Merge branch 'master' of git://dev.medozas.de/linux
This commit is contained in:
Patrick McHardy
commit
cba7a98a47
98 changed files with 316 additions and 367 deletions
|
|
@ -183,29 +183,39 @@ struct xt_counters_info {
|
||||||
#include <linux/netdevice.h>
|
#include <linux/netdevice.h>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct xt_match_param - parameters for match extensions' match functions
|
* struct xt_action_param - parameters for matches/targets
|
||||||
*
|
*
|
||||||
|
* @match: the match extension
|
||||||
|
* @target: the target extension
|
||||||
|
* @matchinfo: per-match data
|
||||||
|
* @targetinfo: per-target data
|
||||||
* @in: input netdevice
|
* @in: input netdevice
|
||||||
* @out: output netdevice
|
* @out: output netdevice
|
||||||
* @match: struct xt_match through which this function was invoked
|
|
||||||
* @matchinfo: per-match data
|
|
||||||
* @fragoff: packet is a fragment, this is the data offset
|
* @fragoff: packet is a fragment, this is the data offset
|
||||||
* @thoff: position of transport header relative to skb->data
|
* @thoff: position of transport header relative to skb->data
|
||||||
* @hook: hook number given packet came from
|
* @hook: hook number given packet came from
|
||||||
* @family: Actual NFPROTO_* through which the function is invoked
|
* @family: Actual NFPROTO_* through which the function is invoked
|
||||||
* (helpful when match->family == NFPROTO_UNSPEC)
|
* (helpful when match->family == NFPROTO_UNSPEC)
|
||||||
|
*
|
||||||
|
* Fields written to by extensions:
|
||||||
|
*
|
||||||
* @hotdrop: drop packet if we had inspection problems
|
* @hotdrop: drop packet if we had inspection problems
|
||||||
* Network namespace obtainable using dev_net(in/out)
|
* Network namespace obtainable using dev_net(in/out)
|
||||||
*/
|
*/
|
||||||
struct xt_match_param {
|
struct xt_action_param {
|
||||||
|
union {
|
||||||
|
const struct xt_match *match;
|
||||||
|
const struct xt_target *target;
|
||||||
|
};
|
||||||
|
union {
|
||||||
|
const void *matchinfo, *targinfo;
|
||||||
|
};
|
||||||
const struct net_device *in, *out;
|
const struct net_device *in, *out;
|
||||||
const struct xt_match *match;
|
|
||||||
const void *matchinfo;
|
|
||||||
int fragoff;
|
int fragoff;
|
||||||
unsigned int thoff;
|
unsigned int thoff;
|
||||||
unsigned int hooknum;
|
unsigned int hooknum;
|
||||||
u_int8_t family;
|
u_int8_t family;
|
||||||
bool *hotdrop;
|
bool hotdrop;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -242,23 +252,6 @@ struct xt_mtdtor_param {
|
||||||
u_int8_t family;
|
u_int8_t family;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* struct xt_target_param - parameters for target extensions' target functions
|
|
||||||
*
|
|
||||||
* @hooknum: hook through which this target was invoked
|
|
||||||
* @target: struct xt_target through which this function was invoked
|
|
||||||
* @targinfo: per-target data
|
|
||||||
*
|
|
||||||
* Other fields see above.
|
|
||||||
*/
|
|
||||||
struct xt_target_param {
|
|
||||||
const struct net_device *in, *out;
|
|
||||||
const struct xt_target *target;
|
|
||||||
const void *targinfo;
|
|
||||||
unsigned int hooknum;
|
|
||||||
u_int8_t family;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct xt_tgchk_param - parameters for target extensions'
|
* struct xt_tgchk_param - parameters for target extensions'
|
||||||
* checkentry functions
|
* checkentry functions
|
||||||
|
|
@ -298,7 +291,7 @@ struct xt_match {
|
||||||
non-linear skb, using skb_header_pointer and
|
non-linear skb, using skb_header_pointer and
|
||||||
skb_ip_make_writable. */
|
skb_ip_make_writable. */
|
||||||
bool (*match)(const struct sk_buff *skb,
|
bool (*match)(const struct sk_buff *skb,
|
||||||
const struct xt_match_param *);
|
struct xt_action_param *);
|
||||||
|
|
||||||
/* Called when user tries to insert an entry of this type. */
|
/* Called when user tries to insert an entry of this type. */
|
||||||
int (*checkentry)(const struct xt_mtchk_param *);
|
int (*checkentry)(const struct xt_mtchk_param *);
|
||||||
|
|
@ -335,7 +328,7 @@ struct xt_target {
|
||||||
must now handle non-linear skbs, using skb_copy_bits and
|
must now handle non-linear skbs, using skb_copy_bits and
|
||||||
skb_ip_make_writable. */
|
skb_ip_make_writable. */
|
||||||
unsigned int (*target)(struct sk_buff *skb,
|
unsigned int (*target)(struct sk_buff *skb,
|
||||||
const struct xt_target_param *);
|
const struct xt_action_param *);
|
||||||
|
|
||||||
/* Called when user tries to insert an entry of this type:
|
/* Called when user tries to insert an entry of this type:
|
||||||
hook_mask is a bitmask of hooks from which it can be
|
hook_mask is a bitmask of hooks from which it can be
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_802_3.h>
|
#include <linux/netfilter_bridge/ebt_802_3.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_802_3_info *info = par->matchinfo;
|
const struct ebt_802_3_info *info = par->matchinfo;
|
||||||
const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
|
const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
|
||||||
|
|
|
||||||
|
|
@ -129,7 +129,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_among_info *info = par->matchinfo;
|
const struct ebt_among_info *info = par->matchinfo;
|
||||||
const char *dmac, *smac;
|
const char *dmac, *smac;
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_arp.h>
|
#include <linux/netfilter_bridge/ebt_arp.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_arp_info *info = par->matchinfo;
|
const struct ebt_arp_info *info = par->matchinfo;
|
||||||
const struct arphdr *ah;
|
const struct arphdr *ah;
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_arpreply.h>
|
#include <linux/netfilter_bridge/ebt_arpreply.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_arpreply_info *info = par->targinfo;
|
const struct ebt_arpreply_info *info = par->targinfo;
|
||||||
const __be32 *siptr, *diptr;
|
const __be32 *siptr, *diptr;
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_nat.h>
|
#include <linux/netfilter_bridge/ebt_nat.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_nat_info *info = par->targinfo;
|
const struct ebt_nat_info *info = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ struct tcpudphdr {
|
||||||
};
|
};
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_ip_info *info = par->matchinfo;
|
const struct ebt_ip_info *info = par->matchinfo;
|
||||||
const struct iphdr *ih;
|
const struct iphdr *ih;
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ struct tcpudphdr {
|
||||||
};
|
};
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_ip6_info *info = par->matchinfo;
|
const struct ebt_ip6_info *info = par->matchinfo;
|
||||||
const struct ipv6hdr *ih6;
|
const struct ipv6hdr *ih6;
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ static DEFINE_SPINLOCK(limit_lock);
|
||||||
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
|
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ebt_limit_info *info = (void *)par->matchinfo;
|
struct ebt_limit_info *info = (void *)par->matchinfo;
|
||||||
unsigned long now = jiffies;
|
unsigned long now = jiffies;
|
||||||
|
|
|
||||||
|
|
@ -171,7 +171,7 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_log_info *info = par->targinfo;
|
const struct ebt_log_info *info = par->targinfo;
|
||||||
struct nf_loginfo li;
|
struct nf_loginfo li;
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_mark_t.h>
|
#include <linux/netfilter_bridge/ebt_mark_t.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_mark_t_info *info = par->targinfo;
|
const struct ebt_mark_t_info *info = par->targinfo;
|
||||||
int action = info->target & -16;
|
int action = info->target & -16;
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_mark_m.h>
|
#include <linux/netfilter_bridge/ebt_mark_m.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_mark_m_info *info = par->matchinfo;
|
const struct ebt_mark_m_info *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,7 @@
|
||||||
#include <net/netfilter/nf_log.h>
|
#include <net/netfilter/nf_log.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_nflog_info *info = par->targinfo;
|
const struct ebt_nflog_info *info = par->targinfo;
|
||||||
struct nf_loginfo li;
|
struct nf_loginfo li;
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_pkttype.h>
|
#include <linux/netfilter_bridge/ebt_pkttype.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_pkttype_info *info = par->matchinfo;
|
const struct ebt_pkttype_info *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_redirect.h>
|
#include <linux/netfilter_bridge/ebt_redirect.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_redirect_info *info = par->targinfo;
|
const struct ebt_redirect_info *info = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@
|
||||||
#include <linux/netfilter_bridge/ebt_nat.h>
|
#include <linux/netfilter_bridge/ebt_nat.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_nat_info *info = par->targinfo;
|
const struct ebt_nat_info *info = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_stp_info *info = par->matchinfo;
|
const struct ebt_stp_info *info = par->matchinfo;
|
||||||
const struct stp_header *sp;
|
const struct stp_header *sp;
|
||||||
|
|
|
||||||
|
|
@ -243,7 +243,7 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
|
ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
|
||||||
par->targinfo, NULL);
|
par->targinfo, NULL);
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ MODULE_LICENSE("GPL");
|
||||||
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
|
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ebt_vlan_info *info = par->matchinfo;
|
const struct ebt_vlan_info *info = par->matchinfo;
|
||||||
const struct vlan_hdr *fp;
|
const struct vlan_hdr *fp;
|
||||||
|
|
|
||||||
|
|
@ -86,7 +86,7 @@ static struct xt_target ebt_standard_target = {
|
||||||
|
|
||||||
static inline int
|
static inline int
|
||||||
ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
|
ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
|
||||||
struct xt_target_param *par)
|
struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
par->target = w->u.watcher;
|
par->target = w->u.watcher;
|
||||||
par->targinfo = w->data;
|
par->targinfo = w->data;
|
||||||
|
|
@ -95,8 +95,9 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int ebt_do_match (struct ebt_entry_match *m,
|
static inline int
|
||||||
const struct sk_buff *skb, struct xt_match_param *par)
|
ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
|
||||||
|
struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
par->match = m->u.match;
|
par->match = m->u.match;
|
||||||
par->matchinfo = m->data;
|
par->matchinfo = m->data;
|
||||||
|
|
@ -185,15 +186,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||||
struct ebt_entries *chaininfo;
|
struct ebt_entries *chaininfo;
|
||||||
const char *base;
|
const char *base;
|
||||||
const struct ebt_table_info *private;
|
const struct ebt_table_info *private;
|
||||||
bool hotdrop = false;
|
struct xt_action_param acpar;
|
||||||
struct xt_match_param mtpar;
|
|
||||||
struct xt_target_param tgpar;
|
|
||||||
|
|
||||||
mtpar.family = tgpar.family = NFPROTO_BRIDGE;
|
acpar.family = NFPROTO_BRIDGE;
|
||||||
mtpar.in = tgpar.in = in;
|
acpar.in = in;
|
||||||
mtpar.out = tgpar.out = out;
|
acpar.out = out;
|
||||||
mtpar.hotdrop = &hotdrop;
|
acpar.hotdrop = false;
|
||||||
mtpar.hooknum = tgpar.hooknum = hook;
|
acpar.hooknum = hook;
|
||||||
|
|
||||||
read_lock_bh(&table->lock);
|
read_lock_bh(&table->lock);
|
||||||
private = table->private;
|
private = table->private;
|
||||||
|
|
@ -214,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||||
if (ebt_basic_match(point, eth_hdr(skb), in, out))
|
if (ebt_basic_match(point, eth_hdr(skb), in, out))
|
||||||
goto letscontinue;
|
goto letscontinue;
|
||||||
|
|
||||||
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
|
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
|
||||||
goto letscontinue;
|
goto letscontinue;
|
||||||
if (hotdrop) {
|
if (acpar.hotdrop) {
|
||||||
read_unlock_bh(&table->lock);
|
read_unlock_bh(&table->lock);
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
}
|
}
|
||||||
|
|
@ -227,7 +226,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||||
|
|
||||||
/* these should only watch: not modify, nor tell us
|
/* these should only watch: not modify, nor tell us
|
||||||
what to do with the packet */
|
what to do with the packet */
|
||||||
EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
|
EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
|
||||||
|
|
||||||
t = (struct ebt_entry_target *)
|
t = (struct ebt_entry_target *)
|
||||||
(((char *)point) + point->target_offset);
|
(((char *)point) + point->target_offset);
|
||||||
|
|
@ -235,9 +234,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
|
||||||
if (!t->u.target->target)
|
if (!t->u.target->target)
|
||||||
verdict = ((struct ebt_standard_target *)t)->verdict;
|
verdict = ((struct ebt_standard_target *)t)->verdict;
|
||||||
else {
|
else {
|
||||||
tgpar.target = t->u.target;
|
acpar.target = t->u.target;
|
||||||
tgpar.targinfo = t->data;
|
acpar.targinfo = t->data;
|
||||||
verdict = t->u.target->target(skb, &tgpar);
|
verdict = t->u.target->target(skb, &acpar);
|
||||||
}
|
}
|
||||||
if (verdict == EBT_ACCEPT) {
|
if (verdict == EBT_ACCEPT) {
|
||||||
read_unlock_bh(&table->lock);
|
read_unlock_bh(&table->lock);
|
||||||
|
|
|
||||||
|
|
@ -224,7 +224,7 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
|
arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
printk("arp_tables: error: '%s'\n",
|
printk("arp_tables: error: '%s'\n",
|
||||||
|
|
@ -260,12 +260,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
unsigned int verdict = NF_DROP;
|
unsigned int verdict = NF_DROP;
|
||||||
const struct arphdr *arp;
|
const struct arphdr *arp;
|
||||||
bool hotdrop = false;
|
|
||||||
struct arpt_entry *e, *back;
|
struct arpt_entry *e, *back;
|
||||||
const char *indev, *outdev;
|
const char *indev, *outdev;
|
||||||
void *table_base;
|
void *table_base;
|
||||||
const struct xt_table_info *private;
|
const struct xt_table_info *private;
|
||||||
struct xt_target_param tgpar;
|
struct xt_action_param acpar;
|
||||||
|
|
||||||
if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
|
if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
@ -280,10 +279,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
e = get_entry(table_base, private->hook_entry[hook]);
|
e = get_entry(table_base, private->hook_entry[hook]);
|
||||||
back = get_entry(table_base, private->underflow[hook]);
|
back = get_entry(table_base, private->underflow[hook]);
|
||||||
|
|
||||||
tgpar.in = in;
|
acpar.in = in;
|
||||||
tgpar.out = out;
|
acpar.out = out;
|
||||||
tgpar.hooknum = hook;
|
acpar.hooknum = hook;
|
||||||
tgpar.family = NFPROTO_ARP;
|
acpar.family = NFPROTO_ARP;
|
||||||
|
acpar.hotdrop = false;
|
||||||
|
|
||||||
arp = arp_hdr(skb);
|
arp = arp_hdr(skb);
|
||||||
do {
|
do {
|
||||||
|
|
@ -333,9 +333,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
/* Targets which reenter must return
|
/* Targets which reenter must return
|
||||||
* abs. verdicts
|
* abs. verdicts
|
||||||
*/
|
*/
|
||||||
tgpar.target = t->u.kernel.target;
|
acpar.target = t->u.kernel.target;
|
||||||
tgpar.targinfo = t->data;
|
acpar.targinfo = t->data;
|
||||||
verdict = t->u.kernel.target->target(skb, &tgpar);
|
verdict = t->u.kernel.target->target(skb, &acpar);
|
||||||
|
|
||||||
/* Target might have changed stuff. */
|
/* Target might have changed stuff. */
|
||||||
arp = arp_hdr(skb);
|
arp = arp_hdr(skb);
|
||||||
|
|
@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||||
else
|
else
|
||||||
/* Verdict */
|
/* Verdict */
|
||||||
break;
|
break;
|
||||||
} while (!hotdrop);
|
} while (!acpar.hotdrop);
|
||||||
xt_info_rdunlock_bh();
|
xt_info_rdunlock_bh();
|
||||||
|
|
||||||
if (hotdrop)
|
if (acpar.hotdrop)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
else
|
else
|
||||||
return verdict;
|
return verdict;
|
||||||
|
|
@ -1828,22 +1828,23 @@ void arpt_unregister_table(struct xt_table *table)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* The built-in targets: standard (NULL) and error. */
|
/* The built-in targets: standard (NULL) and error. */
|
||||||
static struct xt_target arpt_standard_target __read_mostly = {
|
static struct xt_target arpt_builtin_tg[] __read_mostly = {
|
||||||
.name = ARPT_STANDARD_TARGET,
|
{
|
||||||
.targetsize = sizeof(int),
|
.name = ARPT_STANDARD_TARGET,
|
||||||
.family = NFPROTO_ARP,
|
.targetsize = sizeof(int),
|
||||||
|
.family = NFPROTO_ARP,
|
||||||
#ifdef CONFIG_COMPAT
|
#ifdef CONFIG_COMPAT
|
||||||
.compatsize = sizeof(compat_int_t),
|
.compatsize = sizeof(compat_int_t),
|
||||||
.compat_from_user = compat_standard_from_user,
|
.compat_from_user = compat_standard_from_user,
|
||||||
.compat_to_user = compat_standard_to_user,
|
.compat_to_user = compat_standard_to_user,
|
||||||
#endif
|
#endif
|
||||||
};
|
},
|
||||||
|
{
|
||||||
static struct xt_target arpt_error_target __read_mostly = {
|
.name = ARPT_ERROR_TARGET,
|
||||||
.name = ARPT_ERROR_TARGET,
|
.target = arpt_error,
|
||||||
.target = arpt_error,
|
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
|
||||||
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
|
.family = NFPROTO_ARP,
|
||||||
.family = NFPROTO_ARP,
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct nf_sockopt_ops arpt_sockopts = {
|
static struct nf_sockopt_ops arpt_sockopts = {
|
||||||
|
|
@ -1887,12 +1888,9 @@ static int __init arp_tables_init(void)
|
||||||
goto err1;
|
goto err1;
|
||||||
|
|
||||||
/* Noone else will be downing sem now, so we won't sleep */
|
/* Noone else will be downing sem now, so we won't sleep */
|
||||||
ret = xt_register_target(&arpt_standard_target);
|
ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto err2;
|
goto err2;
|
||||||
ret = xt_register_target(&arpt_error_target);
|
|
||||||
if (ret < 0)
|
|
||||||
goto err3;
|
|
||||||
|
|
||||||
/* Register setsockopt */
|
/* Register setsockopt */
|
||||||
ret = nf_register_sockopt(&arpt_sockopts);
|
ret = nf_register_sockopt(&arpt_sockopts);
|
||||||
|
|
@ -1903,9 +1901,7 @@ static int __init arp_tables_init(void)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err4:
|
err4:
|
||||||
xt_unregister_target(&arpt_error_target);
|
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
|
||||||
err3:
|
|
||||||
xt_unregister_target(&arpt_standard_target);
|
|
||||||
err2:
|
err2:
|
||||||
unregister_pernet_subsys(&arp_tables_net_ops);
|
unregister_pernet_subsys(&arp_tables_net_ops);
|
||||||
err1:
|
err1:
|
||||||
|
|
@ -1915,8 +1911,7 @@ static int __init arp_tables_init(void)
|
||||||
static void __exit arp_tables_fini(void)
|
static void __exit arp_tables_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_sockopt(&arpt_sockopts);
|
nf_unregister_sockopt(&arpt_sockopts);
|
||||||
xt_unregister_target(&arpt_error_target);
|
xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
|
||||||
xt_unregister_target(&arpt_standard_target);
|
|
||||||
unregister_pernet_subsys(&arp_tables_net_ops);
|
unregister_pernet_subsys(&arp_tables_net_ops);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
|
||||||
MODULE_DESCRIPTION("arptables arp payload mangle target");
|
MODULE_DESCRIPTION("arptables arp payload mangle target");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
target(struct sk_buff *skb, const struct xt_target_param *par)
|
target(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct arpt_mangle *mangle = par->targinfo;
|
const struct arpt_mangle *mangle = par->targinfo;
|
||||||
const struct arphdr *arp;
|
const struct arphdr *arp;
|
||||||
|
|
|
||||||
|
|
@ -165,7 +165,7 @@ ip_checkentry(const struct ipt_ip *ip)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
|
ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
pr_info("error: `%s'\n", (const char *)par->targinfo);
|
pr_info("error: `%s'\n", (const char *)par->targinfo);
|
||||||
|
|
@ -173,21 +173,6 @@ ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Performance critical - called for every packet */
|
|
||||||
static inline bool
|
|
||||||
do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
|
|
||||||
struct xt_match_param *par)
|
|
||||||
{
|
|
||||||
par->match = m->u.kernel.match;
|
|
||||||
par->matchinfo = m->data;
|
|
||||||
|
|
||||||
/* Stop iteration if it doesn't match */
|
|
||||||
if (!m->u.kernel.match->match(skb, par))
|
|
||||||
return true;
|
|
||||||
else
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Performance critical */
|
/* Performance critical */
|
||||||
static inline struct ipt_entry *
|
static inline struct ipt_entry *
|
||||||
get_entry(const void *base, unsigned int offset)
|
get_entry(const void *base, unsigned int offset)
|
||||||
|
|
@ -323,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
{
|
{
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
const struct iphdr *ip;
|
const struct iphdr *ip;
|
||||||
bool hotdrop = false;
|
|
||||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||||
unsigned int verdict = NF_DROP;
|
unsigned int verdict = NF_DROP;
|
||||||
const char *indev, *outdev;
|
const char *indev, *outdev;
|
||||||
|
|
@ -331,8 +315,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
struct ipt_entry *e, **jumpstack;
|
struct ipt_entry *e, **jumpstack;
|
||||||
unsigned int *stackptr, origptr, cpu;
|
unsigned int *stackptr, origptr, cpu;
|
||||||
const struct xt_table_info *private;
|
const struct xt_table_info *private;
|
||||||
struct xt_match_param mtpar;
|
struct xt_action_param acpar;
|
||||||
struct xt_target_param tgpar;
|
|
||||||
|
|
||||||
/* Initialization */
|
/* Initialization */
|
||||||
ip = ip_hdr(skb);
|
ip = ip_hdr(skb);
|
||||||
|
|
@ -344,13 +327,13 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
* things we don't know, ie. tcp syn flag or ports). If the
|
* things we don't know, ie. tcp syn flag or ports). If the
|
||||||
* rule is also a fragment-specific rule, non-fragments won't
|
* rule is also a fragment-specific rule, non-fragments won't
|
||||||
* match it. */
|
* match it. */
|
||||||
mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
|
||||||
mtpar.thoff = ip_hdrlen(skb);
|
acpar.thoff = ip_hdrlen(skb);
|
||||||
mtpar.hotdrop = &hotdrop;
|
acpar.hotdrop = false;
|
||||||
mtpar.in = tgpar.in = in;
|
acpar.in = in;
|
||||||
mtpar.out = tgpar.out = out;
|
acpar.out = out;
|
||||||
mtpar.family = tgpar.family = NFPROTO_IPV4;
|
acpar.family = NFPROTO_IPV4;
|
||||||
mtpar.hooknum = tgpar.hooknum = hook;
|
acpar.hooknum = hook;
|
||||||
|
|
||||||
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
||||||
xt_info_rdlock_bh();
|
xt_info_rdlock_bh();
|
||||||
|
|
@ -373,15 +356,18 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
|
|
||||||
IP_NF_ASSERT(e);
|
IP_NF_ASSERT(e);
|
||||||
if (!ip_packet_match(ip, indev, outdev,
|
if (!ip_packet_match(ip, indev, outdev,
|
||||||
&e->ip, mtpar.fragoff)) {
|
&e->ip, acpar.fragoff)) {
|
||||||
no_match:
|
no_match:
|
||||||
e = ipt_next_entry(e);
|
e = ipt_next_entry(e);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
xt_ematch_foreach(ematch, e)
|
xt_ematch_foreach(ematch, e) {
|
||||||
if (do_match(ematch, skb, &mtpar) != 0)
|
acpar.match = ematch->u.kernel.match;
|
||||||
|
acpar.matchinfo = ematch->data;
|
||||||
|
if (!acpar.match->match(skb, &acpar))
|
||||||
goto no_match;
|
goto no_match;
|
||||||
|
}
|
||||||
|
|
||||||
ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
|
ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
|
||||||
|
|
||||||
|
|
@ -434,11 +420,10 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
tgpar.target = t->u.kernel.target;
|
acpar.target = t->u.kernel.target;
|
||||||
tgpar.targinfo = t->data;
|
acpar.targinfo = t->data;
|
||||||
|
|
||||||
|
verdict = t->u.kernel.target->target(skb, &acpar);
|
||||||
verdict = t->u.kernel.target->target(skb, &tgpar);
|
|
||||||
/* Target might have changed stuff. */
|
/* Target might have changed stuff. */
|
||||||
ip = ip_hdr(skb);
|
ip = ip_hdr(skb);
|
||||||
if (verdict == IPT_CONTINUE)
|
if (verdict == IPT_CONTINUE)
|
||||||
|
|
@ -446,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
else
|
else
|
||||||
/* Verdict */
|
/* Verdict */
|
||||||
break;
|
break;
|
||||||
} while (!hotdrop);
|
} while (!acpar.hotdrop);
|
||||||
xt_info_rdunlock_bh();
|
xt_info_rdunlock_bh();
|
||||||
pr_debug("Exiting %s; resetting sp from %u to %u\n",
|
pr_debug("Exiting %s; resetting sp from %u to %u\n",
|
||||||
__func__, *stackptr, origptr);
|
__func__, *stackptr, origptr);
|
||||||
|
|
@ -454,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
#ifdef DEBUG_ALLOW_ALL
|
#ifdef DEBUG_ALLOW_ALL
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
#else
|
#else
|
||||||
if (hotdrop)
|
if (acpar.hotdrop)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
else return verdict;
|
else return verdict;
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -591,7 +576,7 @@ check_entry(const struct ipt_entry *e, const char *name)
|
||||||
const struct ipt_entry_target *t;
|
const struct ipt_entry_target *t;
|
||||||
|
|
||||||
if (!ip_checkentry(&e->ip)) {
|
if (!ip_checkentry(&e->ip)) {
|
||||||
duprintf("ip check failed %p %s.\n", e, name);
|
duprintf("ip check failed %p %s.\n", e, par->match->name);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -618,7 +603,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
|
||||||
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
|
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
|
||||||
ip->proto, ip->invflags & IPT_INV_PROTO);
|
ip->proto, ip->invflags & IPT_INV_PROTO);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
duprintf("check failed for `%s'.\n", par.match->name);
|
duprintf("check failed for `%s'.\n", par->match->name);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -2152,7 +2137,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
|
icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct icmphdr *ic;
|
const struct icmphdr *ic;
|
||||||
struct icmphdr _icmph;
|
struct icmphdr _icmph;
|
||||||
|
|
@ -2168,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("Dropping evil ICMP tinygram.\n");
|
duprintf("Dropping evil ICMP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2187,23 +2172,23 @@ static int icmp_checkentry(const struct xt_mtchk_param *par)
|
||||||
return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
|
return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* The built-in targets: standard (NULL) and error. */
|
static struct xt_target ipt_builtin_tg[] __read_mostly = {
|
||||||
static struct xt_target ipt_standard_target __read_mostly = {
|
{
|
||||||
.name = IPT_STANDARD_TARGET,
|
.name = IPT_STANDARD_TARGET,
|
||||||
.targetsize = sizeof(int),
|
.targetsize = sizeof(int),
|
||||||
.family = NFPROTO_IPV4,
|
.family = NFPROTO_IPV4,
|
||||||
#ifdef CONFIG_COMPAT
|
#ifdef CONFIG_COMPAT
|
||||||
.compatsize = sizeof(compat_int_t),
|
.compatsize = sizeof(compat_int_t),
|
||||||
.compat_from_user = compat_standard_from_user,
|
.compat_from_user = compat_standard_from_user,
|
||||||
.compat_to_user = compat_standard_to_user,
|
.compat_to_user = compat_standard_to_user,
|
||||||
#endif
|
#endif
|
||||||
};
|
},
|
||||||
|
{
|
||||||
static struct xt_target ipt_error_target __read_mostly = {
|
.name = IPT_ERROR_TARGET,
|
||||||
.name = IPT_ERROR_TARGET,
|
.target = ipt_error,
|
||||||
.target = ipt_error,
|
.targetsize = IPT_FUNCTION_MAXNAMELEN,
|
||||||
.targetsize = IPT_FUNCTION_MAXNAMELEN,
|
.family = NFPROTO_IPV4,
|
||||||
.family = NFPROTO_IPV4,
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct nf_sockopt_ops ipt_sockopts = {
|
static struct nf_sockopt_ops ipt_sockopts = {
|
||||||
|
|
@ -2223,13 +2208,15 @@ static struct nf_sockopt_ops ipt_sockopts = {
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct xt_match icmp_matchstruct __read_mostly = {
|
static struct xt_match ipt_builtin_mt[] __read_mostly = {
|
||||||
.name = "icmp",
|
{
|
||||||
.match = icmp_match,
|
.name = "icmp",
|
||||||
.matchsize = sizeof(struct ipt_icmp),
|
.match = icmp_match,
|
||||||
.checkentry = icmp_checkentry,
|
.matchsize = sizeof(struct ipt_icmp),
|
||||||
.proto = IPPROTO_ICMP,
|
.checkentry = icmp_checkentry,
|
||||||
.family = NFPROTO_IPV4,
|
.proto = IPPROTO_ICMP,
|
||||||
|
.family = NFPROTO_IPV4,
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __net_init ip_tables_net_init(struct net *net)
|
static int __net_init ip_tables_net_init(struct net *net)
|
||||||
|
|
@ -2256,13 +2243,10 @@ static int __init ip_tables_init(void)
|
||||||
goto err1;
|
goto err1;
|
||||||
|
|
||||||
/* Noone else will be downing sem now, so we won't sleep */
|
/* Noone else will be downing sem now, so we won't sleep */
|
||||||
ret = xt_register_target(&ipt_standard_target);
|
ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto err2;
|
goto err2;
|
||||||
ret = xt_register_target(&ipt_error_target);
|
ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
|
||||||
if (ret < 0)
|
|
||||||
goto err3;
|
|
||||||
ret = xt_register_match(&icmp_matchstruct);
|
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto err4;
|
goto err4;
|
||||||
|
|
||||||
|
|
@ -2275,11 +2259,9 @@ static int __init ip_tables_init(void)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err5:
|
err5:
|
||||||
xt_unregister_match(&icmp_matchstruct);
|
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
|
||||||
err4:
|
err4:
|
||||||
xt_unregister_target(&ipt_error_target);
|
xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
|
||||||
err3:
|
|
||||||
xt_unregister_target(&ipt_standard_target);
|
|
||||||
err2:
|
err2:
|
||||||
unregister_pernet_subsys(&ip_tables_net_ops);
|
unregister_pernet_subsys(&ip_tables_net_ops);
|
||||||
err1:
|
err1:
|
||||||
|
|
@ -2290,10 +2272,8 @@ static void __exit ip_tables_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_sockopt(&ipt_sockopts);
|
nf_unregister_sockopt(&ipt_sockopts);
|
||||||
|
|
||||||
xt_unregister_match(&icmp_matchstruct);
|
xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
|
||||||
xt_unregister_target(&ipt_error_target);
|
xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
|
||||||
xt_unregister_target(&ipt_standard_target);
|
|
||||||
|
|
||||||
unregister_pernet_subsys(&ip_tables_net_ops);
|
unregister_pernet_subsys(&ip_tables_net_ops);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -282,7 +282,7 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
|
||||||
***********************************************************************/
|
***********************************************************************/
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
|
const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
|
|
|
||||||
|
|
@ -77,7 +77,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_ECN_info *einfo = par->targinfo;
|
const struct ipt_ECN_info *einfo = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -425,7 +425,7 @@ ipt_log_packet(u_int8_t pf,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
log_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
log_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_log_info *loginfo = par->targinfo;
|
const struct ipt_log_info *loginfo = par->targinfo;
|
||||||
struct nf_loginfo li;
|
struct nf_loginfo li;
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
struct nf_conn_nat *nat;
|
struct nf_conn_nat *nat;
|
||||||
|
|
|
||||||
|
|
@ -38,7 +38,7 @@ static int netmap_tg_check(const struct xt_tgchk_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
netmap_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
|
||||||
|
|
@ -42,7 +42,7 @@ static int redirect_tg_check(const struct xt_tgchk_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
|
||||||
|
|
@ -136,7 +136,7 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_reject_info *reject = par->targinfo;
|
const struct ipt_reject_info *reject = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -276,7 +276,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
|
ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
|
||||||
par->targinfo, NULL);
|
par->targinfo, NULL);
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||||
const struct ipt_addrtype_info *info = par->matchinfo;
|
const struct ipt_addrtype_info *info = par->matchinfo;
|
||||||
|
|
@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||||
const struct ipt_addrtype_info_v1 *info = par->matchinfo;
|
const struct ipt_addrtype_info_v1 *info = par->matchinfo;
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ip_auth_hdr _ahdr;
|
struct ip_auth_hdr _ahdr;
|
||||||
const struct ip_auth_hdr *ah;
|
const struct ip_auth_hdr *ah;
|
||||||
|
|
@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
pr_debug("Dropping evil AH tinygram.\n");
|
pr_debug("Dropping evil AH tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_ecn_info *info = par->matchinfo;
|
const struct ipt_ecn_info *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
|
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
|
||||||
if (ip_hdr(skb)->protocol != IPPROTO_TCP)
|
if (ip_hdr(skb)->protocol != IPPROTO_TCP)
|
||||||
return false;
|
return false;
|
||||||
if (!match_tcp(skb, info, par->hotdrop))
|
if (!match_tcp(skb, info, &par->hotdrop))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,7 @@ static const struct xt_table nat_table = {
|
||||||
|
|
||||||
/* Source NAT */
|
/* Source NAT */
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
|
ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
@ -58,7 +58,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
|
ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct nf_conn *ct;
|
struct nf_conn *ct;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
|
||||||
|
|
@ -197,7 +197,7 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
|
ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
pr_info("error: `%s'\n", (const char *)par->targinfo);
|
pr_info("error: `%s'\n", (const char *)par->targinfo);
|
||||||
|
|
@ -205,21 +205,6 @@ ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Performance critical - called for every packet */
|
|
||||||
static inline bool
|
|
||||||
do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
|
|
||||||
struct xt_match_param *par)
|
|
||||||
{
|
|
||||||
par->match = m->u.kernel.match;
|
|
||||||
par->matchinfo = m->data;
|
|
||||||
|
|
||||||
/* Stop iteration if it doesn't match */
|
|
||||||
if (!m->u.kernel.match->match(skb, par))
|
|
||||||
return true;
|
|
||||||
else
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline struct ip6t_entry *
|
static inline struct ip6t_entry *
|
||||||
get_entry(const void *base, unsigned int offset)
|
get_entry(const void *base, unsigned int offset)
|
||||||
{
|
{
|
||||||
|
|
@ -352,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
struct xt_table *table)
|
struct xt_table *table)
|
||||||
{
|
{
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
bool hotdrop = false;
|
|
||||||
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
/* Initializing verdict to NF_DROP keeps gcc happy. */
|
||||||
unsigned int verdict = NF_DROP;
|
unsigned int verdict = NF_DROP;
|
||||||
const char *indev, *outdev;
|
const char *indev, *outdev;
|
||||||
|
|
@ -360,8 +344,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
struct ip6t_entry *e, **jumpstack;
|
struct ip6t_entry *e, **jumpstack;
|
||||||
unsigned int *stackptr, origptr, cpu;
|
unsigned int *stackptr, origptr, cpu;
|
||||||
const struct xt_table_info *private;
|
const struct xt_table_info *private;
|
||||||
struct xt_match_param mtpar;
|
struct xt_action_param acpar;
|
||||||
struct xt_target_param tgpar;
|
|
||||||
|
|
||||||
/* Initialization */
|
/* Initialization */
|
||||||
indev = in ? in->name : nulldevname;
|
indev = in ? in->name : nulldevname;
|
||||||
|
|
@ -372,11 +355,11 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
* things we don't know, ie. tcp syn flag or ports). If the
|
* things we don't know, ie. tcp syn flag or ports). If the
|
||||||
* rule is also a fragment-specific rule, non-fragments won't
|
* rule is also a fragment-specific rule, non-fragments won't
|
||||||
* match it. */
|
* match it. */
|
||||||
mtpar.hotdrop = &hotdrop;
|
acpar.hotdrop = false;
|
||||||
mtpar.in = tgpar.in = in;
|
acpar.in = in;
|
||||||
mtpar.out = tgpar.out = out;
|
acpar.out = out;
|
||||||
mtpar.family = tgpar.family = NFPROTO_IPV6;
|
acpar.family = NFPROTO_IPV6;
|
||||||
mtpar.hooknum = tgpar.hooknum = hook;
|
acpar.hooknum = hook;
|
||||||
|
|
||||||
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
|
||||||
|
|
||||||
|
|
@ -396,15 +379,18 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
|
|
||||||
IP_NF_ASSERT(e);
|
IP_NF_ASSERT(e);
|
||||||
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
|
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
|
||||||
&mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
|
&acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
|
||||||
no_match:
|
no_match:
|
||||||
e = ip6t_next_entry(e);
|
e = ip6t_next_entry(e);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
xt_ematch_foreach(ematch, e)
|
xt_ematch_foreach(ematch, e) {
|
||||||
if (do_match(ematch, skb, &mtpar) != 0)
|
acpar.match = ematch->u.kernel.match;
|
||||||
|
acpar.matchinfo = ematch->data;
|
||||||
|
if (!acpar.match->match(skb, &acpar))
|
||||||
goto no_match;
|
goto no_match;
|
||||||
|
}
|
||||||
|
|
||||||
ADD_COUNTER(e->counters,
|
ADD_COUNTER(e->counters,
|
||||||
ntohs(ipv6_hdr(skb)->payload_len) +
|
ntohs(ipv6_hdr(skb)->payload_len) +
|
||||||
|
|
@ -451,16 +437,16 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
tgpar.target = t->u.kernel.target;
|
acpar.target = t->u.kernel.target;
|
||||||
tgpar.targinfo = t->data;
|
acpar.targinfo = t->data;
|
||||||
|
|
||||||
verdict = t->u.kernel.target->target(skb, &tgpar);
|
verdict = t->u.kernel.target->target(skb, &acpar);
|
||||||
if (verdict == IP6T_CONTINUE)
|
if (verdict == IP6T_CONTINUE)
|
||||||
e = ip6t_next_entry(e);
|
e = ip6t_next_entry(e);
|
||||||
else
|
else
|
||||||
/* Verdict */
|
/* Verdict */
|
||||||
break;
|
break;
|
||||||
} while (!hotdrop);
|
} while (!acpar.hotdrop);
|
||||||
|
|
||||||
xt_info_rdunlock_bh();
|
xt_info_rdunlock_bh();
|
||||||
*stackptr = origptr;
|
*stackptr = origptr;
|
||||||
|
|
@ -468,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
#ifdef DEBUG_ALLOW_ALL
|
#ifdef DEBUG_ALLOW_ALL
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
#else
|
#else
|
||||||
if (hotdrop)
|
if (acpar.hotdrop)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
else return verdict;
|
else return verdict;
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -2167,7 +2153,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
|
icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct icmp6hdr *ic;
|
const struct icmp6hdr *ic;
|
||||||
struct icmp6hdr _icmph;
|
struct icmp6hdr _icmph;
|
||||||
|
|
@ -2183,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
duprintf("Dropping evil ICMP tinygram.\n");
|
duprintf("Dropping evil ICMP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2204,22 +2190,23 @@ static int icmp6_checkentry(const struct xt_mtchk_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* The built-in targets: standard (NULL) and error. */
|
/* The built-in targets: standard (NULL) and error. */
|
||||||
static struct xt_target ip6t_standard_target __read_mostly = {
|
static struct xt_target ip6t_builtin_tg[] __read_mostly = {
|
||||||
.name = IP6T_STANDARD_TARGET,
|
{
|
||||||
.targetsize = sizeof(int),
|
.name = IP6T_STANDARD_TARGET,
|
||||||
.family = NFPROTO_IPV6,
|
.targetsize = sizeof(int),
|
||||||
|
.family = NFPROTO_IPV6,
|
||||||
#ifdef CONFIG_COMPAT
|
#ifdef CONFIG_COMPAT
|
||||||
.compatsize = sizeof(compat_int_t),
|
.compatsize = sizeof(compat_int_t),
|
||||||
.compat_from_user = compat_standard_from_user,
|
.compat_from_user = compat_standard_from_user,
|
||||||
.compat_to_user = compat_standard_to_user,
|
.compat_to_user = compat_standard_to_user,
|
||||||
#endif
|
#endif
|
||||||
};
|
},
|
||||||
|
{
|
||||||
static struct xt_target ip6t_error_target __read_mostly = {
|
.name = IP6T_ERROR_TARGET,
|
||||||
.name = IP6T_ERROR_TARGET,
|
.target = ip6t_error,
|
||||||
.target = ip6t_error,
|
.targetsize = IP6T_FUNCTION_MAXNAMELEN,
|
||||||
.targetsize = IP6T_FUNCTION_MAXNAMELEN,
|
.family = NFPROTO_IPV6,
|
||||||
.family = NFPROTO_IPV6,
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct nf_sockopt_ops ip6t_sockopts = {
|
static struct nf_sockopt_ops ip6t_sockopts = {
|
||||||
|
|
@ -2239,13 +2226,15 @@ static struct nf_sockopt_ops ip6t_sockopts = {
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct xt_match icmp6_matchstruct __read_mostly = {
|
static struct xt_match ip6t_builtin_mt[] __read_mostly = {
|
||||||
.name = "icmp6",
|
{
|
||||||
.match = icmp6_match,
|
.name = "icmp6",
|
||||||
.matchsize = sizeof(struct ip6t_icmp),
|
.match = icmp6_match,
|
||||||
.checkentry = icmp6_checkentry,
|
.matchsize = sizeof(struct ip6t_icmp),
|
||||||
.proto = IPPROTO_ICMPV6,
|
.checkentry = icmp6_checkentry,
|
||||||
.family = NFPROTO_IPV6,
|
.proto = IPPROTO_ICMPV6,
|
||||||
|
.family = NFPROTO_IPV6,
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __net_init ip6_tables_net_init(struct net *net)
|
static int __net_init ip6_tables_net_init(struct net *net)
|
||||||
|
|
@ -2272,13 +2261,10 @@ static int __init ip6_tables_init(void)
|
||||||
goto err1;
|
goto err1;
|
||||||
|
|
||||||
/* Noone else will be downing sem now, so we won't sleep */
|
/* Noone else will be downing sem now, so we won't sleep */
|
||||||
ret = xt_register_target(&ip6t_standard_target);
|
ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto err2;
|
goto err2;
|
||||||
ret = xt_register_target(&ip6t_error_target);
|
ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
|
||||||
if (ret < 0)
|
|
||||||
goto err3;
|
|
||||||
ret = xt_register_match(&icmp6_matchstruct);
|
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto err4;
|
goto err4;
|
||||||
|
|
||||||
|
|
@ -2291,11 +2277,9 @@ static int __init ip6_tables_init(void)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err5:
|
err5:
|
||||||
xt_unregister_match(&icmp6_matchstruct);
|
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
|
||||||
err4:
|
err4:
|
||||||
xt_unregister_target(&ip6t_error_target);
|
xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
|
||||||
err3:
|
|
||||||
xt_unregister_target(&ip6t_standard_target);
|
|
||||||
err2:
|
err2:
|
||||||
unregister_pernet_subsys(&ip6_tables_net_ops);
|
unregister_pernet_subsys(&ip6_tables_net_ops);
|
||||||
err1:
|
err1:
|
||||||
|
|
@ -2306,10 +2290,8 @@ static void __exit ip6_tables_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_sockopt(&ip6t_sockopts);
|
nf_unregister_sockopt(&ip6t_sockopts);
|
||||||
|
|
||||||
xt_unregister_match(&icmp6_matchstruct);
|
xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
|
||||||
xt_unregister_target(&ip6t_error_target);
|
xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
|
||||||
xt_unregister_target(&ip6t_standard_target);
|
|
||||||
|
|
||||||
unregister_pernet_subsys(&ip6_tables_net_ops);
|
unregister_pernet_subsys(&ip6_tables_net_ops);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -436,7 +436,7 @@ ip6t_log_packet(u_int8_t pf,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ip6t_log_info *loginfo = par->targinfo;
|
const struct ip6t_log_info *loginfo = par->targinfo;
|
||||||
struct nf_loginfo li;
|
struct nf_loginfo li;
|
||||||
|
|
|
||||||
|
|
@ -175,7 +175,7 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ip6t_reject_info *reject = par->targinfo;
|
const struct ip6t_reject_info *reject = par->targinfo;
|
||||||
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
|
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ip_auth_hdr _ah;
|
struct ip_auth_hdr _ah;
|
||||||
const struct ip_auth_hdr *ah;
|
const struct ip_auth_hdr *ah;
|
||||||
|
|
@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
|
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
if (err != -ENOENT)
|
if (err != -ENOENT)
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
|
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
|
||||||
if (ah == NULL) {
|
if (ah == NULL) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,14 +20,14 @@ MODULE_LICENSE("GPL");
|
||||||
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
|
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
unsigned char eui64[8];
|
unsigned char eui64[8];
|
||||||
|
|
||||||
if (!(skb_mac_header(skb) >= skb->head &&
|
if (!(skb_mac_header(skb) >= skb->head &&
|
||||||
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
|
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
|
||||||
par->fragoff != 0) {
|
par->fragoff != 0) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct frag_hdr _frag;
|
struct frag_hdr _frag;
|
||||||
const struct frag_hdr *fh;
|
const struct frag_hdr *fh;
|
||||||
|
|
@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
|
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
if (err != -ENOENT)
|
if (err != -ENOENT)
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
|
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
|
||||||
if (fh == NULL) {
|
if (fh == NULL) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,7 @@ MODULE_ALIAS("ip6t_dst");
|
||||||
static struct xt_match hbh_mt6_reg[] __read_mostly;
|
static struct xt_match hbh_mt6_reg[] __read_mostly;
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ipv6_opt_hdr _optsh;
|
struct ipv6_opt_hdr _optsh;
|
||||||
const struct ipv6_opt_hdr *oh;
|
const struct ipv6_opt_hdr *oh;
|
||||||
|
|
@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
NEXTHDR_HOP : NEXTHDR_DEST, NULL);
|
NEXTHDR_HOP : NEXTHDR_DEST, NULL);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
if (err != -ENOENT)
|
if (err != -ENOENT)
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
|
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
|
||||||
if (oh == NULL) {
|
if (oh == NULL) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
|
||||||
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
|
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ip6t_ipv6header_info *info = par->matchinfo;
|
const struct ip6t_ipv6header_info *info = par->matchinfo;
|
||||||
unsigned int temp;
|
unsigned int temp;
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
|
||||||
return (type >= min && type <= max) ^ invert;
|
return (type >= min && type <= max) ^ invert;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ip6_mh _mh;
|
struct ip6_mh _mh;
|
||||||
const struct ip6_mh *mh;
|
const struct ip6_mh *mh;
|
||||||
|
|
@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
pr_debug("Dropping evil MH tinygram.\n");
|
pr_debug("Dropping evil MH tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
if (mh->ip6mh_proto != IPPROTO_NONE) {
|
||||||
pr_debug("Dropping invalid MH Payload Proto: %u\n",
|
pr_debug("Dropping invalid MH Payload Proto: %u\n",
|
||||||
mh->ip6mh_proto);
|
mh->ip6mh_proto);
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ipv6_rt_hdr _route;
|
struct ipv6_rt_hdr _route;
|
||||||
const struct ipv6_rt_hdr *rh;
|
const struct ipv6_rt_hdr *rh;
|
||||||
|
|
@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
|
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
if (err != -ENOENT)
|
if (err != -ENOENT)
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
|
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
|
||||||
if (rh == NULL) {
|
if (rh == NULL) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ MODULE_ALIAS("ipt_CLASSIFY");
|
||||||
MODULE_ALIAS("ip6t_CLASSIFY");
|
MODULE_ALIAS("ip6t_CLASSIFY");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
classify_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_classify_target_info *clinfo = par->targinfo;
|
const struct xt_classify_target_info *clinfo = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -64,7 +64,7 @@ static void secmark_restore(struct sk_buff *skb)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_connsecmark_target_info *info = par->targinfo;
|
const struct xt_connsecmark_target_info *info = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,7 @@
|
||||||
#include <net/netfilter/nf_conntrack_zones.h>
|
#include <net/netfilter/nf_conntrack_zones.h>
|
||||||
|
|
||||||
static unsigned int xt_ct_target(struct sk_buff *skb,
|
static unsigned int xt_ct_target(struct sk_buff *skb,
|
||||||
const struct xt_target_param *par)
|
const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_ct_target_info *info = par->targinfo;
|
const struct xt_ct_target_info *info = par->targinfo;
|
||||||
struct nf_conn *ct = info->ct;
|
struct nf_conn *ct = info->ct;
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ MODULE_ALIAS("ipt_TOS");
|
||||||
MODULE_ALIAS("ip6t_TOS");
|
MODULE_ALIAS("ip6t_TOS");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_DSCP_info *dinfo = par->targinfo;
|
const struct xt_DSCP_info *dinfo = par->targinfo;
|
||||||
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
|
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
|
||||||
|
|
@ -45,7 +45,7 @@ dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_DSCP_info *dinfo = par->targinfo;
|
const struct xt_DSCP_info *dinfo = par->targinfo;
|
||||||
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
|
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
|
||||||
|
|
@ -72,7 +72,7 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tos_target_info *info = par->targinfo;
|
const struct xt_tos_target_info *info = par->targinfo;
|
||||||
struct iphdr *iph = ip_hdr(skb);
|
struct iphdr *iph = ip_hdr(skb);
|
||||||
|
|
@ -92,7 +92,7 @@ tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tos_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tos_target_info *info = par->targinfo;
|
const struct xt_tos_target_info *info = par->targinfo;
|
||||||
struct ipv6hdr *iph = ipv6_hdr(skb);
|
struct ipv6hdr *iph = ipv6_hdr(skb);
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
|
||||||
MODULE_LICENSE("GPL");
|
MODULE_LICENSE("GPL");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct iphdr *iph;
|
struct iphdr *iph;
|
||||||
const struct ipt_TTL_info *info = par->targinfo;
|
const struct ipt_TTL_info *info = par->targinfo;
|
||||||
|
|
@ -66,7 +66,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ipv6hdr *ip6h;
|
struct ipv6hdr *ip6h;
|
||||||
const struct ip6t_HL_info *info = par->targinfo;
|
const struct ip6t_HL_info *info = par->targinfo;
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ struct xt_led_info_internal {
|
||||||
};
|
};
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
led_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
led_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_led_info *ledinfo = par->targinfo;
|
const struct xt_led_info *ledinfo = par->targinfo;
|
||||||
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
|
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_NFLOG");
|
||||||
MODULE_ALIAS("ip6t_NFLOG");
|
MODULE_ALIAS("ip6t_NFLOG");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_nflog_info *info = par->targinfo;
|
const struct xt_nflog_info *info = par->targinfo;
|
||||||
struct nf_loginfo li;
|
struct nf_loginfo li;
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ static u32 jhash_initval __read_mostly;
|
||||||
static bool rnd_inited __read_mostly;
|
static bool rnd_inited __read_mostly;
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_NFQ_info *tinfo = par->targinfo;
|
const struct xt_NFQ_info *tinfo = par->targinfo;
|
||||||
|
|
||||||
|
|
@ -65,7 +65,7 @@ static u32 hash_v6(const struct sk_buff *skb)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
|
nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_NFQ_info_v1 *info = par->targinfo;
|
const struct xt_NFQ_info_v1 *info = par->targinfo;
|
||||||
u32 queue = info->queuenum;
|
u32 queue = info->queuenum;
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
|
||||||
MODULE_ALIAS("ip6t_NOTRACK");
|
MODULE_ALIAS("ip6t_NOTRACK");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
/* Previously seen (loopback)? Ignore. */
|
/* Previously seen (loopback)? Ignore. */
|
||||||
if (skb->nfct != NULL)
|
if (skb->nfct != NULL)
|
||||||
|
|
|
||||||
|
|
@ -73,7 +73,7 @@ void xt_rateest_put(struct xt_rateest *est)
|
||||||
EXPORT_SYMBOL_GPL(xt_rateest_put);
|
EXPORT_SYMBOL_GPL(xt_rateest_put);
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_rateest_target_info *info = par->targinfo;
|
const struct xt_rateest_target_info *info = par->targinfo;
|
||||||
struct gnet_stats_basic_packed *stats = &info->est->bstats;
|
struct gnet_stats_basic_packed *stats = &info->est->bstats;
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_SECMARK");
|
||||||
static u8 mode;
|
static u8 mode;
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
u32 secmark = 0;
|
u32 secmark = 0;
|
||||||
const struct xt_secmark_target_info *info = par->targinfo;
|
const struct xt_secmark_target_info *info = par->targinfo;
|
||||||
|
|
|
||||||
|
|
@ -172,7 +172,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
|
tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct iphdr *iph = ip_hdr(skb);
|
struct iphdr *iph = ip_hdr(skb);
|
||||||
__be16 newlen;
|
__be16 newlen;
|
||||||
|
|
@ -195,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
|
|
||||||
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
|
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
|
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
|
||||||
u8 nexthdr;
|
u8 nexthdr;
|
||||||
|
|
|
||||||
|
|
@ -74,7 +74,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
|
tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
|
return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
|
||||||
sizeof(struct iphdr) + sizeof(struct tcphdr));
|
sizeof(struct iphdr) + sizeof(struct tcphdr));
|
||||||
|
|
@ -82,7 +82,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
|
|
||||||
#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
|
#if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
|
struct ipv6hdr *ipv6h = ipv6_hdr(skb);
|
||||||
int tcphoff;
|
int tcphoff;
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
|
tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tee_tginfo *info = par->targinfo;
|
const struct xt_tee_tginfo *info = par->targinfo;
|
||||||
struct iphdr *iph;
|
struct iphdr *iph;
|
||||||
|
|
@ -165,7 +165,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
|
tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tee_tginfo *info = par->targinfo;
|
const struct xt_tee_tginfo *info = par->targinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
#include <net/netfilter/nf_tproxy_core.h>
|
#include <net/netfilter/nf_tproxy_core.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct iphdr *iph = ip_hdr(skb);
|
const struct iphdr *iph = ip_hdr(skb);
|
||||||
const struct xt_tproxy_target_info *tgi = par->targinfo;
|
const struct xt_tproxy_target_info *tgi = par->targinfo;
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
|
||||||
MODULE_ALIAS("ip6t_TRACE");
|
MODULE_ALIAS("ip6t_TRACE");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
trace_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
skb->nf_trace = 1;
|
skb->nf_trace = 1;
|
||||||
return XT_CONTINUE;
|
return XT_CONTINUE;
|
||||||
|
|
|
||||||
|
|
@ -86,7 +86,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct sk_buff *pskb = (struct sk_buff *)skb;
|
struct sk_buff *pskb = (struct sk_buff *)skb;
|
||||||
const struct xt_cluster_match_info *info = par->matchinfo;
|
const struct xt_cluster_match_info *info = par->matchinfo;
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
|
||||||
MODULE_ALIAS("ip6t_comment");
|
MODULE_ALIAS("ip6t_comment");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
comment_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
comment_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
/* We always match */
|
/* We always match */
|
||||||
return true;
|
return true;
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@ MODULE_ALIAS("ipt_connbytes");
|
||||||
MODULE_ALIAS("ip6t_connbytes");
|
MODULE_ALIAS("ip6t_connbytes");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_connbytes_info *sinfo = par->matchinfo;
|
const struct xt_connbytes_info *sinfo = par->matchinfo;
|
||||||
const struct nf_conn *ct;
|
const struct nf_conn *ct;
|
||||||
|
|
|
||||||
|
|
@ -173,7 +173,7 @@ static int count_them(struct net *net,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||||
const struct xt_connlimit_info *info = par->matchinfo;
|
const struct xt_connlimit_info *info = par->matchinfo;
|
||||||
|
|
@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
|
|
||||||
if (connections < 0) {
|
if (connections < 0) {
|
||||||
/* kmalloc failed, drop it entirely */
|
/* kmalloc failed, drop it entirely */
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return (connections > info->limit) ^ info->inverse;
|
return (connections > info->limit) ^ info->inverse;
|
||||||
|
|
||||||
hotdrop:
|
hotdrop:
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@ MODULE_ALIAS("ipt_connmark");
|
||||||
MODULE_ALIAS("ip6t_connmark");
|
MODULE_ALIAS("ip6t_connmark");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_connmark_tginfo1 *info = par->targinfo;
|
const struct xt_connmark_tginfo1 *info = par->targinfo;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
@ -91,7 +91,7 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_connmark_mtinfo1 *info = par->matchinfo;
|
const struct xt_connmark_mtinfo1 *info = par->matchinfo;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
|
||||||
|
|
@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
|
conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
|
||||||
u16 state_mask, u16 status_mask)
|
u16 state_mask, u16 status_mask)
|
||||||
{
|
{
|
||||||
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
||||||
|
|
@ -191,7 +191,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
|
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
@ -199,7 +199,7 @@ conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
|
conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -96,7 +96,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_dccp_info *info = par->matchinfo;
|
const struct xt_dccp_info *info = par->matchinfo;
|
||||||
const struct dccp_hdr *dh;
|
const struct dccp_hdr *dh;
|
||||||
|
|
@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
|
|
||||||
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
|
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
|
||||||
if (dh == NULL) {
|
if (dh == NULL) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
&& DCCHECK(match_types(dh, info->typemask),
|
&& DCCHECK(match_types(dh, info->typemask),
|
||||||
XT_DCCP_TYPE, info->flags, info->invflags)
|
XT_DCCP_TYPE, info->flags, info->invflags)
|
||||||
&& DCCHECK(match_option(info->option, skb, par->thoff, dh,
|
&& DCCHECK(match_option(info->option, skb, par->thoff, dh,
|
||||||
par->hotdrop),
|
&par->hotdrop),
|
||||||
XT_DCCP_OPTION, info->flags, info->invflags);
|
XT_DCCP_OPTION, info->flags, info->invflags);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
|
||||||
MODULE_ALIAS("ip6t_tos");
|
MODULE_ALIAS("ip6t_tos");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_dscp_info *info = par->matchinfo;
|
const struct xt_dscp_info *info = par->matchinfo;
|
||||||
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
|
u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
|
||||||
|
|
@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_dscp_info *info = par->matchinfo;
|
const struct xt_dscp_info *info = par->matchinfo;
|
||||||
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
|
u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
|
||||||
|
|
@ -54,7 +54,7 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tos_match_info *info = par->matchinfo;
|
const struct xt_tos_match_info *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ip_esp_hdr *eh;
|
const struct ip_esp_hdr *eh;
|
||||||
struct ip_esp_hdr _esp;
|
struct ip_esp_hdr _esp;
|
||||||
|
|
@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
pr_debug("Dropping evil ESP tinygram.\n");
|
pr_debug("Dropping evil ESP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -516,7 +516,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
|
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
|
||||||
struct xt_hashlimit_htable *hinfo = info->hinfo;
|
struct xt_hashlimit_htable *hinfo = info->hinfo;
|
||||||
|
|
@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
return info->cfg.mode & XT_HASHLIMIT_INVERT;
|
return info->cfg.mode & XT_HASHLIMIT_INVERT;
|
||||||
|
|
||||||
hotdrop:
|
hotdrop:
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
|
||||||
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_helper_info *info = par->matchinfo;
|
const struct xt_helper_info *info = par->matchinfo;
|
||||||
const struct nf_conn *ct;
|
const struct nf_conn *ct;
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
|
||||||
MODULE_ALIAS("ipt_ttl");
|
MODULE_ALIAS("ipt_ttl");
|
||||||
MODULE_ALIAS("ip6t_hl");
|
MODULE_ALIAS("ip6t_hl");
|
||||||
|
|
||||||
static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ipt_ttl_info *info = par->matchinfo;
|
const struct ipt_ttl_info *info = par->matchinfo;
|
||||||
const u8 ttl = ip_hdr(skb)->ttl;
|
const u8 ttl = ip_hdr(skb)->ttl;
|
||||||
|
|
@ -44,7 +44,7 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct ip6t_hl_info *info = par->matchinfo;
|
const struct ip6t_hl_info *info = par->matchinfo;
|
||||||
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
|
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@
|
||||||
#include <linux/netfilter/xt_iprange.h>
|
#include <linux/netfilter/xt_iprange.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
|
iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_iprange_mtinfo *info = par->matchinfo;
|
const struct xt_iprange_mtinfo *info = par->matchinfo;
|
||||||
const struct iphdr *iph = ip_hdr(skb);
|
const struct iphdr *iph = ip_hdr(skb);
|
||||||
|
|
@ -68,7 +68,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_iprange_mtinfo *info = par->matchinfo;
|
const struct xt_iprange_mtinfo *info = par->matchinfo;
|
||||||
const struct ipv6hdr *iph = ipv6_hdr(skb);
|
const struct ipv6hdr *iph = ipv6_hdr(skb);
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
|
||||||
MODULE_ALIAS("ip6t_length");
|
MODULE_ALIAS("ip6t_length");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
length_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_length_info *info = par->matchinfo;
|
const struct xt_length_info *info = par->matchinfo;
|
||||||
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
|
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
|
||||||
|
|
@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
length_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_length_info *info = par->matchinfo;
|
const struct xt_length_info *info = par->matchinfo;
|
||||||
const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
|
const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
|
||||||
|
|
|
||||||
|
|
@ -65,7 +65,7 @@ static DEFINE_SPINLOCK(limit_lock);
|
||||||
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
|
#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_rateinfo *r = par->matchinfo;
|
const struct xt_rateinfo *r = par->matchinfo;
|
||||||
struct xt_limit_priv *priv = r->master;
|
struct xt_limit_priv *priv = r->master;
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
|
||||||
MODULE_ALIAS("ipt_mac");
|
MODULE_ALIAS("ipt_mac");
|
||||||
MODULE_ALIAS("ip6t_mac");
|
MODULE_ALIAS("ip6t_mac");
|
||||||
|
|
||||||
static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_mac_info *info = par->matchinfo;
|
const struct xt_mac_info *info = par->matchinfo;
|
||||||
bool ret;
|
bool ret;
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_MARK");
|
||||||
MODULE_ALIAS("ip6t_MARK");
|
MODULE_ALIAS("ip6t_MARK");
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_mark_tginfo2 *info = par->targinfo;
|
const struct xt_mark_tginfo2 *info = par->targinfo;
|
||||||
|
|
||||||
|
|
@ -34,7 +34,7 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_mark_mtinfo1 *info = par->matchinfo;
|
const struct xt_mark_mtinfo1 *info = par->matchinfo;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const __be16 *pptr;
|
const __be16 *pptr;
|
||||||
__be16 _ports[2];
|
__be16 _ports[2];
|
||||||
|
|
@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
* can't. Hence, no choice but to drop.
|
* can't. Hence, no choice but to drop.
|
||||||
*/
|
*/
|
||||||
pr_debug("Dropping evil offset=0 tinygram.\n");
|
pr_debug("Dropping evil offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -117,7 +117,7 @@ static int multiport_mt_check(const struct xt_mtchk_param *par)
|
||||||
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
|
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
|
||||||
|
|
||||||
return check(ip->proto, ip->invflags, multiinfo->flags,
|
return check(ip->proto, ip->invflags, multiinfo->flags,
|
||||||
multiinfo->count);
|
multiinfo->count) ? 0 : -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int multiport_mt6_check(const struct xt_mtchk_param *par)
|
static int multiport_mt6_check(const struct xt_mtchk_param *par)
|
||||||
|
|
@ -126,7 +126,7 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par)
|
||||||
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
|
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
|
||||||
|
|
||||||
return check(ip->proto, ip->invflags, multiinfo->flags,
|
return check(ip->proto, ip->invflags, multiinfo->flags,
|
||||||
multiinfo->count);
|
multiinfo->count) ? 0 : -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct xt_match multiport_mt_reg[] __read_mostly = {
|
static struct xt_match multiport_mt_reg[] __read_mostly = {
|
||||||
|
|
|
||||||
|
|
@ -193,8 +193,8 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
|
||||||
return ip->ttl == f_ttl;
|
return ip->ttl == f_ttl;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool xt_osf_match_packet(const struct sk_buff *skb,
|
static bool
|
||||||
const struct xt_match_param *p)
|
xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
|
||||||
{
|
{
|
||||||
const struct xt_osf_info *info = p->matchinfo;
|
const struct xt_osf_info *info = p->matchinfo;
|
||||||
const struct iphdr *ip = ip_hdr(skb);
|
const struct iphdr *ip = ip_hdr(skb);
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@
|
||||||
#include <linux/netfilter/xt_owner.h>
|
#include <linux/netfilter/xt_owner.h>
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_owner_match_info *info = par->matchinfo;
|
const struct xt_owner_match_info *info = par->matchinfo;
|
||||||
const struct file *filp;
|
const struct file *filp;
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
|
||||||
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
|
||||||
const struct xt_physdev_info *info = par->matchinfo;
|
const struct xt_physdev_info *info = par->matchinfo;
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
|
||||||
MODULE_ALIAS("ip6t_pkttype");
|
MODULE_ALIAS("ip6t_pkttype");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_pkttype_info *info = par->matchinfo;
|
const struct xt_pkttype_info *info = par->matchinfo;
|
||||||
u_int8_t type;
|
u_int8_t type;
|
||||||
|
|
|
||||||
|
|
@ -110,7 +110,7 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_policy_info *info = par->matchinfo;
|
const struct xt_policy_info *info = par->matchinfo;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ MODULE_ALIAS("ip6t_quota");
|
||||||
static DEFINE_SPINLOCK(quota_lock);
|
static DEFINE_SPINLOCK(quota_lock);
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct xt_quota_info *q = (void *)par->matchinfo;
|
struct xt_quota_info *q = (void *)par->matchinfo;
|
||||||
struct xt_quota_priv *priv = q->master;
|
struct xt_quota_priv *priv = q->master;
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@
|
||||||
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_rateest_match_info *info = par->matchinfo;
|
const struct xt_rateest_match_info *info = par->matchinfo;
|
||||||
struct gnet_stats_rate_est *r;
|
struct gnet_stats_rate_est *r;
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
|
||||||
MODULE_ALIAS("ipt_realm");
|
MODULE_ALIAS("ipt_realm");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
realm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_realm_info *info = par->matchinfo;
|
const struct xt_realm_info *info = par->matchinfo;
|
||||||
const struct dst_entry *dst = skb_dst(skb);
|
const struct dst_entry *dst = skb_dst(skb);
|
||||||
|
|
|
||||||
|
|
@ -224,7 +224,7 @@ static void recent_table_flush(struct recent_table *t)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||||
struct recent_net *recent_net = recent_pernet(net);
|
struct recent_net *recent_net = recent_pernet(net);
|
||||||
|
|
@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
goto out;
|
goto out;
|
||||||
e = recent_entry_init(t, &addr, par->family, ttl);
|
e = recent_entry_init(t, &addr, par->family, ttl);
|
||||||
if (e == NULL)
|
if (e == NULL)
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
ret = !ret;
|
ret = !ret;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -114,7 +114,7 @@ match_packet(const struct sk_buff *skb,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_sctp_info *info = par->matchinfo;
|
const struct xt_sctp_info *info = par->matchinfo;
|
||||||
const sctp_sctphdr_t *sh;
|
const sctp_sctphdr_t *sh;
|
||||||
|
|
@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
|
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
|
||||||
if (sh == NULL) {
|
if (sh == NULL) {
|
||||||
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
|
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
|
||||||
|
|
@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
&& ntohs(sh->dest) <= info->dpts[1],
|
&& ntohs(sh->dest) <= info->dpts[1],
|
||||||
XT_SCTP_DEST_PORTS, info->flags, info->invflags)
|
XT_SCTP_DEST_PORTS, info->flags, info->invflags)
|
||||||
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
|
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
|
||||||
info, par->hotdrop),
|
info, &par->hotdrop),
|
||||||
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
|
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
|
||||||
|
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
|
socket_match(const struct sk_buff *skb, struct xt_action_param *par,
|
||||||
const struct xt_socket_mtinfo1 *info)
|
const struct xt_socket_mtinfo1 *info)
|
||||||
{
|
{
|
||||||
const struct iphdr *iph = ip_hdr(skb);
|
const struct iphdr *iph = ip_hdr(skb);
|
||||||
|
|
@ -174,13 +174,13 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
return socket_match(skb, par, NULL);
|
return socket_match(skb, par, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
return socket_match(skb, par, par->matchinfo);
|
return socket_match(skb, par, par->matchinfo);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
|
||||||
MODULE_ALIAS("ip6t_state");
|
MODULE_ALIAS("ip6t_state");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
state_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_state_info *sinfo = par->matchinfo;
|
const struct xt_state_info *sinfo = par->matchinfo;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_statistic");
|
||||||
static DEFINE_SPINLOCK(nth_lock);
|
static DEFINE_SPINLOCK(nth_lock);
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_statistic_info *info = par->matchinfo;
|
const struct xt_statistic_info *info = par->matchinfo;
|
||||||
bool ret = info->flags & XT_STATISTIC_INVERT;
|
bool ret = info->flags & XT_STATISTIC_INVERT;
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_string");
|
||||||
MODULE_ALIAS("ip6t_string");
|
MODULE_ALIAS("ip6t_string");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
string_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_string_info *conf = par->matchinfo;
|
const struct xt_string_info *conf = par->matchinfo;
|
||||||
struct ts_state state;
|
struct ts_state state;
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
|
||||||
MODULE_ALIAS("ip6t_tcpmss");
|
MODULE_ALIAS("ip6t_tcpmss");
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_tcpmss_match_info *info = par->matchinfo;
|
const struct xt_tcpmss_match_info *info = par->matchinfo;
|
||||||
const struct tcphdr *th;
|
const struct tcphdr *th;
|
||||||
|
|
@ -73,7 +73,7 @@ tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
return info->invert;
|
return info->invert;
|
||||||
|
|
||||||
dropit:
|
dropit:
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -62,7 +62,7 @@ tcp_find_option(u_int8_t option,
|
||||||
return invert;
|
return invert;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct tcphdr *th;
|
const struct tcphdr *th;
|
||||||
struct tcphdr _tcph;
|
struct tcphdr _tcph;
|
||||||
|
|
@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
*/
|
*/
|
||||||
if (par->fragoff == 1) {
|
if (par->fragoff == 1) {
|
||||||
pr_debug("Dropping evil TCP offset=1 frag.\n");
|
pr_debug("Dropping evil TCP offset=1 frag.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
}
|
}
|
||||||
/* Must not be a fragment. */
|
/* Must not be a fragment. */
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
return false;
|
return false;
|
||||||
if (tcpinfo->option) {
|
if (tcpinfo->option) {
|
||||||
if (th->doff * 4 < sizeof(_tcph)) {
|
if (th->doff * 4 < sizeof(_tcph)) {
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
|
if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
|
||||||
th->doff*4 - sizeof(_tcph),
|
th->doff*4 - sizeof(_tcph),
|
||||||
tcpinfo->invflags & XT_TCP_INV_OPTION,
|
tcpinfo->invflags & XT_TCP_INV_OPTION,
|
||||||
par->hotdrop))
|
&par->hotdrop))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -128,7 +128,7 @@ static int tcp_mt_check(const struct xt_mtchk_param *par)
|
||||||
return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
|
return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct udphdr *uh;
|
const struct udphdr *uh;
|
||||||
struct udphdr _udph;
|
struct udphdr _udph;
|
||||||
|
|
@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
/* We've been asked to examine this packet, and we
|
/* We've been asked to examine this packet, and we
|
||||||
can't. Hence, no choice but to drop. */
|
can't. Hence, no choice but to drop. */
|
||||||
pr_debug("Dropping evil UDP tinygram.\n");
|
pr_debug("Dropping evil UDP tinygram.\n");
|
||||||
*par->hotdrop = true;
|
par->hotdrop = true;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -152,7 +152,7 @@ static void localtime_3(struct xtm *r, time_t time)
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
time_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_time_info *info = par->matchinfo;
|
const struct xt_time_info *info = par->matchinfo;
|
||||||
unsigned int packet_time;
|
unsigned int packet_time;
|
||||||
|
|
|
||||||
|
|
@ -86,7 +86,7 @@ static bool u32_match_it(const struct xt_u32 *data,
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_u32 *data = par->matchinfo;
|
const struct xt_u32 *data = par->matchinfo;
|
||||||
bool ret;
|
bool ret;
|
||||||
|
|
|
||||||
|
|
@ -199,7 +199,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
|
||||||
{
|
{
|
||||||
int ret = 0, result = 0;
|
int ret = 0, result = 0;
|
||||||
struct tcf_ipt *ipt = a->priv;
|
struct tcf_ipt *ipt = a->priv;
|
||||||
struct xt_target_param par;
|
struct xt_action_param par;
|
||||||
|
|
||||||
if (skb_cloned(skb)) {
|
if (skb_cloned(skb)) {
|
||||||
if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
|
if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue