @@ static int __init init(void)
|
|||
|
||||
need_conntrack();
|
||||
|
||||
ret = xt_register_match(AF_INET, &state_match);
|
||||
ret = xt_register_match(&state_match);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &state6_match);
|
||||
ret = xt_register_match(&state6_match);
|
||||
if (ret < 0)
|
||||
xt_unregister_match(AF_INET,&state_match);
|
||||
xt_unregister_match(&state_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &state_match);
|
||||
xt_unregister_match(AF_INET6, &state6_match);
|
||||
xt_unregister_match(&state_match);
|
||||
xt_unregister_match(&state6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -78,6 +78,7 @@ static struct xt_match string_match = {
|
|||
.matchsize = sizeof(struct xt_string_info),
|
||||
.checkentry = checkentry,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
static struct xt_match string6_match = {
|
||||
|
@ -86,6 +87,7 @@ static struct xt_match string6_match = {
|
|||
.matchsize = sizeof(struct xt_string_info),
|
||||
.checkentry = checkentry,
|
||||
.destroy = destroy,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE
|
||||
};
|
||||
|
||||
|
@ -93,20 +95,20 @@ static int __init init(void)
|
|||
{
|
||||
int ret;
|
||||
|
||||
ret = xt_register_match(AF_INET, &string_match);
|
||||
ret = xt_register_match(&string_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
ret = xt_register_match(AF_INET6, &string6_match);
|
||||
ret = xt_register_match(&string6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &string_match);
|
||||
xt_unregister_match(&string_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET, &string_match);
|
||||
xt_unregister_match(AF_INET6, &string6_match);
|
||||
xt_unregister_match(&string_match);
|
||||
xt_unregister_match(&string6_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -98,6 +98,7 @@ static struct xt_match tcpmss_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_tcpmss_match_info),
|
||||
.proto = IPPROTO_TCP,
|
||||
.family = AF_INET,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -106,6 +107,7 @@ static struct xt_match tcpmss6_match = {
|
|||
.match = match,
|
||||
.matchsize = sizeof(struct xt_tcpmss_match_info),
|
||||
.proto = IPPROTO_TCP,
|
||||
.family = AF_INET6,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
|
@ -113,21 +115,21 @@ static struct xt_match tcpmss6_match = {
|
|||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &tcpmss_match);
|
||||
ret = xt_register_match(&tcpmss_match);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &tcpmss6_match);
|
||||
ret = xt_register_match(&tcpmss6_match);
|
||||
if (ret)
|
||||
xt_unregister_match(AF_INET, &tcpmss_match);
|
||||
xt_unregister_match(&tcpmss_match);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &tcpmss6_match);
|
||||
xt_unregister_match(AF_INET, &tcpmss_match);
|
||||
xt_unregister_match(&tcpmss6_match);
|
||||
xt_unregister_match(&tcpmss_match);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
|
@ -204,6 +204,7 @@ static struct xt_match tcp_matchstruct = {
|
|||
.match = tcp_match,
|
||||
.matchsize = sizeof(struct xt_tcp),
|
||||
.proto = IPPROTO_TCP,
|
||||
.family = AF_INET,
|
||||
.checkentry = tcp_checkentry,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
@ -213,6 +214,7 @@ static struct xt_match tcp6_matchstruct = {
|
|||
.match = tcp_match,
|
||||
.matchsize = sizeof(struct xt_tcp),
|
||||
.proto = IPPROTO_TCP,
|
||||
.family = AF_INET6,
|
||||
.checkentry = tcp_checkentry,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
@ -222,6 +224,7 @@ static struct xt_match udp_matchstruct = {
|
|||
.match = udp_match,
|
||||
.matchsize = sizeof(struct xt_udp),
|
||||
.proto = IPPROTO_UDP,
|
||||
.family = AF_INET,
|
||||
.checkentry = udp_checkentry,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
@ -230,6 +233,7 @@ static struct xt_match udp6_matchstruct = {
|
|||
.match = udp_match,
|
||||
.matchsize = sizeof(struct xt_udp),
|
||||
.proto = IPPROTO_UDP,
|
||||
.family = AF_INET6,
|
||||
.checkentry = udp_checkentry,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
@ -237,39 +241,39 @@ static struct xt_match udp6_matchstruct = {
|
|||
static int __init init(void)
|
||||
{
|
||||
int ret;
|
||||
ret = xt_register_match(AF_INET, &tcp_matchstruct);
|
||||
ret = xt_register_match(&tcp_matchstruct);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &tcp6_matchstruct);
|
||||
ret = xt_register_match(&tcp6_matchstruct);
|
||||
if (ret)
|
||||
goto out_unreg_tcp;
|
||||
|
||||
ret = xt_register_match(AF_INET, &udp_matchstruct);
|
||||
ret = xt_register_match(&udp_matchstruct);
|
||||
if (ret)
|
||||
goto out_unreg_tcp6;
|
||||
|
||||
ret = xt_register_match(AF_INET6, &udp6_matchstruct);
|
||||
ret = xt_register_match(&udp6_matchstruct);
|
||||
if (ret)
|
||||
goto out_unreg_udp;
|
||||
|
||||
return ret;
|
||||
|
||||
out_unreg_udp:
|
||||
xt_unregister_match(AF_INET, &tcp_matchstruct);
|
||||
xt_unregister_match(&tcp_matchstruct);
|
||||
out_unreg_tcp6:
|
||||
xt_unregister_match(AF_INET6, &tcp6_matchstruct);
|
||||
xt_unregister_match(&tcp6_matchstruct);
|
||||
out_unreg_tcp:
|
||||
xt_unregister_match(AF_INET, &tcp_matchstruct);
|
||||
xt_unregister_match(&tcp_matchstruct);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit fini(void)
|
||||
{
|
||||
xt_unregister_match(AF_INET6, &udp6_matchstruct);
|
||||
xt_unregister_match(AF_INET, &udp_matchstruct);
|
||||
xt_unregister_match(AF_INET6, &tcp6_matchstruct);
|
||||
xt_unregister_match(AF_INET, &tcp_matchstruct);
|
||||
xt_unregister_match(&udp6_matchstruct);
|
||||
xt_unregister_match(&udp_matchstruct);
|
||||
xt_unregister_match(&tcp6_matchstruct);
|
||||
xt_unregister_match(&tcp_matchstruct);
|
||||
}
|
||||
|
||||
module_init(init);
|
||||
|
|
Loading…
Reference in a new issue