mirror of
https://github.com/torvalds/linux.git
synced 2024-12-27 05:11:48 +00:00
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next The following patchset contains Netfilter/IPVS updates for your net-next tree. Basically, a new extension for ip6tables, simplification work of nf_tables that saves us 500 LoC, allow raw table registration before defragmentation, conversion of the SNMP helper to use the ASN.1 code generator, unique 64-bit handle for all nf_tables objects and fixes to address fallout from previous nf-next batch. More specifically, they are: 1) Seven patches to remove family abstraction layer (struct nft_af_info) in nf_tables, this simplifies our codebase and it saves us 64 bytes per net namespace. 2) Add IPv6 segment routing header matching for ip6tables, from Ahmed Abdelsalam. 3) Allow to register iptable_raw table before defragmentation, some people do not want to waste cycles on defragmenting traffic that is going to be dropped, hence add a new module parameter to enable this behaviour in iptables and ip6tables. From Subash Abhinov Kasiviswanathan. This patch needed a couple of follow up patches to get things tidy from Arnd Bergmann. 4) SNMP helper uses the ASN.1 code generator, from Taehee Yoo. Several patches for this helper to prepare this change are also part of this patch series. 5) Add 64-bit handles to uniquely objects in nf_tables, from Harsha Sharma. 6) Remove log message that several netfilter subsystems print at boot/load time. 7) Restore x_tables module autoloading, that got broken in a previous patch to allow singleton NAT hook callback registration per hook spot, from Florian Westphal. Moreover, return EBUSY to report that the singleton NAT hook slot is already in instead. 8) Several fixes for the new nf_tables flowtable representation, including incorrect error check after nf_tables_flowtable_lookup(), missing Kconfig dependencies that lead to build breakage and missing initialization of priority and hooknum in flowtable object. 9) Missing NETFILTER_FAMILY_ARP dependency in Kconfig for the clusterip target. This is due to recent updates in the core to shrink the hook array size and compile it out if no specific family is enabled via .config file. Patch from Florian Westphal. 10) Remove duplicated include header files, from Wei Yongjun. 11) Sparse warning fix for the NFPROTO_INET handling from the core due to missing static function definition, also from Wei Yongjun. 12) Restore ICMPv6 Parameter Problem error reporting when defragmentation fails, from Subash Abhinov Kasiviswanathan. 13) Remove obsolete owner field initialization from struct file_operations, patch from Alexey Dobriyan. 14) Use boolean datatype where needed in the Netfilter codebase, from Gustavo A. R. Silva. 15) Remove double semicolon in dynset nf_tables expression, from Luis de Bethencourt. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
cbcbeedbfd
@ -143,22 +143,22 @@ static inline void nft_data_debug(const struct nft_data *data)
|
||||
* struct nft_ctx - nf_tables rule/set context
|
||||
*
|
||||
* @net: net namespace
|
||||
* @afi: address family info
|
||||
* @table: the table the chain is contained in
|
||||
* @chain: the chain the rule is contained in
|
||||
* @nla: netlink attributes
|
||||
* @portid: netlink portID of the original message
|
||||
* @seq: netlink sequence number
|
||||
* @family: protocol family
|
||||
* @report: notify via unicast netlink message
|
||||
*/
|
||||
struct nft_ctx {
|
||||
struct net *net;
|
||||
struct nft_af_info *afi;
|
||||
struct nft_table *table;
|
||||
struct nft_chain *chain;
|
||||
const struct nlattr * const *nla;
|
||||
u32 portid;
|
||||
u32 seq;
|
||||
u8 family;
|
||||
bool report;
|
||||
};
|
||||
|
||||
@ -374,6 +374,7 @@ void nft_unregister_set(struct nft_set_type *type);
|
||||
* @list: table set list node
|
||||
* @bindings: list of set bindings
|
||||
* @name: name of the set
|
||||
* @handle: unique handle of the set
|
||||
* @ktype: key type (numeric type defined by userspace, not used in the kernel)
|
||||
* @dtype: data type (verdict or numeric type defined by userspace)
|
||||
* @objtype: object type (see NFT_OBJECT_* definitions)
|
||||
@ -396,6 +397,7 @@ struct nft_set {
|
||||
struct list_head list;
|
||||
struct list_head bindings;
|
||||
char *name;
|
||||
u64 handle;
|
||||
u32 ktype;
|
||||
u32 dtype;
|
||||
u32 objtype;
|
||||
@ -946,9 +948,11 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
|
||||
* @objects: stateful objects in the table
|
||||
* @flowtables: flow tables in the table
|
||||
* @hgenerator: handle generator state
|
||||
* @handle: table handle
|
||||
* @use: number of chain references to this table
|
||||
* @flags: table flag (see enum nft_table_flags)
|
||||
* @genmask: generation mask
|
||||
* @afinfo: address family info
|
||||
* @name: name of the table
|
||||
*/
|
||||
struct nft_table {
|
||||
@ -958,38 +962,14 @@ struct nft_table {
|
||||
struct list_head objects;
|
||||
struct list_head flowtables;
|
||||
u64 hgenerator;
|
||||
u64 handle;
|
||||
u32 use;
|
||||
u16 flags:14,
|
||||
u16 family:6,
|
||||
flags:8,
|
||||
genmask:2;
|
||||
char *name;
|
||||
};
|
||||
|
||||
enum nft_af_flags {
|
||||
NFT_AF_NEEDS_DEV = (1 << 0),
|
||||
};
|
||||
|
||||
/**
|
||||
* struct nft_af_info - nf_tables address family info
|
||||
*
|
||||
* @list: used internally
|
||||
* @family: address family
|
||||
* @nhooks: number of hooks in this family
|
||||
* @owner: module owner
|
||||
* @tables: used internally
|
||||
* @flags: family flags
|
||||
*/
|
||||
struct nft_af_info {
|
||||
struct list_head list;
|
||||
int family;
|
||||
unsigned int nhooks;
|
||||
struct module *owner;
|
||||
struct list_head tables;
|
||||
u32 flags;
|
||||
};
|
||||
|
||||
int nft_register_afinfo(struct net *, struct nft_af_info *);
|
||||
void nft_unregister_afinfo(struct net *, struct nft_af_info *);
|
||||
|
||||
int nft_register_chain_type(const struct nf_chain_type *);
|
||||
void nft_unregister_chain_type(const struct nf_chain_type *);
|
||||
|
||||
@ -1007,9 +987,9 @@ int nft_verdict_dump(struct sk_buff *skb, int type,
|
||||
* @name: name of this stateful object
|
||||
* @genmask: generation mask
|
||||
* @use: number of references to this stateful object
|
||||
* @data: object data, layout depends on type
|
||||
* @handle: unique object handle
|
||||
* @ops: object operations
|
||||
* @data: pointer to object data
|
||||
* @data: object data, layout depends on type
|
||||
*/
|
||||
struct nft_object {
|
||||
struct list_head list;
|
||||
@ -1017,6 +997,7 @@ struct nft_object {
|
||||
struct nft_table *table;
|
||||
u32 genmask:2,
|
||||
use:30;
|
||||
u64 handle;
|
||||
/* runtime data below here */
|
||||
const struct nft_object_ops *ops ____cacheline_aligned;
|
||||
unsigned char data[]
|
||||
@ -1098,6 +1079,7 @@ void nft_unregister_obj(struct nft_object_type *obj_type);
|
||||
* @ops_len: number of hooks in array
|
||||
* @genmask: generation mask
|
||||
* @use: number of references to this flow table
|
||||
* @handle: unique object handle
|
||||
* @data: rhashtable and garbage collector
|
||||
* @ops: array of hooks
|
||||
*/
|
||||
@ -1110,6 +1092,7 @@ struct nft_flowtable {
|
||||
int ops_len;
|
||||
u32 genmask:2,
|
||||
use:30;
|
||||
u64 handle;
|
||||
/* runtime data below here */
|
||||
struct nf_hook_ops *ops ____cacheline_aligned;
|
||||
struct nf_flowtable data;
|
||||
@ -1154,9 +1137,6 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
|
||||
|
||||
void nft_trace_notify(struct nft_traceinfo *info);
|
||||
|
||||
#define MODULE_ALIAS_NFT_FAMILY(family) \
|
||||
MODULE_ALIAS("nft-afinfo-" __stringify(family))
|
||||
|
||||
#define MODULE_ALIAS_NFT_CHAIN(family, name) \
|
||||
MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
|
||||
|
||||
|
@ -7,14 +7,8 @@
|
||||
struct nft_af_info;
|
||||
|
||||
struct netns_nftables {
|
||||
struct list_head af_info;
|
||||
struct list_head tables;
|
||||
struct list_head commit_list;
|
||||
struct nft_af_info *ipv4;
|
||||
struct nft_af_info *ipv6;
|
||||
struct nft_af_info *inet;
|
||||
struct nft_af_info *arp;
|
||||
struct nft_af_info *bridge;
|
||||
struct nft_af_info *netdev;
|
||||
unsigned int base_seq;
|
||||
u8 gencursor;
|
||||
};
|
||||
|
@ -174,6 +174,8 @@ enum nft_table_attributes {
|
||||
NFTA_TABLE_NAME,
|
||||
NFTA_TABLE_FLAGS,
|
||||
NFTA_TABLE_USE,
|
||||
NFTA_TABLE_HANDLE,
|
||||
NFTA_TABLE_PAD,
|
||||
__NFTA_TABLE_MAX
|
||||
};
|
||||
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
|
||||
@ -317,6 +319,7 @@ enum nft_set_desc_attributes {
|
||||
* @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
|
||||
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
|
||||
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
|
||||
* @NFTA_SET_HANDLE: set handle (NLA_U64)
|
||||
*/
|
||||
enum nft_set_attributes {
|
||||
NFTA_SET_UNSPEC,
|
||||
@ -335,6 +338,7 @@ enum nft_set_attributes {
|
||||
NFTA_SET_USERDATA,
|
||||
NFTA_SET_PAD,
|
||||
NFTA_SET_OBJ_TYPE,
|
||||
NFTA_SET_HANDLE,
|
||||
__NFTA_SET_MAX
|
||||
};
|
||||
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
|
||||
@ -1314,6 +1318,7 @@ enum nft_ct_helper_attributes {
|
||||
* @NFTA_OBJ_TYPE: stateful object type (NLA_U32)
|
||||
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
|
||||
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
|
||||
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
|
||||
*/
|
||||
enum nft_object_attributes {
|
||||
NFTA_OBJ_UNSPEC,
|
||||
@ -1322,6 +1327,8 @@ enum nft_object_attributes {
|
||||
NFTA_OBJ_TYPE,
|
||||
NFTA_OBJ_DATA,
|
||||
NFTA_OBJ_USE,
|
||||
NFTA_OBJ_HANDLE,
|
||||
NFTA_OBJ_PAD,
|
||||
__NFTA_OBJ_MAX
|
||||
};
|
||||
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
|
||||
@ -1333,6 +1340,7 @@ enum nft_object_attributes {
|
||||
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
|
||||
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
|
||||
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
|
||||
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
|
||||
*/
|
||||
enum nft_flowtable_attributes {
|
||||
NFTA_FLOWTABLE_UNSPEC,
|
||||
@ -1340,6 +1348,8 @@ enum nft_flowtable_attributes {
|
||||
NFTA_FLOWTABLE_NAME,
|
||||
NFTA_FLOWTABLE_HOOK,
|
||||
NFTA_FLOWTABLE_USE,
|
||||
NFTA_FLOWTABLE_HANDLE,
|
||||
NFTA_FLOWTABLE_PAD,
|
||||
__NFTA_FLOWTABLE_MAX
|
||||
};
|
||||
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
|
||||
|
@ -57,6 +57,7 @@
|
||||
|
||||
enum nf_ip_hook_priorities {
|
||||
NF_IP_PRI_FIRST = INT_MIN,
|
||||
NF_IP_PRI_RAW_BEFORE_DEFRAG = -450,
|
||||
NF_IP_PRI_CONNTRACK_DEFRAG = -400,
|
||||
NF_IP_PRI_RAW = -300,
|
||||
NF_IP_PRI_SELINUX_FIRST = -225,
|
||||
|
@ -62,6 +62,7 @@
|
||||
|
||||
enum nf_ip6_hook_priorities {
|
||||
NF_IP6_PRI_FIRST = INT_MIN,
|
||||
NF_IP6_PRI_RAW_BEFORE_DEFRAG = -450,
|
||||
NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
|
||||
NF_IP6_PRI_RAW = -300,
|
||||
NF_IP6_PRI_SELINUX_FIRST = -225,
|
||||
|
57
include/uapi/linux/netfilter_ipv6/ip6t_srh.h
Normal file
57
include/uapi/linux/netfilter_ipv6/ip6t_srh.h
Normal file
@ -0,0 +1,57 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
||||
#ifndef _IP6T_SRH_H
|
||||
#define _IP6T_SRH_H
|
||||
|
||||
#include <linux/types.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
/* Values for "mt_flags" field in struct ip6t_srh */
|
||||
#define IP6T_SRH_NEXTHDR 0x0001
|
||||
#define IP6T_SRH_LEN_EQ 0x0002
|
||||
#define IP6T_SRH_LEN_GT 0x0004
|
||||
#define IP6T_SRH_LEN_LT 0x0008
|
||||
#define IP6T_SRH_SEGS_EQ 0x0010
|
||||
#define IP6T_SRH_SEGS_GT 0x0020
|
||||
#define IP6T_SRH_SEGS_LT 0x0040
|
||||
#define IP6T_SRH_LAST_EQ 0x0080
|
||||
#define IP6T_SRH_LAST_GT 0x0100
|
||||
#define IP6T_SRH_LAST_LT 0x0200
|
||||
#define IP6T_SRH_TAG 0x0400
|
||||
#define IP6T_SRH_MASK 0x07FF
|
||||
|
||||
/* Values for "mt_invflags" field in struct ip6t_srh */
|
||||
#define IP6T_SRH_INV_NEXTHDR 0x0001
|
||||
#define IP6T_SRH_INV_LEN_EQ 0x0002
|
||||
#define IP6T_SRH_INV_LEN_GT 0x0004
|
||||
#define IP6T_SRH_INV_LEN_LT 0x0008
|
||||
#define IP6T_SRH_INV_SEGS_EQ 0x0010
|
||||
#define IP6T_SRH_INV_SEGS_GT 0x0020
|
||||
#define IP6T_SRH_INV_SEGS_LT 0x0040
|
||||
#define IP6T_SRH_INV_LAST_EQ 0x0080
|
||||
#define IP6T_SRH_INV_LAST_GT 0x0100
|
||||
#define IP6T_SRH_INV_LAST_LT 0x0200
|
||||
#define IP6T_SRH_INV_TAG 0x0400
|
||||
#define IP6T_SRH_INV_MASK 0x07FF
|
||||
|
||||
/**
|
||||
* struct ip6t_srh - SRH match options
|
||||
* @ next_hdr: Next header field of SRH
|
||||
* @ hdr_len: Extension header length field of SRH
|
||||
* @ segs_left: Segments left field of SRH
|
||||
* @ last_entry: Last entry field of SRH
|
||||
* @ tag: Tag field of SRH
|
||||
* @ mt_flags: match options
|
||||
* @ mt_invflags: Invert the sense of match options
|
||||
*/
|
||||
|
||||
struct ip6t_srh {
|
||||
__u8 next_hdr;
|
||||
__u8 hdr_len;
|
||||
__u8 segs_left;
|
||||
__u8 last_entry;
|
||||
__u16 tag;
|
||||
__u16 mt_flags;
|
||||
__u16 mt_invflags;
|
||||
};
|
||||
|
||||
#endif /*_IP6T_SRH_H*/
|
@ -2445,7 +2445,6 @@ static int __init ebtables_init(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
printk(KERN_INFO "Ebtables v2.0 registered\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -2453,7 +2452,6 @@ static void __exit ebtables_fini(void)
|
||||
{
|
||||
nf_unregister_sockopt(&ebt_sockopts);
|
||||
xt_unregister_target(&ebt_standard_target);
|
||||
printk(KERN_INFO "Ebtables v2.0 unregistered\n");
|
||||
}
|
||||
|
||||
EXPORT_SYMBOL(ebt_register_table);
|
||||
|
@ -42,40 +42,6 @@ nft_do_chain_bridge(void *priv,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_bridge __read_mostly = {
|
||||
.family = NFPROTO_BRIDGE,
|
||||
.nhooks = NF_BR_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int nf_tables_bridge_init_net(struct net *net)
|
||||
{
|
||||
net->nft.bridge = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.bridge == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
memcpy(net->nft.bridge, &nft_af_bridge, sizeof(nft_af_bridge));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.bridge) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
kfree(net->nft.bridge);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void nf_tables_bridge_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.bridge);
|
||||
kfree(net->nft.bridge);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_bridge_net_ops = {
|
||||
.init = nf_tables_bridge_init_net,
|
||||
.exit = nf_tables_bridge_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type filter_bridge = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -97,27 +63,11 @@ static const struct nf_chain_type filter_bridge = {
|
||||
|
||||
static int __init nf_tables_bridge_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = nft_register_chain_type(&filter_bridge);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
|
||||
if (ret < 0)
|
||||
goto err_register_subsys;
|
||||
|
||||
return ret;
|
||||
|
||||
err_register_subsys:
|
||||
nft_unregister_chain_type(&filter_bridge);
|
||||
|
||||
return ret;
|
||||
return nft_register_chain_type(&filter_bridge);
|
||||
}
|
||||
|
||||
static void __exit nf_tables_bridge_exit(void)
|
||||
{
|
||||
unregister_pernet_subsys(&nf_tables_bridge_net_ops);
|
||||
nft_unregister_chain_type(&filter_bridge);
|
||||
}
|
||||
|
||||
@ -126,4 +76,4 @@ module_exit(nf_tables_bridge_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_FAMILY(AF_BRIDGE);
|
||||
MODULE_ALIAS_NFT_CHAIN(AF_BRIDGE, "filter");
|
||||
|
@ -79,8 +79,9 @@ config NF_TABLES_ARP
|
||||
endif # NF_TABLES
|
||||
|
||||
config NF_FLOW_TABLE_IPV4
|
||||
select NF_FLOW_TABLE
|
||||
tristate "Netfilter flow table IPv4 module"
|
||||
depends on NF_CONNTRACK && NF_TABLES
|
||||
select NF_FLOW_TABLE
|
||||
help
|
||||
This option adds the flow table IPv4 support.
|
||||
|
||||
@ -157,6 +158,7 @@ config NF_NAT_SNMP_BASIC
|
||||
depends on NF_CONNTRACK_SNMP
|
||||
depends on NETFILTER_ADVANCED
|
||||
default NF_NAT && NF_CONNTRACK_SNMP
|
||||
select ASN1
|
||||
---help---
|
||||
|
||||
This module implements an Application Layer Gateway (ALG) for
|
||||
@ -342,6 +344,7 @@ config IP_NF_TARGET_CLUSTERIP
|
||||
depends on NF_CONNTRACK_IPV4
|
||||
depends on NETFILTER_ADVANCED
|
||||
select NF_CONNTRACK_MARK
|
||||
select NETFILTER_FAMILY_ARP
|
||||
help
|
||||
The CLUSTERIP target allows you to build load-balancing clusters of
|
||||
network servers without having a dedicated load-balancing
|
||||
|
@ -27,9 +27,15 @@ obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
|
||||
# NAT helpers (nf_conntrack)
|
||||
obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
|
||||
obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
|
||||
|
||||
nf_nat_snmp_basic-y := nf_nat_snmp_basic-asn1.o nf_nat_snmp_basic_main.o
|
||||
nf_nat_snmp_basic-y : nf_nat_snmp_basic-asn1.h nf_nat_snmp_basic-asn1.c
|
||||
obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
|
||||
clean-files := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h
|
||||
|
||||
obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
|
||||
|
||||
|
||||
# NAT protocols (nf_nat)
|
||||
obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
|
||||
|
||||
|
@ -1656,7 +1656,6 @@ static int __init arp_tables_init(void)
|
||||
if (ret < 0)
|
||||
goto err4;
|
||||
|
||||
pr_info("arp_tables: (C) 2002 David S. Miller\n");
|
||||
return 0;
|
||||
|
||||
err4:
|
||||
|
@ -1939,7 +1939,6 @@ static int __init ip_tables_init(void)
|
||||
if (ret < 0)
|
||||
goto err5;
|
||||
|
||||
pr_info("(C) 2000-2006 Netfilter Core Team\n");
|
||||
return 0;
|
||||
|
||||
err5:
|
||||
|
@ -3,6 +3,7 @@
|
||||
*
|
||||
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
||||
*/
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
#include <linux/module.h>
|
||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
#include <linux/slab.h>
|
||||
@ -12,6 +13,10 @@
|
||||
|
||||
static int __net_init iptable_raw_table_init(struct net *net);
|
||||
|
||||
static bool raw_before_defrag __read_mostly;
|
||||
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
|
||||
module_param(raw_before_defrag, bool, 0000);
|
||||
|
||||
static const struct xt_table packet_raw = {
|
||||
.name = "raw",
|
||||
.valid_hooks = RAW_VALID_HOOKS,
|
||||
@ -21,6 +26,15 @@ static const struct xt_table packet_raw = {
|
||||
.table_init = iptable_raw_table_init,
|
||||
};
|
||||
|
||||
static const struct xt_table packet_raw_before_defrag = {
|
||||
.name = "raw",
|
||||
.valid_hooks = RAW_VALID_HOOKS,
|
||||
.me = THIS_MODULE,
|
||||
.af = NFPROTO_IPV4,
|
||||
.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG,
|
||||
.table_init = iptable_raw_table_init,
|
||||
};
|
||||
|
||||
/* The work comes in here from netfilter.c. */
|
||||
static unsigned int
|
||||
iptable_raw_hook(void *priv, struct sk_buff *skb,
|
||||
@ -34,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
|
||||
static int __net_init iptable_raw_table_init(struct net *net)
|
||||
{
|
||||
struct ipt_replace *repl;
|
||||
const struct xt_table *table = &packet_raw;
|
||||
int ret;
|
||||
|
||||
if (raw_before_defrag)
|
||||
table = &packet_raw_before_defrag;
|
||||
|
||||
if (net->ipv4.iptable_raw)
|
||||
return 0;
|
||||
|
||||
repl = ipt_alloc_initial_table(&packet_raw);
|
||||
repl = ipt_alloc_initial_table(table);
|
||||
if (repl == NULL)
|
||||
return -ENOMEM;
|
||||
ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops,
|
||||
ret = ipt_register_table(net, table, repl, rawtable_ops,
|
||||
&net->ipv4.iptable_raw);
|
||||
kfree(repl);
|
||||
return ret;
|
||||
@ -63,8 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = {
|
||||
static int __init iptable_raw_init(void)
|
||||
{
|
||||
int ret;
|
||||
const struct xt_table *table = &packet_raw;
|
||||
|
||||
rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook);
|
||||
if (raw_before_defrag) {
|
||||
table = &packet_raw_before_defrag;
|
||||
|
||||
pr_info("Enabling raw table before defrag\n");
|
||||
}
|
||||
|
||||
rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook);
|
||||
if (IS_ERR(rawtable_ops))
|
||||
return PTR_ERR(rawtable_ops);
|
||||
|
||||
|
@ -78,6 +78,8 @@ static unsigned int ipv4_conntrack_defrag(void *priv,
|
||||
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
|
||||
return NF_ACCEPT;
|
||||
#endif
|
||||
if (skb->_nfct == IP_CT_UNTRACKED)
|
||||
return NF_ACCEPT;
|
||||
#endif
|
||||
/* Gather fragments. */
|
||||
if (ip_is_fragment(ip_hdr(skb))) {
|
||||
|
177
net/ipv4/netfilter/nf_nat_snmp_basic.asn1
Normal file
177
net/ipv4/netfilter/nf_nat_snmp_basic.asn1
Normal file
@ -0,0 +1,177 @@
|
||||
Message ::=
|
||||
SEQUENCE {
|
||||
version
|
||||
INTEGER ({snmp_version}),
|
||||
|
||||
community
|
||||
OCTET STRING,
|
||||
|
||||
pdu
|
||||
PDUs
|
||||
}
|
||||
|
||||
|
||||
ObjectName ::=
|
||||
OBJECT IDENTIFIER
|
||||
|
||||
ObjectSyntax ::=
|
||||
CHOICE {
|
||||
simple
|
||||
SimpleSyntax,
|
||||
|
||||
application-wide
|
||||
ApplicationSyntax
|
||||
}
|
||||
|
||||
SimpleSyntax ::=
|
||||
CHOICE {
|
||||
integer-value
|
||||
INTEGER,
|
||||
|
||||
string-value
|
||||
OCTET STRING,
|
||||
|
||||
objectID-value
|
||||
OBJECT IDENTIFIER
|
||||
}
|
||||
|
||||
ApplicationSyntax ::=
|
||||
CHOICE {
|
||||
ipAddress-value
|
||||
IpAddress,
|
||||
|
||||
counter-value
|
||||
Counter32,
|
||||
|
||||
timeticks-value
|
||||
TimeTicks,
|
||||
|
||||
arbitrary-value
|
||||
Opaque,
|
||||
|
||||
big-counter-value
|
||||
Counter64,
|
||||
|
||||
unsigned-integer-value
|
||||
Unsigned32
|
||||
}
|
||||
|
||||
IpAddress ::=
|
||||
[APPLICATION 0]
|
||||
IMPLICIT OCTET STRING OPTIONAL ({snmp_helper})
|
||||
|
||||
Counter32 ::=
|
||||
[APPLICATION 1]
|
||||
IMPLICIT INTEGER OPTIONAL
|
||||
|
||||
Unsigned32 ::=
|
||||
[APPLICATION 2]
|
||||
IMPLICIT INTEGER OPTIONAL
|
||||
|
||||
Gauge32 ::= Unsigned32 OPTIONAL
|
||||
|
||||
TimeTicks ::=
|
||||
[APPLICATION 3]
|
||||
IMPLICIT INTEGER OPTIONAL
|
||||
|
||||
Opaque ::=
|
||||
[APPLICATION 4]
|
||||
IMPLICIT OCTET STRING OPTIONAL
|
||||
|
||||
Counter64 ::=
|
||||
[APPLICATION 6]
|
||||
IMPLICIT INTEGER OPTIONAL
|
||||
|
||||
PDUs ::=
|
||||
CHOICE {
|
||||
get-request
|
||||
GetRequest-PDU,
|
||||
|
||||
get-next-request
|
||||
GetNextRequest-PDU,
|
||||
|
||||
get-bulk-request
|
||||
GetBulkRequest-PDU,
|
||||
|
||||
response
|
||||
Response-PDU,
|
||||
|
||||
set-request
|
||||
SetRequest-PDU,
|
||||
|
||||
inform-request
|
||||
InformRequest-PDU,
|
||||
|
||||
snmpV2-trap
|
||||
SNMPv2-Trap-PDU,
|
||||
|
||||
report
|
||||
Report-PDU
|
||||
}
|
||||
|
||||
GetRequest-PDU ::=
|
||||
[0] IMPLICIT PDU OPTIONAL
|
||||
|
||||
GetNextRequest-PDU ::=
|
||||
[1] IMPLICIT PDU OPTIONAL
|
||||
|
||||
Response-PDU ::=
|
||||
[2] IMPLICIT PDU OPTIONAL
|
||||
|
||||
SetRequest-PDU ::=
|
||||
[3] IMPLICIT PDU OPTIONAL
|
||||
|
||||
-- [4] is obsolete
|
||||
|
||||
GetBulkRequest-PDU ::=
|
||||
[5] IMPLICIT PDU OPTIONAL
|
||||
|
||||
InformRequest-PDU ::=
|
||||
[6] IMPLICIT PDU OPTIONAL
|
||||
|
||||
SNMPv2-Trap-PDU ::=
|
||||
[7] IMPLICIT PDU OPTIONAL
|
||||
|
||||
Report-PDU ::=
|
||||
[8] IMPLICIT PDU OPTIONAL
|
||||
|
||||
PDU ::=
|
||||
SEQUENCE {
|
||||
request-id
|
||||
INTEGER,
|
||||
|
||||
error-status
|
||||
INTEGER,
|
||||
|
||||
error-index
|
||||
INTEGER,
|
||||
|
||||
variable-bindings
|
||||
VarBindList
|
||||
}
|
||||
|
||||
|
||||
VarBind ::=
|
||||
SEQUENCE {
|
||||
name
|
||||
ObjectName,
|
||||
|
||||
CHOICE {
|
||||
value
|
||||
ObjectSyntax,
|
||||
|
||||
unSpecified
|
||||
NULL,
|
||||
|
||||
noSuchObject
|
||||
[0] IMPLICIT NULL,
|
||||
|
||||
noSuchInstance
|
||||
[1] IMPLICIT NULL,
|
||||
|
||||
endOfMibView
|
||||
[2] IMPLICIT NULL
|
||||
}
|
||||
}
|
||||
|
||||
VarBindList ::= SEQUENCE OF VarBind
|
File diff suppressed because it is too large
Load Diff
235
net/ipv4/netfilter/nf_nat_snmp_basic_main.c
Normal file
235
net/ipv4/netfilter/nf_nat_snmp_basic_main.c
Normal file
@ -0,0 +1,235 @@
|
||||
/*
|
||||
* nf_nat_snmp_basic.c
|
||||
*
|
||||
* Basic SNMP Application Layer Gateway
|
||||
*
|
||||
* This IP NAT module is intended for use with SNMP network
|
||||
* discovery and monitoring applications where target networks use
|
||||
* conflicting private address realms.
|
||||
*
|
||||
* Static NAT is used to remap the networks from the view of the network
|
||||
* management system at the IP layer, and this module remaps some application
|
||||
* layer addresses to match.
|
||||
*
|
||||
* The simplest form of ALG is performed, where only tagged IP addresses
|
||||
* are modified. The module does not need to be MIB aware and only scans
|
||||
* messages at the ASN.1/BER level.
|
||||
*
|
||||
* Currently, only SNMPv1 and SNMPv2 are supported.
|
||||
*
|
||||
* More information on ALG and associated issues can be found in
|
||||
* RFC 2962
|
||||
*
|
||||
* The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
|
||||
* McLean & Jochen Friedrich, stripped down for use in the kernel.
|
||||
*
|
||||
* Copyright (c) 2000 RP Internet (www.rpi.net.au).
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
* Author: James Morris <jmorris@intercode.com.au>
|
||||
*
|
||||
* Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
|
||||
*/
|
||||
#include <linux/module.h>
|
||||
#include <linux/moduleparam.h>
|
||||
#include <linux/types.h>
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/in.h>
|
||||
#include <linux/ip.h>
|
||||
#include <linux/udp.h>
|
||||
#include <net/checksum.h>
|
||||
#include <net/udp.h>
|
||||
|
||||
#include <net/netfilter/nf_nat.h>
|
||||
#include <net/netfilter/nf_conntrack_expect.h>
|
||||
#include <net/netfilter/nf_conntrack_helper.h>
|
||||
#include <linux/netfilter/nf_conntrack_snmp.h>
|
||||
#include "nf_nat_snmp_basic-asn1.h"
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
|
||||
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
|
||||
MODULE_ALIAS("ip_nat_snmp_basic");
|
||||
|
||||
#define SNMP_PORT 161
|
||||
#define SNMP_TRAP_PORT 162
|
||||
|
||||
static DEFINE_SPINLOCK(snmp_lock);
|
||||
|
||||
struct snmp_ctx {
|
||||
unsigned char *begin;
|
||||
__sum16 *check;
|
||||
__be32 from;
|
||||
__be32 to;
|
||||
};
|
||||
|
||||
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
|
||||
{
|
||||
unsigned char s[12] = {0,};
|
||||
int size;
|
||||
|
||||
if (offset & 1) {
|
||||
memcpy(&s[1], &ctx->from, 4);
|
||||
memcpy(&s[7], &ctx->to, 4);
|
||||
s[0] = ~0;
|
||||
s[1] = ~s[1];
|
||||
s[2] = ~s[2];
|
||||
s[3] = ~s[3];
|
||||
s[4] = ~s[4];
|
||||
s[5] = ~0;
|
||||
size = 12;
|
||||
} else {
|
||||
memcpy(&s[0], &ctx->from, 4);
|
||||
memcpy(&s[4], &ctx->to, 4);
|
||||
s[0] = ~s[0];
|
||||
s[1] = ~s[1];
|
||||
s[2] = ~s[2];
|
||||
s[3] = ~s[3];
|
||||
size = 8;
|
||||
}
|
||||
*ctx->check = csum_fold(csum_partial(s, size,
|
||||
~csum_unfold(*ctx->check)));
|
||||
}
|
||||
|
||||
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
|
||||
const void *data, size_t datalen)
|
||||
{
|
||||
if (*(unsigned char *)data > 1)
|
||||
return -ENOTSUPP;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
|
||||
const void *data, size_t datalen)
|
||||
{
|
||||
struct snmp_ctx *ctx = (struct snmp_ctx *)context;
|
||||
__be32 *pdata = (__be32 *)data;
|
||||
|
||||
if (*pdata == ctx->from) {
|
||||
pr_debug("%s: %pI4 to %pI4\n", __func__,
|
||||
(void *)&ctx->from, (void *)&ctx->to);
|
||||
|
||||
if (*ctx->check)
|
||||
fast_csum(ctx, (unsigned char *)data - ctx->begin);
|
||||
*pdata = ctx->to;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
|
||||
{
|
||||
struct iphdr *iph = ip_hdr(skb);
|
||||
struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
|
||||
u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
|
||||
char *data = (unsigned char *)udph + sizeof(struct udphdr);
|
||||
struct snmp_ctx ctx;
|
||||
int ret;
|
||||
|
||||
if (dir == IP_CT_DIR_ORIGINAL) {
|
||||
ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
|
||||
ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
|
||||
} else {
|
||||
ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
|
||||
ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
|
||||
}
|
||||
|
||||
if (ctx.from == ctx.to)
|
||||
return NF_ACCEPT;
|
||||
|
||||
ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
|
||||
ctx.check = &udph->check;
|
||||
ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
|
||||
if (ret < 0) {
|
||||
nf_ct_helper_log(skb, ct, "parser failed\n");
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
/* We don't actually set up expectations, just adjust internal IP
|
||||
* addresses if this is being NATted
|
||||
*/
|
||||
static int help(struct sk_buff *skb, unsigned int protoff,
|
||||
struct nf_conn *ct,
|
||||
enum ip_conntrack_info ctinfo)
|
||||
{
|
||||
int dir = CTINFO2DIR(ctinfo);
|
||||
unsigned int ret;
|
||||
const struct iphdr *iph = ip_hdr(skb);
|
||||
const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
|
||||
|
||||
/* SNMP replies and originating SNMP traps get mangled */
|
||||
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
|
||||
return NF_ACCEPT;
|
||||
if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
|
||||
return NF_ACCEPT;
|
||||
|
||||
/* No NAT? */
|
||||
if (!(ct->status & IPS_NAT_MASK))
|
||||
return NF_ACCEPT;
|
||||
|
||||
/* Make sure the packet length is ok. So far, we were only guaranteed
|
||||
* to have a valid length IP header plus 8 bytes, which means we have
|
||||
* enough room for a UDP header. Just verify the UDP length field so we
|
||||
* can mess around with the payload.
|
||||
*/
|
||||
if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
|
||||
nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
if (!skb_make_writable(skb, skb->len)) {
|
||||
nf_ct_helper_log(skb, ct, "cannot mangle packet");
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
spin_lock_bh(&snmp_lock);
|
||||
ret = snmp_translate(ct, dir, skb);
|
||||
spin_unlock_bh(&snmp_lock);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
|
||||
.max_expected = 0,
|
||||
.timeout = 180,
|
||||
};
|
||||
|
||||
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
|
||||
.me = THIS_MODULE,
|
||||
.help = help,
|
||||
.expect_policy = &snmp_exp_policy,
|
||||
.name = "snmp_trap",
|
||||
.tuple.src.l3num = AF_INET,
|
||||
.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
|
||||
.tuple.dst.protonum = IPPROTO_UDP,
|
||||
};
|
||||
|
||||
static int __init nf_nat_snmp_basic_init(void)
|
||||
{
|
||||
BUG_ON(nf_nat_snmp_hook != NULL);
|
||||
RCU_INIT_POINTER(nf_nat_snmp_hook, help);
|
||||
|
||||
return nf_conntrack_helper_register(&snmp_trap_helper);
|
||||
}
|
||||
|
||||
static void __exit nf_nat_snmp_basic_fini(void)
|
||||
{
|
||||
RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
|
||||
synchronize_rcu();
|
||||
nf_conntrack_helper_unregister(&snmp_trap_helper);
|
||||
}
|
||||
|
||||
module_init(nf_nat_snmp_basic_init);
|
||||
module_exit(nf_nat_snmp_basic_fini);
|
@ -27,40 +27,6 @@ nft_do_chain_arp(void *priv,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_arp __read_mostly = {
|
||||
.family = NFPROTO_ARP,
|
||||
.nhooks = NF_ARP_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int nf_tables_arp_init_net(struct net *net)
|
||||
{
|
||||
net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.arp== NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.arp) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
kfree(net->nft.arp);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void nf_tables_arp_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.arp);
|
||||
kfree(net->nft.arp);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_arp_net_ops = {
|
||||
.init = nf_tables_arp_init_net,
|
||||
.exit = nf_tables_arp_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type filter_arp = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -76,22 +42,11 @@ static const struct nf_chain_type filter_arp = {
|
||||
|
||||
static int __init nf_tables_arp_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = nft_register_chain_type(&filter_arp);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_arp_net_ops);
|
||||
if (ret < 0)
|
||||
nft_unregister_chain_type(&filter_arp);
|
||||
|
||||
return ret;
|
||||
return nft_register_chain_type(&filter_arp);
|
||||
}
|
||||
|
||||
static void __exit nf_tables_arp_exit(void)
|
||||
{
|
||||
unregister_pernet_subsys(&nf_tables_arp_net_ops);
|
||||
nft_unregister_chain_type(&filter_arp);
|
||||
}
|
||||
|
||||
@ -100,4 +55,4 @@ module_exit(nf_tables_arp_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */
|
||||
MODULE_ALIAS_NFT_CHAIN(3, "filter"); /* NFPROTO_ARP */
|
||||
|
@ -30,40 +30,6 @@ static unsigned int nft_do_chain_ipv4(void *priv,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_ipv4 __read_mostly = {
|
||||
.family = NFPROTO_IPV4,
|
||||
.nhooks = NF_INET_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int nf_tables_ipv4_init_net(struct net *net)
|
||||
{
|
||||
net->nft.ipv4 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.ipv4 == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
memcpy(net->nft.ipv4, &nft_af_ipv4, sizeof(nft_af_ipv4));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.ipv4) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
kfree(net->nft.ipv4);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void nf_tables_ipv4_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.ipv4);
|
||||
kfree(net->nft.ipv4);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_ipv4_net_ops = {
|
||||
.init = nf_tables_ipv4_init_net,
|
||||
.exit = nf_tables_ipv4_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type filter_ipv4 = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -85,22 +51,11 @@ static const struct nf_chain_type filter_ipv4 = {
|
||||
|
||||
static int __init nf_tables_ipv4_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = nft_register_chain_type(&filter_ipv4);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_ipv4_net_ops);
|
||||
if (ret < 0)
|
||||
nft_unregister_chain_type(&filter_ipv4);
|
||||
|
||||
return ret;
|
||||
return nft_register_chain_type(&filter_ipv4);
|
||||
}
|
||||
|
||||
static void __exit nf_tables_ipv4_exit(void)
|
||||
{
|
||||
unregister_pernet_subsys(&nf_tables_ipv4_net_ops);
|
||||
nft_unregister_chain_type(&filter_ipv4);
|
||||
}
|
||||
|
||||
@ -109,4 +64,4 @@ module_exit(nf_tables_ipv4_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_FAMILY(AF_INET);
|
||||
MODULE_ALIAS_NFT_CHAIN(AF_INET, "filter");
|
||||
|
@ -72,8 +72,9 @@ endif # NF_TABLES_IPV6
|
||||
endif # NF_TABLES
|
||||
|
||||
config NF_FLOW_TABLE_IPV6
|
||||
select NF_FLOW_TABLE
|
||||
tristate "Netfilter flow table IPv6 module"
|
||||
depends on NF_CONNTRACK && NF_TABLES
|
||||
select NF_FLOW_TABLE
|
||||
help
|
||||
This option adds the flow table IPv6 support.
|
||||
|
||||
@ -240,6 +241,15 @@ config IP6_NF_MATCH_RT
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config IP6_NF_MATCH_SRH
|
||||
tristate '"srh" Segment Routing header match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
help
|
||||
srh matching allows you to match packets based on the segment
|
||||
routing header of the packet.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
# The targets
|
||||
config IP6_NF_TARGET_HL
|
||||
tristate '"HL" hoplimit target support'
|
||||
|
@ -57,6 +57,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
|
||||
|
||||
# targets
|
||||
obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
|
||||
|
@ -1952,7 +1952,6 @@ static int __init ip6_tables_init(void)
|
||||
if (ret < 0)
|
||||
goto err5;
|
||||
|
||||
pr_info("(C) 2000-2006 Netfilter Core Team\n");
|
||||
return 0;
|
||||
|
||||
err5:
|
||||
|
161
net/ipv6/netfilter/ip6t_srh.c
Normal file
161
net/ipv6/netfilter/ip6t_srh.c
Normal file
@ -0,0 +1,161 @@
|
||||
/* Kernel module to match Segment Routing Header (SRH) parameters. */
|
||||
|
||||
/* Author:
|
||||
* Ahmed Abdelsalam <amsalam20@gmail.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*/
|
||||
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
#include <linux/module.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/types.h>
|
||||
#include <net/ipv6.h>
|
||||
#include <net/seg6.h>
|
||||
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter_ipv6/ip6t_srh.h>
|
||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||
|
||||
/* Test a struct->mt_invflags and a boolean for inequality */
|
||||
#define NF_SRH_INVF(ptr, flag, boolean) \
|
||||
((boolean) ^ !!((ptr)->mt_invflags & (flag)))
|
||||
|
||||
static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
{
|
||||
const struct ip6t_srh *srhinfo = par->matchinfo;
|
||||
struct ipv6_sr_hdr *srh;
|
||||
struct ipv6_sr_hdr _srh;
|
||||
int hdrlen, srhoff = 0;
|
||||
|
||||
if (ipv6_find_hdr(skb, &srhoff, IPPROTO_ROUTING, NULL, NULL) < 0)
|
||||
return false;
|
||||
srh = skb_header_pointer(skb, srhoff, sizeof(_srh), &_srh);
|
||||
if (!srh)
|
||||
return false;
|
||||
|
||||
hdrlen = ipv6_optlen(srh);
|
||||
if (skb->len - srhoff < hdrlen)
|
||||
return false;
|
||||
|
||||
if (srh->type != IPV6_SRCRT_TYPE_4)
|
||||
return false;
|
||||
|
||||
if (srh->segments_left > srh->first_segment)
|
||||
return false;
|
||||
|
||||
/* Next Header matching */
|
||||
if (srhinfo->mt_flags & IP6T_SRH_NEXTHDR)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NEXTHDR,
|
||||
!(srh->nexthdr == srhinfo->next_hdr)))
|
||||
return false;
|
||||
|
||||
/* Header Extension Length matching */
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LEN_EQ)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_EQ,
|
||||
!(srh->hdrlen == srhinfo->hdr_len)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LEN_GT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_GT,
|
||||
!(srh->hdrlen > srhinfo->hdr_len)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LEN_LT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_LT,
|
||||
!(srh->hdrlen < srhinfo->hdr_len)))
|
||||
return false;
|
||||
|
||||
/* Segments Left matching */
|
||||
if (srhinfo->mt_flags & IP6T_SRH_SEGS_EQ)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_EQ,
|
||||
!(srh->segments_left == srhinfo->segs_left)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_SEGS_GT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_GT,
|
||||
!(srh->segments_left > srhinfo->segs_left)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_SEGS_LT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_LT,
|
||||
!(srh->segments_left < srhinfo->segs_left)))
|
||||
return false;
|
||||
|
||||
/**
|
||||
* Last Entry matching
|
||||
* Last_Entry field was introduced in revision 6 of the SRH draft.
|
||||
* It was called First_Segment in the previous revision
|
||||
*/
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LAST_EQ)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_EQ,
|
||||
!(srh->first_segment == srhinfo->last_entry)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LAST_GT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_GT,
|
||||
!(srh->first_segment > srhinfo->last_entry)))
|
||||
return false;
|
||||
|
||||
if (srhinfo->mt_flags & IP6T_SRH_LAST_LT)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_LT,
|
||||
!(srh->first_segment < srhinfo->last_entry)))
|
||||
return false;
|
||||
|
||||
/**
|
||||
* Tag matchig
|
||||
* Tag field was introduced in revision 6 of the SRH draft.
|
||||
*/
|
||||
if (srhinfo->mt_flags & IP6T_SRH_TAG)
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG,
|
||||
!(srh->tag == srhinfo->tag)))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
static int srh_mt6_check(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct ip6t_srh *srhinfo = par->matchinfo;
|
||||
|
||||
if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
|
||||
pr_err("unknown srh match flags %X\n", srhinfo->mt_flags);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
|
||||
pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct xt_match srh_mt6_reg __read_mostly = {
|
||||
.name = "srh",
|
||||
.family = NFPROTO_IPV6,
|
||||
.match = srh_mt6,
|
||||
.matchsize = sizeof(struct ip6t_srh),
|
||||
.checkentry = srh_mt6_check,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init srh_mt6_init(void)
|
||||
{
|
||||
return xt_register_match(&srh_mt6_reg);
|
||||
}
|
||||
|
||||
static void __exit srh_mt6_exit(void)
|
||||
{
|
||||
xt_unregister_match(&srh_mt6_reg);
|
||||
}
|
||||
|
||||
module_init(srh_mt6_init);
|
||||
module_exit(srh_mt6_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Xtables: IPv6 Segment Routing Header match");
|
||||
MODULE_AUTHOR("Ahmed Abdelsalam <amsalam20@gmail.com>");
|
@ -3,6 +3,7 @@
|
||||
*
|
||||
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
||||
*/
|
||||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
||||
#include <linux/module.h>
|
||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||
#include <linux/slab.h>
|
||||
@ -11,6 +12,10 @@
|
||||
|
||||
static int __net_init ip6table_raw_table_init(struct net *net);
|
||||
|
||||
static bool raw_before_defrag __read_mostly;
|
||||
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
|
||||
module_param(raw_before_defrag, bool, 0000);
|
||||
|
||||
static const struct xt_table packet_raw = {
|
||||
.name = "raw",
|
||||
.valid_hooks = RAW_VALID_HOOKS,
|
||||
@ -20,6 +25,15 @@ static const struct xt_table packet_raw = {
|
||||
.table_init = ip6table_raw_table_init,
|
||||
};
|
||||
|
||||
static const struct xt_table packet_raw_before_defrag = {
|
||||
.name = "raw",
|
||||
.valid_hooks = RAW_VALID_HOOKS,
|
||||
.me = THIS_MODULE,
|
||||
.af = NFPROTO_IPV6,
|
||||
.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG,
|
||||
.table_init = ip6table_raw_table_init,
|
||||
};
|
||||
|
||||
/* The work comes in here from netfilter.c. */
|
||||
static unsigned int
|
||||
ip6table_raw_hook(void *priv, struct sk_buff *skb,
|
||||
@ -33,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
|
||||
static int __net_init ip6table_raw_table_init(struct net *net)
|
||||
{
|
||||
struct ip6t_replace *repl;
|
||||
const struct xt_table *table = &packet_raw;
|
||||
int ret;
|
||||
|
||||
if (raw_before_defrag)
|
||||
table = &packet_raw_before_defrag;
|
||||
|
||||
if (net->ipv6.ip6table_raw)
|
||||
return 0;
|
||||
|
||||
repl = ip6t_alloc_initial_table(&packet_raw);
|
||||
repl = ip6t_alloc_initial_table(table);
|
||||
if (repl == NULL)
|
||||
return -ENOMEM;
|
||||
ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops,
|
||||
ret = ip6t_register_table(net, table, repl, rawtable_ops,
|
||||
&net->ipv6.ip6table_raw);
|
||||
kfree(repl);
|
||||
return ret;
|
||||
@ -62,9 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = {
|
||||
static int __init ip6table_raw_init(void)
|
||||
{
|
||||
int ret;
|
||||
const struct xt_table *table = &packet_raw;
|
||||
|
||||
if (raw_before_defrag) {
|
||||
table = &packet_raw_before_defrag;
|
||||
|
||||
pr_info("Enabling raw table before defrag\n");
|
||||
}
|
||||
|
||||
/* Register hooks */
|
||||
rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook);
|
||||
rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook);
|
||||
if (IS_ERR(rawtable_ops))
|
||||
return PTR_ERR(rawtable_ops);
|
||||
|
||||
|
@ -231,7 +231,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
|
||||
|
||||
if ((unsigned int)end > IPV6_MAXPLEN) {
|
||||
pr_debug("offset is too large.\n");
|
||||
return -1;
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ecn = ip6_frag_ecn(ipv6_hdr(skb));
|
||||
@ -264,7 +264,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
|
||||
* this case. -DaveM
|
||||
*/
|
||||
pr_debug("end of fragment not rounded to 8 bytes.\n");
|
||||
return -1;
|
||||
return -EPROTO;
|
||||
}
|
||||
if (end > fq->q.len) {
|
||||
/* Some bits beyond end -> corruption. */
|
||||
@ -358,7 +358,7 @@ found:
|
||||
discard_fq:
|
||||
inet_frag_kill(&fq->q, &nf_frags);
|
||||
err:
|
||||
return -1;
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -567,6 +567,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
|
||||
|
||||
int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
|
||||
{
|
||||
u16 savethdr = skb->transport_header;
|
||||
struct net_device *dev = skb->dev;
|
||||
int fhoff, nhoff, ret;
|
||||
struct frag_hdr *fhdr;
|
||||
@ -600,8 +601,12 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
|
||||
|
||||
spin_lock_bh(&fq->q.lock);
|
||||
|
||||
if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) {
|
||||
ret = -EINVAL;
|
||||
ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
|
||||
if (ret < 0) {
|
||||
if (ret == -EPROTO) {
|
||||
skb->transport_header = savethdr;
|
||||
ret = 0;
|
||||
}
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
|
@ -63,6 +63,9 @@ static unsigned int ipv6_defrag(void *priv,
|
||||
/* Previously seen (loopback)? */
|
||||
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
|
||||
return NF_ACCEPT;
|
||||
|
||||
if (skb->_nfct == IP_CT_UNTRACKED)
|
||||
return NF_ACCEPT;
|
||||
#endif
|
||||
|
||||
err = nf_ct_frag6_gather(state->net, skb,
|
||||
|
@ -5,7 +5,6 @@
|
||||
#include <linux/rhashtable.h>
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/netdevice.h>
|
||||
#include <linux/ipv6.h>
|
||||
#include <net/ipv6.h>
|
||||
#include <net/ip6_route.h>
|
||||
#include <net/neighbour.h>
|
||||
|
@ -28,40 +28,6 @@ static unsigned int nft_do_chain_ipv6(void *priv,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_ipv6 __read_mostly = {
|
||||
.family = NFPROTO_IPV6,
|
||||
.nhooks = NF_INET_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int nf_tables_ipv6_init_net(struct net *net)
|
||||
{
|
||||
net->nft.ipv6 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.ipv6 == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
memcpy(net->nft.ipv6, &nft_af_ipv6, sizeof(nft_af_ipv6));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.ipv6) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
kfree(net->nft.ipv6);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void nf_tables_ipv6_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.ipv6);
|
||||
kfree(net->nft.ipv6);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_ipv6_net_ops = {
|
||||
.init = nf_tables_ipv6_init_net,
|
||||
.exit = nf_tables_ipv6_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type filter_ipv6 = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -83,22 +49,11 @@ static const struct nf_chain_type filter_ipv6 = {
|
||||
|
||||
static int __init nf_tables_ipv6_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = nft_register_chain_type(&filter_ipv6);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_ipv6_net_ops);
|
||||
if (ret < 0)
|
||||
nft_unregister_chain_type(&filter_ipv6);
|
||||
|
||||
return ret;
|
||||
return nft_register_chain_type(&filter_ipv6);
|
||||
}
|
||||
|
||||
static void __exit nf_tables_ipv6_exit(void)
|
||||
{
|
||||
unregister_pernet_subsys(&nf_tables_ipv6_net_ops);
|
||||
nft_unregister_chain_type(&filter_ipv6);
|
||||
}
|
||||
|
||||
@ -107,4 +62,4 @@ module_exit(nf_tables_ipv6_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_FAMILY(AF_INET6);
|
||||
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "filter");
|
||||
|
@ -506,7 +506,7 @@ config NFT_CT
|
||||
connection tracking information such as the flow state.
|
||||
|
||||
config NFT_FLOW_OFFLOAD
|
||||
depends on NF_CONNTRACK
|
||||
depends on NF_CONNTRACK && NF_FLOW_TABLE
|
||||
tristate "Netfilter nf_tables hardware flow offload module"
|
||||
help
|
||||
This option adds the "flow_offload" expression that you can use to
|
||||
@ -665,8 +665,9 @@ endif # NF_TABLES_NETDEV
|
||||
endif # NF_TABLES
|
||||
|
||||
config NF_FLOW_TABLE_INET
|
||||
select NF_FLOW_TABLE
|
||||
tristate "Netfilter flow table mixed IPv4/IPv6 module"
|
||||
depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6
|
||||
select NF_FLOW_TABLE
|
||||
help
|
||||
This option adds the flow table mixed IPv4/IPv6 support.
|
||||
|
||||
@ -674,6 +675,7 @@ config NF_FLOW_TABLE_INET
|
||||
|
||||
config NF_FLOW_TABLE
|
||||
tristate "Netfilter flow table module"
|
||||
depends on NF_CONNTRACK && NF_TABLES
|
||||
help
|
||||
This option adds the flow table core infrastructure.
|
||||
|
||||
|
@ -140,7 +140,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
|
||||
|
||||
if (reg->nat_hook && orig_ops[i]->nat_hook) {
|
||||
kvfree(new);
|
||||
return ERR_PTR(-EEXIST);
|
||||
return ERR_PTR(-EBUSY);
|
||||
}
|
||||
|
||||
if (inserted || reg->priority > orig_ops[i]->priority) {
|
||||
@ -377,8 +377,8 @@ static void nf_remove_net_hook(struct nf_hook_entries *old,
|
||||
}
|
||||
}
|
||||
|
||||
void __nf_unregister_net_hook(struct net *net, int pf,
|
||||
const struct nf_hook_ops *reg)
|
||||
static void __nf_unregister_net_hook(struct net *net, int pf,
|
||||
const struct nf_hook_ops *reg)
|
||||
{
|
||||
struct nf_hook_entries __rcu **pp;
|
||||
struct nf_hook_entries *p;
|
||||
|
@ -2122,7 +2122,6 @@ ip_set_init(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -2138,3 +2137,5 @@ ip_set_fini(void)
|
||||
|
||||
module_init(ip_set_init);
|
||||
module_exit(ip_set_fini);
|
||||
|
||||
MODULE_DESCRIPTION("ip_set: protocol " __stringify(IPSET_PROTOCOL));
|
||||
|
@ -595,7 +595,6 @@ static int ip_vs_app_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_app_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_app_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -1143,7 +1143,6 @@ static int ip_vs_conn_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_conn_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_conn_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -1221,7 +1220,6 @@ static int ip_vs_conn_sync_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_conn_sync_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_conn_sync_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -2116,7 +2116,6 @@ static int ip_vs_info_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_info_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_info_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -2161,7 +2160,6 @@ static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_stats_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_stats_seq_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -2230,7 +2228,6 @@ static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ip_vs_stats_percpu_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ip_vs_stats_percpu_seq_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -71,7 +71,7 @@ static inline bool already_closed(const struct nf_conn *conn)
|
||||
return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
|
||||
conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
|
||||
else
|
||||
return 0;
|
||||
return false;
|
||||
}
|
||||
|
||||
static int key_diff(const u32 *a, const u32 *b, unsigned int klen)
|
||||
|
@ -58,8 +58,6 @@
|
||||
|
||||
#include "nf_internals.h"
|
||||
|
||||
#define NF_CONNTRACK_VERSION "0.5.0"
|
||||
|
||||
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
|
||||
enum nf_nat_manip_type manip,
|
||||
const struct nlattr *attr) __read_mostly;
|
||||
@ -2068,10 +2066,6 @@ int nf_conntrack_init_start(void)
|
||||
if (!nf_conntrack_cachep)
|
||||
goto err_cachep;
|
||||
|
||||
printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
|
||||
NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
|
||||
nf_conntrack_max);
|
||||
|
||||
ret = nf_conntrack_expect_init();
|
||||
if (ret < 0)
|
||||
goto err_expect;
|
||||
|
@ -649,7 +649,6 @@ static int exp_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations exp_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = exp_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -57,8 +57,6 @@
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
|
||||
static char __initdata version[] = "0.93";
|
||||
|
||||
static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
||||
const struct nf_conntrack_tuple *tuple,
|
||||
const struct nf_conntrack_l4proto *l4proto)
|
||||
@ -3425,7 +3423,6 @@ static int __init ctnetlink_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
|
||||
ret = nfnetlink_subsys_register(&ctnl_subsys);
|
||||
if (ret < 0) {
|
||||
pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
|
||||
@ -3459,8 +3456,6 @@ err_out:
|
||||
|
||||
static void __exit ctnetlink_exit(void)
|
||||
{
|
||||
pr_info("ctnetlink: unregistering from nfnetlink.\n");
|
||||
|
||||
unregister_pernet_subsys(&ctnetlink_net_ops);
|
||||
nfnetlink_subsys_unregister(&ctnl_exp_subsys);
|
||||
nfnetlink_subsys_unregister(&ctnl_subsys);
|
||||
|
@ -382,7 +382,6 @@ static int ct_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ct_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ct_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -475,7 +474,6 @@ static int ct_cpu_seq_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations ct_cpu_seq_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = ct_cpu_seq_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -402,7 +402,6 @@ static int nflog_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations nflog_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = nflog_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -15,8 +15,6 @@
|
||||
#include <linux/netfilter_bridge.h>
|
||||
#include <linux/seq_file.h>
|
||||
#include <linux/rcupdate.h>
|
||||
#include <linux/netfilter_ipv4.h>
|
||||
#include <linux/netfilter_ipv6.h>
|
||||
#include <net/protocol.h>
|
||||
#include <net/netfilter/nf_queue.h>
|
||||
#include <net/dst.h>
|
||||
|
@ -317,7 +317,6 @@ static int synproxy_cpu_seq_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations synproxy_cpu_seq_fops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = synproxy_cpu_seq_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -38,40 +38,6 @@ static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_inet __read_mostly = {
|
||||
.family = NFPROTO_INET,
|
||||
.nhooks = NF_INET_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __net_init nf_tables_inet_init_net(struct net *net)
|
||||
{
|
||||
net->nft.inet = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.inet == NULL)
|
||||
return -ENOMEM;
|
||||
memcpy(net->nft.inet, &nft_af_inet, sizeof(nft_af_inet));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.inet) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
|
||||
err:
|
||||
kfree(net->nft.inet);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void __net_exit nf_tables_inet_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.inet);
|
||||
kfree(net->nft.inet);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_inet_net_ops = {
|
||||
.init = nf_tables_inet_init_net,
|
||||
.exit = nf_tables_inet_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type filter_inet = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -93,22 +59,11 @@ static const struct nf_chain_type filter_inet = {
|
||||
|
||||
static int __init nf_tables_inet_init(void)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = nft_register_chain_type(&filter_inet);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_inet_net_ops);
|
||||
if (ret < 0)
|
||||
nft_unregister_chain_type(&filter_inet);
|
||||
|
||||
return ret;
|
||||
return nft_register_chain_type(&filter_inet);
|
||||
}
|
||||
|
||||
static void __exit nf_tables_inet_exit(void)
|
||||
{
|
||||
unregister_pernet_subsys(&nf_tables_inet_net_ops);
|
||||
nft_unregister_chain_type(&filter_inet);
|
||||
}
|
||||
|
||||
@ -117,4 +72,4 @@ module_exit(nf_tables_inet_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_ALIAS_NFT_FAMILY(1);
|
||||
MODULE_ALIAS_NFT_CHAIN(1, "filter");
|
||||
|
@ -38,41 +38,6 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
|
||||
return nft_do_chain(&pkt, priv);
|
||||
}
|
||||
|
||||
static struct nft_af_info nft_af_netdev __read_mostly = {
|
||||
.family = NFPROTO_NETDEV,
|
||||
.nhooks = NF_NETDEV_NUMHOOKS,
|
||||
.owner = THIS_MODULE,
|
||||
.flags = NFT_AF_NEEDS_DEV,
|
||||
};
|
||||
|
||||
static int nf_tables_netdev_init_net(struct net *net)
|
||||
{
|
||||
net->nft.netdev = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
|
||||
if (net->nft.netdev == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
memcpy(net->nft.netdev, &nft_af_netdev, sizeof(nft_af_netdev));
|
||||
|
||||
if (nft_register_afinfo(net, net->nft.netdev) < 0)
|
||||
goto err;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
kfree(net->nft.netdev);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
static void nf_tables_netdev_exit_net(struct net *net)
|
||||
{
|
||||
nft_unregister_afinfo(net, net->nft.netdev);
|
||||
kfree(net->nft.netdev);
|
||||
}
|
||||
|
||||
static struct pernet_operations nf_tables_netdev_net_ops = {
|
||||
.init = nf_tables_netdev_init_net,
|
||||
.exit = nf_tables_netdev_exit_net,
|
||||
};
|
||||
|
||||
static const struct nf_chain_type nft_filter_chain_netdev = {
|
||||
.name = "filter",
|
||||
.type = NFT_CHAIN_T_DEFAULT,
|
||||
@ -109,7 +74,6 @@ static int nf_tables_netdev_event(struct notifier_block *this,
|
||||
unsigned long event, void *ptr)
|
||||
{
|
||||
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
||||
struct nft_af_info *afi;
|
||||
struct nft_table *table;
|
||||
struct nft_chain *chain, *nr;
|
||||
struct nft_ctx ctx = {
|
||||
@ -121,20 +85,18 @@ static int nf_tables_netdev_event(struct notifier_block *this,
|
||||
return NOTIFY_DONE;
|
||||
|
||||
nfnl_lock(NFNL_SUBSYS_NFTABLES);
|
||||
list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
|
||||
ctx.afi = afi;
|
||||
if (afi->family != NFPROTO_NETDEV)
|
||||
list_for_each_entry(table, &ctx.net->nft.tables, list) {
|
||||
if (table->family != NFPROTO_NETDEV)
|
||||
continue;
|
||||
|
||||
list_for_each_entry(table, &afi->tables, list) {
|
||||
ctx.table = table;
|
||||
list_for_each_entry_safe(chain, nr, &table->chains, list) {
|
||||
if (!nft_is_base_chain(chain))
|
||||
continue;
|
||||
ctx.family = table->family;
|
||||
ctx.table = table;
|
||||
list_for_each_entry_safe(chain, nr, &table->chains, list) {
|
||||
if (!nft_is_base_chain(chain))
|
||||
continue;
|
||||
|
||||
ctx.chain = chain;
|
||||
nft_netdev_event(event, dev, &ctx);
|
||||
}
|
||||
ctx.chain = chain;
|
||||
nft_netdev_event(event, dev, &ctx);
|
||||
}
|
||||
}
|
||||
nfnl_unlock(NFNL_SUBSYS_NFTABLES);
|
||||
@ -154,27 +116,21 @@ static int __init nf_tables_netdev_init(void)
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = register_pernet_subsys(&nf_tables_netdev_net_ops);
|
||||
if (ret)
|
||||
goto err1;
|
||||
|
||||
ret = register_netdevice_notifier(&nf_tables_netdev_notifier);
|
||||
if (ret)
|
||||
goto err2;
|
||||
goto err_register_netdevice_notifier;
|
||||
|
||||
return 0;
|
||||
|
||||
err2:
|
||||
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
|
||||
err1:
|
||||
err_register_netdevice_notifier:
|
||||
nft_unregister_chain_type(&nft_filter_chain_netdev);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void __exit nf_tables_netdev_exit(void)
|
||||
{
|
||||
unregister_netdevice_notifier(&nf_tables_netdev_notifier);
|
||||
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
|
||||
nft_unregister_chain_type(&nft_filter_chain_netdev);
|
||||
}
|
||||
|
||||
@ -183,4 +139,4 @@ module_exit(nf_tables_netdev_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
|
||||
MODULE_ALIAS_NFT_FAMILY(5); /* NFPROTO_NETDEV */
|
||||
MODULE_ALIAS_NFT_CHAIN(5, "filter"); /* NFPROTO_NETDEV */
|
||||
|
@ -37,8 +37,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
|
||||
rcu_dereference_protected(table[(id)].subsys, \
|
||||
lockdep_nfnl_is_held((id)))
|
||||
|
||||
static char __initdata nfversion[] = "0.30";
|
||||
|
||||
static struct {
|
||||
struct mutex mutex;
|
||||
const struct nfnetlink_subsystem __rcu *subsys;
|
||||
@ -580,13 +578,11 @@ static int __init nfnetlink_init(void)
|
||||
for (i=0; i<NFNL_SUBSYS_COUNT; i++)
|
||||
mutex_init(&table[i].mutex);
|
||||
|
||||
pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
|
||||
return register_pernet_subsys(&nfnetlink_net_ops);
|
||||
}
|
||||
|
||||
static void __exit nfnetlink_exit(void)
|
||||
{
|
||||
pr_info("Removing netfilter NETLINK layer.\n");
|
||||
unregister_pernet_subsys(&nfnetlink_net_ops);
|
||||
}
|
||||
module_init(nfnetlink_init);
|
||||
|
@ -527,7 +527,6 @@ static int __init nfnl_acct_init(void)
|
||||
goto err_out;
|
||||
}
|
||||
|
||||
pr_info("nfnl_acct: registering with nfnetlink.\n");
|
||||
ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
|
||||
if (ret < 0) {
|
||||
pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
|
||||
@ -543,7 +542,6 @@ err_out:
|
||||
|
||||
static void __exit nfnl_acct_exit(void)
|
||||
{
|
||||
pr_info("nfnl_acct: unregistering from nfnetlink.\n");
|
||||
nfnetlink_subsys_unregister(&nfnl_acct_subsys);
|
||||
unregister_pernet_subsys(&nfnl_acct_ops);
|
||||
}
|
||||
|
@ -615,8 +615,6 @@ err_out:
|
||||
|
||||
static void __exit cttimeout_exit(void)
|
||||
{
|
||||
pr_info("cttimeout: unregistering from nfnetlink.\n");
|
||||
|
||||
nfnetlink_subsys_unregister(&cttimeout_subsys);
|
||||
|
||||
unregister_pernet_subsys(&cttimeout_ops);
|
||||
|
@ -1054,7 +1054,6 @@ static int nful_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations nful_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = nful_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -1477,7 +1477,6 @@ static int nfqnl_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations nfqnl_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = nfqnl_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
|
||||
{
|
||||
par->net = ctx->net;
|
||||
par->table = ctx->table->name;
|
||||
switch (ctx->afi->family) {
|
||||
switch (ctx->family) {
|
||||
case AF_INET:
|
||||
entry->e4.ip.proto = proto;
|
||||
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
|
||||
@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
|
||||
} else {
|
||||
par->hook_mask = 0;
|
||||
}
|
||||
par->family = ctx->afi->family;
|
||||
par->family = ctx->family;
|
||||
par->nft_compat = true;
|
||||
}
|
||||
|
||||
@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
||||
par.net = ctx->net;
|
||||
par.target = target;
|
||||
par.targinfo = info;
|
||||
par.family = ctx->afi->family;
|
||||
par.family = ctx->family;
|
||||
if (par.target->destroy != NULL)
|
||||
par.target->destroy(&par);
|
||||
|
||||
@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
|
||||
{
|
||||
par->net = ctx->net;
|
||||
par->table = ctx->table->name;
|
||||
switch (ctx->afi->family) {
|
||||
switch (ctx->family) {
|
||||
case AF_INET:
|
||||
entry->e4.ip.proto = proto;
|
||||
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
|
||||
@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
|
||||
} else {
|
||||
par->hook_mask = 0;
|
||||
}
|
||||
par->family = ctx->afi->family;
|
||||
par->family = ctx->family;
|
||||
par->nft_compat = true;
|
||||
}
|
||||
|
||||
@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
||||
par.net = ctx->net;
|
||||
par.match = match;
|
||||
par.matchinfo = info;
|
||||
par.family = ctx->afi->family;
|
||||
par.family = ctx->family;
|
||||
if (par.match->destroy != NULL)
|
||||
par.match->destroy(&par);
|
||||
|
||||
@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
|
||||
|
||||
mt_name = nla_data(tb[NFTA_MATCH_NAME]);
|
||||
rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
|
||||
family = ctx->afi->family;
|
||||
family = ctx->family;
|
||||
|
||||
/* Re-use the existing match if it's already loaded. */
|
||||
list_for_each_entry(nft_match, &nft_match_list, head) {
|
||||
@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
|
||||
|
||||
tg_name = nla_data(tb[NFTA_TARGET_NAME]);
|
||||
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
|
||||
family = ctx->afi->family;
|
||||
family = ctx->family;
|
||||
|
||||
/* Re-use the existing target if it's already loaded. */
|
||||
list_for_each_entry(nft_target, &nft_target_list, head) {
|
||||
@ -812,8 +812,6 @@ static int __init nft_compat_module_init(void)
|
||||
goto err_target;
|
||||
}
|
||||
|
||||
pr_info("nf_tables_compat: (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>\n");
|
||||
|
||||
return ret;
|
||||
|
||||
err_target:
|
||||
|
@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
|
||||
if (tb[NFTA_CT_DIRECTION] == NULL)
|
||||
return -EINVAL;
|
||||
|
||||
switch (ctx->afi->family) {
|
||||
switch (ctx->family) {
|
||||
case NFPROTO_IPV4:
|
||||
len = FIELD_SIZEOF(struct nf_conntrack_tuple,
|
||||
src.u3.ip);
|
||||
@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
err = nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||||
err = nf_ct_netns_get(ctx->net, ctx->family);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
|
||||
if (err < 0)
|
||||
goto err1;
|
||||
|
||||
err = nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||||
err = nf_ct_netns_get(ctx->net, ctx->family);
|
||||
if (err < 0)
|
||||
goto err1;
|
||||
|
||||
@ -564,7 +564,7 @@ err1:
|
||||
static void nft_ct_get_destroy(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
nf_ct_netns_put(ctx->net, ctx->afi->family);
|
||||
nf_ct_netns_put(ctx->net, ctx->family);
|
||||
}
|
||||
|
||||
static void nft_ct_set_destroy(const struct nft_ctx *ctx,
|
||||
@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const struct nft_ctx *ctx,
|
||||
struct nft_ct *priv = nft_expr_priv(expr);
|
||||
|
||||
__nft_ct_set_destroy(ctx, priv);
|
||||
nf_ct_netns_put(ctx->net, ctx->afi->family);
|
||||
nf_ct_netns_put(ctx->net, ctx->family);
|
||||
}
|
||||
|
||||
static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
||||
@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
|
||||
struct nft_ct_helper_obj *priv = nft_obj_data(obj);
|
||||
struct nf_conntrack_helper *help4, *help6;
|
||||
char name[NF_CT_HELPER_NAME_LEN];
|
||||
int family = ctx->afi->family;
|
||||
int family = ctx->family;
|
||||
|
||||
if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
|
||||
return -EINVAL;
|
||||
@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
|
||||
|
||||
switch (family) {
|
||||
case NFPROTO_IPV4:
|
||||
if (ctx->afi->family == NFPROTO_IPV6)
|
||||
if (ctx->family == NFPROTO_IPV6)
|
||||
return -EINVAL;
|
||||
|
||||
help4 = nf_conntrack_helper_try_module_get(name, family,
|
||||
priv->l4proto);
|
||||
break;
|
||||
case NFPROTO_IPV6:
|
||||
if (ctx->afi->family == NFPROTO_IPV4)
|
||||
if (ctx->family == NFPROTO_IPV4)
|
||||
return -EINVAL;
|
||||
|
||||
help6 = nf_conntrack_helper_try_module_get(name, family,
|
||||
|
@ -164,7 +164,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
|
||||
}
|
||||
|
||||
priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
|
||||
err = nft_validate_register_load(priv->sreg_key, set->klen);;
|
||||
err = nft_validate_register_load(priv->sreg_key, set->klen);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
|
@ -151,7 +151,7 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
|
||||
priv->flowtable = flowtable;
|
||||
flowtable->use++;
|
||||
|
||||
return nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||||
return nf_ct_netns_get(ctx->net, ctx->family);
|
||||
}
|
||||
|
||||
static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
|
||||
@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
|
||||
struct nft_flow_offload *priv = nft_expr_priv(expr);
|
||||
|
||||
priv->flowtable->use--;
|
||||
nf_ct_netns_put(ctx->net, ctx->afi->family);
|
||||
nf_ct_netns_put(ctx->net, ctx->family);
|
||||
}
|
||||
|
||||
static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
||||
|
@ -112,7 +112,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
err = nf_logger_find_get(ctx->afi->family, li->type);
|
||||
err = nf_logger_find_get(ctx->family, li->type);
|
||||
if (err < 0)
|
||||
goto err1;
|
||||
|
||||
@ -133,7 +133,7 @@ static void nft_log_destroy(const struct nft_ctx *ctx,
|
||||
if (priv->prefix != nft_log_null_prefix)
|
||||
kfree(priv->prefix);
|
||||
|
||||
nf_logger_put(ctx->afi->family, li->type);
|
||||
nf_logger_put(ctx->family, li->type);
|
||||
}
|
||||
|
||||
static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
||||
|
@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
return nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||||
return nf_ct_netns_get(ctx->net, ctx->family);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nft_masq_init);
|
||||
|
||||
|
@ -339,7 +339,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx,
|
||||
if (priv->key != NFT_META_SECPATH)
|
||||
return 0;
|
||||
|
||||
switch (ctx->afi->family) {
|
||||
switch (ctx->family) {
|
||||
case NFPROTO_NETDEV:
|
||||
hooks = 1 << NF_NETDEV_INGRESS;
|
||||
break;
|
||||
@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
|
||||
if (priv->key != NFT_META_PKTTYPE)
|
||||
return 0;
|
||||
|
||||
switch (ctx->afi->family) {
|
||||
switch (ctx->family) {
|
||||
case NFPROTO_BRIDGE:
|
||||
hooks = 1 << NF_BR_PRE_ROUTING;
|
||||
break;
|
||||
|
@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
||||
return -EINVAL;
|
||||
|
||||
family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
|
||||
if (family != ctx->afi->family)
|
||||
if (family != ctx->family)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
switch (family) {
|
||||
|
@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return nf_ct_netns_get(ctx->net, ctx->afi->family);
|
||||
return nf_ct_netns_get(ctx->net, ctx->family);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nft_redir_init);
|
||||
|
||||
|
@ -1082,10 +1082,10 @@ struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
|
||||
{
|
||||
struct xt_table *t = xt_find_table_lock(net, af, name);
|
||||
|
||||
#ifdef CONFIG_MODULE
|
||||
#ifdef CONFIG_MODULES
|
||||
if (IS_ERR(t)) {
|
||||
int err = request_module("%stable_%s", xt_prefix[af], name);
|
||||
if (err)
|
||||
if (err < 0)
|
||||
return ERR_PTR(err);
|
||||
t = xt_find_table_lock(net, af, name);
|
||||
}
|
||||
@ -1362,7 +1362,6 @@ static int xt_table_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations xt_table_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = xt_table_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -1498,7 +1497,6 @@ static int xt_match_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations xt_match_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = xt_match_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -1551,7 +1549,6 @@ static int xt_target_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations xt_target_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = xt_target_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -353,7 +353,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
|
||||
static bool select_all(const struct xt_hashlimit_htable *ht,
|
||||
const struct dsthash_ent *he)
|
||||
{
|
||||
return 1;
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool select_gc(const struct xt_hashlimit_htable *ht,
|
||||
@ -1266,7 +1266,6 @@ static int dl_proc_open(struct inode *inode, struct file *file)
|
||||
}
|
||||
|
||||
static const struct file_operations dl_file_ops_v2 = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = dl_proc_open_v2,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -1274,7 +1273,6 @@ static const struct file_operations dl_file_ops_v2 = {
|
||||
};
|
||||
|
||||
static const struct file_operations dl_file_ops_v1 = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = dl_proc_open_v1,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
@ -1282,7 +1280,6 @@ static const struct file_operations dl_file_ops_v1 = {
|
||||
};
|
||||
|
||||
static const struct file_operations dl_file_ops = {
|
||||
.owner = THIS_MODULE,
|
||||
.open = dl_proc_open,
|
||||
.read = seq_read,
|
||||
.llseek = seq_lseek,
|
||||
|
@ -58,7 +58,7 @@ static bool comp_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
*/
|
||||
pr_debug("Dropping evil IPComp tinygram.\n");
|
||||
par->hotdrop = true;
|
||||
return 0;
|
||||
return false;
|
||||
}
|
||||
|
||||
return spi_match(compinfo->spis[0], compinfo->spis[1],
|
||||
|
Loading…
Reference in New Issue
Block a user