Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
cloud-kernel
提交
9d930594
cloud-kernel
项目概览
openanolis
/
cloud-kernel
1 年多 前同步成功
通知
160
Star
36
Fork
7
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
10
列表
看板
标记
里程碑
合并请求
2
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
cloud-kernel
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
10
Issue
10
列表
看板
标记
里程碑
合并请求
2
合并请求
2
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
9d930594
编写于
4月 05, 2011
作者:
D
David S. Miller
浏览文件
操作
浏览文件
下载
差异文件
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
上级
738faca3
96120d86
变更
18
隐藏空白更改
内联
并排
Showing
18 changed file
with
151 addition
and
115 deletion
+151
-115
include/linux/netfilter.h
include/linux/netfilter.h
+2
-1
include/linux/netfilter/ipset/ip_set.h
include/linux/netfilter/ipset/ip_set.h
+1
-1
include/linux/netfilter/ipset/ip_set_ahash.h
include/linux/netfilter/ipset/ip_set_ahash.h
+1
-2
include/net/ip_vs.h
include/net/ip_vs.h
+1
-1
net/ipv4/netfilter.c
net/ipv4/netfilter.c
+3
-2
net/ipv6/netfilter.c
net/ipv6/netfilter.c
+11
-2
net/netfilter/Kconfig
net/netfilter/Kconfig
+0
-1
net/netfilter/ipset/ip_set_bitmap_ip.c
net/netfilter/ipset/ip_set_bitmap_ip.c
+1
-2
net/netfilter/ipset/ip_set_bitmap_ipmac.c
net/netfilter/ipset/ip_set_bitmap_ipmac.c
+1
-2
net/netfilter/ipset/ip_set_bitmap_port.c
net/netfilter/ipset/ip_set_bitmap_port.c
+1
-2
net/netfilter/ipset/ip_set_core.c
net/netfilter/ipset/ip_set_core.c
+66
-43
net/netfilter/ipset/ip_set_list_set.c
net/netfilter/ipset/ip_set_list_set.c
+23
-30
net/netfilter/ipvs/ip_vs_ctl.c
net/netfilter/ipvs/ip_vs_ctl.c
+1
-1
net/netfilter/nf_conntrack_h323_asn1.c
net/netfilter/nf_conntrack_h323_asn1.c
+1
-1
net/netfilter/nf_conntrack_h323_main.c
net/netfilter/nf_conntrack_h323_main.c
+8
-8
net/netfilter/xt_TCPMSS.c
net/netfilter/xt_TCPMSS.c
+1
-1
net/netfilter/xt_addrtype.c
net/netfilter/xt_addrtype.c
+28
-14
net/netfilter/xt_conntrack.c
net/netfilter/xt_conntrack.c
+1
-1
未找到文件。
include/linux/netfilter.h
浏览文件 @
9d930594
...
...
@@ -270,7 +270,8 @@ struct nf_afinfo {
unsigned
int
dataoff
,
unsigned
int
len
,
u_int8_t
protocol
);
int
(
*
route
)(
struct
dst_entry
**
dst
,
struct
flowi
*
fl
);
int
(
*
route
)(
struct
net
*
net
,
struct
dst_entry
**
dst
,
struct
flowi
*
fl
,
bool
strict
);
void
(
*
saveroute
)(
const
struct
sk_buff
*
skb
,
struct
nf_queue_entry
*
entry
);
int
(
*
reroute
)(
struct
sk_buff
*
skb
,
...
...
include/linux/netfilter/ipset/ip_set.h
浏览文件 @
9d930594
...
...
@@ -293,7 +293,7 @@ struct ip_set {
/* Lock protecting the set data */
rwlock_t
lock
;
/* References to the set */
atomic_t
ref
;
u32
ref
;
/* The core set type */
struct
ip_set_type
*
type
;
/* The type variant doing the real job */
...
...
include/linux/netfilter/ipset/ip_set_ahash.h
浏览文件 @
9d930594
...
...
@@ -515,8 +515,7 @@ type_pf_head(struct ip_set *set, struct sk_buff *skb)
if
(
h
->
netmask
!=
HOST_MASK
)
NLA_PUT_U8
(
skb
,
IPSET_ATTR_NETMASK
,
h
->
netmask
);
#endif
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
atomic_read
(
&
set
->
ref
)
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
set
->
ref
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_MEMSIZE
,
htonl
(
memsize
));
if
(
with_timeout
(
h
->
timeout
))
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_TIMEOUT
,
htonl
(
h
->
timeout
));
...
...
include/net/ip_vs.h
浏览文件 @
9d930594
...
...
@@ -52,7 +52,7 @@ static inline struct net *skb_net(const struct sk_buff *skb)
*/
if
(
likely
(
skb
->
dev
&&
skb
->
dev
->
nd_net
))
return
dev_net
(
skb
->
dev
);
if
(
skb_dst
(
skb
)
->
dev
)
if
(
skb_dst
(
skb
)
&&
skb_dst
(
skb
)
->
dev
)
return
dev_net
(
skb_dst
(
skb
)
->
dev
);
WARN
(
skb
->
sk
,
"Maybe skb_sknet should be used in %s() at line:%d
\n
"
,
__func__
,
__LINE__
);
...
...
net/ipv4/netfilter.c
浏览文件 @
9d930594
...
...
@@ -221,9 +221,10 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
return
csum
;
}
static
int
nf_ip_route
(
struct
dst_entry
**
dst
,
struct
flowi
*
fl
)
static
int
nf_ip_route
(
struct
net
*
net
,
struct
dst_entry
**
dst
,
struct
flowi
*
fl
,
bool
strict
__always_unused
)
{
struct
rtable
*
rt
=
ip_route_output_key
(
&
init_
net
,
&
fl
->
u
.
ip4
);
struct
rtable
*
rt
=
ip_route_output_key
(
net
,
&
fl
->
u
.
ip4
);
if
(
IS_ERR
(
rt
))
return
PTR_ERR
(
rt
);
*
dst
=
&
rt
->
dst
;
...
...
net/ipv6/netfilter.c
浏览文件 @
9d930594
...
...
@@ -90,9 +90,18 @@ static int nf_ip6_reroute(struct sk_buff *skb,
return
0
;
}
static
int
nf_ip6_route
(
struct
dst_entry
**
dst
,
struct
flowi
*
fl
)
static
int
nf_ip6_route
(
struct
net
*
net
,
struct
dst_entry
**
dst
,
struct
flowi
*
fl
,
bool
strict
)
{
*
dst
=
ip6_route_output
(
&
init_net
,
NULL
,
&
fl
->
u
.
ip6
);
static
const
struct
ipv6_pinfo
fake_pinfo
;
static
const
struct
inet_sock
fake_sk
=
{
/* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
.
sk
.
sk_bound_dev_if
=
1
,
.
pinet6
=
(
struct
ipv6_pinfo
*
)
&
fake_pinfo
,
};
const
void
*
sk
=
strict
?
&
fake_sk
:
NULL
;
*
dst
=
ip6_route_output
(
net
,
sk
,
&
fl
->
u
.
ip6
);
return
(
*
dst
)
->
error
;
}
...
...
net/netfilter/Kconfig
浏览文件 @
9d930594
...
...
@@ -652,7 +652,6 @@ comment "Xtables matches"
config NETFILTER_XT_MATCH_ADDRTYPE
tristate '"addrtype" address type match support'
depends on NETFILTER_ADVANCED
depends on (IPV6 || IPV6=n)
---help---
This option allows you to match what routing thinks of an address,
eg. UNICAST, LOCAL, BROADCAST, ...
...
...
net/netfilter/ipset/ip_set_bitmap_ip.c
浏览文件 @
9d930594
...
...
@@ -338,8 +338,7 @@ bitmap_ip_head(struct ip_set *set, struct sk_buff *skb)
NLA_PUT_IPADDR4
(
skb
,
IPSET_ATTR_IP_TO
,
htonl
(
map
->
last_ip
));
if
(
map
->
netmask
!=
32
)
NLA_PUT_U8
(
skb
,
IPSET_ATTR_NETMASK
,
map
->
netmask
);
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
atomic_read
(
&
set
->
ref
)
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
set
->
ref
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_MEMSIZE
,
htonl
(
sizeof
(
*
map
)
+
map
->
memsize
));
if
(
with_timeout
(
map
->
timeout
))
...
...
net/netfilter/ipset/ip_set_bitmap_ipmac.c
浏览文件 @
9d930594
...
...
@@ -434,8 +434,7 @@ bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
goto
nla_put_failure
;
NLA_PUT_IPADDR4
(
skb
,
IPSET_ATTR_IP
,
htonl
(
map
->
first_ip
));
NLA_PUT_IPADDR4
(
skb
,
IPSET_ATTR_IP_TO
,
htonl
(
map
->
last_ip
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
atomic_read
(
&
set
->
ref
)
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
set
->
ref
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_MEMSIZE
,
htonl
(
sizeof
(
*
map
)
+
(
map
->
last_ip
-
map
->
first_ip
+
1
)
*
map
->
dsize
));
...
...
net/netfilter/ipset/ip_set_bitmap_port.c
浏览文件 @
9d930594
...
...
@@ -320,8 +320,7 @@ bitmap_port_head(struct ip_set *set, struct sk_buff *skb)
goto
nla_put_failure
;
NLA_PUT_NET16
(
skb
,
IPSET_ATTR_PORT
,
htons
(
map
->
first_port
));
NLA_PUT_NET16
(
skb
,
IPSET_ATTR_PORT_TO
,
htons
(
map
->
last_port
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
atomic_read
(
&
set
->
ref
)
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
set
->
ref
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_MEMSIZE
,
htonl
(
sizeof
(
*
map
)
+
map
->
memsize
));
if
(
with_timeout
(
map
->
timeout
))
...
...
net/netfilter/ipset/ip_set_core.c
浏览文件 @
9d930594
...
...
@@ -26,6 +26,7 @@
static
LIST_HEAD
(
ip_set_type_list
);
/* all registered set types */
static
DEFINE_MUTEX
(
ip_set_type_mutex
);
/* protects ip_set_type_list */
static
DEFINE_RWLOCK
(
ip_set_ref_lock
);
/* protects the set refs */
static
struct
ip_set
**
ip_set_list
;
/* all individual sets */
static
ip_set_id_t
ip_set_max
=
CONFIG_IP_SET_MAX
;
/* max number of sets */
...
...
@@ -301,13 +302,18 @@ EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
static
inline
void
__ip_set_get
(
ip_set_id_t
index
)
{
atomic_inc
(
&
ip_set_list
[
index
]
->
ref
);
write_lock_bh
(
&
ip_set_ref_lock
);
ip_set_list
[
index
]
->
ref
++
;
write_unlock_bh
(
&
ip_set_ref_lock
);
}
static
inline
void
__ip_set_put
(
ip_set_id_t
index
)
{
atomic_dec
(
&
ip_set_list
[
index
]
->
ref
);
write_lock_bh
(
&
ip_set_ref_lock
);
BUG_ON
(
ip_set_list
[
index
]
->
ref
==
0
);
ip_set_list
[
index
]
->
ref
--
;
write_unlock_bh
(
&
ip_set_ref_lock
);
}
/*
...
...
@@ -324,7 +330,7 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
struct
ip_set
*
set
=
ip_set_list
[
index
];
int
ret
=
0
;
BUG_ON
(
set
==
NULL
||
atomic_read
(
&
set
->
ref
)
==
0
);
BUG_ON
(
set
==
NULL
);
pr_debug
(
"set %s, index %u
\n
"
,
set
->
name
,
index
);
if
(
dim
<
set
->
type
->
dimension
||
...
...
@@ -356,7 +362,7 @@ ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
struct
ip_set
*
set
=
ip_set_list
[
index
];
int
ret
;
BUG_ON
(
set
==
NULL
||
atomic_read
(
&
set
->
ref
)
==
0
);
BUG_ON
(
set
==
NULL
);
pr_debug
(
"set %s, index %u
\n
"
,
set
->
name
,
index
);
if
(
dim
<
set
->
type
->
dimension
||
...
...
@@ -378,7 +384,7 @@ ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
struct
ip_set
*
set
=
ip_set_list
[
index
];
int
ret
=
0
;
BUG_ON
(
set
==
NULL
||
atomic_read
(
&
set
->
ref
)
==
0
);
BUG_ON
(
set
==
NULL
);
pr_debug
(
"set %s, index %u
\n
"
,
set
->
name
,
index
);
if
(
dim
<
set
->
type
->
dimension
||
...
...
@@ -397,7 +403,6 @@ EXPORT_SYMBOL_GPL(ip_set_del);
* Find set by name, reference it once. The reference makes sure the
* thing pointed to, does not go away under our feet.
*
* The nfnl mutex must already be activated.
*/
ip_set_id_t
ip_set_get_byname
(
const
char
*
name
,
struct
ip_set
**
set
)
...
...
@@ -423,15 +428,12 @@ EXPORT_SYMBOL_GPL(ip_set_get_byname);
* reference count by 1. The caller shall not assume the index
* to be valid, after calling this function.
*
* The nfnl mutex must already be activated.
*/
void
ip_set_put_byindex
(
ip_set_id_t
index
)
{
if
(
ip_set_list
[
index
]
!=
NULL
)
{
BUG_ON
(
atomic_read
(
&
ip_set_list
[
index
]
->
ref
)
==
0
);
if
(
ip_set_list
[
index
]
!=
NULL
)
__ip_set_put
(
index
);
}
}
EXPORT_SYMBOL_GPL
(
ip_set_put_byindex
);
...
...
@@ -441,7 +443,6 @@ EXPORT_SYMBOL_GPL(ip_set_put_byindex);
* can't be destroyed. The set cannot be renamed due to
* the referencing either.
*
* The nfnl mutex must already be activated.
*/
const
char
*
ip_set_name_byindex
(
ip_set_id_t
index
)
...
...
@@ -449,7 +450,7 @@ ip_set_name_byindex(ip_set_id_t index)
const
struct
ip_set
*
set
=
ip_set_list
[
index
];
BUG_ON
(
set
==
NULL
);
BUG_ON
(
atomic_read
(
&
set
->
ref
)
==
0
);
BUG_ON
(
set
->
ref
==
0
);
/* Referenced, so it's safe */
return
set
->
name
;
...
...
@@ -515,10 +516,7 @@ void
ip_set_nfnl_put
(
ip_set_id_t
index
)
{
nfnl_lock
();
if
(
ip_set_list
[
index
]
!=
NULL
)
{
BUG_ON
(
atomic_read
(
&
ip_set_list
[
index
]
->
ref
)
==
0
);
__ip_set_put
(
index
);
}
ip_set_put_byindex
(
index
);
nfnl_unlock
();
}
EXPORT_SYMBOL_GPL
(
ip_set_nfnl_put
);
...
...
@@ -526,7 +524,7 @@ EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
/*
* Communication protocol with userspace over netlink.
*
*
We already locked by nfnl_lock
.
*
The commands are serialized by the nfnl mutex
.
*/
static
inline
bool
...
...
@@ -657,7 +655,6 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
return
-
ENOMEM
;
rwlock_init
(
&
set
->
lock
);
strlcpy
(
set
->
name
,
name
,
IPSET_MAXNAMELEN
);
atomic_set
(
&
set
->
ref
,
0
);
set
->
family
=
family
;
/*
...
...
@@ -690,8 +687,8 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
/*
* Here, we have a valid, constructed set and we are protected
* by
nfnl_lock. Find the first free index in ip_set_list and
* check clashing.
* by
the nfnl mutex. Find the first free index in ip_set_list
*
and
check clashing.
*/
if
((
ret
=
find_free_id
(
set
->
name
,
&
index
,
&
clash
))
!=
0
)
{
/* If this is the same set and requested, ignore error */
...
...
@@ -751,31 +748,51 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
const
struct
nlattr
*
const
attr
[])
{
ip_set_id_t
i
;
int
ret
=
0
;
if
(
unlikely
(
protocol_failed
(
attr
)))
return
-
IPSET_ERR_PROTOCOL
;
/* References are protected by the nfnl mutex */
/* Commands are serialized and references are
* protected by the ip_set_ref_lock.
* External systems (i.e. xt_set) must call
* ip_set_put|get_nfnl_* functions, that way we
* can safely check references here.
*
* list:set timer can only decrement the reference
* counter, so if it's already zero, we can proceed
* without holding the lock.
*/
read_lock_bh
(
&
ip_set_ref_lock
);
if
(
!
attr
[
IPSET_ATTR_SETNAME
])
{
for
(
i
=
0
;
i
<
ip_set_max
;
i
++
)
{
if
(
ip_set_list
[
i
]
!=
NULL
&&
(
atomic_read
(
&
ip_set_list
[
i
]
->
ref
)))
return
-
IPSET_ERR_BUSY
;
if
(
ip_set_list
[
i
]
!=
NULL
&&
ip_set_list
[
i
]
->
ref
)
{
ret
=
IPSET_ERR_BUSY
;
goto
out
;
}
}
read_unlock_bh
(
&
ip_set_ref_lock
);
for
(
i
=
0
;
i
<
ip_set_max
;
i
++
)
{
if
(
ip_set_list
[
i
]
!=
NULL
)
ip_set_destroy_set
(
i
);
}
}
else
{
i
=
find_set_id
(
nla_data
(
attr
[
IPSET_ATTR_SETNAME
]));
if
(
i
==
IPSET_INVALID_ID
)
return
-
ENOENT
;
else
if
(
atomic_read
(
&
ip_set_list
[
i
]
->
ref
))
return
-
IPSET_ERR_BUSY
;
if
(
i
==
IPSET_INVALID_ID
)
{
ret
=
-
ENOENT
;
goto
out
;
}
else
if
(
ip_set_list
[
i
]
->
ref
)
{
ret
=
-
IPSET_ERR_BUSY
;
goto
out
;
}
read_unlock_bh
(
&
ip_set_ref_lock
);
ip_set_destroy_set
(
i
);
}
return
0
;
out:
read_unlock_bh
(
&
ip_set_ref_lock
);
return
ret
;
}
/* Flush sets */
...
...
@@ -834,6 +851,7 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
struct
ip_set
*
set
;
const
char
*
name2
;
ip_set_id_t
i
;
int
ret
=
0
;
if
(
unlikely
(
protocol_failed
(
attr
)
||
attr
[
IPSET_ATTR_SETNAME
]
==
NULL
||
...
...
@@ -843,25 +861,33 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
set
=
find_set
(
nla_data
(
attr
[
IPSET_ATTR_SETNAME
]));
if
(
set
==
NULL
)
return
-
ENOENT
;
if
(
atomic_read
(
&
set
->
ref
)
!=
0
)
return
-
IPSET_ERR_REFERENCED
;
read_lock_bh
(
&
ip_set_ref_lock
);
if
(
set
->
ref
!=
0
)
{
ret
=
-
IPSET_ERR_REFERENCED
;
goto
out
;
}
name2
=
nla_data
(
attr
[
IPSET_ATTR_SETNAME2
]);
for
(
i
=
0
;
i
<
ip_set_max
;
i
++
)
{
if
(
ip_set_list
[
i
]
!=
NULL
&&
STREQ
(
ip_set_list
[
i
]
->
name
,
name2
))
return
-
IPSET_ERR_EXIST_SETNAME2
;
STREQ
(
ip_set_list
[
i
]
->
name
,
name2
))
{
ret
=
-
IPSET_ERR_EXIST_SETNAME2
;
goto
out
;
}
}
strncpy
(
set
->
name
,
name2
,
IPSET_MAXNAMELEN
);
return
0
;
out:
read_unlock_bh
(
&
ip_set_ref_lock
);
return
ret
;
}
/* Swap two sets so that name/index points to the other.
* References and set names are also swapped.
*
*
We are protect
ed by the nfnl mutex and references are
*
manipulated only by holding the mutex
. The kernel interfaces
*
The commands are serializ
ed by the nfnl mutex and references are
*
protected by the ip_set_ref_lock
. The kernel interfaces
* do not hold the mutex but the pointer settings are atomic
* so the ip_set_list always contains valid pointers to the sets.
*/
...
...
@@ -874,7 +900,6 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
struct
ip_set
*
from
,
*
to
;
ip_set_id_t
from_id
,
to_id
;
char
from_name
[
IPSET_MAXNAMELEN
];
u32
from_ref
;
if
(
unlikely
(
protocol_failed
(
attr
)
||
attr
[
IPSET_ATTR_SETNAME
]
==
NULL
||
...
...
@@ -899,17 +924,15 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
from
->
type
->
family
==
to
->
type
->
family
))
return
-
IPSET_ERR_TYPE_MISMATCH
;
/* No magic here: ref munging protected by the nfnl_lock */
strncpy
(
from_name
,
from
->
name
,
IPSET_MAXNAMELEN
);
from_ref
=
atomic_read
(
&
from
->
ref
);
strncpy
(
from
->
name
,
to
->
name
,
IPSET_MAXNAMELEN
);
atomic_set
(
&
from
->
ref
,
atomic_read
(
&
to
->
ref
));
strncpy
(
to
->
name
,
from_name
,
IPSET_MAXNAMELEN
);
atomic_set
(
&
to
->
ref
,
from_ref
);
write_lock_bh
(
&
ip_set_ref_lock
);
swap
(
from
->
ref
,
to
->
ref
);
ip_set_list
[
from_id
]
=
to
;
ip_set_list
[
to_id
]
=
from
;
write_unlock_bh
(
&
ip_set_ref_lock
);
return
0
;
}
...
...
@@ -926,7 +949,7 @@ ip_set_dump_done(struct netlink_callback *cb)
{
if
(
cb
->
args
[
2
])
{
pr_debug
(
"release set %s
\n
"
,
ip_set_list
[
cb
->
args
[
1
]]
->
name
);
__ip_set_put
((
ip_set_id_t
)
cb
->
args
[
1
]);
ip_set_put_byindex
((
ip_set_id_t
)
cb
->
args
[
1
]);
}
return
0
;
}
...
...
@@ -1068,7 +1091,7 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
/* If there was an error or set is done, release set */
if
(
ret
||
!
cb
->
args
[
2
])
{
pr_debug
(
"release set %s
\n
"
,
ip_set_list
[
index
]
->
name
);
__ip_set_put
(
index
);
ip_set_put_byindex
(
index
);
}
/* If we dump all sets, continue with dumping last ones */
...
...
net/netfilter/ipset/ip_set_list_set.c
浏览文件 @
9d930594
...
...
@@ -43,14 +43,19 @@ struct list_set {
static
inline
struct
set_elem
*
list_set_elem
(
const
struct
list_set
*
map
,
u32
id
)
{
return
(
struct
set_elem
*
)((
char
*
)
map
->
members
+
id
*
map
->
dsize
);
return
(
struct
set_elem
*
)((
void
*
)
map
->
members
+
id
*
map
->
dsize
);
}
static
inline
struct
set_telem
*
list_set_telem
(
const
struct
list_set
*
map
,
u32
id
)
{
return
(
struct
set_telem
*
)((
void
*
)
map
->
members
+
id
*
map
->
dsize
);
}
static
inline
bool
list_set_timeout
(
const
struct
list_set
*
map
,
u32
id
)
{
const
struct
set_telem
*
elem
=
(
const
struct
set_telem
*
)
list_set_elem
(
map
,
id
);
const
struct
set_telem
*
elem
=
list_set_telem
(
map
,
id
);
return
ip_set_timeout_test
(
elem
->
timeout
);
}
...
...
@@ -58,19 +63,11 @@ list_set_timeout(const struct list_set *map, u32 id)
static
inline
bool
list_set_expired
(
const
struct
list_set
*
map
,
u32
id
)
{
const
struct
set_telem
*
elem
=
(
const
struct
set_telem
*
)
list_set_elem
(
map
,
id
);
const
struct
set_telem
*
elem
=
list_set_telem
(
map
,
id
);
return
ip_set_timeout_expired
(
elem
->
timeout
);
}
static
inline
int
list_set_exist
(
const
struct
set_telem
*
elem
)
{
return
elem
->
id
!=
IPSET_INVALID_ID
&&
!
ip_set_timeout_expired
(
elem
->
timeout
);
}
/* Set list without and with timeout */
static
int
...
...
@@ -146,11 +143,11 @@ list_elem_tadd(struct list_set *map, u32 i, ip_set_id_t id,
struct
set_telem
*
e
;
for
(;
i
<
map
->
size
;
i
++
)
{
e
=
(
struct
set_telem
*
)
list_set_
elem
(
map
,
i
);
e
=
list_set_t
elem
(
map
,
i
);
swap
(
e
->
id
,
id
);
swap
(
e
->
timeout
,
timeout
);
if
(
e
->
id
==
IPSET_INVALID_ID
)
break
;
swap
(
e
->
timeout
,
timeout
);
}
}
...
...
@@ -164,7 +161,7 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
/* Last element replaced: e.g. add new,before,last */
ip_set_put_byindex
(
e
->
id
);
if
(
with_timeout
(
map
->
timeout
))
list_elem_tadd
(
map
,
i
,
id
,
timeout
);
list_elem_tadd
(
map
,
i
,
id
,
ip_set_timeout_set
(
timeout
)
);
else
list_elem_add
(
map
,
i
,
id
);
...
...
@@ -172,11 +169,11 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
}
static
int
list_set_del
(
struct
list_set
*
map
,
ip_set_id_t
id
,
u32
i
)
list_set_del
(
struct
list_set
*
map
,
u32
i
)
{
struct
set_elem
*
a
=
list_set_elem
(
map
,
i
),
*
b
;
ip_set_put_byindex
(
id
);
ip_set_put_byindex
(
a
->
id
);
for
(;
i
<
map
->
size
-
1
;
i
++
)
{
b
=
list_set_elem
(
map
,
i
+
1
);
...
...
@@ -308,11 +305,11 @@ list_set_uadt(struct ip_set *set, struct nlattr *tb[],
(
before
==
0
||
(
before
>
0
&&
next_id_eq
(
map
,
i
,
refid
))))
ret
=
list_set_del
(
map
,
i
d
,
i
);
ret
=
list_set_del
(
map
,
i
);
else
if
(
before
<
0
&&
elem
->
id
==
refid
&&
next_id_eq
(
map
,
i
,
id
))
ret
=
list_set_del
(
map
,
i
d
,
i
+
1
);
ret
=
list_set_del
(
map
,
i
+
1
);
}
break
;
default:
...
...
@@ -369,8 +366,7 @@ list_set_head(struct ip_set *set, struct sk_buff *skb)
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_SIZE
,
htonl
(
map
->
size
));
if
(
with_timeout
(
map
->
timeout
))
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_TIMEOUT
,
htonl
(
map
->
timeout
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
atomic_read
(
&
set
->
ref
)
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_REFERENCES
,
htonl
(
set
->
ref
-
1
));
NLA_PUT_NET32
(
skb
,
IPSET_ATTR_MEMSIZE
,
htonl
(
sizeof
(
*
map
)
+
map
->
size
*
map
->
dsize
));
ipset_nest_end
(
skb
,
nested
);
...
...
@@ -461,16 +457,13 @@ list_set_gc(unsigned long ul_set)
struct
set_telem
*
e
;
u32
i
;
/* We run parallel with other readers (test element)
* but adding/deleting new entries is locked out */
read_lock_bh
(
&
set
->
lock
);
for
(
i
=
map
->
size
-
1
;
i
>=
0
;
i
--
)
{
e
=
(
struct
set_telem
*
)
list_set_elem
(
map
,
i
);
if
(
e
->
id
!=
IPSET_INVALID_ID
&&
list_set_expired
(
map
,
i
))
list_set_del
(
map
,
e
->
id
,
i
);
write_lock_bh
(
&
set
->
lock
);
for
(
i
=
0
;
i
<
map
->
size
;
i
++
)
{
e
=
list_set_telem
(
map
,
i
);
if
(
e
->
id
!=
IPSET_INVALID_ID
&&
list_set_expired
(
map
,
i
))
list_set_del
(
map
,
i
);
}
read
_unlock_bh
(
&
set
->
lock
);
write
_unlock_bh
(
&
set
->
lock
);
map
->
gc
.
expires
=
jiffies
+
IPSET_GC_PERIOD
(
map
->
timeout
)
*
HZ
;
add_timer
(
&
map
->
gc
);
...
...
net/netfilter/ipvs/ip_vs_ctl.c
浏览文件 @
9d930594
...
...
@@ -3120,7 +3120,7 @@ static int ip_vs_genl_dump_daemon(struct sk_buff *skb, __be32 state,
static
int
ip_vs_genl_dump_daemons
(
struct
sk_buff
*
skb
,
struct
netlink_callback
*
cb
)
{
struct
net
*
net
=
skb_net
(
skb
);
struct
net
*
net
=
skb_
sk
net
(
skb
);
struct
netns_ipvs
*
ipvs
=
net_ipvs
(
net
);
mutex_lock
(
&
__ip_vs_mutex
);
...
...
net/netfilter/nf_conntrack_h323_asn1.c
浏览文件 @
9d930594
...
...
@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, const struct field_t *f,
CHECK_BOUND
(
bs
,
2
);
count
=
*
bs
->
cur
++
;
count
<<=
8
;
count
=
*
bs
->
cur
++
;
count
+
=
*
bs
->
cur
++
;
break
;
case
SEMI
:
BYTE_ALIGN
(
bs
);
...
...
net/netfilter/nf_conntrack_h323_main.c
浏览文件 @
9d930594
...
...
@@ -731,10 +731,10 @@ static int callforward_do_filter(const union nf_inet_addr *src,
memset
(
&
fl2
,
0
,
sizeof
(
fl2
));
fl2
.
daddr
=
dst
->
ip
;
if
(
!
afinfo
->
route
((
struct
dst_entry
**
)
&
rt1
,
flowi4_to_flowi
(
&
fl1
)))
{
if
(
!
afinfo
->
route
((
struct
dst_entry
**
)
&
rt2
,
flowi4_to_flowi
(
&
fl2
)))
{
if
(
!
afinfo
->
route
(
&
init_net
,
(
struct
dst_entry
**
)
&
rt1
,
flowi4_to_flowi
(
&
fl1
)
,
false
))
{
if
(
!
afinfo
->
route
(
&
init_net
,
(
struct
dst_entry
**
)
&
rt2
,
flowi4_to_flowi
(
&
fl2
)
,
false
))
{
if
(
rt1
->
rt_gateway
==
rt2
->
rt_gateway
&&
rt1
->
dst
.
dev
==
rt2
->
dst
.
dev
)
ret
=
1
;
...
...
@@ -755,10 +755,10 @@ static int callforward_do_filter(const union nf_inet_addr *src,
memset
(
&
fl2
,
0
,
sizeof
(
fl2
));
ipv6_addr_copy
(
&
fl2
.
daddr
,
&
dst
->
in6
);
if
(
!
afinfo
->
route
((
struct
dst_entry
**
)
&
rt1
,
flowi6_to_flowi
(
&
fl1
)))
{
if
(
!
afinfo
->
route
((
struct
dst_entry
**
)
&
rt2
,
flowi6_to_flowi
(
&
fl2
)))
{
if
(
!
afinfo
->
route
(
&
init_net
,
(
struct
dst_entry
**
)
&
rt1
,
flowi6_to_flowi
(
&
fl1
)
,
false
))
{
if
(
!
afinfo
->
route
(
&
init_net
,
(
struct
dst_entry
**
)
&
rt2
,
flowi6_to_flowi
(
&
fl2
)
,
false
))
{
if
(
!
memcmp
(
&
rt1
->
rt6i_gateway
,
&
rt2
->
rt6i_gateway
,
sizeof
(
rt1
->
rt6i_gateway
))
&&
rt1
->
dst
.
dev
==
rt2
->
dst
.
dev
)
...
...
net/netfilter/xt_TCPMSS.c
浏览文件 @
9d930594
...
...
@@ -166,7 +166,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
rcu_read_lock
();
ai
=
nf_get_afinfo
(
family
);
if
(
ai
!=
NULL
)
ai
->
route
(
(
struct
dst_entry
**
)
&
rt
,
&
fl
);
ai
->
route
(
&
init_net
,
(
struct
dst_entry
**
)
&
rt
,
&
fl
,
false
);
rcu_read_unlock
();
if
(
rt
!=
NULL
)
{
...
...
net/netfilter/xt_addrtype.c
浏览文件 @
9d930594
...
...
@@ -32,11 +32,32 @@ MODULE_ALIAS("ipt_addrtype");
MODULE_ALIAS
(
"ip6t_addrtype"
);
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
static
u32
xt_addrtype_rt6_to_type
(
const
struct
rt6_info
*
rt
)
static
u32
match_lookup_rt6
(
struct
net
*
net
,
const
struct
net_device
*
dev
,
const
struct
in6_addr
*
addr
)
{
const
struct
nf_afinfo
*
afinfo
;
struct
flowi6
flow
;
struct
rt6_info
*
rt
;
u32
ret
;
int
route_err
;
if
(
!
rt
)
memset
(
&
flow
,
0
,
sizeof
(
flow
));
ipv6_addr_copy
(
&
flow
.
daddr
,
addr
);
if
(
dev
)
flow
.
flowi6_oif
=
dev
->
ifindex
;
rcu_read_lock
();
afinfo
=
nf_get_afinfo
(
NFPROTO_IPV6
);
if
(
afinfo
!=
NULL
)
route_err
=
afinfo
->
route
(
net
,
(
struct
dst_entry
**
)
&
rt
,
flowi6_to_flowi
(
&
flow
),
!!
dev
);
else
route_err
=
1
;
rcu_read_unlock
();
if
(
route_err
)
return
XT_ADDRTYPE_UNREACHABLE
;
if
(
rt
->
rt6i_flags
&
RTF_REJECT
)
...
...
@@ -48,6 +69,9 @@ static u32 xt_addrtype_rt6_to_type(const struct rt6_info *rt)
ret
|=
XT_ADDRTYPE_LOCAL
;
if
(
rt
->
rt6i_flags
&
RTF_ANYCAST
)
ret
|=
XT_ADDRTYPE_ANYCAST
;
dst_release
(
&
rt
->
dst
);
return
ret
;
}
...
...
@@ -65,18 +89,8 @@ static bool match_type6(struct net *net, const struct net_device *dev,
return
false
;
if
((
XT_ADDRTYPE_LOCAL
|
XT_ADDRTYPE_ANYCAST
|
XT_ADDRTYPE_UNREACHABLE
)
&
mask
)
{
struct
rt6_info
*
rt
;
u32
type
;
int
ifindex
=
dev
?
dev
->
ifindex
:
0
;
rt
=
rt6_lookup
(
net
,
addr
,
NULL
,
ifindex
,
!!
dev
);
type
=
xt_addrtype_rt6_to_type
(
rt
);
dst_release
(
&
rt
->
dst
);
return
!!
(
mask
&
type
);
}
XT_ADDRTYPE_UNREACHABLE
)
&
mask
)
return
!!
(
mask
&
match_lookup_rt6
(
net
,
dev
,
addr
));
return
true
;
}
...
...
net/netfilter/xt_conntrack.c
浏览文件 @
9d930594
...
...
@@ -195,7 +195,7 @@ conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
return
info
->
match_flags
&
XT_CONNTRACK_STATE
;
if
((
info
->
match_flags
&
XT_CONNTRACK_DIRECTION
)
&&
(
CTINFO2DIR
(
ctinfo
)
==
IP_CT_DIR_ORIGINAL
)
^
!
!
(
info
->
invert_flags
&
XT_CONNTRACK_DIRECTION
))
!
(
info
->
invert_flags
&
XT_CONNTRACK_DIRECTION
))
return
false
;
if
(
info
->
match_flags
&
XT_CONNTRACK_ORIGSRC
)
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录