Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'nf-next' of git://1984.lsi.us.es/net-next

Browse source
This commit is contained in:
David S. Miller 2011-12-28 13:16:59 -05:00
commit d79aec83b2
11 changed files with 258 additions and 171 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
include/linux/netfilter/Kbuild
View file

@ -43,6 +43,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h
header-y += xt_devgroup.h
header-y += xt_dscp.h
header-y += xt_ecn.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
header-y += xt_helper.h

35
include/linux/netfilter/xt_ecn.h Normal file
View file

@ -0,0 +1,35 @@
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _XT_ECN_H
#define _XT_ECN_H
#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
#define XT_ECN_OP_MATCH_IP 0x01
#define XT_ECN_OP_MATCH_ECE 0x10
#define XT_ECN_OP_MATCH_CWR 0x20
#define XT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct xt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
union {
struct {
__u8 ect;
} tcp;
} proto;
};
#endif /* _XT_ECN_H */

38
include/linux/netfilter_ipv4/ipt_ecn.h
View file

@ -1,35 +1,15 @@
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
#include <linux/netfilter/xt_ecn.h>
#define ipt_ecn_info xt_ecn_info
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
#define IPT_ECN_OP_MATCH_CWR 0x20
#define IPT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct ipt_ecn_info {
__u8 operation;
__u8 invert;
__u8 ip_ect;
union {
struct {
__u8 ect;
} tcp;
} proto;
enum {
IPT_ECN_IP_MASK = XT_ECN_IP_MASK,
IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP,
IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE,
IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR,
IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK,
};
#endif /* _IPT_ECN_H */
#endif /* IPT_ECN_H */

12
net/ipv4/netfilter/Kconfig
View file

@ -27,7 +27,7 @@ config NF_CONNTRACK_IPV4
config NF_CONNTRACK_PROC_COMPAT
bool "proc/sysctl compatibility with old connection tracking"
depends on NF_CONNTRACK_IPV4
depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
default y
help
This option enables /proc and sysctl compatibility with the old
@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
help
This option adds a `ECN' match, which allows you to match against
the IPv4 and TCP header ECN fields.
To compile it as a module, choose M here. If unsure, say N.
select NETFILTER_XT_MATCH_ECN
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'

1
net/ipv4/netfilter/Makefile
View file

@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
# targets

127
net/ipv4/netfilter/ipt_ecn.c
View file

@ -1,127 +0,0 @@
/* IP tables module for matching the value of the IPv4 and TCP ECN bits
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/in.h>
#include <linux/ip.h>
#include <net/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_ecn.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL");
static inline bool match_ip(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo)
{
return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
!!(einfo->invert & IPT_ECN_OP_MATCH_IP);
}
static inline bool match_tcp(const struct sk_buff *skb,
const struct ipt_ecn_info *einfo,
bool *hotdrop)
{
struct tcphdr _tcph;
const struct tcphdr *th;
/* In practice, TCP match does this, so can't fail. But let's
* be good citizens.
*/
th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
if (th == NULL) {
*hotdrop = false;
return false;
}
if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
if (th->ece == 1)
return false;
} else {
if (th->ece == 0)
return false;
}
}
if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
if (th->cwr == 1)
return false;
} else {
if (th->cwr == 0)
return false;
}
}
return true;
}
static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
if (info->operation & IPT_ECN_OP_MATCH_IP)
if (!match_ip(skb, info))
return false;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
if (!match_tcp(skb, info, &par->hotdrop))
return false;
}
return true;
}
static int ecn_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
if (info->operation & IPT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->invert & IPT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
(ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return -EINVAL;
}
return 0;
}
static struct xt_match ecn_mt_reg __read_mostly = {
.name = "ecn",
.family = NFPROTO_IPV4,
.match = ecn_mt,
.matchsize = sizeof(struct ipt_ecn_info),
.checkentry = ecn_mt_check,
.me = THIS_MODULE,
};
static int __init ecn_mt_init(void)
{
return xt_register_match(&ecn_mt_reg);
}
static void __exit ecn_mt_exit(void)
{
xt_unregister_match(&ecn_mt_reg);
}
module_init(ecn_mt_init);
module_exit(ecn_mt_exit);

19
net/netfilter/Kconfig
View file

@ -83,6 +83,16 @@ config NF_CONNTRACK_ZONES
If unsure, say `N'.
config NF_CONNTRACK_PROCFS
bool "Supply CT list in procfs (OBSOLETE)"
default y
depends on PROC_FS
---help---
This option enables for the list of known conntrack entries
to be shown in procfs under net/netfilter/nf_conntrack. This
is considered obsolete in favor of using the conntrack(8)
tool which uses Netlink.
config NF_CONNTRACK_EVENTS
bool "Connection tracking events"
depends on NETFILTER_ADVANCED
@ -778,6 +788,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
---help---
This option adds an "ECN" match, which allows you to match against
the IPv4 and TCP header ECN fields.
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support'
depends on NETFILTER_ADVANCED

1
net/netfilter/Makefile
View file

@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o

12
net/netfilter/nf_conntrack_expect.c
View file

@ -455,7 +455,7 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
}
EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_NF_CONNTRACK_PROCFS
struct ct_expect_iter_state {
struct seq_net_private p;
unsigned int bucket;
@ -583,25 +583,25 @@ static const struct file_operations exp_file_ops = {
.llseek = seq_lseek,
.release = seq_release_net,
};
#endif /* CONFIG_PROC_FS */
#endif /* CONFIG_NF_CONNTRACK_PROCFS */
static int exp_proc_init(struct net *net)
{
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_NF_CONNTRACK_PROCFS
struct proc_dir_entry *proc;
proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
if (!proc)
return -ENOMEM;
#endif /* CONFIG_PROC_FS */
#endif /* CONFIG_NF_CONNTRACK_PROCFS */
return 0;
}
static void exp_proc_remove(struct net *net)
{
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_NF_CONNTRACK_PROCFS
proc_net_remove(net, "nf_conntrack_expect");
#endif /* CONFIG_PROC_FS */
#endif /* CONFIG_NF_CONNTRACK_PROCFS */
}
module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);

4
net/netfilter/nf_conntrack_standalone.c
View file

@ -34,7 +34,7 @@
MODULE_LICENSE("GPL");
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_NF_CONNTRACK_PROCFS
int
print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_l3proto *l3proto,
@ -396,7 +396,7 @@ static int nf_conntrack_standalone_init_proc(struct net *net)
static void nf_conntrack_standalone_fini_proc(struct net *net)
{
}
#endif /* CONFIG_PROC_FS */
#endif /* CONFIG_NF_CONNTRACK_PROCFS */
/* Sysctl support */

179
net/netfilter/xt_ecn.c Normal file
View file

@ -0,0 +1,179 @@
/*
* Xtables module for matching the value of the IPv4/IPv6 and TCP ECN bits
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2011 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/in.h>
#include <linux/ip.h>
#include <net/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_ecn.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ecn");
MODULE_ALIAS("ip6t_ecn");
static bool match_tcp(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ecn_info *einfo = par->matchinfo;
struct tcphdr _tcph;
const struct tcphdr *th;
/* In practice, TCP match does this, so can't fail. But let's
* be good citizens.
*/
th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph);
if (th == NULL)
return false;
if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
if (einfo->invert & XT_ECN_OP_MATCH_ECE) {
if (th->ece == 1)
return false;
} else {
if (th->ece == 0)
return false;
}
}
if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
if (einfo->invert & XT_ECN_OP_MATCH_CWR) {
if (th->cwr == 1)
return false;
} else {
if (th->cwr == 0)
return false;
}
}
return true;
}
static inline bool match_ip(const struct sk_buff *skb,
const struct xt_ecn_info *einfo)
{
return ((ip_hdr(skb)->tos & XT_ECN_IP_MASK) == einfo->ip_ect) ^
!!(einfo->invert & XT_ECN_OP_MATCH_IP);
}
static bool ecn_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
if (info->operation & XT_ECN_OP_MATCH_IP && !match_ip(skb, info))
return false;
if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
!match_tcp(skb, par))
return false;
return true;
}
static int ecn_mt_check4(const struct xt_mtchk_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
if (info->operation & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->invert & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
(ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return -EINVAL;
}
return 0;
}
static inline bool match_ipv6(const struct sk_buff *skb,
const struct xt_ecn_info *einfo)
{
return (((ipv6_hdr(skb)->flow_lbl[0] >> 4) & XT_ECN_IP_MASK) ==
einfo->ip_ect) ^
!!(einfo->invert & XT_ECN_OP_MATCH_IP);
}
static bool ecn_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
if (info->operation & XT_ECN_OP_MATCH_IP && !match_ipv6(skb, info))
return false;
if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
!match_tcp(skb, par))
return false;
return true;
}
static int ecn_mt_check6(const struct xt_mtchk_param *par)
{
const struct xt_ecn_info *info = par->matchinfo;
const struct ip6t_ip6 *ip = par->entryinfo;
if (info->operation & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->invert & XT_ECN_OP_MATCH_MASK)
return -EINVAL;
if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
(ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) {
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
return -EINVAL;
}
return 0;
}
static struct xt_match ecn_mt_reg[] __read_mostly = {
{
.name = "ecn",
.family = NFPROTO_IPV4,
.match = ecn_mt4,
.matchsize = sizeof(struct xt_ecn_info),
.checkentry = ecn_mt_check4,
.me = THIS_MODULE,
},
{
.name = "ecn",
.family = NFPROTO_IPV6,
.match = ecn_mt6,
.matchsize = sizeof(struct xt_ecn_info),
.checkentry = ecn_mt_check6,
.me = THIS_MODULE,
},
};
static int __init ecn_mt_init(void)
{
return xt_register_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
}
static void __exit ecn_mt_exit(void)
{
xt_unregister_matches(ecn_mt_reg, ARRAY_SIZE(ecn_mt_reg));
}
module_init(ecn_mt_init);
module_exit(ecn_mt_exit);