diff options
Diffstat (limited to 'net/ipv6/netfilter')
| -rw-r--r-- | net/ipv6/netfilter/Kconfig | 11 | ||||
| -rw-r--r-- | net/ipv6/netfilter/Makefile | 1 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 152 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 52 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_HL.c | 29 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_LOG.c | 27 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_REJECT.c | 46 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_ah.c | 30 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_frag.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_hbh.c | 1 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_hl.c | 13 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_ipv6header.c | 10 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_mh.c | 115 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_owner.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_rt.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 21 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 31 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 35 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 8 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 7 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_reasm.c | 50 |
22 files changed, 381 insertions, 290 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index adcd6131df2..da07e9a88ee 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -42,7 +42,8 @@ config IP6_NF_QUEUE config IP6_NF_IPTABLES tristate "IP6 tables support (required for filtering)" - depends on INET && IPV6 && EXPERIMENTAL && NETFILTER_XTABLES + depends on INET && IPV6 && EXPERIMENTAL + select NETFILTER_XTABLES help ip6tables is a general, extensible packet identification framework. Currently only the packet filtering and packet mangling subsystem @@ -114,6 +115,14 @@ config IP6_NF_MATCH_AH To compile it as a module, choose M here. If unsure, say N. +config IP6_NF_MATCH_MH + tristate "MH match support" + depends on IP6_NF_IPTABLES + help + This module allows one to match MH packets. + + To compile it as a module, choose M here. If unsure, say N. + config IP6_NF_MATCH_EUI64 tristate "EUI64 address check" depends on IP6_NF_IPTABLES diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index ac1dfebde17..4513eab7739 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile @@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o +obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o # objects for l3 independent conntrack nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index d4d9f182441..58847d3b61e 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c @@ -95,7 +95,7 @@ __ipq_find_entry(ipq_cmpfn cmpfn, unsigned long data) list_for_each_prev(p, &queue_list) { struct ipq_queue_entry *entry = (struct ipq_queue_entry *)p; - + if (!cmpfn || cmpfn(entry, data)) return entry; } @@ -127,7 +127,7 @@ static inline void __ipq_flush(int verdict) { struct ipq_queue_entry *entry; - + while ((entry = __ipq_find_dequeue_entry(NULL, 0))) ipq_issue_verdict(entry, verdict); } @@ -136,21 +136,21 @@ static inline int __ipq_set_mode(unsigned char mode, unsigned int range) { int status = 0; - + switch(mode) { case IPQ_COPY_NONE: case IPQ_COPY_META: copy_mode = mode; copy_range = 0; break; - + case IPQ_COPY_PACKET: copy_mode = mode; copy_range = range; if (copy_range > 0xFFFF) copy_range = 0xFFFF; break; - + default: status = -EINVAL; @@ -171,7 +171,7 @@ static struct ipq_queue_entry * ipq_find_dequeue_entry(ipq_cmpfn cmpfn, unsigned long data) { struct ipq_queue_entry *entry; - + write_lock_bh(&queue_lock); entry = __ipq_find_dequeue_entry(cmpfn, data); write_unlock_bh(&queue_lock); @@ -197,14 +197,14 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp) struct nlmsghdr *nlh; read_lock_bh(&queue_lock); - + switch (copy_mode) { case IPQ_COPY_META: case IPQ_COPY_NONE: size = NLMSG_SPACE(sizeof(*pmsg)); data_len = 0; break; - + case IPQ_COPY_PACKET: if ((entry->skb->ip_summed == CHECKSUM_PARTIAL || entry->skb->ip_summed == CHECKSUM_COMPLETE) && @@ -216,10 +216,10 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp) data_len = entry->skb->len; else data_len = copy_range; - + size = NLMSG_SPACE(sizeof(*pmsg) + data_len); break; - + default: *errp = -EINVAL; read_unlock_bh(&queue_lock); @@ -231,7 +231,7 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp) skb = alloc_skb(size, GFP_ATOMIC); if (!skb) goto nlmsg_failure; - + old_tail= skb->tail; nlh = NLMSG_PUT(skb, 0, 0, IPQM_PACKET, size - sizeof(*nlh)); pmsg = NLMSG_DATA(nlh); @@ -244,29 +244,29 @@ ipq_build_packet_message(struct ipq_queue_entry *entry, int *errp) pmsg->mark = entry->skb->mark; pmsg->hook = entry->info->hook; pmsg->hw_protocol = entry->skb->protocol; - + if (entry->info->indev) strcpy(pmsg->indev_name, entry->info->indev->name); else pmsg->indev_name[0] = '\0'; - + if (entry->info->outdev) strcpy(pmsg->outdev_name, entry->info->outdev->name); else pmsg->outdev_name[0] = '\0'; - + if (entry->info->indev && entry->skb->dev) { pmsg->hw_type = entry->skb->dev->type; if (entry->skb->dev->hard_header_parse) pmsg->hw_addrlen = entry->skb->dev->hard_header_parse(entry->skb, - pmsg->hw_addr); + pmsg->hw_addr); } - + if (data_len) if (skb_copy_bits(entry->skb, 0, pmsg->payload, data_len)) BUG(); - + nlh->nlmsg_len = skb->tail - old_tail; return skb; @@ -279,7 +279,7 @@ nlmsg_failure: } static int -ipq_enqueue_packet(struct sk_buff *skb, struct nf_info *info, +ipq_enqueue_packet(struct sk_buff *skb, struct nf_info *info, unsigned int queuenum, void *data) { int status = -EINVAL; @@ -301,37 +301,37 @@ ipq_enqueue_packet(struct sk_buff *skb, struct nf_info *info, nskb = ipq_build_packet_message(entry, &status); if (nskb == NULL) goto err_out_free; - + write_lock_bh(&queue_lock); - + if (!peer_pid) - goto err_out_free_nskb; + goto err_out_free_nskb; if (queue_total >= queue_maxlen) { - queue_dropped++; + queue_dropped++; status = -ENOSPC; if (net_ratelimit()) - printk (KERN_WARNING "ip6_queue: fill at %d entries, " + printk (KERN_WARNING "ip6_queue: fill at %d entries, " "dropping packet(s). Dropped: %d\n", queue_total, queue_dropped); goto err_out_free_nskb; } - /* netlink_unicast will either free the nskb or attach it to a socket */ + /* netlink_unicast will either free the nskb or attach it to a socket */ status = netlink_unicast(ipqnl, nskb, peer_pid, MSG_DONTWAIT); if (status < 0) { - queue_user_dropped++; + queue_user_dropped++; goto err_out_unlock; } - + __ipq_enqueue_entry(entry); write_unlock_bh(&queue_lock); return status; - + err_out_free_nskb: - kfree_skb(nskb); - + kfree_skb(nskb); + err_out_unlock: write_unlock_bh(&queue_lock); @@ -357,11 +357,11 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e) return -EINVAL; if (diff > skb_tailroom(e->skb)) { struct sk_buff *newskb; - + newskb = skb_copy_expand(e->skb, - skb_headroom(e->skb), - diff, - GFP_ATOMIC); + skb_headroom(e->skb), + diff, + GFP_ATOMIC); if (newskb == NULL) { printk(KERN_WARNING "ip6_queue: OOM " "in mangle, dropping packet\n"); @@ -401,11 +401,11 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len) return -ENOENT; else { int verdict = vmsg->value; - + if (vmsg->data_len && vmsg->data_len == len) if (ipq_mangle_ipv6(vmsg, entry) < 0) verdict = NF_DROP; - + ipq_issue_verdict(entry, verdict); return 0; } @@ -424,7 +424,7 @@ ipq_set_mode(unsigned char mode, unsigned int range) static int ipq_receive_peer(struct ipq_peer_msg *pmsg, - unsigned char type, unsigned int len) + unsigned char type, unsigned int len) { int status = 0; @@ -434,15 +434,15 @@ ipq_receive_peer(struct ipq_peer_msg *pmsg, switch (type) { case IPQM_MODE: status = ipq_set_mode(pmsg->msg.mode.value, - pmsg->msg.mode.range); + pmsg->msg.mode.range); break; - + case IPQM_VERDICT: if (pmsg->msg.verdict.value > NF_MAX_VERDICT) status = -EINVAL; else status = ipq_set_verdict(&pmsg->msg.verdict, - len - sizeof(*pmsg)); + len - sizeof(*pmsg)); break; default: status = -EINVAL; @@ -456,7 +456,7 @@ dev_cmp(struct ipq_queue_entry *entry, unsigned long ifindex) if (entry->info->indev) if (entry->info->indev->ifindex == ifindex) return 1; - + if (entry->info->outdev) if (entry->info->outdev->ifindex == ifindex) return 1; @@ -468,7 +468,7 @@ static void ipq_dev_drop(int ifindex) { struct ipq_queue_entry *entry; - + while ((entry = ipq_find_dequeue_entry(dev_cmp, ifindex)) != NULL) ipq_issue_verdict(entry, NF_DROP); } @@ -492,25 +492,25 @@ ipq_rcv_skb(struct sk_buff *skb) pid = nlh->nlmsg_pid; flags = nlh->nlmsg_flags; - + if(pid <= 0 || !(flags & NLM_F_REQUEST) || flags & NLM_F_MULTI) RCV_SKB_FAIL(-EINVAL); - + if (flags & MSG_TRUNC) RCV_SKB_FAIL(-ECOMM); - + type = nlh->nlmsg_type; if (type < NLMSG_NOOP || type >= IPQM_MAX) RCV_SKB_FAIL(-EINVAL); - + if (type <= IPQM_BASE) return; - + if (security_netlink_recv(skb, CAP_NET_ADMIN)) - RCV_SKB_FAIL(-EPERM); + RCV_SKB_FAIL(-EPERM); write_lock_bh(&queue_lock); - + if (peer_pid) { if (peer_pid != pid) { write_unlock_bh(&queue_lock); @@ -520,17 +520,17 @@ ipq_rcv_skb(struct sk_buff *skb) net_enable_timestamp(); peer_pid = pid; } - + write_unlock_bh(&queue_lock); - + status = ipq_receive_peer(NLMSG_DATA(nlh), type, - nlmsglen - NLMSG_LENGTH(0)); + nlmsglen - NLMSG_LENGTH(0)); if (status < 0) RCV_SKB_FAIL(status); - + if (flags & NLM_F_ACK) netlink_ack(skb, nlh, 0); - return; + return; } static void @@ -540,19 +540,19 @@ ipq_rcv_sk(struct sock *sk, int len) unsigned int qlen; mutex_lock(&ipqnl_mutex); - + for (qlen = skb_queue_len(&sk->sk_receive_queue); qlen; qlen--) { skb = skb_dequeue(&sk->sk_receive_queue); ipq_rcv_skb(skb); kfree_skb(skb); } - + mutex_unlock(&ipqnl_mutex); } static int ipq_rcv_dev_event(struct notifier_block *this, - unsigned long event, void *ptr) + unsigned long event, void *ptr) { struct net_device *dev = ptr; @@ -568,7 +568,7 @@ static struct notifier_block ipq_dev_notifier = { static int ipq_rcv_nl_event(struct notifier_block *this, - unsigned long event, void *ptr) + unsigned long event, void *ptr) { struct netlink_notify *n = ptr; @@ -597,7 +597,7 @@ static ctl_table ipq_table[] = { .mode = 0644, .proc_handler = proc_dointvec }, - { .ctl_name = 0 } + { .ctl_name = 0 } }; static ctl_table ipq_dir_table[] = { @@ -627,25 +627,25 @@ ipq_get_info(char *buffer, char **start, off_t offset, int length) int len; read_lock_bh(&queue_lock); - + len = sprintf(buffer, - "Peer PID : %d\n" - "Copy mode : %hu\n" - "Copy range : %u\n" - "Queue length : %u\n" - "Queue max. length : %u\n" + "Peer PID : %d\n" + "Copy mode : %hu\n" + "Copy range : %u\n" + "Queue length : %u\n" + "Queue max. length : %u\n" "Queue dropped : %u\n" "Netfilter dropped : %u\n", - peer_pid, - copy_mode, - copy_range, - queue_total, - queue_maxlen, + peer_pid, + copy_mode, + copy_range, + queue_total, + queue_maxlen, queue_dropped, queue_user_dropped); read_unlock_bh(&queue_lock); - + *start = buffer + offset; len -= offset; if (len > length) @@ -665,10 +665,10 @@ static int __init ip6_queue_init(void) { int status = -ENOMEM; struct proc_dir_entry *proc; - + netlink_register_notifier(&ipq_nl_notifier); ipqnl = netlink_kernel_create(NETLINK_IP6_FW, 0, ipq_rcv_sk, - THIS_MODULE); + THIS_MODULE); if (ipqnl == NULL) { printk(KERN_ERR "ip6_queue: failed to create netlink socket\n"); goto cleanup_netlink_notifier; @@ -681,10 +681,10 @@ static int __init ip6_queue_init(void) printk(KERN_ERR "ip6_queue: failed to create proc entry\n"); goto cleanup_ipqnl; } - + register_netdevice_notifier(&ipq_dev_notifier); ipq_sysctl_header = register_sysctl_table(ipq_root_table, 0); - + status = nf_register_queue_handler(PF_INET6, &nfqh); if (status < 0) { printk(KERN_ERR "ip6_queue: failed to register queue handler\n"); @@ -696,12 +696,12 @@ cleanup_sysctl: unregister_sysctl_table(ipq_sysctl_header); unregister_netdevice_notifier(&ipq_dev_notifier); proc_net_remove(IPQ_PROC_FS_NAME); - + cleanup_ipqnl: sock_release(ipqnl->sk_socket); mutex_lock(&ipqnl_mutex); mutex_unlock(&ipqnl_mutex); - + cleanup_netlink_notifier: netlink_unregister_notifier(&ipq_nl_notifier); return status; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 99502c5da4c..7c512e13f95 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -92,16 +92,16 @@ do { \ #endif /* Check for an extension */ -int +int ip6t_ext_hdr(u8 nexthdr) { - return ( (nexthdr == IPPROTO_HOPOPTS) || - (nexthdr == IPPROTO_ROUTING) || - (nexthdr == IPPROTO_FRAGMENT) || - (nexthdr == IPPROTO_ESP) || - (nexthdr == IPPROTO_AH) || - (nexthdr == IPPROTO_NONE) || - (nexthdr == IPPROTO_DSTOPTS) ); + return ( (nexthdr == IPPROTO_HOPOPTS) || + (nexthdr == IPPROTO_ROUTING) || + (nexthdr == IPPROTO_FRAGMENT) || + (nexthdr == IPPROTO_ESP) || + (nexthdr == IPPROTO_AH) || + (nexthdr == IPPROTO_NONE) || + (nexthdr == IPPROTO_DSTOPTS) ); } /* Returns whether matches rule or not. */ @@ -120,9 +120,9 @@ ip6_packet_match(const struct sk_buff *skb, #define FWINV(bool,invflg) ((bool) ^ !!(ip6info->invflags & invflg)) if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk, - &ip6info->src), IP6T_INV_SRCIP) + &ip6info->src), IP6T_INV_SRCIP) || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk, - &ip6info->dst), IP6T_INV_DSTIP)) { + &ip6info->dst), IP6T_INV_DSTIP)) { dprintf("Source or dest mismatch.\n"); /* dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr, @@ -177,7 +177,7 @@ ip6_packet_match(const struct sk_buff *skb, *fragoff = _frag_off; dprintf("Packet protocol %hi ?= %s%hi.\n", - protohdr, + protohdr, ip6info->invflags & IP6T_INV_PROTO ? "!":"", ip6info->proto); @@ -197,7 +197,7 @@ ip6_packet_match(const struct sk_buff *skb, } /* should be ip6 safe */ -static inline int +static inline int ip6_checkentry(const struct ip6t_ip6 *ipv6) { if (ipv6->flags & ~IP6T_F_MASK) { @@ -337,7 +337,7 @@ ip6t_do_table(struct sk_buff **pskb, e = get_entry(table_base, v); } else { /* Targets which reenter must return - abs. verdicts */ + abs. verdicts */ #ifdef CONFIG_NETFILTER_DEBUG ((struct ip6t_entry *)table_base)->comefrom = 0xeeeeeeec; @@ -530,14 +530,14 @@ check_match(struct ip6t_entry_match *m, unsigned int hookmask, unsigned int *i) { - struct ip6t_match *match; + struct xt_match *match; int ret; match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name, - m->u.user.revision), + m->u.user.revision), "ip6t_%s", m->u.user.name); if (IS_ERR(match) || !match) { - duprintf("check_match: `%s' not found\n", m->u.user.name); + duprintf("check_match: `%s' not found\n", m->u.user.name); return match ? PTR_ERR(match) : -ENOENT; } m->u.kernel.match = match; @@ -564,14 +564,14 @@ err: return ret; } -static struct ip6t_target ip6t_standard_target; +static struct xt_target ip6t_standard_target; static inline int check_entry(struct ip6t_entry *e, const char *name, unsigned int size, unsigned int *i) { struct ip6t_entry_target *t; - struct ip6t_target *target; + struct xt_target *target; int ret; unsigned int j; @@ -661,7 +661,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, } /* FIXME: underflows must be unconditional, standard verdicts - < 0 (not IP6T_RETURN). --RR */ + < 0 (not IP6T_RETURN). --RR */ /* Clear counters and comefrom */ e->counters = ((struct xt_counters) { 0, 0 }); @@ -1003,8 +1003,8 @@ do_replace(void __user *user, unsigned int len) /* Update module usage count based on number of rules */ duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", oldinfo->number, oldinfo->initial_entries, newinfo->number); - if ((oldinfo->number > oldinfo->initial_entries) || - (newinfo->number <= oldinfo->initial_entries)) + if ((oldinfo->number > oldinfo->initial_entries) || + (newinfo->number <= oldinfo->initial_entries)) module_put(t->me); if ((oldinfo->number > oldinfo->initial_entries) && (newinfo->number <= oldinfo->initial_entries)) @@ -1348,13 +1348,13 @@ icmp6_checkentry(const char *tablename, } /* The built-in targets: standard (NULL) and error. */ -static struct ip6t_target ip6t_standard_target = { +static struct xt_target ip6t_standard_target = { .name = IP6T_STANDARD_TARGET, .targetsize = sizeof(int), .family = AF_INET6, }; -static struct ip6t_target ip6t_error_target = { +static struct xt_target ip6t_error_target = { .name = IP6T_ERROR_TARGET, .target = ip6t_error, .targetsize = IP6T_FUNCTION_MAXNAMELEN, @@ -1371,7 +1371,7 @@ static struct nf_sockopt_ops ip6t_sockopts = { .get = do_ip6t_get_ctl, }; -static struct ip6t_match icmp6_matchstruct = { +static struct xt_match icmp6_matchstruct = { .name = "icmp6", .match = &icmp6_match, .matchsize = sizeof(struct ip6t_icmp), @@ -1492,9 +1492,9 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, } hdrlen = 8; } else if (nexthdr == NEXTHDR_AUTH) - hdrlen = (hp->hdrlen + 2) << 2; + hdrlen = (hp->hdrlen + 2) << 2; else - hdrlen = ipv6_optlen(hp); + hdrlen = ipv6_optlen(hp); nexthdr = hp->nexthdr; len -= hdrlen; diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c index 435750f664d..ccbab66277e 100644 --- a/net/ipv6/netfilter/ip6t_HL.c +++ b/net/ipv6/netfilter/ip6t_HL.c @@ -1,4 +1,4 @@ -/* +/* * Hop Limit modification target for ip6tables * Maciej Soltysiak <solt@dns.toxicfilms.tv> * Based on HW's TTL module @@ -9,15 +9,16 @@ #include <linux/module.h> #include <linux/skbuff.h> #include <linux/ip.h> +#include <linux/ipv6.h> -#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6t_HL.h> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>"); -MODULE_DESCRIPTION("IP tables Hop Limit modification module"); +MODULE_DESCRIPTION("IP6 tables Hop Limit modification module"); MODULE_LICENSE("GPL"); -static unsigned int ip6t_hl_target(struct sk_buff **pskb, +static unsigned int ip6t_hl_target(struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, @@ -52,10 +53,9 @@ static unsigned int ip6t_hl_target(struct sk_buff **pskb, break; } - if (new_hl != ip6h->hop_limit) - ip6h->hop_limit = new_hl; + ip6h->hop_limit = new_hl; - return IP6T_CONTINUE; + return XT_CONTINUE; } static int ip6t_hl_checkentry(const char *tablename, @@ -67,7 +67,7 @@ static int ip6t_hl_checkentry(const char *tablename, struct ip6t_HL_info *info = targinfo; if (info->mode > IP6T_HL_MAXMODE) { - printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", + printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", info->mode); return 0; } @@ -79,23 +79,24 @@ static int ip6t_hl_checkentry(const char *tablename, return 1; } -static struct ip6t_target ip6t_HL = { - .name = "HL", - .target = ip6t_hl_target, +static struct xt_target ip6t_HL = { + .name = "HL", + .family = AF_INET6, + .target = ip6t_hl_target, .targetsize = sizeof(struct ip6t_HL_info), .table = "mangle", - .checkentry = ip6t_hl_checkentry, + .checkentry = ip6t_hl_checkentry, .me = THIS_MODULE }; static int __init ip6t_hl_init(void) { - return ip6t_register_target(&ip6t_HL); + return xt_register_target(&ip6t_HL); } static void __exit ip6t_hl_fini(void) { - ip6t_unregister_target(&ip6t_HL); + xt_unregister_target(&ip6t_HL); } module_init(ip6t_hl_init); diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index 33b1faa90d7..afaa039d0b7 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c @@ -21,6 +21,7 @@ #include <net/tcp.h> #include <net/ipv6.h> #include <linux/netfilter.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>"); @@ -144,7 +145,7 @@ static void dump_packet(const struct nf_loginfo *info, &_ahdr); if (ah == NULL) { /* - * Max length: 26 "INCOMPLETE [65535 + * Max length: 26 "INCOMPLETE [65535 * bytes] )" */ printk("INCOMPLETE [%u bytes] )", @@ -386,7 +387,7 @@ ip6t_log_packet(unsigned int pf, loginfo = &default_loginfo; spin_lock_bh(&log_lock); - printk("<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, + printk("<%d>%sIN=%s OUT=%s ", loginfo->u.log.level, prefix, in ? in->name : "", out ? out->name : ""); @@ -441,8 +442,8 @@ ip6t_log_target(struct sk_buff **pskb, li.u.log.logflags = loginfo->logflags; ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li, - loginfo->prefix); - return IP6T_CONTINUE; + loginfo->prefix); + return XT_CONTINUE; } @@ -466,11 +467,12 @@ static int ip6t_log_checkentry(const char *tablename, return 1; } -static struct ip6t_target ip6t_log_reg = { +static struct xt_target ip6t_log_reg = { .name = "LOG", - .target = ip6t_log_target, + .family = AF_INET6, + .target = ip6t_log_target, .targetsize = sizeof(struct ip6t_log_info), - .checkentry = ip6t_log_checkentry, + .checkentry = ip6t_log_checkentry, .me = THIS_MODULE, }; @@ -482,8 +484,11 @@ static struct nf_logger ip6t_logger = { static int __init ip6t_log_init(void) { - if (ip6t_register_target(&ip6t_log_reg)) - return -EINVAL; + int ret; + + ret = xt_register_target(&ip6t_log_reg); + if (ret < 0) + return ret; if (nf_log_register(PF_INET6, &ip6t_logger) < 0) { printk(KERN_WARNING "ip6t_LOG: not logging via system console " "since somebody else already registered for PF_INET6\n"); @@ -496,8 +501,8 @@ static int __init ip6t_log_init(void) static void __exit ip6t_log_fini(void) { - nf_log_unregister_logger(&ip6t_logger); - ip6t_unregister_target(&ip6t_log_reg); + nf_log_unregister(&ip6t_logger); + xt_unregister_target(&ip6t_log_reg); } module_init(ip6t_log_init); diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 311eae82feb..6abee94c929 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -26,6 +26,7 @@ #include <net/ip6_fib.h> #include <net/ip6_route.h> #include <net/flow.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_REJECT.h> @@ -188,23 +189,23 @@ static unsigned int reject6_target(struct sk_buff **pskb, /* WARNING: This code causes reentry within ip6tables. This means that the ip6tables jump stack is now crap. We must return an absolute verdict. --RR */ - switch (reject->with) { - case IP6T_ICMP6_NO_ROUTE: - send_unreach(*pskb, ICMPV6_NOROUTE, hooknum); - break; - case IP6T_ICMP6_ADM_PROHIBITED: - send_unreach(*pskb, ICMPV6_ADM_PROHIBITED, hooknum); - break; - case IP6T_ICMP6_NOT_NEIGHBOUR: - send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR, hooknum); - break; - case IP6T_ICMP6_ADDR_UNREACH: - send_unreach(*pskb, ICMPV6_ADDR_UNREACH, hooknum); - break; - case IP6T_ICMP6_PORT_UNREACH: - send_unreach(*pskb, ICMPV6_PORT_UNREACH, hooknum); - break; - case IP6T_ICMP6_ECHOREPLY: + switch (reject->with) { + case IP6T_ICMP6_NO_ROUTE: + send_unreach(*pskb, ICMPV6_NOROUTE, hooknum); + break; + case IP6T_ICMP6_ADM_PROHIBITED: + send_unreach(*pskb, ICMPV6_ADM_PROHIBITED, hooknum); + break; + case IP6T_ICMP6_NOT_NEIGHBOUR: + send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR, hooknum); + break; + case IP6T_ICMP6_ADDR_UNREACH: + send_unreach(*pskb, ICMPV6_ADDR_UNREACH, hooknum); + break; + case IP6T_ICMP6_PORT_UNREACH: + send_unreach(*pskb, ICMPV6_PORT_UNREACH, hooknum); + break; + case IP6T_ICMP6_ECHOREPLY: /* Do nothing */ break; case IP6T_TCP_RESET: @@ -225,7 +226,7 @@ static int check(const char *tablename, void *targinfo, unsigned int hook_mask) { - const struct ip6t_reject_info *rejinfo = targinfo; + const struct ip6t_reject_info *rejinfo = targinfo; const struct ip6t_entry *e = entry; if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { @@ -234,7 +235,7 @@ static int check(const char *tablename, } else if (rejinfo->with == IP6T_TCP_RESET) { /* Must specify that it's a TCP packet */ if (e->ipv6.proto != IPPROTO_TCP - || (e->ipv6.invflags & IP6T_INV_PROTO)) { + || (e->ipv6.invflags & XT_INV_PROTO)) { DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n"); return 0; } @@ -242,8 +243,9 @@ static int check(const char *tablename, return 1; } -static struct ip6t_target ip6t_reject_reg = { +static struct xt_target ip6t_reject_reg = { .name = "REJECT", + .family = AF_INET6, .target = reject6_target, .targetsize = sizeof(struct ip6t_reject_info), .table = "filter", @@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_reg = { static int __init ip6t_reject_init(void) { - return ip6t_register_target(&ip6t_reject_reg); + return xt_register_target(&ip6t_reject_reg); } static void __exit ip6t_reject_fini(void) { - ip6t_unregister_target(&ip6t_reject_reg); + xt_unregister_target(&ip6t_reject_reg); } module_init(ip6t_reject_init); diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c index 46486645eb7..d3c154371b4 100644 --- a/net/ipv6/netfilter/ip6t_ah.c +++ b/net/ipv6/netfilter/ip6t_ah.c @@ -15,6 +15,7 @@ #include <net/checksum.h> #include <net/ipv6.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_ah.h> @@ -77,13 +78,13 @@ match(const struct sk_buff *skb, DEBUGP("IPv6 AH spi %02X ", (spi_match(ahinfo->spis[0], ahinfo->spis[1], - ntohl(ah->spi), - !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); + ntohl(ah->spi), + !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); DEBUGP("len %02X %04X %02X ", ahinfo->hdrlen, hdrlen, (!ahinfo->hdrlen || - (ahinfo->hdrlen == hdrlen) ^ - !!(ahinfo->invflags & IP6T_AH_INV_LEN))); + (ahinfo->hdrlen == hdrlen) ^ + !!(ahinfo->invflags & IP6T_AH_INV_LEN))); DEBUGP("res %02X %04X %02X\n", ahinfo->hdrres, ah->reserved, !(ahinfo->hdrres && ah->reserved)); @@ -91,12 +92,12 @@ match(const struct sk_buff *skb, return (ah != NULL) && (spi_match(ahinfo->spis[0], ahinfo->spis[1], - ntohl(ah->spi), - !!(ahinfo->invflags & IP6T_AH_INV_SPI))) + ntohl(ah->spi), + !!(ahinfo->invflags & IP6T_AH_INV_SPI))) && (!ahinfo->hdrlen || - (ahinfo->hdrlen == hdrlen) ^ - !!(ahinfo->invflags & IP6T_AH_INV_LEN)) + (ahinfo->hdrlen == hdrlen) ^ + !!(ahinfo->invflags & IP6T_AH_INV_LEN)) && !(ahinfo->hdrres && ah->reserved); } @@ -104,10 +105,10 @@ match(const struct sk_buff *skb, /* Called when user tries to insert an entry of this type. */ static int checkentry(const char *tablename, - const void *entry, + const void *entry, const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) + void *matchinfo, + unsigned int hook_mask) { const struct ip6t_ah *ahinfo = matchinfo; @@ -118,8 +119,9 @@ checkentry(const char *tablename, return 1; } -static struct ip6t_match ah_match = { +static struct xt_match ah_match = { .name = "ah", + .family = AF_INET6, .match = match, .matchsize = sizeof(struct ip6t_ah), .checkentry = checkentry, @@ -128,12 +130,12 @@ static struct ip6t_match ah_match = { static int __init ip6t_ah_init(void) { - return ip6t_register_match(&ah_match); + return xt_register_match(&ah_match); } static void __exit ip6t_ah_fini(void) { - ip6t_unregister_match(&ah_match); + xt_unregister_match(&ah_match); } module_init(ip6t_ah_init); diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index 4f6b84c8f4a..967bed71d4a 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c @@ -12,6 +12,7 @@ #include <linux/ipv6.h> #include <linux/if_ether.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> MODULE_DESCRIPTION("IPv6 EUI64 address checking match"); @@ -61,8 +62,9 @@ match(const struct sk_buff *skb, return 0; } -static struct ip6t_match eui64_match = { +static struct xt_match eui64_match = { .name = "eui64", + .family = AF_INET6, .match = match, .matchsize = sizeof(int), .hooks = (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) | @@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = { static int __init ip6t_eui64_init(void) { - return ip6t_register_match(&eui64_match); + return xt_register_match(&eui64_match); } static void __exit ip6t_eui64_fini(void) { - ip6t_unregister_match(&eui64_match); + xt_unregister_match(&eui64_match); } module_init(ip6t_eui64_init); diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c index cd22eaaccdc..5a5da71321b 100644 --- a/net/ipv6/netfilter/ip6t_frag.c +++ b/net/ipv6/netfilter/ip6t_frag.c @@ -14,6 +14,7 @@ #include <net/checksum.h> #include <net/ipv6.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_frag.h> @@ -135,8 +136,9 @@ checkentry(const char *tablename, return 1; } -static struct ip6t_match frag_match = { +static struct xt_match frag_match = { .name = "frag", + .family = AF_INET6, .match = match, .matchsize = sizeof(struct ip6t_frag), .checkentry = checkentry, @@ -145,12 +147,12 @@ static struct ip6t_match frag_match = { static int __init ip6t_frag_init(void) { - return ip6t_register_match(&frag_match); + return xt_register_match(&frag_match); } static void __exit ip6t_frag_fini(void) { - ip6t_unregister_match(&frag_match); + xt_unregister_match(&frag_match); } module_init(ip6t_frag_init); diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c index 3f25babe044..d2373c7cd35 100644 --- a/net/ipv6/netfilter/ip6t_hbh.c +++ b/net/ipv6/netfilter/ip6t_hbh.c @@ -16,6 +16,7 @@ #include <asm/byteorder.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_opts.h> diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c index 44a729e17c4..37c8a4d4ed7 100644 --- a/net/ipv6/netfilter/ip6t_hl.c +++ b/net/ipv6/netfilter/ip6t_hl.c @@ -8,11 +8,12 @@ * published by the Free Software Foundation. */ +#include <linux/ipv6.h> #include <linux/module.h> #include <linux/skbuff.h> #include <linux/netfilter_ipv6/ip6t_hl.h> -#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/x_tables.h> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>"); MODULE_DESCRIPTION("IP tables Hop Limit matching module"); @@ -40,7 +41,7 @@ static int match(const struct sk_buff *skb, return (ip6h->hop_limit > info->hop_limit); break; default: - printk(KERN_WARNING "ip6t_hl: unknown mode %d\n", + printk(KERN_WARNING "ip6t_hl: unknown mode %d\n", info->mode); return 0; } @@ -48,8 +49,9 @@ static int match(const struct sk_buff *skb, return 0; } -static struct ip6t_match hl_match = { +static struct xt_match hl_match = { .name = "hl", + .family = AF_INET6, .match = match, .matchsize = sizeof(struct ip6t_hl_info), .me = THIS_MODULE, @@ -57,13 +59,12 @@ static struct ip6t_match hl_match = { static int __init ip6t_hl_init(void) { - return ip6t_register_match(&hl_match); + return xt_register_match(&hl_match); } static void __exit ip6t_hl_fini(void) { - ip6t_unregister_match(&hl_match); - + xt_unregister_match(&hl_match); } module_init(ip6t_hl_init); diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c index 3093c398002..700a11d25de 100644 --- a/net/ipv6/netfilter/ip6t_ipv6header.c +++ b/net/ipv6/netfilter/ip6t_ipv6header.c @@ -1,7 +1,7 @@ /* ipv6header match - matches IPv6 packets based on whether they contain certain headers */ -/* Original idea: Brad Chapman +/* Original idea: Brad Chapman * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */ /* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu> @@ -18,6 +18,7 @@ #include <net/checksum.h> #include <net/ipv6.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_ipv6header.h> @@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablename, return 1; } -static struct ip6t_match ip6t_ipv6header_match = { +static struct xt_match ip6t_ipv6header_match = { .name = "ipv6header", + .family = AF_INET6, .match = &ipv6header_match, .matchsize = sizeof(struct ip6t_ipv6header_info), .checkentry = &ipv6header_checkentry, @@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header_match = { static int __init ipv6header_init(void) { - return ip6t_register_match(&ip6t_ipv6header_match); + return xt_register_match(&ip6t_ipv6header_match); } static void __exit ipv6header_exit(void) { - ip6t_unregister_match(&ip6t_ipv6header_match); + xt_unregister_match(&ip6t_ipv6header_match); } module_init(ipv6header_init); diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c new file mode 100644 index 00000000000..c2a909893a6 --- /dev/null +++ b/net/ipv6/netfilter/ip6t_mh.c @@ -0,0 +1,115 @@ +/* + * Copyright (C)2006 USAGI/WIDE Project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Author: + * Masahide NAKAMURA @USAGI <masahide.nakamura.cz@hitachi.com> + * + * Based on net/netfilter/xt_tcpudp.c + * + */ +#include <linux/types.h> +#include <linux/module.h> +#include <net/ip.h> +#include <linux/ipv6.h> +#include <net/ipv6.h> +#include <net/mip6.h> + +#include <linux/netfilter/x_tables.h> +#include <linux/netfilter_ipv6/ip6t_mh.h> + +MODULE_DESCRIPTION("ip6t_tables match for MH"); +MODULE_LICENSE("GPL"); + +#ifdef DEBUG_IP_FIREWALL_USER +#define duprintf(format, args...) printk(format , ## args) +#else +#define duprintf(format, args...) +#endif + +/* Returns 1 if the type is matched by the range, 0 otherwise */ +static inline int +type_match(u_int8_t min, u_int8_t max, u_int8_t type, int invert) +{ + int ret; + + ret = (type >= min && type <= max) ^ invert; + return ret; +} + +static int +match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + int *hotdrop) +{ + struct ip6_mh _mh, *mh; + const struct ip6t_mh *mhinfo = matchinfo; + + /* Must not be a fragment. */ + if (offset) + return 0; + + mh = skb_header_pointer(skb, protoff, sizeof(_mh), &_mh); + if (mh == NULL) { + /* We've been asked to examine this packet, and we + can't. Hence, no choice but to drop. */ + duprintf("Dropping evil MH tinygram.\n"); + *hotdrop = 1; + return 0; + } + + if (mh->ip6mh_proto != IPPROTO_NONE) { + duprintf("Dropping invalid MH Payload Proto: %u\n", + mh->ip6mh_proto); + *hotdrop = 1; + return 0; + } + + return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type, + !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); +} + +/* Called when user tries to insert an entry of this type. */ +static int +mh_checkentry(const char *tablename, + const void *entry, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) +{ + const struct ip6t_mh *mhinfo = matchinfo; + + /* Must specify no unknown invflags */ + return !(mhinfo->invflags & ~IP6T_MH_INV_MASK); +} + +static struct xt_match mh_match = { + .name = "mh", + .family = AF_INET6, + .checkentry = mh_checkentry, + .match = match, + .matchsize = sizeof(struct ip6t_mh), + .proto = IPPROTO_MH, + .me = THIS_MODULE, +}; + +static int __init ip6t_mh_init(void) +{ + return xt_register_match(&mh_match); +} + +static void __exit ip6t_mh_fini(void) +{ + xt_unregister_match(&mh_match); +} + +module_init(ip6t_mh_init); +module_exit(ip6t_mh_fini); diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c index 4eb9bbc4ebc..43738bba00b 100644 --- a/net/ipv6/netfilter/ip6t_owner.c +++ b/net/ipv6/netfilter/ip6t_owner.c @@ -16,6 +16,7 @@ #include <linux/netfilter_ipv6/ip6t_owner.h> #include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/x_tables.h> MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); MODULE_DESCRIPTION("IP6 tables owner matching module"); @@ -69,8 +70,9 @@ checkentry(const char *tablename, return 1; } -static struct ip6t_match owner_match = { +static struct xt_match owner_match = { .name = "owner", + .family = AF_INET6, .match = match, .matchsize = sizeof(struct ip6t_owner_info), .hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING), @@ -80,12 +82,12 @@ static struct ip6t_match owner_match = { static int __init ip6t_owner_init(void) { - return ip6t_register_match(&owner_match); + return xt_register_match(&owner_match); } static void __exit ip6t_owner_fini(void) { - ip6t_unregister_match(&owner_match); + xt_unregister_match(&owner_match); } module_init(ip6t_owner_init); diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c index 54d7d14134f..81ab00d8c18 100644 --- a/net/ipv6/netfilter/ip6t_rt.c +++ b/net/ipv6/netfilter/ip6t_rt.c @@ -16,6 +16,7 @@ #include <asm/byteorder.h> +#include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <linux/netfilter_ipv6/ip6t_rt.h> @@ -221,8 +222,9 @@ checkentry(const char *tablename, return 1; } -static struct ip6t_match rt_match = { +static struct xt_match rt_match = { .name = "rt", + .family = AF_INET6, .match = match, .matchsize = sizeof(struct ip6t_rt), .checkentry = checkentry, @@ -231,12 +233,12 @@ static struct ip6t_match rt_match = { static int __init ip6t_rt_init(void) { - return ip6t_register_match(&rt_match); + return xt_register_match(&rt_match); } static void __exit ip6t_rt_fini(void) { - ip6t_unregister_match(&rt_match); + xt_unregister_match(&rt_match); } module_init(ip6t_rt_init); diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index 2fc07c74dec..112a21d0c6d 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c @@ -19,25 +19,6 @@ MODULE_DESCRIPTION("ip6tables filter table"); #define FILTER_VALID_HOOKS ((1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) | (1 << NF_IP6_LOCAL_OUT)) -/* Standard entry. */ -struct ip6t_standard -{ - struct ip6t_entry entry; - struct ip6t_standard_target target; -}; - -struct ip6t_error_target -{ - struct ip6t_entry_target target; - char errorname[IP6T_FUNCTION_MAXNAMELEN]; -}; - -struct ip6t_error -{ - struct ip6t_entry entry; - struct ip6t_error_target target; -}; - static struct { struct ip6t_replace repl; @@ -92,7 +73,7 @@ static struct } }; -static struct ip6t_table packet_filter = { +static struct xt_table packet_filter = { .name = "filter", .valid_hooks = FILTER_VALID_HOOKS, .lock = RW_LOCK_UNLOCKED, diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 6250e86a6dd..0c468d35a93 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c @@ -29,25 +29,6 @@ MODULE_DESCRIPTION("ip6tables mangle table"); #define DEBUGP(x, args...) #endif -/* Standard entry. */ -struct ip6t_standard -{ - struct ip6t_entry entry; - struct ip6t_standard_target target; -}; - -struct ip6t_error_target -{ - struct ip6t_entry_target target; - char errorname[IP6T_FUNCTION_MAXNAMELEN]; -}; - -struct ip6t_error -{ - struct ip6t_entry entry; - struct ip6t_error_target target; -}; - static struct { struct ip6t_replace repl; @@ -69,7 +50,7 @@ static struct 0, NULL, { } }, { /* PRE_ROUTING */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), sizeof(struct ip6t_standard), @@ -77,7 +58,7 @@ static struct { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, -NF_ACCEPT - 1 } }, /* LOCAL_IN */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), sizeof(struct ip6t_standard), @@ -85,7 +66,7 @@ static struct { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, -NF_ACCEPT - 1 } }, /* FORWARD */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), sizeof(struct ip6t_standard), @@ -93,7 +74,7 @@ static struct { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, -NF_ACCEPT - 1 } }, /* LOCAL_OUT */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), sizeof(struct ip6t_standard), @@ -122,7 +103,7 @@ static struct } }; -static struct ip6t_table packet_mangler = { +static struct xt_table packet_mangler = { .name = "mangle", .valid_hooks = MANGLE_VALID_HOOKS, .lock = RW_LOCK_UNLOCKED, @@ -175,7 +156,7 @@ ip6t_local_hook(unsigned int hook, ret = ip6t_do_table(pskb, hook, in, out, &packet_mangler); - if (ret != NF_DROP && ret != NF_STOLEN + if (ret != NF_DROP && ret != NF_STOLEN && (memcmp(&(*pskb)->nh.ipv6h->saddr, &saddr, sizeof(saddr)) || memcmp(&(*pskb)->nh.ipv6h->daddr, &daddr, sizeof(daddr)) || (*pskb)->mark != mark diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index b4154da575c..a3eb5b8ce18 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c @@ -14,25 +14,6 @@ #define DEBUGP(x, args...) #endif -/* Standard entry. */ -struct ip6t_standard -{ - struct ip6t_entry entry; - struct ip6t_standard_target target; -}; - -struct ip6t_error_target -{ - struct ip6t_entry_target target; - char errorname[IP6T_FUNCTION_MAXNAMELEN]; -}; - -struct ip6t_error -{ - struct ip6t_entry entry; - struct ip6t_error_target target; -}; - static struct { struct ip6t_replace repl; @@ -106,10 +87,10 @@ static struct } }; -static struct xt_table packet_raw = { - .name = "raw", - .valid_hooks = RAW_VALID_HOOKS, - .lock = RW_LOCK_UNLOCKED, +static struct xt_table packet_raw = { + .name = "raw", + .valid_hooks = RAW_VALID_HOOKS, + .lock = RW_LOCK_UNLOCKED, .me = THIS_MODULE, .af = AF_INET6, }; @@ -125,17 +106,17 @@ ip6t_hook(unsigned int hook, return ip6t_do_table(pskb, hook, in, out, &packet_raw); } -static struct nf_hook_ops ip6t_ops[] = { +static struct nf_hook_ops ip6t_ops[] = { { - .hook = ip6t_hook, + .hook = ip6t_hook, .pf = PF_INET6, .hooknum = NF_IP6_PRE_ROUTING, .priority = NF_IP6_PRI_FIRST, .owner = THIS_MODULE, }, { - .hook = ip6t_hook, - .pf = PF_INET6, + .hook = ip6t_hook, + .pf = PF_INET6, .hooknum = NF_IP6_LOCAL_OUT, .priority = NF_IP6_PRI_FIRST, .owner = THIS_MODULE, diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index a20615ffccf..4b7be4bb4d0 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c @@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff, */ if ((protoff < 0) || (protoff > (*pskb)->len)) { DEBUGP("ip6_conntrack_core: can't find proto in pkt\n"); - NF_CT_STAT_INC(error); - NF_CT_STAT_INC(invalid); + NF_CT_STAT_INC_ATOMIC(error); + NF_CT_STAT_INC_ATOMIC(invalid); return -NF_ACCEPT; } @@ -349,7 +349,7 @@ static ctl_table nf_ct_ipv6_sysctl_table[] = { .mode = 0644, .proc_handler = &proc_dointvec, }, - { .ctl_name = 0 } + { .ctl_name = 0 } }; #endif @@ -386,7 +386,7 @@ static int ipv6_nfattr_to_tuple(struct nfattr *tb[], if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip)) return -EINVAL; - memcpy(&t->src.u3.ip6, NFA_DATA(tb[CTA_IP_V6_SRC-1]), + memcpy(&t->src.u3.ip6, NFA_DATA(tb[CTA_IP_V6_SRC-1]), sizeof(u_int32_t) * 4); memcpy(&t->dst.u3.ip6, NFA_DATA(tb[CTA_IP_V6_DST-1]), sizeof(u_int32_t) * 4); diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index 3905cacc69a..19bdb7cb8ff 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c @@ -104,9 +104,9 @@ static int icmpv6_packet(struct nf_conn *ct, unsigned int hooknum) { /* Try to delete connection immediately after all replies: - won't actually vanish as we still have skb, and del_timer - means this will only run once even if count hits zero twice - (theoretically possible with SMP) */ + won't actually vanish as we still have skb, and del_timer + means this will only run once even if count hits zero twice + (theoretically possible with SMP) */ if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) { if (atomic_dec_and_test(&ct->proto.icmp.count) && del_timer(&ct->timeout)) @@ -182,6 +182,7 @@ icmpv6_error_message(struct sk_buff *skb, return -NF_ACCEPT; } + /* rcu_read_lock()ed by nf_hook_slow */ inproto = __nf_ct_l4proto_find(PF_INET6, inprotonum); /* Are they talking about one of our connections? */ diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index d9c15402ba6..15ab1e3e8b5 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -311,7 +311,7 @@ static struct nf_ct_frag6_queue *nf_ct_frag6_intern(unsigned int hash, write_lock(&nf_ct_frag6_lock); #ifdef CONFIG_SMP hlist_for_each_entry(fq, n, &nf_ct_frag6_hash[hash], list) { - if (fq->id == fq_in->id && + if (fq->id == fq_in->id && ipv6_addr_equal(&fq_in->saddr, &fq->saddr) && ipv6_addr_equal(&fq_in->daddr, &fq->daddr)) { atomic_inc(&fq->refcnt); @@ -374,7 +374,7 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst) read_lock(&nf_ct_frag6_lock); hlist_for_each_entry(fq, n, &nf_ct_frag6_hash[hash], list) { - if (fq->id == id && + if (fq->id == id && ipv6_addr_equal(src, &fq->saddr) && ipv6_addr_equal(dst, &fq->daddr)) { atomic_inc(&fq->refcnt); @@ -388,7 +388,7 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst) } -static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb, +static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb, struct frag_hdr *fhdr, int nhoff) { struct sk_buff *prev, *next; @@ -405,12 +405,12 @@ static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb, if ((unsigned int)end > IPV6_MAXPLEN) { DEBUGP("offset is too large.\n"); - return -1; + return -1; } - if (skb->ip_summed == CHECKSUM_COMPLETE) - skb->csum = csum_sub(skb->csum, - csum_partial(skb->nh.raw, + if (skb->ip_summed == CHECKSUM_COMPLETE) + skb->csum = csum_sub(skb->csum, + csum_partial(skb->nh.raw, (u8*)(fhdr + 1) - skb->nh.raw, 0)); @@ -625,7 +625,7 @@ nf_ct_frag6_reasm(struct nf_ct_frag6_queue *fq, struct net_device *dev) /* We have to remove fragment header from datagram and to relocate * header in order to calculate ICV correctly. */ head->nh.raw[fq->nhoffset] = head->h.raw[0]; - memmove(head->head + sizeof(struct frag_hdr), head->head, + memmove(head->head + sizeof(struct frag_hdr), head->head, (head->data - head->head) - sizeof(struct frag_hdr)); head->mac.raw += sizeof(struct frag_hdr); head->nh.raw += sizeof(struct frag_hdr); @@ -701,41 +701,41 @@ out_fail: static int find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff) { - u8 nexthdr = skb->nh.ipv6h->nexthdr; + u8 nexthdr = skb->nh.ipv6h->nexthdr; u8 prev_nhoff = (u8 *)&skb->nh.ipv6h->nexthdr - skb->data; int start = (u8 *)(skb->nh.ipv6h+1) - skb->data; int len = skb->len - start; u8 prevhdr = NEXTHDR_IPV6; - while (nexthdr != NEXTHDR_FRAGMENT) { - struct ipv6_opt_hdr hdr; - int hdrlen; + while (nexthdr != NEXTHDR_FRAGMENT) { + struct ipv6_opt_hdr hdr; + int hdrlen; if (!ipv6_ext_hdr(nexthdr)) { return -1; } - if (len < (int)sizeof(struct ipv6_opt_hdr)) { + if (len < (int)sizeof(struct ipv6_opt_hdr)) { DEBUGP("too short\n"); return -1; } - if (nexthdr == NEXTHDR_NONE) { + if (nexthdr == NEXTHDR_NONE) { DEBUGP("next header is none\n"); return -1; } - if (skb_copy_bits(skb, start, &hdr, sizeof(hdr))) - BUG(); - if (nexthdr == NEXTHDR_AUTH) - hdrlen = (hdr.hdrlen+2)<<2; - else - hdrlen = ipv6_optlen(&hdr); + if (skb_copy_bits(skb, start, &hdr, sizeof(hdr))) + BUG(); + if (nexthdr == NEXTHDR_AUTH) + hdrlen = (hdr.hdrlen+2)<<2; + else + hdrlen = ipv6_optlen(&hdr); prevhdr = nexthdr; prev_nhoff = start; - nexthdr = hdr.nexthdr; - len -= hdrlen; - start += hdrlen; - } + nexthdr = hdr.nexthdr; + len -= hdrlen; + start += hdrlen; + } if (len < 0) return -1; @@ -749,7 +749,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff) struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb) { - struct sk_buff *clone; + struct sk_buff *clone; struct net_device *dev = skb->dev; struct frag_hdr *fhdr; struct nf_ct_frag6_queue *fq; |