Changeset 17421
- Timestamp:
- 08/05/11 13:04:51 (23 months ago)
- Location:
- src/linux/x86/linux-2.6.39
- Files:
-
- 3 edited
-
include/linux/netfilter_ipv4/ip_tables.h (modified) (1 diff)
-
net/ipv4/netfilter/ip_tables.c (modified) (9 diffs)
-
net/netfilter/nf_conntrack_proto_tcp.c (modified) (3 diffs)
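--- a/src/linux/x86/linux-2.6.39/include/linux/netfilter_ipv4/ip_tables.h
+++ b/src/linux/x86/linux-2.6.39/include/linux/netfilter_ipv4/ip_tables.h
@@ -94,4 +94,5 @@
 #define IPT_F_GOTO 0x02 /* Set if jump is a goto */
 #define IPT_F_MASK 0x03 /* All possible flag bits mask. */
+#define IPT_F_NO_DEF_MATCH 0x80 /* Internal: no default match rules present */
 
 /* Values for "inv" field in struct ipt_ip. */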
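Review bot: The new IPT_F_NO_DEF_MATCH bit (new line 96) sits outside IPT_F_MASK, and the comment should say that this is deliberate: the bit is set only by the kernel and must never be accepted from or exported to userspace, which the companion ip_tables.c change relies on when it masks `e->ip.flags & IPT_F_MASK` before copy_to_user. Suggested wording: `/* Internal: no default match rules present; kept outside IPT_F_MASK so it is rejected on entry and stripped on copy-to-user */`.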
src/linux/x86/linux-2.6.39/net/ipv4/netfilter/ip_tables.c
r17211 r17421 91 91 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) 92 92 93 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, 93 if (ipinfo->flags & IPT_F_NO_DEF_MATCH) 94 return true; 95 96 if (FWINV(ipinfo->smsk.s_addr && 97 (ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, 94 98 IPT_INV_SRCIP) || 95 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, 99 FWINV(ipinfo->smsk.s_addr && 100 (ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, 96 101 IPT_INV_DSTIP)) { 97 102 dprintf("Source or dest mismatch.\n"); … … 142 147 143 148 return true; 149 } 150 151 static void 152 ip_checkdefault(struct ipt_ip *ip) 153 { 154 static const char iface_mask[IFNAMSIZ] = {}; 155 156 if (ip->invflags || ip->flags & IPT_F_FRAG) 157 return; 158 159 if (memcmp(ip->iniface_mask, iface_mask, IFNAMSIZ) != 0) 160 return; 161 162 if (memcmp(ip->outiface_mask, iface_mask, IFNAMSIZ) != 0) 163 return; 164 165 if (ip->proto) 166 return; 167 168 ip->flags |= IPT_F_NO_DEF_MATCH; 144 169 } 145 170 … … 294 319 } 295 320 321 static bool 322 ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict) 323 { 324 struct xt_entry_target *t; 325 struct xt_standard_target *st; 326 327 if (e->target_offset != sizeof(struct ipt_entry)) 328 return false; 329 330 if (!(e->ip.flags & IPT_F_NO_DEF_MATCH)) 331 return false; 332 333 t = ipt_get_target(e); 334 if (t->u.kernel.target->target) 335 return false; 336 337 st = (struct xt_standard_target *) t; 338 if (st->verdict == XT_RETURN) 339 return false; 340 341 if (st->verdict >= 0) 342 return false; 343 344 *verdict = (unsigned)(-st->verdict) - 1; 345 return true; 346 } 347 296 348 /* Returns one of the generic firewall policies, like NF_ACCEPT. */ 297 349 unsigned int … … 317 369 indev = in ? in->name : nulldevname; 318 370 outdev = out ? 
out->name : nulldevname; 371 372 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 373 xt_info_rdlock_bh(); 374 private = table->private; 375 cpu = smp_processor_id(); 376 table_base = private->entries[cpu]; 377 jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; 378 stackptr = per_cpu_ptr(private->stackptr, cpu); 379 origptr = *stackptr; 380 381 e = get_entry(table_base, private->hook_entry[hook]); 382 if (ipt_handle_default_rule(e, &verdict)) { 383 ADD_COUNTER(e->counters, skb->len, 1); 384 xt_info_rdunlock_bh(); 385 return verdict; 386 } 387 319 388 /* We handle fragments by dealing with the first fragment as 320 389 * if it was a normal packet. All other fragments are treated … … 330 399 acpar.family = NFPROTO_IPV4; 331 400 acpar.hooknum = hook; 332 333 IP_NF_ASSERT(table->valid_hooks & (1 << hook));334 xt_info_rdlock_bh();335 private = table->private;336 cpu = smp_processor_id();337 table_base = private->entries[cpu];338 jumpstack = (struct ipt_entry **)private->jumpstack[cpu];339 stackptr = per_cpu_ptr(private->stackptr, cpu);340 origptr = *stackptr;341 342 e = get_entry(table_base, private->hook_entry[hook]);343 401 344 402 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n", … … 567 625 568 626 static int 569 check_entry( conststruct ipt_entry *e, const char *name)627 check_entry(struct ipt_entry *e, const char *name) 570 628 { 571 629 const struct xt_entry_target *t; … … 575 633 return -EINVAL; 576 634 } 635 636 ip_checkdefault(&e->ip); 577 637 578 638 if (e->target_offset + sizeof(struct xt_entry_target) > … … 937 997 int ret = 0; 938 998 const void *loc_cpu_entry; 999 u8 flags; 939 1000 940 1001 counters = alloc_counters(table); … … 964 1025 &counters[num], 965 1026 sizeof(counters[num])) != 0) { 1027 ret = -EFAULT; 1028 goto free_counters; 1029 } 1030 1031 flags = e->ip.flags & IPT_F_MASK; 1032 if (copy_to_user(userptr + off 1033 + offsetof(struct ipt_entry, ip.flags), 1034 &flags, sizeof(flags)) != 0) { 966 1035 ret = -EFAULT; 967 1036 goto 
free_counters; -
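Review bot: The destination check in ip_packet_match (new lines 99-100) gates on the source mask: `FWINV(ipinfo->smsk.s_addr && (ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, IPT_INV_DSTIP)` should read `FWINV(ipinfo->dmsk.s_addr && (ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, IPT_INV_DSTIP)`. As written, a rule with an unrestricted source (smsk of 0) but a specific destination skips the destination comparison entirely and matches every packet, so a targeted ACCEPT or DROP silently becomes a blanket one; a rule with an any-source and a single-host destination would show it immediately. ip_packet_match begins before this hunk. Separately, ip_checkdefault (new lines 151-169) only ever sets IPT_F_NO_DEF_MATCH and never clears it, so the fast path in ipt_do_table is safe only because a user-supplied flags byte with that bit is rejected before check_entry reaches ip_checkdefault — presumably by ip_checkentry's check against IPT_F_MASK, which is outside the hunk — and a comment on ip_checkdefault such as `/* Relies on ip_checkentry() rejecting flags outside IPT_F_MASK, so this bit can only be set here. */` would make that dependency explicit.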
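--- a/src/linux/x86/linux-2.6.39/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/src/linux/x86/linux-2.6.39/net/netfilter/nf_conntrack_proto_tcp.c
@@ -29,4 +29,7 @@
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
+
+/* Do not check the TCP window for incoming packets */
+static int nf_ct_tcp_no_window_check __read_mostly = 1;
 
 /* "Be conservative in what you do,
@@ -525,4 +528,7 @@
 bool res;
 
+if (nf_ct_tcp_no_window_check)
+return true;
+
 /*
 * Get the required data from the packet.
@@ -1322,4 +1328,11 @@
 },
 {
+.procname = "nf_conntrack_tcp_no_window_check",
+.data = &nf_ct_tcp_no_window_check,
+.maxlen = sizeof(unsigned int),
+.mode = 0644,
+.proc_handler = proc_dointvec,
+},
+{
 .procname = "nf_conntrack_tcp_be_liberal",
 .data = &nf_ct_tcp_be_liberal,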
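Review bot: `nf_ct_tcp_no_window_check` is initialised to 1 (new line 33), so the early return added to tcp_in_window (new lines 530-531) disables TCP window tracking for every connection unless an administrator explicitly writes 0 to the new sysctl; for a check whose purpose is to reject out-of-window segments, opt-in is the safer default, i.e. `static int nf_ct_tcp_no_window_check __read_mostly = 0;`. The comment above it should also state what is given up, e.g. `/* Skip TCP window tracking entirely: out-of-window segments are then accepted by conntrack. Toggled via the nf_conntrack_tcp_no_window_check sysctl. */`. The early return leaves the rest of tcp_in_window unexecuted, and that function appears to also maintain the per-direction window state that later code consults — worth confirming nothing downstream depends on it being updated; tcp_in_window starts and ends outside this hunk. The sysctl entry mirrors the neighbouring nf_conntrack_tcp_be_liberal entry, including `.maxlen = sizeof(unsigned int)` for an `int` variable, so it is at least consistent with existing practice in the table.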
