netfilter: xtables: replace custom duprintf with pr_debug
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
parent
85bc3f3814
commit
be91fd5e32
7 changed files with 41 additions and 79 deletions
|
@ -5,7 +5,7 @@
|
||||||
* it under the terms of the GNU General Public License version 2 as
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
* published by the Free Software Foundation.
|
* published by the Free Software Foundation.
|
||||||
*/
|
*/
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/in.h>
|
#include <linux/in.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/skbuff.h>
|
#include <linux/skbuff.h>
|
||||||
|
@ -18,21 +18,15 @@ MODULE_LICENSE("GPL");
|
||||||
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
|
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
|
||||||
MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
|
MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
|
||||||
|
|
||||||
#ifdef DEBUG_CONNTRACK
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Returns 1 if the spi is matched by the range, 0 otherwise */
|
/* Returns 1 if the spi is matched by the range, 0 otherwise */
|
||||||
static inline bool
|
static inline bool
|
||||||
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
||||||
{
|
{
|
||||||
bool r;
|
bool r;
|
||||||
duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
|
pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
|
||||||
min,spi,max);
|
invert ? '!' : ' ', min, spi, max);
|
||||||
r=(spi >= min && spi <= max) ^ invert;
|
r=(spi >= min && spi <= max) ^ invert;
|
||||||
duprintf(" result %s\n",r? "PASS" : "FAILED");
|
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("Dropping evil AH tinygram.\n");
|
pr_debug("Dropping evil AH tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -67,7 +61,7 @@ static bool ah_mt_check(const struct xt_mtchk_param *par)
|
||||||
|
|
||||||
/* Must specify no unknown invflags */
|
/* Must specify no unknown invflags */
|
||||||
if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
|
if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
|
||||||
duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
|
pr_debug("unknown flags %X\n", ahinfo->invflags);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
|
|
|
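Review bot: spi_match() still emits its trace as two separate pr_debug() calls (the range line and the ` result %s` line), and since each pr_debug() is now its own printk carrying the `ipt_ah: ` prefix, the second call no longer reads as a continuation of the first and doubles the printk cost on a per-packet path that remote traffic drives. Compute r first and log once: `r = (spi >= min && spi <= max) ^ invert;` followed by `pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x result %s\n", invert ? '!' : ' ', min, spi, max, r ? "PASS" : "FAILED");`. With CONFIG_DYNAMIC_DEBUG this trace can be switched on at runtime, so one line per packet also halves how much log a flood of AH packets can generate while it is enabled.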
@ -11,6 +11,7 @@
|
||||||
* Based on net/netfilter/xt_tcpudp.c
|
* Based on net/netfilter/xt_tcpudp.c
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/types.h>
|
#include <linux/types.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <net/ip.h>
|
#include <net/ip.h>
|
||||||
|
@ -24,12 +25,6 @@
|
||||||
MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
|
MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
|
||||||
MODULE_LICENSE("GPL");
|
MODULE_LICENSE("GPL");
|
||||||
|
|
||||||
#ifdef DEBUG_IP_FIREWALL_USER
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Returns 1 if the type is matched by the range, 0 otherwise */
|
/* Returns 1 if the type is matched by the range, 0 otherwise */
|
||||||
static inline bool
|
static inline bool
|
||||||
type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
|
type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
|
||||||
|
@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
if (mh == NULL) {
|
if (mh == NULL) {
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
duprintf("Dropping evil MH tinygram.\n");
|
pr_debug("Dropping evil MH tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
||||||
duprintf("Dropping invalid MH Payload Proto: %u\n",
|
pr_debug("Dropping invalid MH Payload Proto: %u\n",
|
||||||
mh->ip6mh_proto);
|
mh->ip6mh_proto);
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
* published by the Free Software Foundation.
|
* published by the Free Software Foundation.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/socket.h>
|
#include <linux/socket.h>
|
||||||
#include <linux/net.h>
|
#include <linux/net.h>
|
||||||
|
@ -54,12 +54,6 @@ struct xt_af {
|
||||||
|
|
||||||
static struct xt_af *xt;
|
static struct xt_af *xt;
|
||||||
|
|
||||||
#ifdef DEBUG_IP_FIREWALL_USER
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
|
static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
|
||||||
[NFPROTO_UNSPEC] = "x",
|
[NFPROTO_UNSPEC] = "x",
|
||||||
[NFPROTO_IPV4] = "ip",
|
[NFPROTO_IPV4] = "ip",
|
||||||
|
@ -720,7 +714,7 @@ xt_replace_table(struct xt_table *table,
|
||||||
|
|
||||||
/* Check inside lock: is the old number correct? */
|
/* Check inside lock: is the old number correct? */
|
||||||
if (num_counters != private->number) {
|
if (num_counters != private->number) {
|
||||||
duprintf("num_counters != table->private->number (%u/%u)\n",
|
pr_debug("num_counters != table->private->number (%u/%u)\n",
|
||||||
num_counters, private->number);
|
num_counters, private->number);
|
||||||
local_bh_enable();
|
local_bh_enable();
|
||||||
*error = -EAGAIN;
|
*error = -EAGAIN;
|
||||||
|
@ -777,7 +771,7 @@ struct xt_table *xt_register_table(struct net *net,
|
||||||
goto unlock;
|
goto unlock;
|
||||||
|
|
||||||
private = table->private;
|
private = table->private;
|
||||||
duprintf("table->private->number = %u\n", private->number);
|
pr_debug("table->private->number = %u\n", private->number);
|
||||||
|
|
||||||
/* save number of initial entries */
|
/* save number of initial entries */
|
||||||
private->initial_entries = private->number;
|
private->initial_entries = private->number;
|
||||||
|
|
|
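Review bot: The gating of these messages changes silently: duprintf() was compiled in only under DEBUG_IP_FIREWALL_USER, whereas pr_debug() is compiled in under DEBUG and, with CONFIG_DYNAMIC_DEBUG, can be enabled at runtime on a production kernel. That is presumably the intent, but anyone who later greps for DEBUG_IP_FIREWALL_USER to turn tracing back on in x_tables.c will find nothing. A one-line comment next to the new pr_fmt definition would save that search, e.g. `/* Tracing goes through pr_debug(): build with DEBUG or enable it via dynamic debug. */`.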
@ -6,7 +6,7 @@
|
||||||
* it under the terms of the GNU General Public License version 2 as
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
* published by the Free Software Foundation.
|
* published by the Free Software Foundation.
|
||||||
*/
|
*/
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/skbuff.h>
|
#include <linux/skbuff.h>
|
||||||
#include <linux/in.h>
|
#include <linux/in.h>
|
||||||
|
@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
|
||||||
MODULE_ALIAS("ipt_esp");
|
MODULE_ALIAS("ipt_esp");
|
||||||
MODULE_ALIAS("ip6t_esp");
|
MODULE_ALIAS("ip6t_esp");
|
||||||
|
|
||||||
#if 0
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Returns 1 if the spi is matched by the range, 0 otherwise */
|
/* Returns 1 if the spi is matched by the range, 0 otherwise */
|
||||||
static inline bool
|
static inline bool
|
||||||
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
||||||
{
|
{
|
||||||
bool r;
|
bool r;
|
||||||
duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
|
pr_debug("esp spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
|
||||||
min, spi, max);
|
invert ? '!' : ' ', min, spi, max);
|
||||||
r = (spi >= min && spi <= max) ^ invert;
|
r = (spi >= min && spi <= max) ^ invert;
|
||||||
duprintf(" result %s\n", r ? "PASS" : "FAILED");
|
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("Dropping evil ESP tinygram.\n");
|
pr_debug("Dropping evil ESP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -71,7 +65,7 @@ static bool esp_mt_check(const struct xt_mtchk_param *par)
|
||||||
const struct xt_esp *espinfo = par->matchinfo;
|
const struct xt_esp *espinfo = par->matchinfo;
|
||||||
|
|
||||||
if (espinfo->invflags & ~XT_ESP_INV_MASK) {
|
if (espinfo->invflags & ~XT_ESP_INV_MASK) {
|
||||||
duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
|
pr_debug("unknown flags %X\n", espinfo->invflags);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
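Review bot: The rewritten trace in spi_match() keeps the literal `esp ` in its format string, while the same change in the AH match dropped the `ah ` prefix because pr_fmt now supplies the module name; the output here becomes `xt_esp: esp spi_match: ...`. Drop it for consistency: `pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",`. As in the AH match, the two pr_debug() calls per packet could also be folded into one line emitted after r is computed, since each pr_debug() is now a separately prefixed printk.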
@ -8,7 +8,7 @@
|
||||||
* it under the terms of the GNU General Public License version 2 as
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
* published by the Free Software Foundation.
|
* published by the Free Software Foundation.
|
||||||
*/
|
*/
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/types.h>
|
#include <linux/types.h>
|
||||||
#include <linux/udp.h>
|
#include <linux/udp.h>
|
||||||
|
@ -26,12 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
|
||||||
MODULE_ALIAS("ipt_multiport");
|
MODULE_ALIAS("ipt_multiport");
|
||||||
MODULE_ALIAS("ip6t_multiport");
|
MODULE_ALIAS("ip6t_multiport");
|
||||||
|
|
||||||
#if 0
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Returns 1 if the port is matched by the test, 0 otherwise. */
|
/* Returns 1 if the port is matched by the test, 0 otherwise. */
|
||||||
static inline bool
|
static inline bool
|
||||||
ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
|
ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
|
||||||
|
@ -63,7 +57,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
|
||||||
if (minfo->pflags[i]) {
|
if (minfo->pflags[i]) {
|
||||||
/* range port matching */
|
/* range port matching */
|
||||||
e = minfo->ports[++i];
|
e = minfo->ports[++i];
|
||||||
duprintf("src or dst matches with %d-%d?\n", s, e);
|
pr_debug("src or dst matches with %d-%d?\n", s, e);
|
||||||
|
|
||||||
if (minfo->flags == XT_MULTIPORT_SOURCE
|
if (minfo->flags == XT_MULTIPORT_SOURCE
|
||||||
&& src >= s && src <= e)
|
&& src >= s && src <= e)
|
||||||
|
@ -77,7 +71,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
|
||||||
return true ^ minfo->invert;
|
return true ^ minfo->invert;
|
||||||
} else {
|
} else {
|
||||||
/* exact port matching */
|
/* exact port matching */
|
||||||
duprintf("src or dst matches with %d?\n", s);
|
pr_debug("src or dst matches with %d?\n", s);
|
||||||
|
|
||||||
if (minfo->flags == XT_MULTIPORT_SOURCE
|
if (minfo->flags == XT_MULTIPORT_SOURCE
|
||||||
&& src == s)
|
&& src == s)
|
||||||
|
@ -109,7 +103,7 @@ multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
|
pr_debug("Dropping evil offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -133,7 +127,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
|
pr_debug("Dropping evil offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
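Review bot: After the hard-coded `xt_multiport:` prefix is dropped, multiport_mt_v0() and multiport_mt() emit byte-identical `Dropping evil offset=0 tinygram.` lines, so the trace no longer tells which revision of the match hotdropped the packet. Add the function name to both, e.g. `pr_debug("%s: Dropping evil offset=0 tinygram.\n", __func__);`, or keep a v0/v1 tag in the text. Both functions start outside their hunks.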
@ -1,3 +1,4 @@
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <linux/skbuff.h>
|
#include <linux/skbuff.h>
|
||||||
#include <net/ip.h>
|
#include <net/ip.h>
|
||||||
|
@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
|
||||||
MODULE_ALIAS("ipt_sctp");
|
MODULE_ALIAS("ipt_sctp");
|
||||||
MODULE_ALIAS("ip6t_sctp");
|
MODULE_ALIAS("ip6t_sctp");
|
||||||
|
|
||||||
#ifdef DEBUG_SCTP
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
|
#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
|
||||||
|| (!!((invflag) & (option)) ^ (cond)))
|
|| (!!((invflag) & (option)) ^ (cond)))
|
||||||
|
|
||||||
|
@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
|
||||||
const struct xt_sctp_flag_info *flag_info = info->flag_info;
|
const struct xt_sctp_flag_info *flag_info = info->flag_info;
|
||||||
int flag_count = info->flag_count;
|
int flag_count = info->flag_count;
|
||||||
|
|
||||||
#ifdef DEBUG_SCTP
|
#ifdef DEBUG
|
||||||
int i = 0;
|
int i = 0;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
|
||||||
do {
|
do {
|
||||||
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
|
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
|
||||||
if (sch == NULL || sch->length == 0) {
|
if (sch == NULL || sch->length == 0) {
|
||||||
duprintf("Dropping invalid SCTP packet.\n");
|
pr_debug("Dropping invalid SCTP packet.\n");
|
||||||
*hotdrop = true;
|
*hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
#ifdef DEBUG
|
||||||
duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
|
pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
|
||||||
++i, offset, sch->type, htons(sch->length), sch->flags);
|
"\tflags: %x\n",
|
||||||
|
++i, offset, sch->type, htons(sch->length),
|
||||||
|
sch->flags);
|
||||||
|
#endif
|
||||||
offset += (ntohs(sch->length) + 3) & ~3;
|
offset += (ntohs(sch->length) + 3) & ~3;
|
||||||
|
|
||||||
duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);
|
pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
|
||||||
|
|
||||||
if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
|
if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
|
||||||
switch (chunk_match_type) {
|
switch (chunk_match_type) {
|
||||||
|
@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
sctp_sctphdr_t _sh;
|
sctp_sctphdr_t _sh;
|
||||||
|
|
||||||
if (par->fragoff != 0) {
|
if (par->fragoff != 0) {
|
||||||
duprintf("Dropping non-first fragment.. FIXME\n");
|
pr_debug("Dropping non-first fragment.. FIXME\n");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
|
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
|
||||||
if (sh == NULL) {
|
if (sh == NULL) {
|
||||||
duprintf("Dropping evil TCP offset=0 tinygram.\n");
|
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
|
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
|
||||||
|
|
||||||
return SCCHECK(ntohs(sh->source) >= info->spts[0]
|
return SCCHECK(ntohs(sh->source) >= info->spts[0]
|
||||||
&& ntohs(sh->source) <= info->spts[1],
|
&& ntohs(sh->source) <= info->spts[1],
|
||||||
|
|
|
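Review bot: The chunk trace in match_packet() is now wrapped in `#ifdef DEBUG` while every other trace in the file is a plain pr_debug(), so under CONFIG_DYNAMIC_DEBUG without DEBUG this one message — the most useful one for diagnosing a malformed chunk list — cannot be enabled at all; the wrapper exists only because `++i` lives inside the pr_debug() argument list. Incrementing the counter outside the call lets both #ifdef blocks (around the declaration and around the call) go, at the cost of one unconditional increment per chunk. The same call passes `htons(sch->length)` for a value read off the wire where the next line uses `ntohs(sch->length)`; the result is identical, but it misstates the direction and should trip sparse's endianness check. Separately, the tinygram message in sctp_mt() still says TCP: `pr_debug("Dropping evil SCTP offset=0 tinygram.\n");`. match_packet() and sctp_mt() both start and end outside the hunks.
```c
	int i = 0;

	/* … unchanged: header-pointer loop and invalid-chunk drop … */
		i++;
		pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
			 "\tflags: %x\n",
			 i, offset, sch->type, ntohs(sch->length),
			 sch->flags);
		offset += (ntohs(sch->length) + 3) & ~3;
```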
@ -1,3 +1,4 @@
|
||||||
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||||
#include <linux/types.h>
|
#include <linux/types.h>
|
||||||
#include <linux/module.h>
|
#include <linux/module.h>
|
||||||
#include <net/ip.h>
|
#include <net/ip.h>
|
||||||
|
@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
|
||||||
MODULE_ALIAS("ip6t_udp");
|
MODULE_ALIAS("ip6t_udp");
|
||||||
MODULE_ALIAS("ip6t_tcp");
|
MODULE_ALIAS("ip6t_tcp");
|
||||||
|
|
||||||
#ifdef DEBUG_IP_FIREWALL_USER
|
|
||||||
#define duprintf(format, args...) printk(format , ## args)
|
|
||||||
#else
|
|
||||||
#define duprintf(format, args...)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
/* Returns 1 if the port is matched by the range, 0 otherwise */
|
/* Returns 1 if the port is matched by the range, 0 otherwise */
|
||||||
static inline bool
|
static inline bool
|
||||||
port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
|
port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
|
||||||
|
@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
|
||||||
u_int8_t _opt[60 - sizeof(struct tcphdr)];
|
u_int8_t _opt[60 - sizeof(struct tcphdr)];
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
duprintf("tcp_match: finding option\n");
|
pr_debug("finding option\n");
|
||||||
|
|
||||||
if (!optlen)
|
if (!optlen)
|
||||||
return invert;
|
return invert;
|
||||||
|
@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
flag overwrite to pass the direction checks.
|
flag overwrite to pass the direction checks.
|
||||||
*/
|
*/
|
||||||
if (par->fragoff == 1) {
|
if (par->fragoff == 1) {
|
||||||
duprintf("Dropping evil TCP offset=1 frag.\n");
|
pr_debug("Dropping evil TCP offset=1 frag.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
}
|
}
|
||||||
/* Must not be a fragment. */
|
/* Must not be a fragment. */
|
||||||
|
@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
if (th == NULL) {
|
if (th == NULL) {
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
duprintf("Dropping evil TCP offset=0 tinygram.\n");
|
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
if (uh == NULL) {
|
if (uh == NULL) {
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
duprintf("Dropping evil UDP tinygram.\n");
|
pr_debug("Dropping evil UDP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
*par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|