提交
e490c1de
编写于
7月 02, 2010
作者:
D
David S. Miller
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
上级
0a17d8c7
4df53d8b
Showing
22 changed file
with
262 addition
and
126 deletion
+262
-126
Documentation/feature-removal-schedule.txt
Documentation/feature-removal-schedule.txt
+0
-9
Documentation/kernel-parameters.txt
Documentation/kernel-parameters.txt
+1
-2
include/linux/ip_vs.h
include/linux/ip_vs.h
+2
-0
include/linux/netfilter_ipv4/ipt_LOG.h
include/linux/netfilter_ipv4/ipt_LOG.h
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
include/linux/netfilter_ipv6/ip6t_LOG.h
+2
-1
include/net/netfilter/nf_conntrack_acct.h
include/net/netfilter/nf_conntrack_acct.h
+12
-0
include/net/netfilter/nf_nat_rule.h
include/net/netfilter/nf_nat_rule.h
+0
-2
net/bridge/br_netfilter.c
net/bridge/br_netfilter.c
+22
-9
net/bridge/br_private.h
net/bridge/br_private.h
+3
-0
net/bridge/br_sysfs_br.c
net/bridge/br_sysfs_br.c
+72
-0
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+40
-14
net/ipv4/netfilter/ipt_NETMAP.c
net/ipv4/netfilter/ipt_NETMAP.c
+4
-2
net/ipv4/netfilter/nf_nat_rule.c
net/ipv4/netfilter/nf_nat_rule.c
+6
-4
net/ipv4/netfilter/nf_nat_standalone.c
net/ipv4/netfilter/nf_nat_standalone.c
+1
-7
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+53
-28
net/netfilter/Kconfig
net/netfilter/Kconfig
+1
-23
net/netfilter/ipvs/ip_vs_conn.c
net/netfilter/ipvs/ip_vs_conn.c
+7
-3
net/netfilter/ipvs/ip_vs_core.c
net/netfilter/ipvs/ip_vs_core.c
+16
-4
net/netfilter/ipvs/ip_vs_ctl.c
net/netfilter/ipvs/ip_vs_ctl.c
+6
-4
net/netfilter/nf_conntrack_acct.c
net/netfilter/nf_conntrack_acct.c
+1
-13
net/netfilter/xt_IDLETIMER.c
net/netfilter/xt_IDLETIMER.c
+1
-0
net/netfilter/xt_connbytes.c
net/netfilter/xt_connbytes.c
+10
-0
Documentation/feature-removal-schedule.txt
...
...
@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net>
---------------------------
What: CONFIG_NF_CT_ACCT
When: 2.6.29
Why: Accounting can now be enabled/disabled without kernel recompilation.
Currently used only to set a default value for a feature that is also
controlled by a kernel/module/sysfs/sysctl parameter.
Who: Krzysztof Piotr Oledzki <ole@ans.pl>
---------------------------
What: sysfs ui for changing p4-clockmod parameters
When: September 2009
Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
...
...
Documentation/kernel-parameters.txt
...
...
@@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file
[NETFILTER] Enable connection tracking flow accounting
0 to disable accounting
1 to enable accounting
Default value depends on CONFIG_NF_CT_ACCT that is
going to be removed in 2.6.29.
Default value is 0.
nfsaddrs= [NFS]
See Documentation/filesystems/nfs/nfsroot.txt.
...
...
include/linux/ip_vs.h
...
...
@@ -19,6 +19,7 @@
*/
#define IP_VS_SVC_F_PERSISTENT 0x0001
/* persistent port */
#define IP_VS_SVC_F_HASHED 0x0002
/* hashed entry */
#define IP_VS_SVC_F_ONEPACKET 0x0004
/* one-packet scheduling */
/*
* Destination Server Flags
...
...
@@ -85,6 +86,7 @@
#define IP_VS_CONN_F_SEQ_MASK 0x0600
/* in/out sequence mask */
#define IP_VS_CONN_F_NO_CPORT 0x0800
/* no client port set yet */
#define IP_VS_CONN_F_TEMPLATE 0x1000
/* template, not connection */
#define IP_VS_CONN_F_ONE_PACKET 0x2000
/* forward only one packet */
#define IP_VS_SCHEDNAME_MAXLEN 16
#define IP_VS_IFNAME_MAXLEN 16
...
...
include/linux/netfilter_ipv4/ipt_LOG.h
...
...
@@ -7,7 +7,8 @@
#define IPT_LOG_IPOPT 0x04
/* Log IP options */
#define IPT_LOG_UID 0x08
/* Log UID owning local socket */
#define IPT_LOG_NFLOG 0x10
/* Unsupported, don't reuse */
#define IPT_LOG_MASK 0x1f
#define IPT_LOG_MACDECODE 0x20
/* Decode MAC header */
#define IPT_LOG_MASK 0x2f
struct
ipt_log_info
{
unsigned
char
level
;
...
...
include/linux/netfilter_ipv6/ip6t_LOG.h
...
...
@@ -7,7 +7,8 @@
#define IP6T_LOG_IPOPT 0x04
/* Log IP options */
#define IP6T_LOG_UID 0x08
/* Log UID owning local socket */
#define IP6T_LOG_NFLOG 0x10
/* Unsupported, don't use */
#define IP6T_LOG_MASK 0x1f
#define IP6T_LOG_MACDECODE 0x20
/* Decode MAC header */
#define IP6T_LOG_MASK 0x2f
struct
ip6t_log_info
{
unsigned
char
level
;
...
...
include/net/netfilter/nf_conntrack_acct.h
...
...
@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
extern
unsigned
int
seq_print_acct
(
struct
seq_file
*
s
,
const
struct
nf_conn
*
ct
,
int
dir
);
/* Check if connection tracking accounting is enabled */
static
inline
bool
nf_ct_acct_enabled
(
struct
net
*
net
)
{
return
net
->
ct
.
sysctl_acct
!=
0
;
}
/* Enable/disable connection tracking accounting */
static
inline
void
nf_ct_set_acct
(
struct
net
*
net
,
bool
enable
)
{
net
->
ct
.
sysctl_acct
=
enable
;
}
extern
int
nf_conntrack_acct_init
(
struct
net
*
net
);
extern
void
nf_conntrack_acct_fini
(
struct
net
*
net
);
...
...
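Review bot: nf_ct_set_acct is a plain store into net->ct.sysctl_acct, and nothing in the header says that it overrides the administrator-visible net.netfilter.nf_conntrack_acct setting for the whole namespace, which is exactly what its one caller in this merge (xt_connbytes) relies on. Replace the one-line comment with `/* Enable/disable connection tracking accounting for @net; overrides the net.netfilter.nf_conntrack_acct sysctl, so callers should log the change */`. It is also worth stating that the flag only affects conntracks created after the write, if the accounting extension is attached at conntrack creation as the nf_ct_acct_ext_add prototype above suggests; that path is outside this hunk and should be confirmed.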
include/net/netfilter/nf_nat_rule.h
...
...
@@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
const
struct
net_device
*
out
,
struct
nf_conn
*
ct
);
extern
unsigned
int
alloc_null_binding
(
struct
nf_conn
*
ct
,
unsigned
int
hooknum
);
#endif
/* _NF_NAT_RULE_H */
net/bridge/br_netfilter.c
...
...
@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1;
static
int
brnf_filter_vlan_tagged
__read_mostly
=
0
;
static
int
brnf_filter_pppoe_tagged
__read_mostly
=
0
;
#else
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#endif
...
...
@@ -544,25 +547,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
net_bridge_port
*
p
;
struct
net_bridge
*
br
;
struct
iphdr
*
iph
;
__u32
len
=
nf_bridge_encap_header_len
(
skb
);
if
(
unlikely
(
!
pskb_may_pull
(
skb
,
len
)))
goto
out
;
p
=
br_port_get_rcu
(
in
);
if
(
p
==
NULL
)
goto
out
;
br
=
p
->
br
;
if
(
skb
->
protocol
==
htons
(
ETH_P_IPV6
)
||
IS_VLAN_IPV6
(
skb
)
||
IS_PPPOE_IPV6
(
skb
))
{
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_ip6tables
)
if
(
!
brnf_call_ip6tables
&&
!
br
->
nf_call_ip6tables
)
return
NF_ACCEPT
;
#endif
nf_bridge_pull_encap_header_rcsum
(
skb
);
return
br_nf_pre_routing_ipv6
(
hook
,
skb
,
in
,
out
,
okfn
);
}
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_iptables
)
if
(
!
brnf_call_iptables
&&
!
br
->
nf_call_iptables
)
return
NF_ACCEPT
;
#endif
if
(
skb
->
protocol
!=
htons
(
ETH_P_IP
)
&&
!
IS_VLAN_IP
(
skb
)
&&
!
IS_PPPOE_IP
(
skb
))
...
...
@@ -715,12 +723,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
net_bridge_port
*
p
;
struct
net_bridge
*
br
;
struct
net_device
**
d
=
(
struct
net_device
**
)(
skb
->
cb
);
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_arptables
)
p
=
br_port_get_rcu
(
out
);
if
(
p
==
NULL
)
return
NF_ACCEPT
;
br
=
p
->
br
;
if
(
!
brnf_call_arptables
&&
!
br
->
nf_call_arptables
)
return
NF_ACCEPT
;
#endif
if
(
skb
->
protocol
!=
htons
(
ETH_P_ARP
))
{
if
(
!
IS_VLAN_ARP
(
skb
))
...
...
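Review bot: In br_nf_forward_arp the new `p = br_port_get_rcu(out)` and `br = p->br` assignments sit inside `#ifdef CONFIG_SYSCTL`, but `p` and `br` are declared unconditionally at the top of the function, so a build without CONFIG_SYSCTL gets two unused-variable warnings; br_nf_pre_routing has the mirror problem, assigning `br` outside the guard and reading it only inside it. Since the first hunk in this file already falls back to `#define brnf_call_arptables 1` (and the iptables/ip6tables equivalents) when sysctl is off, the guards around the new checks are no longer needed: `if (!brnf_call_arptables && !br->nf_call_arptables)` folds to a constant-false test in that configuration, so dropping the `#ifdef CONFIG_SYSCTL`/`#endif` pair around each new check removes the warnings without changing behaviour. Separately, br_nf_forward_arp now returns NF_ACCEPT when `out` is not a bridge port, where the code it replaces went on to the ARP checks; that looks intended for a FORWARD hook but is a behaviour change worth a one-line comment. Both functions extend beyond their hunks.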
net/bridge/br_private.h
...
...
@@ -176,6 +176,9 @@ struct net_bridge
unsigned
long
feature_mask
;
#ifdef CONFIG_BRIDGE_NETFILTER
struct
rtable
fake_rtable
;
bool
nf_call_iptables
;
bool
nf_call_ip6tables
;
bool
nf_call_arptables
;
#endif
unsigned
long
flags
;
#define BR_SET_MAC_ADDR 0x00000001
...
...
net/bridge/br_sysfs_br.c
...
...
@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR,
show_multicast_startup_query_interval
,
store_multicast_startup_query_interval
);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
static
ssize_t
show_nf_call_iptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_iptables
);
}
static
int
set_nf_call_iptables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_iptables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_iptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_iptables
);
}
static
DEVICE_ATTR
(
nf_call_iptables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_iptables
,
store_nf_call_iptables
);
static
ssize_t
show_nf_call_ip6tables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_ip6tables
);
}
static
int
set_nf_call_ip6tables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_ip6tables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_ip6tables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_ip6tables
);
}
static
DEVICE_ATTR
(
nf_call_ip6tables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_ip6tables
,
store_nf_call_ip6tables
);
static
ssize_t
show_nf_call_arptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_arptables
);
}
static
int
set_nf_call_arptables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_arptables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_arptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_arptables
);
}
static
DEVICE_ATTR
(
nf_call_arptables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_arptables
,
store_nf_call_arptables
);
#endif
static
struct
attribute
*
bridge_attrs
[]
=
{
&
dev_attr_forward_delay
.
attr
,
...
...
@@ -644,6 +711,11 @@ static struct attribute *bridge_attrs[] = {
&
dev_attr_multicast_query_interval
.
attr
,
&
dev_attr_multicast_query_response_interval
.
attr
,
&
dev_attr_multicast_startup_query_interval
.
attr
,
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
&
dev_attr_nf_call_iptables
.
attr
,
&
dev_attr_nf_call_ip6tables
.
attr
,
&
dev_attr_nf_call_arptables
.
attr
,
#endif
NULL
};
...
...
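Review bot: The three show/set/store triplets for nf_call_iptables, nf_call_ip6tables and nf_call_arptables are textually identical except for the field name, so any later fix to the sysfs show path (the `sprintf(buf, "%u\n", ...)` line, for instance) has to be applied three times; one function-generating macro instantiated per attribute keeps them in lockstep. None of the 22 files in this merge documents the new attributes, and since each one decides whether traffic bridged through that device is submitted to the iptables/ip6tables/arptables hooks — with the global brnf_call_* sysctl at 0, a bridge whose attribute reads 0 skips the hook entirely, per the `!brnf_call_iptables && !br->nf_call_iptables` test in br_netfilter.c — they deserve an ABI entry that states the default, which appears to be false from a zeroed bridge allocation but is not set anywhere in this diff. bridge_attrs[] extends beyond the hunk.
```c
#ifdef CONFIG_BRIDGE_NETFILTER
/* Per-bridge "call netfilter" toggle: show/set/store functions and the
 * device attribute for one bool field of struct net_bridge. */
#define BRIDGE_NF_CALL_ATTR(_name)						\
static ssize_t show_##_name(struct device *d,					\
			    struct device_attribute *attr, char *buf)		\
{										\
	struct net_bridge *br = to_bridge(d);					\
	return sprintf(buf, "%u\n", br->_name);					\
}										\
static int set_##_name(struct net_bridge *br, unsigned long val)		\
{										\
	br->_name = val ? true : false;						\
	return 0;								\
}										\
static ssize_t store_##_name(struct device *d,					\
			     struct device_attribute *attr,			\
			     const char *buf, size_t len)			\
{										\
	return store_bridge_parm(d, buf, len, set_##_name);			\
}										\
static DEVICE_ATTR(_name, S_IRUGO | S_IWUSR, show_##_name, store_##_name)

BRIDGE_NF_CALL_ATTR(nf_call_iptables);
BRIDGE_NF_CALL_ATTR(nf_call_ip6tables);
BRIDGE_NF_CALL_ATTR(nf_call_arptables);
#endif
/* … unchanged: bridge_attrs[] … */
```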
net/ipv4/netfilter/ipt_LOG.c
...
...
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
#include <net/icmp.h>
#include <net/udp.h>
...
...
@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
/* maxlen = 230+ 91 + 230 + 252 = 803 */
}
static
void
dump_mac_header
(
const
struct
nf_loginfo
*
info
,
const
struct
sk_buff
*
skb
)
{
struct
net_device
*
dev
=
skb
->
dev
;
unsigned
int
logflags
=
0
;
if
(
info
->
type
==
NF_LOG_TYPE_LOG
)
logflags
=
info
->
u
.
log
.
logflags
;
if
(
!
(
logflags
&
IPT_LOG_MACDECODE
))
goto
fallback
;
switch
(
dev
->
type
)
{
case
ARPHRD_ETHER
:
printk
(
"MACSRC=%pM MACDST=%pM MACPROTO=%04x "
,
eth_hdr
(
skb
)
->
h_source
,
eth_hdr
(
skb
)
->
h_dest
,
ntohs
(
eth_hdr
(
skb
)
->
h_proto
));
return
;
default:
break
;
}
fallback:
printk
(
"MAC="
);
if
(
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
unsigned
int
i
;
printk
(
"%02x"
,
*
p
++
);
for
(
i
=
1
;
i
<
dev
->
hard_header_len
;
i
++
,
p
++
)
printk
(
":%02x"
,
*
p
);
}
printk
(
" "
);
}
static
struct
nf_loginfo
default_loginfo
=
{
.
type
=
NF_LOG_TYPE_LOG
,
.
u
=
{
...
...
@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
}
#endif
if
(
in
&&
!
out
)
{
/* MAC logging for input chain only. */
printk
(
"MAC="
);
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
int
i
;
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
for
(
i
=
0
;
i
<
skb
->
dev
->
hard_header_len
;
i
++
,
p
++
)
printk
(
"%02x%c"
,
*
p
,
i
==
skb
->
dev
->
hard_header_len
-
1
?
' '
:
':'
);
}
else
printk
(
" "
);
}
/* MAC logging for input path only. */
if
(
in
&&
!
out
)
dump_mac_header
(
loginfo
,
skb
);
dump_packet
(
loginfo
,
skb
,
0
);
printk
(
"
\n
"
);
...
...
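Review bot: dump_mac_header dereferences `dev = skb->dev` in `switch (dev->type)` and again in `dev->hard_header_len` without a NULL check, whereas the block it replaces in ipt_log_packet guarded the whole MAC dump with `skb->dev && skb->dev->hard_header_len && ...`; on the input path skb->dev is normally set, but the defensive check has been lost. Preserving the old output for that case is a two-line guard at the top of the function: `if (dev == NULL) { printk("MAC= "); return; }`. The ARPHRD_ETHER branch also reads eth_hdr(skb) without the `skb->mac_header != skb->network_header` test that the fallback path still applies, so it assumes every Ethernet skb reaching LOG has its MAC header set — plausible for the input path but worth a comment. The same two points apply to the new dump_mac_header in net/ipv6/netfilter/ip6t_LOG.c.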
net/ipv4/netfilter/ipt_NETMAP.c
...
...
@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_PRE_ROUTING
||
par
->
hooknum
==
NF_INET_POST_ROUTING
||
par
->
hooknum
==
NF_INET_LOCAL_OUT
);
par
->
hooknum
==
NF_INET_LOCAL_OUT
||
par
->
hooknum
==
NF_INET_LOCAL_IN
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
netmask
=
~
(
mr
->
range
[
0
].
min_ip
^
mr
->
range
[
0
].
max_ip
);
...
...
@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
.
table
=
"nat"
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_POST_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_OUT
),
(
1
<<
NF_INET_LOCAL_OUT
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
checkentry
=
netmap_tg_check
,
.
me
=
THIS_MODULE
};
...
...
net/ipv4/netfilter/nf_nat_rule.c
...
...
@@ -28,7 +28,8 @@
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_LOCAL_IN))
static
const
struct
xt_table
nat_table
=
{
.
name
=
"nat"
,
...
...
@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
enum
ip_conntrack_info
ctinfo
;
const
struct
nf_nat_multi_range_compat
*
mr
=
par
->
targinfo
;
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_POST_ROUTING
);
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_POST_ROUTING
||
par
->
hooknum
==
NF_INET_LOCAL_IN
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
...
...
@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
return
0
;
}
unsigned
int
static
unsigned
int
alloc_null_binding
(
struct
nf_conn
*
ct
,
unsigned
int
hooknum
)
{
/* Force range to this IP; let proto decide mapping for
...
...
@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
.
target
=
ipt_snat_target
,
.
targetsize
=
sizeof
(
struct
nf_nat_multi_range_compat
),
.
table
=
"nat"
,
.
hooks
=
1
<<
NF_INET_POST_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_POST_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
)
,
.
checkentry
=
ipt_snat_checkentry
,
.
family
=
AF_INET
,
};
...
...
net/ipv4/netfilter/nf_nat_standalone.c
...
...
@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
if
(
!
nf_nat_initialized
(
ct
,
maniptype
))
{
unsigned
int
ret
;
if
(
hooknum
==
NF_INET_LOCAL_IN
)
/* LOCAL_IN hook doesn't have a chain! */
ret
=
alloc_null_binding
(
ct
,
hooknum
);
else
ret
=
nf_nat_rule_find
(
skb
,
hooknum
,
in
,
out
,
ct
);
ret
=
nf_nat_rule_find
(
skb
,
hooknum
,
in
,
out
,
ct
);
if
(
ret
!=
NF_ACCEPT
)
return
ret
;
}
else
...
...
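Review bot: The removed `/* LOCAL_IN hook doesn't have a chain! */` comment explained why LOCAL_IN bypassed the rule lookup; the new unconditional `ret = nf_nat_rule_find(skb, hooknum, in, out, ct);` now silently depends on the nat table registering a LOCAL_IN chain (NAT_VALID_HOOKS gains NF_INET_LOCAL_IN in nf_nat_rule.c in this same merge) and on nf_nat_rule_find producing the null binding itself when no rule matches, which is outside this hunk. A one-line comment would make that contract visible, e.g. `/* Every NAT hook, LOCAL_IN included, now has a chain; nf_nat_rule_find falls back to a null binding when no rule matches. */` — confirm the second clause against nf_nat_rule_find before committing to it. nf_nat_fn extends beyond the hunk.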
net/ipv6/netfilter/ip6t_LOG.c
...
...
@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info,
printk
(
"MARK=0x%x "
,
skb
->
mark
);
}
static
void
dump_mac_header
(
const
struct
nf_loginfo
*
info
,
const
struct
sk_buff
*
skb
)
{
struct
net_device
*
dev
=
skb
->
dev
;
unsigned
int
logflags
=
0
;
if
(
info
->
type
==
NF_LOG_TYPE_LOG
)
logflags
=
info
->
u
.
log
.
logflags
;
if
(
!
(
logflags
&
IP6T_LOG_MACDECODE
))
goto
fallback
;
switch
(
dev
->
type
)
{
case
ARPHRD_ETHER
:
printk
(
"MACSRC=%pM MACDST=%pM MACPROTO=%04x "
,
eth_hdr
(
skb
)
->
h_source
,
eth_hdr
(
skb
)
->
h_dest
,
ntohs
(
eth_hdr
(
skb
)
->
h_proto
));
return
;
default:
break
;
}
fallback:
printk
(
"MAC="
);
if
(
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
unsigned
int
len
=
dev
->
hard_header_len
;
unsigned
int
i
;
if
(
dev
->
type
==
ARPHRD_SIT
&&
(
p
-=
ETH_HLEN
)
<
skb
->
head
)
p
=
NULL
;
if
(
p
!=
NULL
)
{
printk
(
"%02x"
,
*
p
++
);
for
(
i
=
1
;
i
<
len
;
i
++
)
printk
(
":%02x"
,
p
[
i
]);
}
printk
(
" "
);
if
(
dev
->
type
==
ARPHRD_SIT
)
{
const
struct
iphdr
*
iph
=
(
struct
iphdr
*
)
skb_mac_header
(
skb
);
printk
(
"TUNNEL=%pI4->%pI4 "
,
&
iph
->
saddr
,
&
iph
->
daddr
);
}
}
else
printk
(
" "
);
}
static
struct
nf_loginfo
default_loginfo
=
{
.
type
=
NF_LOG_TYPE_LOG
,
.
u
=
{
...
...
@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf,
prefix
,
in
?
in
->
name
:
""
,
out
?
out
->
name
:
""
);
if
(
in
&&
!
out
)
{
unsigned
int
len
;
/* MAC logging for input chain only. */
printk
(
"MAC="
);
if
(
skb
->
dev
&&
(
len
=
skb
->
dev
->
hard_header_len
)
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
int
i
;
if
(
skb
->
dev
->
type
==
ARPHRD_SIT
&&
(
p
-=
ETH_HLEN
)
<
skb
->
head
)
p
=
NULL
;
if
(
p
!=
NULL
)
{
for
(
i
=
0
;
i
<
len
;
i
++
)
printk
(
"%02x%s"
,
p
[
i
],
i
==
len
-
1
?
""
:
":"
);
}
printk
(
" "
);
if
(
skb
->
dev
->
type
==
ARPHRD_SIT
)
{
const
struct
iphdr
*
iph
=
(
struct
iphdr
*
)
skb_mac_header
(
skb
);
printk
(
"TUNNEL=%pI4->%pI4 "
,
&
iph
->
saddr
,
&
iph
->
daddr
);
}
}
else
printk
(
" "
);
}
/* MAC logging for input path only. */
if
(
in
&&
!
out
)
dump_mac_header
(
loginfo
,
skb
);
dump_packet
(
loginfo
,
skb
,
skb_network_offset
(
skb
),
1
);
printk
(
"
\n
"
);
...
...
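Review bot: The fallback loop in the new dump_mac_header is off by one: `printk("%02x", *p++); for (i = 1; i < len; i++) printk(":%02x", p[i]);` advances p past byte 0 and then indexes from 1, so byte 1 of the link-layer header is never printed and the loop's last iteration reads p[len-1] relative to the advanced pointer, i.e. byte `len`, one past dev->hard_header_len. The IPv4 version in net/ipv4/netfilter/ipt_LOG.c advances p inside the loop and the code being removed here indexed from 0, so only this copy is wrong. Drop the post-increment: `printk("%02x", *p);` and keep `printk(":%02x", p[i]);`. The missing NULL check on `skb->dev` that this function shares with the IPv4 copy is raised in the ipt_LOG.c review.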
net/netfilter/Kconfig
...
...
@@ -40,27 +40,6 @@ config NF_CONNTRACK
if NF_CONNTRACK
config NF_CT_ACCT
bool "Connection tracking flow accounting"
depends on NETFILTER_ADVANCED
help
If this option is enabled, the connection tracking code will
keep per-flow packet and byte counters.
Those counters can be used for flow-based accounting or the
`connbytes' match.
Please note that currently this option only sets a default state.
You may change it at boot time with nf_conntrack.acct=0/1 kernel
parameter or by loading the nf_conntrack module with acct=0/1.
You may also disable/enable it on a running system with:
sysctl net.netfilter.nf_conntrack_acct=0/1
This option will be removed in 2.6.29.
If unsure, say `N'.
config NF_CONNTRACK_MARK
bool 'Connection mark tracking support'
depends on NETFILTER_ADVANCED
...
...
@@ -515,7 +494,7 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TEE
tristate '"TEE" - packet cloning to alternate desti
an
tion'
tristate '"TEE" - packet cloning to alternate desti
na
tion'
depends on NETFILTER_ADVANCED
depends on (IPV6 || IPV6=n)
depends on !NF_CONNTRACK || NF_CONNTRACK
...
...
@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_CT_ACCT
help
This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection.
...
...
net/netfilter/ipvs/ip_vs_conn.c
...
...
@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
unsigned
hash
;
int
ret
;
if
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
return
0
;
/* Hash by protocol, client address and port */
hash
=
ip_vs_conn_hashkey
(
cp
->
af
,
cp
->
protocol
,
&
cp
->
caddr
,
cp
->
cport
);
...
...
@@ -359,8 +362,9 @@ struct ip_vs_conn *ip_vs_conn_out_get
*/
void
ip_vs_conn_put
(
struct
ip_vs_conn
*
cp
)
{
/* reset it expire in its timeout */
mod_timer
(
&
cp
->
timer
,
jiffies
+
cp
->
timeout
);
unsigned
long
t
=
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
?
0
:
cp
->
timeout
;
mod_timer
(
&
cp
->
timer
,
jiffies
+
t
);
__ip_vs_conn_put
(
cp
);
}
...
...
@@ -653,7 +657,7 @@ static void ip_vs_conn_expire(unsigned long data)
/*
* unhash it if it is hashed in the conn table
*/
if
(
!
ip_vs_conn_unhash
(
cp
))
if
(
!
ip_vs_conn_unhash
(
cp
)
&&
!
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
)
goto
expire_later
;
/*
...
...
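Review bot: The `/* reset it expire in its timeout */` comment in ip_vs_conn_put is now wrong for one-packet connections, which the new `t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ? 0 : cp->timeout;` arms to expire on the next timer run; replace it with `/* One-packet connections are never kept: expire them as soon as the reference is dropped, otherwise re-arm the idle timeout. */`. The early `return 0;` in ip_vs_conn_hash and the extra `!(cp->flags & IP_VS_CONN_F_ONE_PACKET)` term in ip_vs_conn_expire are the other halves of the same rule (never hashed, so unhash cannot succeed and must not defer expiry) and would benefit from a one-line comment each saying so, since a reader of either hunk alone cannot see why the flag is special. All three functions extend beyond their hunks.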
net/netfilter/ipvs/ip_vs_core.c
...
...
@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
struct
ip_vs_dest
*
dest
;
struct
ip_vs_conn
*
ct
;
__be16
dport
;
/* destination port to forward */
__be16
flags
;
union
nf_inet_addr
snet
;
/* source network of the client,
after masking */
...
...
@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
dport
=
ports
[
1
];
}
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
/*
* Create a new connection according to the template
*/
...
...
@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
&
iph
.
saddr
,
ports
[
0
],
&
iph
.
daddr
,
ports
[
1
],
&
dest
->
addr
,
dport
,
0
,
flags
,
dest
);
if
(
cp
==
NULL
)
{
ip_vs_conn_put
(
ct
);
...
...
@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
struct
ip_vs_conn
*
cp
=
NULL
;
struct
ip_vs_iphdr
iph
;
struct
ip_vs_dest
*
dest
;
__be16
_ports
[
2
],
*
pptr
;
__be16
_ports
[
2
],
*
pptr
,
flags
;
ip_vs_fill_iphdr
(
svc
->
af
,
skb_network_header
(
skb
),
&
iph
);
pptr
=
skb_header_pointer
(
skb
,
iph
.
len
,
sizeof
(
_ports
),
_ports
);
...
...
@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
return
NULL
;
}
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
/*
* Create a connection entry.
*/
...
...
@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
&
iph
.
saddr
,
pptr
[
0
],
&
iph
.
daddr
,
pptr
[
1
],
&
dest
->
addr
,
dest
->
port
?
dest
->
port
:
pptr
[
1
],
0
,
flags
,
dest
);
if
(
cp
==
NULL
)
return
NULL
;
...
...
@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
if
(
sysctl_ip_vs_cache_bypass
&&
svc
->
fwmark
&&
unicast
)
{
int
ret
,
cs
;
struct
ip_vs_conn
*
cp
;
__u16
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
union
nf_inet_addr
daddr
=
{
.
all
=
{
0
,
0
,
0
,
0
}
};
ip_vs_service_put
(
svc
);
...
...
@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
&
iph
.
saddr
,
pptr
[
0
],
&
iph
.
daddr
,
pptr
[
1
],
&
daddr
,
0
,
IP_VS_CONN_F_BYPASS
,
IP_VS_CONN_F_BYPASS
|
flags
,
NULL
);
if
(
cp
==
NULL
)
return
NF_DROP
;
...
...
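Review bot: The new `flags` locals are declared `__be16` in ip_vs_sched_persist and ip_vs_schedule but `__u16` in ip_vs_leave, and all three hold IP_VS_CONN_F_ONE_PACKET, a host-order flag constant (0x2000 in include/linux/ip_vs.h in this merge) that ip_vs_leave or-s with IP_VS_CONN_F_BYPASS; `__be16` is an endianness annotation for wire-order values, so sparse is likely to flag the mismatch, and the three declarations should agree on a plain `unsigned int flags;`. The selecting expression is also copied verbatim three times; a small static inline helper removes the duplication and gives the rule a single home for its comment. All three functions extend beyond their hunks.
```c
/* One-packet scheduling applies only to UDP traffic on a service
 * flagged IP_VS_SVC_F_ONEPACKET; returns the connection flag to set. */
static inline unsigned int ip_vs_onepacket_flags(const struct ip_vs_service *svc,
						 const struct ip_vs_iphdr *iph)
{
	return (svc->flags & IP_VS_SVC_F_ONEPACKET &&
		iph->protocol == IPPROTO_UDP) ? IP_VS_CONN_F_ONE_PACKET : 0;
}

/* … unchanged: ip_vs_sched_persist up to the flags assignment … */
	flags = ip_vs_onepacket_flags(svc, &iph);
/* … same one-line replacement in ip_vs_schedule and ip_vs_leave … */
```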
net/netfilter/ipvs/ip_vs_ctl.c
...
...
@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
svc
->
scheduler
->
name
);
else
#endif
seq_printf
(
seq
,
"%s %08X:%04X %s "
,
seq_printf
(
seq
,
"%s %08X:%04X %s
%s
"
,
ip_vs_proto_name
(
svc
->
protocol
),
ntohl
(
svc
->
addr
.
ip
),
ntohs
(
svc
->
port
),
svc
->
scheduler
->
name
);
svc
->
scheduler
->
name
,
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
)
?
"ops "
:
""
);
}
else
{
seq_printf
(
seq
,
"FWM %08X %s "
,
svc
->
fwmark
,
svc
->
scheduler
->
name
);
seq_printf
(
seq
,
"FWM %08X %s %s"
,
svc
->
fwmark
,
svc
->
scheduler
->
name
,
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
)
?
"ops "
:
""
);
}
if
(
svc
->
flags
&
IP_VS_SVC_F_PERSISTENT
)
...
...
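Review bot: Both seq_printf formats in ip_vs_info_seq_show gain a trailing `%s` that prints either "ops " or "", which keeps the output byte-for-byte identical for ordinary services but inserts a new `ops` token after the scheduler name, before the persistence fields that follow outside the hunk, for services flagged IP_VS_SVC_F_ONEPACKET. /proc/net/ip_vs is parsed by ipvsadm and by monitoring scripts, so that layout change deserves a comment next to the format, e.g. `/* "ops" marks one-packet scheduling; emitted between the scheduler name and the persistence fields */`, and a mention in the user-space documentation. ip_vs_info_seq_show extends beyond the hunk.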
net/netfilter/nf_conntrack_acct.c
...
...
@@ -17,13 +17,7 @@
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_acct.h>
#ifdef CONFIG_NF_CT_ACCT
#define NF_CT_ACCT_DEFAULT 1
#else
#define NF_CT_ACCT_DEFAULT 0
#endif
static
int
nf_ct_acct
__read_mostly
=
NF_CT_ACCT_DEFAULT
;
static
int
nf_ct_acct
__read_mostly
;
module_param_named
(
acct
,
nf_ct_acct
,
bool
,
0644
);
MODULE_PARM_DESC
(
acct
,
"Enable connection tracking flow accounting."
);
...
...
@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net)
net
->
ct
.
sysctl_acct
=
nf_ct_acct
;
if
(
net_eq
(
net
,
&
init_net
))
{
#ifdef CONFIG_NF_CT_ACCT
printk
(
KERN_WARNING
"CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
\n
"
);
printk
(
KERN_WARNING
"nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
\n
"
);
printk
(
KERN_WARNING
"sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
\n
"
);
#endif
ret
=
nf_ct_extend_register
(
&
acct_extend
);
if
(
ret
<
0
)
{
printk
(
KERN_ERR
"nf_conntrack_acct: Unable to register extension
\n
"
);
...
...
net/netfilter/xt_IDLETIMER.c
...
...
@@ -36,6 +36,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_IDLETIMER.h>
#include <linux/kdev_t.h>
#include <linux/kobject.h>
#include <linux/workqueue.h>
#include <linux/sysfs.h>
...
...
net/netfilter/xt_connbytes.c
...
...
@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if
(
ret
<
0
)
pr_info
(
"cannot load conntrack support for proto=%u
\n
"
,
par
->
family
);
/*
* This filter cannot function correctly unless connection tracking
* accounting is enabled, so complain in the hope that someone notices.
*/
if
(
!
nf_ct_acct_enabled
(
par
->
net
))
{
pr_warning
(
"Forcing CT accounting to be enabled
\n
"
);
nf_ct_set_acct
(
par
->
net
,
true
);
}
return
ret
;
}
...
...
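Review bot: The new accounting check runs after the `ret < 0` branch rather than inside its else path, so when nf_ct_l3proto_try_module_get failed the function still flips the namespace's accounting sysctl and logs "Forcing CT accounting to be enabled" before returning the error; make the failure branch return early, `if (ret < 0) { pr_info("cannot load conntrack support for proto=%u\n", par->family); return ret; }`, so the side effect only happens for a rule that will actually be installed. Independently, nf_ct_set_acct(par->net, true) presumably affects only conntracks created after the call (the accounting extension is attached at conntrack creation, outside this hunk), so flows already tracked when the rule is added will carry no counters and this match cannot see them; that is worth a line in the comment above the check, e.g. `/* Only flows created after this point are accounted; existing conntracks keep no counters. */`. connbytes_mt_check continues beyond the hunk.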