提交 cbcbeedb 编写于 作者: D David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree. Basically, a new extension for ip6tables, simplification work of
nf_tables that saves us 500 LoC, allow raw table registration before
defragmentation, conversion of the SNMP helper to use the ASN.1 code
generator, unique 64-bit handle for all nf_tables objects and fixes to
address fallout from previous nf-next batch.  More specifically, they
are:

1) Seven patches to remove family abstraction layer (struct nft_af_info)
   in nf_tables, this simplifies our codebase and it saves us 64 bytes per
   net namespace.

2) Add IPv6 segment routing header matching for ip6tables, from Ahmed
   Abdelsalam.

3) Allow to register iptable_raw table before defragmentation, some
   people do not want to waste cycles on defragmenting traffic that is
   going to be dropped, hence add a new module parameter to enable this
   behaviour in iptables and ip6tables. From Subash Abhinov
   Kasiviswanathan. This patch needed a couple of follow up patches to
   get things tidy from Arnd Bergmann.

4) SNMP helper uses the ASN.1 code generator, from Taehee Yoo. Several
   patches for this helper to prepare this change are also part of this
   patch series.

5) Add 64-bit handles to uniquely objects in nf_tables, from Harsha
   Sharma.

6) Remove log message that several netfilter subsystems print at
   boot/load time.

7) Restore x_tables module autoloading, that got broken in a previous
   patch to allow singleton NAT hook callback registration per hook
   spot, from Florian Westphal. Moreover, return EBUSY to report that
   the singleton NAT hook slot is already in instead.

8) Several fixes for the new nf_tables flowtable representation,
   including incorrect error check after nf_tables_flowtable_lookup(),
   missing Kconfig dependencies that lead to build breakage and missing
   initialization of priority and hooknum in flowtable object.

9) Missing NETFILTER_FAMILY_ARP dependency in Kconfig for the clusterip
   target. This is due to recent updates in the core to shrink the hook
   array size and compile it out if no specific family is enabled via
   .config file. Patch from Florian Westphal.

10) Remove duplicated include header files, from Wei Yongjun.

11) Sparse warning fix for the NFPROTO_INET handling from the core
    due to missing static function definition, also from Wei Yongjun.

12) Restore ICMPv6 Parameter Problem error reporting when
    defragmentation fails, from Subash Abhinov Kasiviswanathan.

13) Remove obsolete owner field initialization from struct
    file_operations, patch from Alexey Dobriyan.

14) Use boolean datatype where needed in the Netfilter codebase, from
    Gustavo A. R. Silva.

15) Remove double semicolon in dynset nf_tables expression, from
    Luis de Bethencourt.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
......@@ -143,22 +143,22 @@ static inline void nft_data_debug(const struct nft_data *data)
* struct nft_ctx - nf_tables rule/set context
*
* @net: net namespace
* @afi: address family info
* @table: the table the chain is contained in
* @chain: the chain the rule is contained in
* @nla: netlink attributes
* @portid: netlink portID of the original message
* @seq: netlink sequence number
* @family: protocol family
* @report: notify via unicast netlink message
*/
struct nft_ctx {
struct net *net;
struct nft_af_info *afi;
struct nft_table *table;
struct nft_chain *chain;
const struct nlattr * const *nla;
u32 portid;
u32 seq;
u8 family;
bool report;
};
......@@ -374,6 +374,7 @@ void nft_unregister_set(struct nft_set_type *type);
* @list: table set list node
* @bindings: list of set bindings
* @name: name of the set
* @handle: unique handle of the set
* @ktype: key type (numeric type defined by userspace, not used in the kernel)
* @dtype: data type (verdict or numeric type defined by userspace)
* @objtype: object type (see NFT_OBJECT_* definitions)
......@@ -396,6 +397,7 @@ struct nft_set {
struct list_head list;
struct list_head bindings;
char *name;
u64 handle;
u32 ktype;
u32 dtype;
u32 objtype;
......@@ -946,9 +948,11 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
* @objects: stateful objects in the table
* @flowtables: flow tables in the table
* @hgenerator: handle generator state
* @handle: table handle
* @use: number of chain references to this table
* @flags: table flag (see enum nft_table_flags)
* @genmask: generation mask
* @afinfo: address family info
* @name: name of the table
*/
struct nft_table {
......@@ -958,38 +962,14 @@ struct nft_table {
struct list_head objects;
struct list_head flowtables;
u64 hgenerator;
u64 handle;
u32 use;
u16 flags:14,
u16 family:6,
flags:8,
genmask:2;
char *name;
};
enum nft_af_flags {
NFT_AF_NEEDS_DEV = (1 << 0),
};
/**
* struct nft_af_info - nf_tables address family info
*
* @list: used internally
* @family: address family
* @nhooks: number of hooks in this family
* @owner: module owner
* @tables: used internally
* @flags: family flags
*/
struct nft_af_info {
struct list_head list;
int family;
unsigned int nhooks;
struct module *owner;
struct list_head tables;
u32 flags;
};
int nft_register_afinfo(struct net *, struct nft_af_info *);
void nft_unregister_afinfo(struct net *, struct nft_af_info *);
int nft_register_chain_type(const struct nf_chain_type *);
void nft_unregister_chain_type(const struct nf_chain_type *);
......@@ -1007,9 +987,9 @@ int nft_verdict_dump(struct sk_buff *skb, int type,
* @name: name of this stateful object
* @genmask: generation mask
* @use: number of references to this stateful object
* @data: object data, layout depends on type
* @handle: unique object handle
* @ops: object operations
* @data: pointer to object data
* @data: object data, layout depends on type
*/
struct nft_object {
struct list_head list;
......@@ -1017,6 +997,7 @@ struct nft_object {
struct nft_table *table;
u32 genmask:2,
use:30;
u64 handle;
/* runtime data below here */
const struct nft_object_ops *ops ____cacheline_aligned;
unsigned char data[]
......@@ -1098,6 +1079,7 @@ void nft_unregister_obj(struct nft_object_type *obj_type);
* @ops_len: number of hooks in array
* @genmask: generation mask
* @use: number of references to this flow table
* @handle: unique object handle
* @data: rhashtable and garbage collector
* @ops: array of hooks
*/
......@@ -1110,6 +1092,7 @@ struct nft_flowtable {
int ops_len;
u32 genmask:2,
use:30;
u64 handle;
/* runtime data below here */
struct nf_hook_ops *ops ____cacheline_aligned;
struct nf_flowtable data;
......@@ -1154,9 +1137,6 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
void nft_trace_notify(struct nft_traceinfo *info);
#define MODULE_ALIAS_NFT_FAMILY(family) \
MODULE_ALIAS("nft-afinfo-" __stringify(family))
#define MODULE_ALIAS_NFT_CHAIN(family, name) \
MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
......
......@@ -7,14 +7,8 @@
struct nft_af_info;
struct netns_nftables {
struct list_head af_info;
struct list_head tables;
struct list_head commit_list;
struct nft_af_info *ipv4;
struct nft_af_info *ipv6;
struct nft_af_info *inet;
struct nft_af_info *arp;
struct nft_af_info *bridge;
struct nft_af_info *netdev;
unsigned int base_seq;
u8 gencursor;
};
......
......@@ -174,6 +174,8 @@ enum nft_table_attributes {
NFTA_TABLE_NAME,
NFTA_TABLE_FLAGS,
NFTA_TABLE_USE,
NFTA_TABLE_HANDLE,
NFTA_TABLE_PAD,
__NFTA_TABLE_MAX
};
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
......@@ -317,6 +319,7 @@ enum nft_set_desc_attributes {
* @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
* @NFTA_SET_HANDLE: set handle (NLA_U64)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
......@@ -335,6 +338,7 @@ enum nft_set_attributes {
NFTA_SET_USERDATA,
NFTA_SET_PAD,
NFTA_SET_OBJ_TYPE,
NFTA_SET_HANDLE,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
......@@ -1314,6 +1318,7 @@ enum nft_ct_helper_attributes {
* @NFTA_OBJ_TYPE: stateful object type (NLA_U32)
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
*/
enum nft_object_attributes {
NFTA_OBJ_UNSPEC,
......@@ -1322,6 +1327,8 @@ enum nft_object_attributes {
NFTA_OBJ_TYPE,
NFTA_OBJ_DATA,
NFTA_OBJ_USE,
NFTA_OBJ_HANDLE,
NFTA_OBJ_PAD,
__NFTA_OBJ_MAX
};
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
......@@ -1333,6 +1340,7 @@ enum nft_object_attributes {
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
*/
enum nft_flowtable_attributes {
NFTA_FLOWTABLE_UNSPEC,
......@@ -1340,6 +1348,8 @@ enum nft_flowtable_attributes {
NFTA_FLOWTABLE_NAME,
NFTA_FLOWTABLE_HOOK,
NFTA_FLOWTABLE_USE,
NFTA_FLOWTABLE_HANDLE,
NFTA_FLOWTABLE_PAD,
__NFTA_FLOWTABLE_MAX
};
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
......
......@@ -57,6 +57,7 @@
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_RAW_BEFORE_DEFRAG = -450,
NF_IP_PRI_CONNTRACK_DEFRAG = -400,
NF_IP_PRI_RAW = -300,
NF_IP_PRI_SELINUX_FIRST = -225,
......
......@@ -62,6 +62,7 @@
enum nf_ip6_hook_priorities {
NF_IP6_PRI_FIRST = INT_MIN,
NF_IP6_PRI_RAW_BEFORE_DEFRAG = -450,
NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
NF_IP6_PRI_RAW = -300,
NF_IP6_PRI_SELINUX_FIRST = -225,
......
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _IP6T_SRH_H
#define _IP6T_SRH_H
#include <linux/types.h>
#include <linux/netfilter.h>
/* Values for "mt_flags" field in struct ip6t_srh */
#define IP6T_SRH_NEXTHDR 0x0001
#define IP6T_SRH_LEN_EQ 0x0002
#define IP6T_SRH_LEN_GT 0x0004
#define IP6T_SRH_LEN_LT 0x0008
#define IP6T_SRH_SEGS_EQ 0x0010
#define IP6T_SRH_SEGS_GT 0x0020
#define IP6T_SRH_SEGS_LT 0x0040
#define IP6T_SRH_LAST_EQ 0x0080
#define IP6T_SRH_LAST_GT 0x0100
#define IP6T_SRH_LAST_LT 0x0200
#define IP6T_SRH_TAG 0x0400
#define IP6T_SRH_MASK 0x07FF
/* Values for "mt_invflags" field in struct ip6t_srh */
#define IP6T_SRH_INV_NEXTHDR 0x0001
#define IP6T_SRH_INV_LEN_EQ 0x0002
#define IP6T_SRH_INV_LEN_GT 0x0004
#define IP6T_SRH_INV_LEN_LT 0x0008
#define IP6T_SRH_INV_SEGS_EQ 0x0010
#define IP6T_SRH_INV_SEGS_GT 0x0020
#define IP6T_SRH_INV_SEGS_LT 0x0040
#define IP6T_SRH_INV_LAST_EQ 0x0080
#define IP6T_SRH_INV_LAST_GT 0x0100
#define IP6T_SRH_INV_LAST_LT 0x0200
#define IP6T_SRH_INV_TAG 0x0400
#define IP6T_SRH_INV_MASK 0x07FF
/**
* struct ip6t_srh - SRH match options
* @ next_hdr: Next header field of SRH
* @ hdr_len: Extension header length field of SRH
* @ segs_left: Segments left field of SRH
* @ last_entry: Last entry field of SRH
* @ tag: Tag field of SRH
* @ mt_flags: match options
* @ mt_invflags: Invert the sense of match options
*/
struct ip6t_srh {
__u8 next_hdr;
__u8 hdr_len;
__u8 segs_left;
__u8 last_entry;
__u16 tag;
__u16 mt_flags;
__u16 mt_invflags;
};
#endif /*_IP6T_SRH_H*/
......@@ -2445,7 +2445,6 @@ static int __init ebtables_init(void)
return ret;
}
printk(KERN_INFO "Ebtables v2.0 registered\n");
return 0;
}
......@@ -2453,7 +2452,6 @@ static void __exit ebtables_fini(void)
{
nf_unregister_sockopt(&ebt_sockopts);
xt_unregister_target(&ebt_standard_target);
printk(KERN_INFO "Ebtables v2.0 unregistered\n");
}
EXPORT_SYMBOL(ebt_register_table);
......
......@@ -42,40 +42,6 @@ nft_do_chain_bridge(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_bridge __read_mostly = {
.family = NFPROTO_BRIDGE,
.nhooks = NF_BR_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_bridge_init_net(struct net *net)
{
net->nft.bridge = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.bridge == NULL)
return -ENOMEM;
memcpy(net->nft.bridge, &nft_af_bridge, sizeof(nft_af_bridge));
if (nft_register_afinfo(net, net->nft.bridge) < 0)
goto err;
return 0;
err:
kfree(net->nft.bridge);
return -ENOMEM;
}
static void nf_tables_bridge_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.bridge);
kfree(net->nft.bridge);
}
static struct pernet_operations nf_tables_bridge_net_ops = {
.init = nf_tables_bridge_init_net,
.exit = nf_tables_bridge_exit_net,
};
static const struct nf_chain_type filter_bridge = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -97,27 +63,11 @@ static const struct nf_chain_type filter_bridge = {
static int __init nf_tables_bridge_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_bridge);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0)
goto err_register_subsys;
return ret;
err_register_subsys:
nft_unregister_chain_type(&filter_bridge);
return ret;
return nft_register_chain_type(&filter_bridge);
}
static void __exit nf_tables_bridge_exit(void)
{
unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge);
}
......@@ -126,4 +76,4 @@ module_exit(nf_tables_bridge_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_BRIDGE);
MODULE_ALIAS_NFT_CHAIN(AF_BRIDGE, "filter");
......@@ -79,8 +79,9 @@ config NF_TABLES_ARP
endif # NF_TABLES
config NF_FLOW_TABLE_IPV4
select NF_FLOW_TABLE
tristate "Netfilter flow table IPv4 module"
depends on NF_CONNTRACK && NF_TABLES
select NF_FLOW_TABLE
help
This option adds the flow table IPv4 support.
......@@ -157,6 +158,7 @@ config NF_NAT_SNMP_BASIC
depends on NF_CONNTRACK_SNMP
depends on NETFILTER_ADVANCED
default NF_NAT && NF_CONNTRACK_SNMP
select ASN1
---help---
This module implements an Application Layer Gateway (ALG) for
......@@ -342,6 +344,7 @@ config IP_NF_TARGET_CLUSTERIP
depends on NF_CONNTRACK_IPV4
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
select NETFILTER_FAMILY_ARP
help
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
......
......@@ -27,9 +27,15 @@ obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
# NAT helpers (nf_conntrack)
obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
nf_nat_snmp_basic-y := nf_nat_snmp_basic-asn1.o nf_nat_snmp_basic_main.o
nf_nat_snmp_basic-y : nf_nat_snmp_basic-asn1.h nf_nat_snmp_basic-asn1.c
obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
clean-files := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h
obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
# NAT protocols (nf_nat)
obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
......
......@@ -1656,7 +1656,6 @@ static int __init arp_tables_init(void)
if (ret < 0)
goto err4;
pr_info("arp_tables: (C) 2002 David S. Miller\n");
return 0;
err4:
......
......@@ -1939,7 +1939,6 @@ static int __init ip_tables_init(void)
if (ret < 0)
goto err5;
pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:
......
......@@ -3,6 +3,7 @@
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/slab.h>
......@@ -12,6 +13,10 @@
static int __net_init iptable_raw_table_init(struct net *net);
static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000);
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
......@@ -21,6 +26,15 @@ static const struct xt_table packet_raw = {
.table_init = iptable_raw_table_init,
};
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG,
.table_init = iptable_raw_table_init,
};
/* The work comes in here from netfilter.c. */
static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
......@@ -34,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init iptable_raw_table_init(struct net *net)
{
struct ipt_replace *repl;
const struct xt_table *table = &packet_raw;
int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv4.iptable_raw)
return 0;
repl = ipt_alloc_initial_table(&packet_raw);
repl = ipt_alloc_initial_table(table);
if (repl == NULL)
return -ENOMEM;
ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops,
ret = ipt_register_table(net, table, repl, rawtable_ops,
&net->ipv4.iptable_raw);
kfree(repl);
return ret;
......@@ -63,8 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = {
static int __init iptable_raw_init(void)
{
int ret;
const struct xt_table *table = &packet_raw;
if (raw_before_defrag) {
table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n");
}
rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook);
rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook);
if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
......
......@@ -78,6 +78,8 @@ static unsigned int ipv4_conntrack_defrag(void *priv,
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
return NF_ACCEPT;
#endif
if (skb->_nfct == IP_CT_UNTRACKED)
return NF_ACCEPT;
#endif
/* Gather fragments. */
if (ip_is_fragment(ip_hdr(skb))) {
......
Message ::=
SEQUENCE {
version
INTEGER ({snmp_version}),
community
OCTET STRING,
pdu
PDUs
}
ObjectName ::=
OBJECT IDENTIFIER
ObjectSyntax ::=
CHOICE {
simple
SimpleSyntax,
application-wide
ApplicationSyntax
}
SimpleSyntax ::=
CHOICE {
integer-value
INTEGER,
string-value
OCTET STRING,
objectID-value
OBJECT IDENTIFIER
}
ApplicationSyntax ::=
CHOICE {
ipAddress-value
IpAddress,
counter-value
Counter32,
timeticks-value
TimeTicks,
arbitrary-value
Opaque,
big-counter-value
Counter64,
unsigned-integer-value
Unsigned32
}
IpAddress ::=
[APPLICATION 0]
IMPLICIT OCTET STRING OPTIONAL ({snmp_helper})
Counter32 ::=
[APPLICATION 1]
IMPLICIT INTEGER OPTIONAL
Unsigned32 ::=
[APPLICATION 2]
IMPLICIT INTEGER OPTIONAL
Gauge32 ::= Unsigned32 OPTIONAL
TimeTicks ::=
[APPLICATION 3]
IMPLICIT INTEGER OPTIONAL
Opaque ::=
[APPLICATION 4]
IMPLICIT OCTET STRING OPTIONAL
Counter64 ::=
[APPLICATION 6]
IMPLICIT INTEGER OPTIONAL
PDUs ::=
CHOICE {
get-request
GetRequest-PDU,
get-next-request
GetNextRequest-PDU,
get-bulk-request
GetBulkRequest-PDU,
response
Response-PDU,
set-request
SetRequest-PDU,
inform-request
InformRequest-PDU,
snmpV2-trap
SNMPv2-Trap-PDU,
report
Report-PDU
}
GetRequest-PDU ::=
[0] IMPLICIT PDU OPTIONAL
GetNextRequest-PDU ::=
[1] IMPLICIT PDU OPTIONAL
Response-PDU ::=
[2] IMPLICIT PDU OPTIONAL
SetRequest-PDU ::=
[3] IMPLICIT PDU OPTIONAL
-- [4] is obsolete
GetBulkRequest-PDU ::=
[5] IMPLICIT PDU OPTIONAL
InformRequest-PDU ::=
[6] IMPLICIT PDU OPTIONAL
SNMPv2-Trap-PDU ::=
[7] IMPLICIT PDU OPTIONAL
Report-PDU ::=
[8] IMPLICIT PDU OPTIONAL
PDU ::=
SEQUENCE {
request-id
INTEGER,
error-status
INTEGER,
error-index
INTEGER,
variable-bindings
VarBindList
}
VarBind ::=
SEQUENCE {
name
ObjectName,
CHOICE {
value
ObjectSyntax,
unSpecified
NULL,
noSuchObject
[0] IMPLICIT NULL,
noSuchInstance
[1] IMPLICIT NULL,
endOfMibView
[2] IMPLICIT NULL
}
}
VarBindList ::= SEQUENCE OF VarBind
此差异已折叠。
/*
* nf_nat_snmp_basic.c
*
* Basic SNMP Application Layer Gateway
*
* This IP NAT module is intended for use with SNMP network
* discovery and monitoring applications where target networks use
* conflicting private address realms.
*
* Static NAT is used to remap the networks from the view of the network
* management system at the IP layer, and this module remaps some application
* layer addresses to match.
*
* The simplest form of ALG is performed, where only tagged IP addresses
* are modified. The module does not need to be MIB aware and only scans
* messages at the ASN.1/BER level.
*
* Currently, only SNMPv1 and SNMPv2 are supported.
*
* More information on ALG and associated issues can be found in
* RFC 2962
*
* The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
* McLean & Jochen Friedrich, stripped down for use in the kernel.
*
* Copyright (c) 2000 RP Internet (www.rpi.net.au).
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*
* Author: James Morris <jmorris@intercode.com.au>
*
* Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
*/
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>
#include "nf_nat_snmp_basic-asn1.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");
#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162
static DEFINE_SPINLOCK(snmp_lock);
struct snmp_ctx {
unsigned char *begin;
__sum16 *check;
__be32 from;
__be32 to;
};
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
unsigned char s[12] = {0,};
int size;
if (offset & 1) {
memcpy(&s[1], &ctx->from, 4);
memcpy(&s[7], &ctx->to, 4);
s[0] = ~0;
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
s[4] = ~s[4];
s[5] = ~0;
size = 12;
} else {
memcpy(&s[0], &ctx->from, 4);
memcpy(&s[4], &ctx->to, 4);
s[0] = ~s[0];
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
size = 8;
}
*ctx->check = csum_fold(csum_partial(s, size,
~csum_unfold(*ctx->check)));
}
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
const void *data, size_t datalen)
{
if (*(unsigned char *)data > 1)
return -ENOTSUPP;
return 1;
}
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
const void *data, size_t datalen)
{
struct snmp_ctx *ctx = (struct snmp_ctx *)context;
__be32 *pdata = (__be32 *)data;
if (*pdata == ctx->from) {
pr_debug("%s: %pI4 to %pI4\n", __func__,
(void *)&ctx->from, (void *)&ctx->to);
if (*ctx->check)
fast_csum(ctx, (unsigned char *)data - ctx->begin);
*pdata = ctx->to;
}
return 1;
}
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
struct iphdr *iph = ip_hdr(skb);
struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
char *data = (unsigned char *)udph + sizeof(struct udphdr);
struct snmp_ctx ctx;
int ret;
if (dir == IP_CT_DIR_ORIGINAL) {
ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
} else {
ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
}
if (ctx.from == ctx.to)
return NF_ACCEPT;
ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
ctx.check = &udph->check;
ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
if (ret < 0) {
nf_ct_helper_log(skb, ct, "parser failed\n");
return NF_DROP;
}
return NF_ACCEPT;
}
/* We don't actually set up expectations, just adjust internal IP
* addresses if this is being NATted
*/
static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo)
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
const struct iphdr *iph = ip_hdr(skb);
const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
return NF_ACCEPT;
if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
return NF_ACCEPT;
/* No NAT? */
if (!(ct->status & IPS_NAT_MASK))
return NF_ACCEPT;
/* Make sure the packet length is ok. So far, we were only guaranteed
* to have a valid length IP header plus 8 bytes, which means we have
* enough room for a UDP header. Just verify the UDP length field so we
* can mess around with the payload.
*/
if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
return NF_DROP;
}
if (!skb_make_writable(skb, skb->len)) {
nf_ct_helper_log(skb, ct, "cannot mangle packet");
return NF_DROP;
}
spin_lock_bh(&snmp_lock);
ret = snmp_translate(ct, dir, skb);
spin_unlock_bh(&snmp_lock);
return ret;
}
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
.max_expected = 0,
.timeout = 180,
};
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
.me = THIS_MODULE,
.help = help,
.expect_policy = &snmp_exp_policy,
.name = "snmp_trap",
.tuple.src.l3num = AF_INET,
.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
.tuple.dst.protonum = IPPROTO_UDP,
};
static int __init nf_nat_snmp_basic_init(void)
{
BUG_ON(nf_nat_snmp_hook != NULL);
RCU_INIT_POINTER(nf_nat_snmp_hook, help);
return nf_conntrack_helper_register(&snmp_trap_helper);
}
static void __exit nf_nat_snmp_basic_fini(void)
{
RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
synchronize_rcu();
nf_conntrack_helper_unregister(&snmp_trap_helper);
}
module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);
......@@ -27,40 +27,6 @@ nft_do_chain_arp(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_arp __read_mostly = {
.family = NFPROTO_ARP,
.nhooks = NF_ARP_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_arp_init_net(struct net *net)
{
net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.arp== NULL)
return -ENOMEM;
memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
if (nft_register_afinfo(net, net->nft.arp) < 0)
goto err;
return 0;
err:
kfree(net->nft.arp);
return -ENOMEM;
}
static void nf_tables_arp_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.arp);
kfree(net->nft.arp);
}
static struct pernet_operations nf_tables_arp_net_ops = {
.init = nf_tables_arp_init_net,
.exit = nf_tables_arp_exit_net,
};
static const struct nf_chain_type filter_arp = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -76,22 +42,11 @@ static const struct nf_chain_type filter_arp = {
static int __init nf_tables_arp_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_arp);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_arp_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_arp);
return ret;
return nft_register_chain_type(&filter_arp);
}
static void __exit nf_tables_arp_exit(void)
{
unregister_pernet_subsys(&nf_tables_arp_net_ops);
nft_unregister_chain_type(&filter_arp);
}
......@@ -100,4 +55,4 @@ module_exit(nf_tables_arp_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */
MODULE_ALIAS_NFT_CHAIN(3, "filter"); /* NFPROTO_ARP */
......@@ -30,40 +30,6 @@ static unsigned int nft_do_chain_ipv4(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_ipv4 __read_mostly = {
.family = NFPROTO_IPV4,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_ipv4_init_net(struct net *net)
{
net->nft.ipv4 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.ipv4 == NULL)
return -ENOMEM;
memcpy(net->nft.ipv4, &nft_af_ipv4, sizeof(nft_af_ipv4));
if (nft_register_afinfo(net, net->nft.ipv4) < 0)
goto err;
return 0;
err:
kfree(net->nft.ipv4);
return -ENOMEM;
}
static void nf_tables_ipv4_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.ipv4);
kfree(net->nft.ipv4);
}
static struct pernet_operations nf_tables_ipv4_net_ops = {
.init = nf_tables_ipv4_init_net,
.exit = nf_tables_ipv4_exit_net,
};
static const struct nf_chain_type filter_ipv4 = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -85,22 +51,11 @@ static const struct nf_chain_type filter_ipv4 = {
static int __init nf_tables_ipv4_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_ipv4);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_ipv4_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_ipv4);
return ret;
return nft_register_chain_type(&filter_ipv4);
}
static void __exit nf_tables_ipv4_exit(void)
{
unregister_pernet_subsys(&nf_tables_ipv4_net_ops);
nft_unregister_chain_type(&filter_ipv4);
}
......@@ -109,4 +64,4 @@ module_exit(nf_tables_ipv4_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_INET);
MODULE_ALIAS_NFT_CHAIN(AF_INET, "filter");
......@@ -72,8 +72,9 @@ endif # NF_TABLES_IPV6
endif # NF_TABLES
config NF_FLOW_TABLE_IPV6
select NF_FLOW_TABLE
tristate "Netfilter flow table IPv6 module"
depends on NF_CONNTRACK && NF_TABLES
select NF_FLOW_TABLE
help
This option adds the flow table IPv6 support.
......@@ -240,6 +241,15 @@ config IP6_NF_MATCH_RT
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_SRH
tristate '"srh" Segment Routing header match support'
depends on NETFILTER_ADVANCED
help
srh matching allows you to match packets based on the segment
routing header of the packet.
To compile it as a module, choose M here. If unsure, say N.
# The targets
config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
......
......@@ -57,6 +57,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
# targets
obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o
......
......@@ -1952,7 +1952,6 @@ static int __init ip6_tables_init(void)
if (ret < 0)
goto err5;
pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:
......
/* Kernel module to match Segment Routing Header (SRH) parameters. */
/* Author:
* Ahmed Abdelsalam <amsalam20@gmail.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ipv6.h>
#include <linux/types.h>
#include <net/ipv6.h>
#include <net/seg6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6t_srh.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
/* Test a struct->mt_invflags and a boolean for inequality */
#define NF_SRH_INVF(ptr, flag, boolean) \
((boolean) ^ !!((ptr)->mt_invflags & (flag)))
static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ip6t_srh *srhinfo = par->matchinfo;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;
int hdrlen, srhoff = 0;
if (ipv6_find_hdr(skb, &srhoff, IPPROTO_ROUTING, NULL, NULL) < 0)
return false;
srh = skb_header_pointer(skb, srhoff, sizeof(_srh), &_srh);
if (!srh)
return false;
hdrlen = ipv6_optlen(srh);
if (skb->len - srhoff < hdrlen)
return false;
if (srh->type != IPV6_SRCRT_TYPE_4)
return false;
if (srh->segments_left > srh->first_segment)
return false;
/* Next Header matching */
if (srhinfo->mt_flags & IP6T_SRH_NEXTHDR)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NEXTHDR,
!(srh->nexthdr == srhinfo->next_hdr)))
return false;
/* Header Extension Length matching */
if (srhinfo->mt_flags & IP6T_SRH_LEN_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_EQ,
!(srh->hdrlen == srhinfo->hdr_len)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LEN_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_GT,
!(srh->hdrlen > srhinfo->hdr_len)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LEN_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_LT,
!(srh->hdrlen < srhinfo->hdr_len)))
return false;
/* Segments Left matching */
if (srhinfo->mt_flags & IP6T_SRH_SEGS_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_EQ,
!(srh->segments_left == srhinfo->segs_left)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_SEGS_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_GT,
!(srh->segments_left > srhinfo->segs_left)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_SEGS_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_LT,
!(srh->segments_left < srhinfo->segs_left)))
return false;
/**
* Last Entry matching
* Last_Entry field was introduced in revision 6 of the SRH draft.
* It was called First_Segment in the previous revision
*/
if (srhinfo->mt_flags & IP6T_SRH_LAST_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_EQ,
!(srh->first_segment == srhinfo->last_entry)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LAST_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_GT,
!(srh->first_segment > srhinfo->last_entry)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LAST_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_LT,
!(srh->first_segment < srhinfo->last_entry)))
return false;
/**
* Tag matchig
* Tag field was introduced in revision 6 of the SRH draft.
*/
if (srhinfo->mt_flags & IP6T_SRH_TAG)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG,
!(srh->tag == srhinfo->tag)))
return false;
return true;
}
static int srh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_srh *srhinfo = par->matchinfo;
if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
pr_err("unknown srh match flags %X\n", srhinfo->mt_flags);
return -EINVAL;
}
if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
return -EINVAL;
}
return 0;
}
static struct xt_match srh_mt6_reg __read_mostly = {
.name = "srh",
.family = NFPROTO_IPV6,
.match = srh_mt6,
.matchsize = sizeof(struct ip6t_srh),
.checkentry = srh_mt6_check,
.me = THIS_MODULE,
};
static int __init srh_mt6_init(void)
{
return xt_register_match(&srh_mt6_reg);
}
static void __exit srh_mt6_exit(void)
{
xt_unregister_match(&srh_mt6_reg);
}
module_init(srh_mt6_init);
module_exit(srh_mt6_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: IPv6 Segment Routing Header match");
MODULE_AUTHOR("Ahmed Abdelsalam <amsalam20@gmail.com>");
......@@ -3,6 +3,7 @@
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/slab.h>
......@@ -11,6 +12,10 @@
static int __net_init ip6table_raw_table_init(struct net *net);
static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000);
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
......@@ -20,6 +25,15 @@ static const struct xt_table packet_raw = {
.table_init = ip6table_raw_table_init,
};
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG,
.table_init = ip6table_raw_table_init,
};
/* The work comes in here from netfilter.c. */
static unsigned int
ip6table_raw_hook(void *priv, struct sk_buff *skb,
......@@ -33,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init ip6table_raw_table_init(struct net *net)
{
struct ip6t_replace *repl;
const struct xt_table *table = &packet_raw;
int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv6.ip6table_raw)
return 0;
repl = ip6t_alloc_initial_table(&packet_raw);
repl = ip6t_alloc_initial_table(table);
if (repl == NULL)
return -ENOMEM;
ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops,
ret = ip6t_register_table(net, table, repl, rawtable_ops,
&net->ipv6.ip6table_raw);
kfree(repl);
return ret;
......@@ -62,9 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = {
static int __init ip6table_raw_init(void)
{
int ret;
const struct xt_table *table = &packet_raw;
if (raw_before_defrag) {
table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n");
}
/* Register hooks */
rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook);
rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook);
if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);
......
......@@ -231,7 +231,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
if ((unsigned int)end > IPV6_MAXPLEN) {
pr_debug("offset is too large.\n");
return -1;
return -EINVAL;
}
ecn = ip6_frag_ecn(ipv6_hdr(skb));
......@@ -264,7 +264,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
* this case. -DaveM
*/
pr_debug("end of fragment not rounded to 8 bytes.\n");
return -1;
return -EPROTO;
}
if (end > fq->q.len) {
/* Some bits beyond end -> corruption. */
......@@ -358,7 +358,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
discard_fq:
inet_frag_kill(&fq->q, &nf_frags);
err:
return -1;
return -EINVAL;
}
/*
......@@ -567,6 +567,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
{
u16 savethdr = skb->transport_header;
struct net_device *dev = skb->dev;
int fhoff, nhoff, ret;
struct frag_hdr *fhdr;
......@@ -600,8 +601,12 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
spin_lock_bh(&fq->q.lock);
if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) {
ret = -EINVAL;
ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
if (ret < 0) {
if (ret == -EPROTO) {
skb->transport_header = savethdr;
ret = 0;
}
goto out_unlock;
}
......
......@@ -63,6 +63,9 @@ static unsigned int ipv6_defrag(void *priv,
/* Previously seen (loopback)? */
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
return NF_ACCEPT;
if (skb->_nfct == IP_CT_UNTRACKED)
return NF_ACCEPT;
#endif
err = nf_ct_frag6_gather(state->net, skb,
......
......@@ -5,7 +5,6 @@
#include <linux/rhashtable.h>
#include <linux/ipv6.h>
#include <linux/netdevice.h>
#include <linux/ipv6.h>
#include <net/ipv6.h>
#include <net/ip6_route.h>
#include <net/neighbour.h>
......
......@@ -28,40 +28,6 @@ static unsigned int nft_do_chain_ipv6(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_ipv6 __read_mostly = {
.family = NFPROTO_IPV6,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_ipv6_init_net(struct net *net)
{
net->nft.ipv6 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.ipv6 == NULL)
return -ENOMEM;
memcpy(net->nft.ipv6, &nft_af_ipv6, sizeof(nft_af_ipv6));
if (nft_register_afinfo(net, net->nft.ipv6) < 0)
goto err;
return 0;
err:
kfree(net->nft.ipv6);
return -ENOMEM;
}
static void nf_tables_ipv6_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.ipv6);
kfree(net->nft.ipv6);
}
static struct pernet_operations nf_tables_ipv6_net_ops = {
.init = nf_tables_ipv6_init_net,
.exit = nf_tables_ipv6_exit_net,
};
static const struct nf_chain_type filter_ipv6 = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -83,22 +49,11 @@ static const struct nf_chain_type filter_ipv6 = {
static int __init nf_tables_ipv6_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_ipv6);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_ipv6_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_ipv6);
return ret;
return nft_register_chain_type(&filter_ipv6);
}
static void __exit nf_tables_ipv6_exit(void)
{
unregister_pernet_subsys(&nf_tables_ipv6_net_ops);
nft_unregister_chain_type(&filter_ipv6);
}
......@@ -107,4 +62,4 @@ module_exit(nf_tables_ipv6_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_INET6);
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "filter");
......@@ -506,7 +506,7 @@ config NFT_CT
connection tracking information such as the flow state.
config NFT_FLOW_OFFLOAD
depends on NF_CONNTRACK
depends on NF_CONNTRACK && NF_FLOW_TABLE
tristate "Netfilter nf_tables hardware flow offload module"
help
This option adds the "flow_offload" expression that you can use to
......@@ -665,8 +665,9 @@ endif # NF_TABLES_NETDEV
endif # NF_TABLES
config NF_FLOW_TABLE_INET
select NF_FLOW_TABLE
tristate "Netfilter flow table mixed IPv4/IPv6 module"
depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6
select NF_FLOW_TABLE
help
This option adds the flow table mixed IPv4/IPv6 support.
......@@ -674,6 +675,7 @@ config NF_FLOW_TABLE_INET
config NF_FLOW_TABLE
tristate "Netfilter flow table module"
depends on NF_CONNTRACK && NF_TABLES
help
This option adds the flow table core infrastructure.
......
......@@ -140,7 +140,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
if (reg->nat_hook && orig_ops[i]->nat_hook) {
kvfree(new);
return ERR_PTR(-EEXIST);
return ERR_PTR(-EBUSY);
}
if (inserted || reg->priority > orig_ops[i]->priority) {
......@@ -377,8 +377,8 @@ static void nf_remove_net_hook(struct nf_hook_entries *old,
}
}
void __nf_unregister_net_hook(struct net *net, int pf,
const struct nf_hook_ops *reg)
static void __nf_unregister_net_hook(struct net *net, int pf,
const struct nf_hook_ops *reg)
{
struct nf_hook_entries __rcu **pp;
struct nf_hook_entries *p;
......
......@@ -2122,7 +2122,6 @@ ip_set_init(void)
return ret;
}
pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
return 0;
}
......@@ -2138,3 +2137,5 @@ ip_set_fini(void)
module_init(ip_set_init);
module_exit(ip_set_fini);
MODULE_DESCRIPTION("ip_set: protocol " __stringify(IPSET_PROTOCOL));
......@@ -595,7 +595,6 @@ static int ip_vs_app_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_app_fops = {
.owner = THIS_MODULE,
.open = ip_vs_app_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -1143,7 +1143,6 @@ static int ip_vs_conn_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_conn_fops = {
.owner = THIS_MODULE,
.open = ip_vs_conn_open,
.read = seq_read,
.llseek = seq_lseek,
......@@ -1221,7 +1220,6 @@ static int ip_vs_conn_sync_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_conn_sync_fops = {
.owner = THIS_MODULE,
.open = ip_vs_conn_sync_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -2116,7 +2116,6 @@ static int ip_vs_info_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_info_fops = {
.owner = THIS_MODULE,
.open = ip_vs_info_open,
.read = seq_read,
.llseek = seq_lseek,
......@@ -2161,7 +2160,6 @@ static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_stats_fops = {
.owner = THIS_MODULE,
.open = ip_vs_stats_seq_open,
.read = seq_read,
.llseek = seq_lseek,
......@@ -2230,7 +2228,6 @@ static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_stats_percpu_fops = {
.owner = THIS_MODULE,
.open = ip_vs_stats_percpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -71,7 +71,7 @@ static inline bool already_closed(const struct nf_conn *conn)
return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
else
return 0;
return false;
}
static int key_diff(const u32 *a, const u32 *b, unsigned int klen)
......
......@@ -58,8 +58,6 @@
#include "nf_internals.h"
#define NF_CONNTRACK_VERSION "0.5.0"
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
enum nf_nat_manip_type manip,
const struct nlattr *attr) __read_mostly;
......@@ -2068,10 +2066,6 @@ int nf_conntrack_init_start(void)
if (!nf_conntrack_cachep)
goto err_cachep;
printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
nf_conntrack_max);
ret = nf_conntrack_expect_init();
if (ret < 0)
goto err_expect;
......
......@@ -649,7 +649,6 @@ static int exp_open(struct inode *inode, struct file *file)
}
static const struct file_operations exp_file_ops = {
.owner = THIS_MODULE,
.open = exp_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -57,8 +57,6 @@
MODULE_LICENSE("GPL");
static char __initdata version[] = "0.93";
static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_l4proto *l4proto)
......@@ -3425,7 +3423,6 @@ static int __init ctnetlink_init(void)
{
int ret;
pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
ret = nfnetlink_subsys_register(&ctnl_subsys);
if (ret < 0) {
pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
......@@ -3459,8 +3456,6 @@ static int __init ctnetlink_init(void)
static void __exit ctnetlink_exit(void)
{
pr_info("ctnetlink: unregistering from nfnetlink.\n");
unregister_pernet_subsys(&ctnetlink_net_ops);
nfnetlink_subsys_unregister(&ctnl_exp_subsys);
nfnetlink_subsys_unregister(&ctnl_subsys);
......
......@@ -382,7 +382,6 @@ static int ct_open(struct inode *inode, struct file *file)
}
static const struct file_operations ct_file_ops = {
.owner = THIS_MODULE,
.open = ct_open,
.read = seq_read,
.llseek = seq_lseek,
......@@ -475,7 +474,6 @@ static int ct_cpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ct_cpu_seq_fops = {
.owner = THIS_MODULE,
.open = ct_cpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -402,7 +402,6 @@ static int nflog_open(struct inode *inode, struct file *file)
}
static const struct file_operations nflog_file_ops = {
.owner = THIS_MODULE,
.open = nflog_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -15,8 +15,6 @@
#include <linux/netfilter_bridge.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <net/protocol.h>
#include <net/netfilter/nf_queue.h>
#include <net/dst.h>
......
......@@ -317,7 +317,6 @@ static int synproxy_cpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations synproxy_cpu_seq_fops = {
.owner = THIS_MODULE,
.open = synproxy_cpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,
......
此差异已折叠。
......@@ -38,40 +38,6 @@ static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_inet __read_mostly = {
.family = NFPROTO_INET,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int __net_init nf_tables_inet_init_net(struct net *net)
{
net->nft.inet = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.inet == NULL)
return -ENOMEM;
memcpy(net->nft.inet, &nft_af_inet, sizeof(nft_af_inet));
if (nft_register_afinfo(net, net->nft.inet) < 0)
goto err;
return 0;
err:
kfree(net->nft.inet);
return -ENOMEM;
}
static void __net_exit nf_tables_inet_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.inet);
kfree(net->nft.inet);
}
static struct pernet_operations nf_tables_inet_net_ops = {
.init = nf_tables_inet_init_net,
.exit = nf_tables_inet_exit_net,
};
static const struct nf_chain_type filter_inet = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -93,22 +59,11 @@ static const struct nf_chain_type filter_inet = {
static int __init nf_tables_inet_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_inet);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_inet_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_inet);
return ret;
return nft_register_chain_type(&filter_inet);
}
static void __exit nf_tables_inet_exit(void)
{
unregister_pernet_subsys(&nf_tables_inet_net_ops);
nft_unregister_chain_type(&filter_inet);
}
......@@ -117,4 +72,4 @@ module_exit(nf_tables_inet_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(1);
MODULE_ALIAS_NFT_CHAIN(1, "filter");
......@@ -38,41 +38,6 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_netdev __read_mostly = {
.family = NFPROTO_NETDEV,
.nhooks = NF_NETDEV_NUMHOOKS,
.owner = THIS_MODULE,
.flags = NFT_AF_NEEDS_DEV,
};
static int nf_tables_netdev_init_net(struct net *net)
{
net->nft.netdev = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.netdev == NULL)
return -ENOMEM;
memcpy(net->nft.netdev, &nft_af_netdev, sizeof(nft_af_netdev));
if (nft_register_afinfo(net, net->nft.netdev) < 0)
goto err;
return 0;
err:
kfree(net->nft.netdev);
return -ENOMEM;
}
static void nf_tables_netdev_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.netdev);
kfree(net->nft.netdev);
}
static struct pernet_operations nf_tables_netdev_net_ops = {
.init = nf_tables_netdev_init_net,
.exit = nf_tables_netdev_exit_net,
};
static const struct nf_chain_type nft_filter_chain_netdev = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
......@@ -109,7 +74,6 @@ static int nf_tables_netdev_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct nft_af_info *afi;
struct nft_table *table;
struct nft_chain *chain, *nr;
struct nft_ctx ctx = {
......@@ -121,20 +85,18 @@ static int nf_tables_netdev_event(struct notifier_block *this,
return NOTIFY_DONE;
nfnl_lock(NFNL_SUBSYS_NFTABLES);
list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
ctx.afi = afi;
if (afi->family != NFPROTO_NETDEV)
list_for_each_entry(table, &ctx.net->nft.tables, list) {
if (table->family != NFPROTO_NETDEV)
continue;
list_for_each_entry(table, &afi->tables, list) {
ctx.table = table;
list_for_each_entry_safe(chain, nr, &table->chains, list) {
if (!nft_is_base_chain(chain))
continue;
ctx.family = table->family;
ctx.table = table;
list_for_each_entry_safe(chain, nr, &table->chains, list) {
if (!nft_is_base_chain(chain))
continue;
ctx.chain = chain;
nft_netdev_event(event, dev, &ctx);
}
ctx.chain = chain;
nft_netdev_event(event, dev, &ctx);
}
}
nfnl_unlock(NFNL_SUBSYS_NFTABLES);
......@@ -154,27 +116,21 @@ static int __init nf_tables_netdev_init(void)
if (ret)
return ret;
ret = register_pernet_subsys(&nf_tables_netdev_net_ops);
if (ret)
goto err1;
ret = register_netdevice_notifier(&nf_tables_netdev_notifier);
if (ret)
goto err2;
goto err_register_netdevice_notifier;
return 0;
err2:
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
err1:
err_register_netdevice_notifier:
nft_unregister_chain_type(&nft_filter_chain_netdev);
return ret;
}
static void __exit nf_tables_netdev_exit(void)
{
unregister_netdevice_notifier(&nf_tables_netdev_notifier);
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
nft_unregister_chain_type(&nft_filter_chain_netdev);
}
......@@ -183,4 +139,4 @@ module_exit(nf_tables_netdev_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_FAMILY(5); /* NFPROTO_NETDEV */
MODULE_ALIAS_NFT_CHAIN(5, "filter"); /* NFPROTO_NETDEV */
......@@ -37,8 +37,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
rcu_dereference_protected(table[(id)].subsys, \
lockdep_nfnl_is_held((id)))
static char __initdata nfversion[] = "0.30";
static struct {
struct mutex mutex;
const struct nfnetlink_subsystem __rcu *subsys;
......@@ -580,13 +578,11 @@ static int __init nfnetlink_init(void)
for (i=0; i<NFNL_SUBSYS_COUNT; i++)
mutex_init(&table[i].mutex);
pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
return register_pernet_subsys(&nfnetlink_net_ops);
}
static void __exit nfnetlink_exit(void)
{
pr_info("Removing netfilter NETLINK layer.\n");
unregister_pernet_subsys(&nfnetlink_net_ops);
}
module_init(nfnetlink_init);
......
......@@ -527,7 +527,6 @@ static int __init nfnl_acct_init(void)
goto err_out;
}
pr_info("nfnl_acct: registering with nfnetlink.\n");
ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
if (ret < 0) {
pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
......@@ -543,7 +542,6 @@ static int __init nfnl_acct_init(void)
static void __exit nfnl_acct_exit(void)
{
pr_info("nfnl_acct: unregistering from nfnetlink.\n");
nfnetlink_subsys_unregister(&nfnl_acct_subsys);
unregister_pernet_subsys(&nfnl_acct_ops);
}
......
......@@ -615,8 +615,6 @@ static int __init cttimeout_init(void)
static void __exit cttimeout_exit(void)
{
pr_info("cttimeout: unregistering from nfnetlink.\n");
nfnetlink_subsys_unregister(&cttimeout_subsys);
unregister_pernet_subsys(&cttimeout_ops);
......
......@@ -1054,7 +1054,6 @@ static int nful_open(struct inode *inode, struct file *file)
}
static const struct file_operations nful_file_ops = {
.owner = THIS_MODULE,
.open = nful_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -1477,7 +1477,6 @@ static int nfqnl_open(struct inode *inode, struct file *file)
}
static const struct file_operations nfqnl_file_ops = {
.owner = THIS_MODULE,
.open = nfqnl_open,
.read = seq_read,
.llseek = seq_lseek,
......
......@@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
{
par->net = ctx->net;
par->table = ctx->table->name;
switch (ctx->afi->family) {
switch (ctx->family) {
case AF_INET:
entry->e4.ip.proto = proto;
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
......@@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
} else {
par->hook_mask = 0;
}
par->family = ctx->afi->family;
par->family = ctx->family;
par->nft_compat = true;
}
......@@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
par.net = ctx->net;
par.target = target;
par.targinfo = info;
par.family = ctx->afi->family;
par.family = ctx->family;
if (par.target->destroy != NULL)
par.target->destroy(&par);
......@@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
{
par->net = ctx->net;
par->table = ctx->table->name;
switch (ctx->afi->family) {
switch (ctx->family) {
case AF_INET:
entry->e4.ip.proto = proto;
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
......@@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
} else {
par->hook_mask = 0;
}
par->family = ctx->afi->family;
par->family = ctx->family;
par->nft_compat = true;
}
......@@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
par.net = ctx->net;
par.match = match;
par.matchinfo = info;
par.family = ctx->afi->family;
par.family = ctx->family;
if (par.match->destroy != NULL)
par.match->destroy(&par);
......@@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
mt_name = nla_data(tb[NFTA_MATCH_NAME]);
rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
family = ctx->afi->family;
family = ctx->family;
/* Re-use the existing match if it's already loaded. */
list_for_each_entry(nft_match, &nft_match_list, head) {
......@@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
tg_name = nla_data(tb[NFTA_TARGET_NAME]);
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
family = ctx->afi->family;
family = ctx->family;
/* Re-use the existing target if it's already loaded. */
list_for_each_entry(nft_target, &nft_target_list, head) {
......@@ -812,8 +812,6 @@ static int __init nft_compat_module_init(void)
goto err_target;
}
pr_info("nf_tables_compat: (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>\n");
return ret;
err_target:
......
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
此差异已折叠。
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册