apfs/linux-apfs
0
0
Fork 0
mirror of https://github.com/linux-apfs/linux-apfs.git synced 2026-05-01 15:00:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

Browse Source
This commit is contained in:
David S. Miller
2009-12-03 13:23:12 -08:00
parent 55dbabee63 3666ed1c48
commit 424eff9751
32 changed files with 251 additions and 255 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/netfilter/nf_conntrack_core.c
+10 -4
View File
@@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
cnt++;
}
if (ct && unlikely(nf_ct_is_dying(ct) ||
!atomic_inc_not_zero(&ct->ct_general.use)))
ct = NULL;
if (ct || cnt >= NF_CT_EVICTION_RANGE)
if (ct != NULL) {
if (likely(!nf_ct_is_dying(ct) &&
atomic_inc_not_zero(&ct->ct_general.use)))
break;
else
ct = NULL;
}
if (cnt >= NF_CT_EVICTION_RANGE)
break;
hash = (hash + 1) % nf_conntrack_htable_size;
}
rcu_read_unlock();
net/netfilter/nf_conntrack_proto_tcp.c
+40 -9
View File
@@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
/* b) This SYN/ACK acknowledges a SYN that we earlier
* ignored as invalid. This means that the client and
* the server are both in sync, while the firewall is
* not. We kill this session and block the SYN/ACK so
* that the client cannot but retransmit its SYN and
* thus initiate a clean new session.
* not. We get in sync from the previously annotated
* values.
*/
spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
"nf_ct_tcp: killing out of sync session ");
nf_ct_kill(ct);
return NF_DROP;
old_state = TCP_CONNTRACK_SYN_SENT;
new_state = TCP_CONNTRACK_SYN_RECV;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
ct->proto.tcp.last_end;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
ct->proto.tcp.last_end;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
ct->proto.tcp.last_win == 0 ?
1 : ct->proto.tcp.last_win;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
ct->proto.tcp.last_wscale;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
ct->proto.tcp.last_flags;
memset(&ct->proto.tcp.seen[dir], 0,
sizeof(struct ip_ct_tcp_state));
break;
}
ct->proto.tcp.last_index = index;
ct->proto.tcp.last_dir = dir;
ct->proto.tcp.last_seq = ntohl(th->seq);
ct->proto.tcp.last_end =
segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
ct->proto.tcp.last_win = ntohs(th->window);
/* a) This is a SYN in ORIGINAL. The client and the server
* may be in sync but we are not. In that case, we annotate
* the TCP options and let the packet go through. If it is a
* valid SYN packet, the server will reply with a SYN/ACK, and
* then we'll get in sync. Otherwise, the server ignores it. */
if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
struct ip_ct_tcp_state seen = {};
ct->proto.tcp.last_flags =
ct->proto.tcp.last_wscale = 0;
tcp_options(skb, dataoff, th, &seen);
if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
ct->proto.tcp.last_flags |=
IP_CT_TCP_FLAG_WINDOW_SCALE;
ct->proto.tcp.last_wscale = seen.td_scale;
}
if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
ct->proto.tcp.last_flags |=
IP_CT_TCP_FLAG_SACK_PERM;
}
}
spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
net/netfilter/nfnetlink_log.c
+1 -2
View File
@@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
{
struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE &&
n->protocol == NETLINK_NETFILTER && n->pid) {
if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
int i;
/* destroy all instances for this pid */
net/netfilter/nfnetlink_queue.c
+1 -2
View File
@@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
{
struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE &&
n->protocol == NETLINK_NETFILTER && n->pid) {
if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
int i;
/* destroy all instances for this pid */
net/netfilter/xt_conntrack.c
+17 -44
View File
@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
}
static bool
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
u16 state_mask, u16 status_mask)
{
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
statebit |= XT_CONNTRACK_STATE_DNAT;
}
if (!!(info->state_mask & statebit) ^
if (!!(state_mask & statebit) ^
!(info->invert_flags & XT_CONNTRACK_STATE))
return false;
}
@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
(!!(info->status_mask & ct->status) ^
(!!(status_mask & ct->status) ^
!(info->invert_flags & XT_CONNTRACK_STATUS)))
return false;
@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static bool
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
struct xt_match_param newpar = *par;
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
newpar.matchinfo = *info;
return conntrack_mt(skb, &newpar);
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
}
static bool
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
}
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
return true;
}
static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
{
struct xt_conntrack_mtinfo1 *info = par->matchinfo;
struct xt_conntrack_mtinfo2 *up;
int ret = conntrack_mt_check(par);
if (ret < 0)
return ret;
up = kmalloc(sizeof(*up), GFP_KERNEL);
if (up == NULL) {
nf_ct_l3proto_module_put(par->family);
return -ENOMEM;
}
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
up->state_mask = info->state_mask;
up->status_mask = info->status_mask;
*(void **)info = up;
return true;
}
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
{
nf_ct_l3proto_module_put(par->family);
}
static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
{
struct xt_conntrack_mtinfo2 **info = par->matchinfo;
kfree(*info);
conntrack_mt_destroy(par);
}
static struct xt_match conntrack_mt_reg[] __read_mostly = {
{
.name = "conntrack",
@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.family = NFPROTO_UNSPEC,
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
.match = conntrack_mt_v1,
.checkentry = conntrack_mt_check_v1,
.destroy = conntrack_mt_destroy_v1,
.checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy,
.me = THIS_MODULE,
},
{
@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.revision = 2,
.family = NFPROTO_UNSPEC,
.matchsize = sizeof(struct xt_conntrack_mtinfo2),
.match = conntrack_mt,
.match = conntrack_mt_v2,
.checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy,
.me = THIS_MODULE,
net/netfilter/xt_socket.c
+4 -2
View File
@@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.revision = 0,
.family = NFPROTO_IPV4,
.match = socket_mt_v0,
.hooks = 1 << NF_INET_PRE_ROUTING,
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE,
},
{
@@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.match = socket_mt_v1,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = 1 << NF_INET_PRE_ROUTING,
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE,
},
};