提交 b4ba2611 编写于 作者: J Jan Engelhardt

netfilter: xtables: change hotdrop pointer to direct modification

Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried me (8 bytes (64-bit) to write 1 byte!).
Surprisingly results in a reduction in size:

   text    data     bss filename
5457066  692730  357892 vmlinux.o-prev
5456554  692730  357892 vmlinux.o
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
上级 62fc8051
...@@ -196,6 +196,9 @@ struct xt_counters_info { ...@@ -196,6 +196,9 @@ struct xt_counters_info {
* @hook: hook number given packet came from * @hook: hook number given packet came from
* @family: Actual NFPROTO_* through which the function is invoked * @family: Actual NFPROTO_* through which the function is invoked
* (helpful when match->family == NFPROTO_UNSPEC) * (helpful when match->family == NFPROTO_UNSPEC)
*
* Fields written to by extensions:
*
* @hotdrop: drop packet if we had inspection problems * @hotdrop: drop packet if we had inspection problems
* Network namespace obtainable using dev_net(in/out) * Network namespace obtainable using dev_net(in/out)
*/ */
...@@ -212,7 +215,7 @@ struct xt_action_param { ...@@ -212,7 +215,7 @@ struct xt_action_param {
unsigned int thoff; unsigned int thoff;
unsigned int hooknum; unsigned int hooknum;
u_int8_t family; u_int8_t family;
bool *hotdrop; bool hotdrop;
}; };
/** /**
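Review bot: `bool hotdrop` is now an in-struct output field that the caller must reset before the first match runs, but the header comment does not say so; the four do_table functions in this commit do set `acpar.hotdrop = false`, yet any other caller that builds an `xt_action_param` and invokes a match (none visible in this diff) would now read an uninitialized stack bool instead of faulting on the NULL pointer write the old layout produced. I would extend the field's documentation to `@hotdrop: drop packet if we had inspection problems; callers must initialize it to false before running any match`. In the comment hunk above, the line `Network namespace obtainable using dev_net(in/out)` now falls under the new "Fields written to by extensions:" heading although it describes no field; moving it above that heading keeps the two lists distinct.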
......
...@@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, ...@@ -186,13 +186,12 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
struct ebt_entries *chaininfo; struct ebt_entries *chaininfo;
const char *base; const char *base;
const struct ebt_table_info *private; const struct ebt_table_info *private;
bool hotdrop = false;
struct xt_action_param acpar; struct xt_action_param acpar;
acpar.family = NFPROTO_BRIDGE; acpar.family = NFPROTO_BRIDGE;
acpar.in = in; acpar.in = in;
acpar.out = out; acpar.out = out;
acpar.hotdrop = &hotdrop; acpar.hotdrop = false;
acpar.hooknum = hook; acpar.hooknum = hook;
read_lock_bh(&table->lock); read_lock_bh(&table->lock);
...@@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, ...@@ -216,7 +215,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0) if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
goto letscontinue; goto letscontinue;
if (hotdrop) { if (acpar.hotdrop) {
read_unlock_bh(&table->lock); read_unlock_bh(&table->lock);
return NF_DROP; return NF_DROP;
} }
......
...@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb, ...@@ -260,7 +260,6 @@ unsigned int arpt_do_table(struct sk_buff *skb,
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
unsigned int verdict = NF_DROP; unsigned int verdict = NF_DROP;
const struct arphdr *arp; const struct arphdr *arp;
bool hotdrop = false;
struct arpt_entry *e, *back; struct arpt_entry *e, *back;
const char *indev, *outdev; const char *indev, *outdev;
void *table_base; void *table_base;
...@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, ...@@ -284,6 +283,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
acpar.out = out; acpar.out = out;
acpar.hooknum = hook; acpar.hooknum = hook;
acpar.family = NFPROTO_ARP; acpar.family = NFPROTO_ARP;
acpar.hotdrop = false;
arp = arp_hdr(skb); arp = arp_hdr(skb);
do { do {
...@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb, ...@@ -345,10 +345,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
else else
/* Verdict */ /* Verdict */
break; break;
} while (!hotdrop); } while (!acpar.hotdrop);
xt_info_rdunlock_bh(); xt_info_rdunlock_bh();
if (hotdrop) if (acpar.hotdrop)
return NF_DROP; return NF_DROP;
else else
return verdict; return verdict;
......
...@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb, ...@@ -308,7 +308,6 @@ ipt_do_table(struct sk_buff *skb,
{ {
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip; const struct iphdr *ip;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */ /* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP; unsigned int verdict = NF_DROP;
const char *indev, *outdev; const char *indev, *outdev;
...@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb, ...@@ -330,7 +329,7 @@ ipt_do_table(struct sk_buff *skb,
* match it. */ * match it. */
acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
acpar.thoff = ip_hdrlen(skb); acpar.thoff = ip_hdrlen(skb);
acpar.hotdrop = &hotdrop; acpar.hotdrop = false;
acpar.in = in; acpar.in = in;
acpar.out = out; acpar.out = out;
acpar.family = NFPROTO_IPV4; acpar.family = NFPROTO_IPV4;
...@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb, ...@@ -432,7 +431,7 @@ ipt_do_table(struct sk_buff *skb,
else else
/* Verdict */ /* Verdict */
break; break;
} while (!hotdrop); } while (!acpar.hotdrop);
xt_info_rdunlock_bh(); xt_info_rdunlock_bh();
pr_debug("Exiting %s; resetting sp from %u to %u\n", pr_debug("Exiting %s; resetting sp from %u to %u\n",
__func__, *stackptr, origptr); __func__, *stackptr, origptr);
...@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb, ...@@ -440,7 +439,7 @@ ipt_do_table(struct sk_buff *skb,
#ifdef DEBUG_ALLOW_ALL #ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT; return NF_ACCEPT;
#else #else
if (hotdrop) if (acpar.hotdrop)
return NF_DROP; return NF_DROP;
else return verdict; else return verdict;
#endif #endif
...@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -2154,7 +2153,7 @@ icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop. * can't. Hence, no choice but to drop.
*/ */
duprintf("Dropping evil ICMP tinygram.\n"); duprintf("Dropping evil ICMP tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -46,7 +46,7 @@ static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop. * can't. Hence, no choice but to drop.
*/ */
pr_debug("Dropping evil AH tinygram.\n"); pr_debug("Dropping evil AH tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return 0; return 0;
} }
......
...@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -78,7 +78,7 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
if (ip_hdr(skb)->protocol != IPPROTO_TCP) if (ip_hdr(skb)->protocol != IPPROTO_TCP)
return false; return false;
if (!match_tcp(skb, info, par->hotdrop)) if (!match_tcp(skb, info, &par->hotdrop))
return false; return false;
} }
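Review bot: `match_tcp` still takes a `bool *` for hotdrop, so the new code merely swaps `par->hotdrop` for `&par->hotdrop` and the indirect write the commit message sets out to remove survives inside the helper; the same pattern remains in `match_option` (dccp_mt), `match_packet` (sctp_mt), `tcp_find_option` (tcp_mt) and `ip6_packet_match` (ip6t_do_table). A follow-up could pass `par` itself to these helpers and have them set `par->hotdrop = true` directly, which also keeps the helper signatures aligned with the match functions that call them. The enclosing ecn_mt body continues outside the hunk.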
......
...@@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -337,7 +337,6 @@ ip6t_do_table(struct sk_buff *skb,
struct xt_table *table) struct xt_table *table)
{ {
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */ /* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP; unsigned int verdict = NF_DROP;
const char *indev, *outdev; const char *indev, *outdev;
...@@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -356,7 +355,7 @@ ip6t_do_table(struct sk_buff *skb,
* things we don't know, ie. tcp syn flag or ports). If the * things we don't know, ie. tcp syn flag or ports). If the
* rule is also a fragment-specific rule, non-fragments won't * rule is also a fragment-specific rule, non-fragments won't
* match it. */ * match it. */
acpar.hotdrop = &hotdrop; acpar.hotdrop = false;
acpar.in = in; acpar.in = in;
acpar.out = out; acpar.out = out;
acpar.family = NFPROTO_IPV6; acpar.family = NFPROTO_IPV6;
...@@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -380,7 +379,7 @@ ip6t_do_table(struct sk_buff *skb,
IP_NF_ASSERT(e); IP_NF_ASSERT(e);
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
&acpar.thoff, &acpar.fragoff, &hotdrop)) { &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
no_match: no_match:
e = ip6t_next_entry(e); e = ip6t_next_entry(e);
continue; continue;
...@@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -447,7 +446,7 @@ ip6t_do_table(struct sk_buff *skb,
else else
/* Verdict */ /* Verdict */
break; break;
} while (!hotdrop); } while (!acpar.hotdrop);
xt_info_rdunlock_bh(); xt_info_rdunlock_bh();
*stackptr = origptr; *stackptr = origptr;
...@@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb, ...@@ -455,7 +454,7 @@ ip6t_do_table(struct sk_buff *skb,
#ifdef DEBUG_ALLOW_ALL #ifdef DEBUG_ALLOW_ALL
return NF_ACCEPT; return NF_ACCEPT;
#else #else
if (hotdrop) if (acpar.hotdrop)
return NF_DROP; return NF_DROP;
else return verdict; else return verdict;
#endif #endif
...@@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -2170,7 +2169,7 @@ icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop. * can't. Hence, no choice but to drop.
*/ */
duprintf("Dropping evil ICMP tinygram.\n"); duprintf("Dropping evil ICMP tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
if (err < 0) { if (err < 0) {
if (err != -ENOENT) if (err != -ENOENT)
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
if (ah == NULL) { if (ah == NULL) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -27,7 +27,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
if (!(skb_mac_header(skb) >= skb->head && if (!(skb_mac_header(skb) >= skb->head &&
skb_mac_header(skb) + ETH_HLEN <= skb->data) && skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
par->fragoff != 0) { par->fragoff != 0) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
if (err < 0) { if (err < 0) {
if (err != -ENOENT) if (err != -ENOENT)
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
if (fh == NULL) { if (fh == NULL) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -65,13 +65,13 @@ hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
NEXTHDR_HOP : NEXTHDR_DEST, NULL); NEXTHDR_HOP : NEXTHDR_DEST, NULL);
if (err < 0) { if (err < 0) {
if (err != -ENOENT) if (err != -ENOENT)
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
if (oh == NULL) { if (oh == NULL) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -47,14 +47,14 @@ static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */ can't. Hence, no choice but to drop. */
pr_debug("Dropping evil MH tinygram.\n"); pr_debug("Dropping evil MH tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
if (mh->ip6mh_proto != IPPROTO_NONE) { if (mh->ip6mh_proto != IPPROTO_NONE) {
pr_debug("Dropping invalid MH Payload Proto: %u\n", pr_debug("Dropping invalid MH Payload Proto: %u\n",
mh->ip6mh_proto); mh->ip6mh_proto);
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
if (err < 0) { if (err < 0) {
if (err != -ENOENT) if (err != -ENOENT)
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
if (rh == NULL) { if (rh == NULL) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -206,14 +206,14 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
if (connections < 0) { if (connections < 0) {
/* kmalloc failed, drop it entirely */ /* kmalloc failed, drop it entirely */
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
return (connections > info->limit) ^ info->inverse; return (connections > info->limit) ^ info->inverse;
hotdrop: hotdrop:
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh); dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
if (dh == NULL) { if (dh == NULL) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
...@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -120,7 +120,7 @@ dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
&& DCCHECK(match_types(dh, info->typemask), && DCCHECK(match_types(dh, info->typemask),
XT_DCCP_TYPE, info->flags, info->invflags) XT_DCCP_TYPE, info->flags, info->invflags)
&& DCCHECK(match_option(info->option, skb, par->thoff, dh, && DCCHECK(match_option(info->option, skb, par->thoff, dh,
par->hotdrop), &par->hotdrop),
XT_DCCP_OPTION, info->flags, info->invflags); XT_DCCP_OPTION, info->flags, info->invflags);
} }
......
...@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -52,7 +52,7 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop. * can't. Hence, no choice but to drop.
*/ */
pr_debug("Dropping evil ESP tinygram.\n"); pr_debug("Dropping evil ESP tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -562,7 +562,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
return info->cfg.mode & XT_HASHLIMIT_INVERT; return info->cfg.mode & XT_HASHLIMIT_INVERT;
hotdrop: hotdrop:
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -87,7 +87,7 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
* can't. Hence, no choice but to drop. * can't. Hence, no choice but to drop.
*/ */
pr_debug("Dropping evil offset=0 tinygram.\n"); pr_debug("Dropping evil offset=0 tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -268,7 +268,7 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
goto out; goto out;
e = recent_entry_init(t, &addr, par->family, ttl); e = recent_entry_init(t, &addr, par->family, ttl);
if (e == NULL) if (e == NULL)
*par->hotdrop = true; par->hotdrop = true;
ret = !ret; ret = !ret;
goto out; goto out;
} }
......
...@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -128,7 +128,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
if (sh == NULL) { if (sh == NULL) {
pr_debug("Dropping evil TCP offset=0 tinygram.\n"); pr_debug("Dropping evil TCP offset=0 tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
...@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -140,7 +140,7 @@ sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
&& ntohs(sh->dest) <= info->dpts[1], && ntohs(sh->dest) <= info->dpts[1],
XT_SCTP_DEST_PORTS, info->flags, info->invflags) XT_SCTP_DEST_PORTS, info->flags, info->invflags)
&& SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t), && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
info, par->hotdrop), info, &par->hotdrop),
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
} }
......
...@@ -73,7 +73,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -73,7 +73,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
return info->invert; return info->invert;
dropit: dropit:
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......
...@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -77,7 +77,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
*/ */
if (par->fragoff == 1) { if (par->fragoff == 1) {
pr_debug("Dropping evil TCP offset=1 frag.\n"); pr_debug("Dropping evil TCP offset=1 frag.\n");
*par->hotdrop = true; par->hotdrop = true;
} }
/* Must not be a fragment. */ /* Must not be a fragment. */
return false; return false;
...@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -90,7 +90,7 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */ can't. Hence, no choice but to drop. */
pr_debug("Dropping evil TCP offset=0 tinygram.\n"); pr_debug("Dropping evil TCP offset=0 tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
...@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -108,13 +108,13 @@ static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
return false; return false;
if (tcpinfo->option) { if (tcpinfo->option) {
if (th->doff * 4 < sizeof(_tcph)) { if (th->doff * 4 < sizeof(_tcph)) {
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
if (!tcp_find_option(tcpinfo->option, skb, par->thoff, if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
th->doff*4 - sizeof(_tcph), th->doff*4 - sizeof(_tcph),
tcpinfo->invflags & XT_TCP_INV_OPTION, tcpinfo->invflags & XT_TCP_INV_OPTION,
par->hotdrop)) &par->hotdrop))
return false; return false;
} }
return true; return true;
...@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -143,7 +143,7 @@ static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
/* We've been asked to examine this packet, and we /* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */ can't. Hence, no choice but to drop. */
pr_debug("Dropping evil UDP tinygram.\n"); pr_debug("Dropping evil UDP tinygram.\n");
*par->hotdrop = true; par->hotdrop = true;
return false; return false;
} }
......