* [PATCH 2.4] cosmetic ipt_unclean update
From: Harald Welte @ 2003-10-02 14:43 UTC
To: David Miller; +Cc: Netfilter Development Mailinglist
[-- Attachment #1.1: Type: text/plain, Size: 615 bytes --]
Hi Davem!
Please apply the following patch to your 2.4 tree and push it to Marcelo.
Thanks.
Author: Patrick McHardy <kaber@trash.net>
Use a pre-built table for TCP flag checks instead of individual 'if'
statements in ipt_unclean.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #1.2: 55_ipt_unclean-tcp-flag-table.patch --]
[-- Type: text/plain, Size: 2180 bytes --]
# This is a BitKeeper generated patch for the following project:
# Project Name: Linux kernel tree
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas:
# ChangeSet 1.1214 -> 1.1215
# net/ipv4/netfilter/ipt_unclean.c 1.8 -> 1.9
#
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 03/07/12 kaber@trash.net 1.1215
# [NETFILTER]: Use pre-built table for TCP flag-check in ipt_unclean.
# --------------------------------------------
#
diff -Nru a/net/ipv4/netfilter/ipt_unclean.c b/net/ipv4/netfilter/ipt_unclean.c
--- a/net/ipv4/netfilter/ipt_unclean.c Sat Jul 12 05:40:25 2003
+++ b/net/ipv4/netfilter/ipt_unclean.c Sat Jul 12 05:40:25 2003
@@ -259,6 +259,24 @@
#define TH_ECE 0x40
#define TH_CWR 0x80
+/* table of valid flag combinations - ECE and CWR are always valid */
+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+{
+ [TH_SYN] = 1,
+ [TH_SYN|TH_ACK] = 1,
+ [TH_RST] = 1,
+ [TH_RST|TH_ACK] = 1,
+ [TH_RST|TH_ACK|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK] = 1,
+ [TH_ACK] = 1,
+ [TH_ACK|TH_PUSH] = 1,
+ [TH_ACK|TH_URG] = 1,
+ [TH_ACK|TH_URG|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK|TH_URG] = 1,
+ [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1
+};
+
/* TCP-specific checks. */
static int
check_tcp(const struct iphdr *iph,
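Review bot: tcp_valid_flags is declared "static u8" with no const, although the lines shown only initialise it once and read it in check_tcp(); declaring it "static const u8" would place it in read-only data and stop any later code from altering the set of accepted flag combinations by accident. The comment says ECE and CWR are always valid, but the table is sized for the other six flags only and has no entries with those bits set, so the comment should also state that callers must mask TH_ECE|TH_CWR out of the flag byte before indexing.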
@@ -330,19 +348,7 @@
/* CHECK: TCP flags. */
tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR));
- if (tcpflags != TH_SYN
- && tcpflags != (TH_SYN|TH_ACK)
- && tcpflags != TH_RST
- && tcpflags != (TH_RST|TH_ACK)
- && tcpflags != (TH_RST|TH_ACK|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK)
- && tcpflags != TH_ACK
- && tcpflags != (TH_ACK|TH_PUSH)
- && tcpflags != (TH_ACK|TH_URG)
- && tcpflags != (TH_ACK|TH_URG|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK|TH_URG)
- && tcpflags != (TH_FIN|TH_ACK|TH_URG|TH_PUSH)) {
+ if (!tcp_valid_flags[tcpflags]) {
limpk("TCP flags bad: %u\n", tcpflags);
return 0;
}
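Review bot: the lookup tcp_valid_flags[tcpflags] has no bounds check of its own and stays inside the table only because the assignment just above clears TH_ECE|TH_CWR (0x40 and 0x80) and the table happens to be sized for the remaining six flags. Nothing ties the two together, so a later change to either the mask or the table size would turn this into an out-of-bounds read driven by a byte taken from the packet. Consider masking with the same expression the table size is built from, (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG), ideally through one shared macro used in both places.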
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
* Re: [PATCH 2.4] cosmetic ipt_unclean update
From: David S. Miller @ 2003-10-03 6:26 UTC
To: Harald Welte; +Cc: netfilter-devel
On Thu, 2 Oct 2003 16:43:00 +0200
Harald Welte <laforge@netfilter.org> wrote:
> Please apply the following patch to your 2.4 tree and push it to Marcelo.
Applied, thanks.