netfilter 00/13: netfilter update

netfilter 00/13: netfilter update

[Patrick McHardy]

Hi Dave,

following is a small netfilter update for net-next-2.6, containing some
minor cleanups and typo fixes, the case insensitive search support for the
textsearch API and xtables string match from Joonwoo Park and some net-ns
fixes from Alexey Dobriyan.

Please apply, thanks.


 include/linux/netfilter/xt_string.h    |   15 +++++++++++-
 include/linux/netfilter_ipv6.h         |    4 +++
 include/linux/textsearch.h             |   13 +++++------
 include/net/netfilter/nf_conntrack.h   |    3 +-
 lib/textsearch.c                       |   14 ++++++-----
 lib/ts_bm.c                            |   26 ++++++++++++++++-----
 lib/ts_fsm.c                           |    6 ++++-
 lib/ts_kmp.c                           |   29 +++++++++++++++++------
 net/bridge/netfilter/Kconfig           |    2 +-
 net/ipv4/netfilter/Kconfig             |    3 +-
 net/ipv6/netfilter/ip6table_filter.c   |   31 ++++++++++++++++++-------
 net/ipv6/netfilter/ip6table_security.c |    6 ++--
 net/netfilter/Kconfig                  |    5 +--
 net/netfilter/nf_conntrack_core.c      |    7 +++--
 net/netfilter/nf_conntrack_netlink.c   |    2 +-
 net/netfilter/xt_string.c              |   38 ++++++++++++++++++++++++++++++-
 16 files changed, 150 insertions(+), 54 deletions(-)

Adrian Bunk (1):
      netfilter: cleanup netfilter_ipv6.h userspace header

Alexey Dobriyan (2):
      netfilter: use correct namespace in ip6table_security
      netfilter: ip6table_filter in netns for real

Joonwoo Park (7):
      textsearch: support for case insensitive searching
      textsearch: fix Boyer-Moore text search bug
      textsearch: ts_bm: support case insensitive searching in Boyer-Moore algorithm
      textsearch: ts_kmp: support case insensitive searching in Knuth-Morris-Pratt algorithm
      textsearch: ts_fsm: return error on request for case insensitive search
      textsearch: convert kmalloc + memset to kzalloc
      netfilter: fix string extension for case insensitive pattern matching

Pablo Neira Ayuso (1):
      netfilter: nf_conntrack: add allocation flag to nf_conntrack_alloc

Patrick McHardy (1):
      netfilter: ebt_nflog: fix Kconfig typo

Russ Dill (1):
      Get rid of refrences to no longer existant Fast NAT.

netfilter 01/13: use correct namespace in ip6table_security

[Patrick McHardy]

netfilter: use correct namespace in ip6table_security

Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 1efb97e64956296424507f66dd8af9861f98ad89
tree 4ccfa87e7cea14fc1353b6c8f35ecf4d75527494
parent 4b5a698ef423eebc37cfacc6d3376d6dffd5bf83
author Alexey Dobriyan <adobriyan@parallels.com> Mon, 07 Jul 2008 13:00:15 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:15 +0200

 net/ipv6/netfilter/ip6table_security.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 063a3d9..a07abee 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -72,7 +72,7 @@ ip6t_local_in_hook(unsigned int hook,
 		   int (*okfn)(struct sk_buff *))
 {
 	return ip6t_do_table(skb, hook, in, out,
-			     init_net.ipv6.ip6table_security);
+			     nf_local_in_net(in, out)->ipv6.ip6table_security);
 }
 
 static unsigned int
@@ -83,7 +83,7 @@ ip6t_forward_hook(unsigned int hook,
 		  int (*okfn)(struct sk_buff *))
 {
 	return ip6t_do_table(skb, hook, in, out,
-			     init_net.ipv6.ip6table_security);
+			     nf_forward_net(in, out)->ipv6.ip6table_security);
 }
 
 static unsigned int
@@ -95,7 +95,7 @@ ip6t_local_out_hook(unsigned int hook,
 {
 	/* TBD: handle short packets via raw socket */
 	return ip6t_do_table(skb, hook, in, out,
-			     init_net.ipv6.ip6table_security);
+			     nf_local_out_net(in, out)->ipv6.ip6table_security);
 }
 
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {

Get rid of refrences to no longer existant Fast NAT.

[Patrick McHardy]

Get rid of refrences to no longer existant Fast NAT.

IP_ROUTE_NAT support was removed in August of 2004, but references to Fast
NAT were left in a couple of config options.

Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 8b373c6315ac2b28c32ba26fd24a47b28d489b0b
tree 718165eb921842684bba4015726fa485d263bb18
parent 1efb97e64956296424507f66dd8af9861f98ad89
author Russ Dill <russ.dill@gmail.com> Mon, 07 Jul 2008 13:00:15 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:15 +0200

 net/ipv4/netfilter/Kconfig |    3 +--
 net/netfilter/Kconfig      |    5 ++---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 6e25140..f23e60c 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -213,8 +213,7 @@ config IP_NF_TARGET_NETMAP
 	help
 	  NETMAP is an implementation of static 1:1 NAT mapping of network
 	  addresses. It maps the network address part, while keeping the host
-	  address part intact. It is similar to Fast NAT, except that
-	  Netfilter's connection tracking doesn't work well with Fast NAT.
+	  address part intact.
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index aa8d80c..316c7af 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -33,9 +33,8 @@ config NF_CONNTRACK
 	  into connections.
 
 	  This is required to do Masquerading or other kinds of Network
-	  Address Translation (except for Fast NAT).  It can also be used to
-	  enhance packet filtering (see `Connection state match support'
-	  below).
+	  Address Translation.  It can also be used to enhance packet
+	  filtering (see `Connection state match support' below).
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 

netfilter 03/13: nf_conntrack: add allocation flag to nf_conntrack_alloc

[Patrick McHardy]

netfilter: nf_conntrack: add allocation flag to nf_conntrack_alloc

ctnetlink does not need to allocate the conntrack entries with GFP_ATOMIC
as its code is executed in user context.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit fb5471afe6b8e29f1319ca85ecc830f6b8b54143
tree 87f3fb0f9a0a1f50795dcde601891c35c99228dd
parent 8b373c6315ac2b28c32ba26fd24a47b28d489b0b
author Pablo Neira Ayuso <pablo@netfilter.org> Mon, 07 Jul 2008 13:00:16 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:16 +0200

 include/net/netfilter/nf_conntrack.h |    3 ++-
 net/netfilter/nf_conntrack_core.c    |    7 ++++---
 net/netfilter/nf_conntrack_netlink.c |    2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index d77dec7..d5d76ec 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -258,7 +258,8 @@ nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
 extern void nf_conntrack_free(struct nf_conn *ct);
 extern struct nf_conn *
 nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
-		   const struct nf_conntrack_tuple *repl);
+		   const struct nf_conntrack_tuple *repl,
+		   gfp_t gfp);
 
 /* It's confirmed if it is, or has been in the hash table. */
 static inline int nf_ct_is_confirmed(struct nf_conn *ct)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f27c992..212a088 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -464,7 +464,8 @@ static noinline int early_drop(unsigned int hash)
 }
 
 struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
-				   const struct nf_conntrack_tuple *repl)
+				   const struct nf_conntrack_tuple *repl,
+				   gfp_t gfp)
 {
 	struct nf_conn *ct = NULL;
 
@@ -489,7 +490,7 @@ struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
 		}
 	}
 
-	ct = kmem_cache_zalloc(nf_conntrack_cachep, GFP_ATOMIC);
+	ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);
 	if (ct == NULL) {
 		pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
 		atomic_dec(&nf_conntrack_count);
@@ -542,7 +543,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
 		return NULL;
 	}
 
-	ct = nf_conntrack_alloc(tuple, &repl_tuple);
+	ct = nf_conntrack_alloc(tuple, &repl_tuple, GFP_ATOMIC);
 	if (ct == NULL || IS_ERR(ct)) {
 		pr_debug("Can't allocate conntrack.\n");
 		return (struct nf_conntrack_tuple_hash *)ct;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 63c4e1f..dd23339 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1128,7 +1128,7 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 	struct nf_conn_help *help;
 	struct nf_conntrack_helper *helper;
 
-	ct = nf_conntrack_alloc(otuple, rtuple);
+	ct = nf_conntrack_alloc(otuple, rtuple, GFP_KERNEL);
 	if (ct == NULL || IS_ERR(ct))
 		return -ENOMEM;
 

netfilter 04/13: ip6table_filter in netns for real

[Patrick McHardy]

netfilter: ip6table_filter in netns for real

One still needs to remove checks in nf_hook_slow() and nf_sockopt_find()
to test this, though.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 92b669eedbfbca32d05723764afb243b6d8faeed
tree 9061315f95bb9a3d3a36bb14ec491ddd7d41f29c
parent fb5471afe6b8e29f1319ca85ecc830f6b8b54143
author Alexey Dobriyan <adobriyan@gmail.com> Mon, 07 Jul 2008 13:00:16 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:16 +0200

 net/ipv6/netfilter/ip6table_filter.c |   31 ++++++++++++++++++++++---------
 1 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index f979e48..55a2c29 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -61,13 +61,25 @@ static struct xt_table packet_filter = {
 
 /* The work comes in here from netfilter.c. */
 static unsigned int
-ip6t_hook(unsigned int hook,
-	 struct sk_buff *skb,
-	 const struct net_device *in,
-	 const struct net_device *out,
-	 int (*okfn)(struct sk_buff *))
+ip6t_local_in_hook(unsigned int hook,
+		   struct sk_buff *skb,
+		   const struct net_device *in,
+		   const struct net_device *out,
+		   int (*okfn)(struct sk_buff *))
+{
+	return ip6t_do_table(skb, hook, in, out,
+			     nf_local_in_net(in, out)->ipv6.ip6table_filter);
+}
+
+static unsigned int
+ip6t_forward_hook(unsigned int hook,
+		  struct sk_buff *skb,
+		  const struct net_device *in,
+		  const struct net_device *out,
+		  int (*okfn)(struct sk_buff *))
 {
-	return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
+	return ip6t_do_table(skb, hook, in, out,
+			     nf_forward_net(in, out)->ipv6.ip6table_filter);
 }
 
 static unsigned int
@@ -87,19 +99,20 @@ ip6t_local_out_hook(unsigned int hook,
 	}
 #endif
 
-	return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
+	return ip6t_do_table(skb, hook, in, out,
+			     nf_local_out_net(in, out)->ipv6.ip6table_filter);
 }
 
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
 	{
-		.hook		= ip6t_hook,
+		.hook		= ip6t_local_in_hook,
 		.owner		= THIS_MODULE,
 		.pf		= PF_INET6,
 		.hooknum	= NF_INET_LOCAL_IN,
 		.priority	= NF_IP6_PRI_FILTER,
 	},
 	{
-		.hook		= ip6t_hook,
+		.hook		= ip6t_forward_hook,
 		.owner		= THIS_MODULE,
 		.pf		= PF_INET6,
 		.hooknum	= NF_INET_FORWARD,

netfilter 05/13: cleanup netfilter_ipv6.h userspace header

[Patrick McHardy]

netfilter: cleanup netfilter_ipv6.h userspace header

Kernel functions are not for userspace.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit fa30a357f95a548526ffe578a57ff55fb2646674
tree 61ec88d0f6bf116a21131a796d6283a504c33bbe
parent 92b669eedbfbca32d05723764afb243b6d8faeed
author Adrian Bunk <bunk@kernel.org> Mon, 07 Jul 2008 13:00:16 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:16 +0200

 include/linux/netfilter_ipv6.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index fd50988..d654873 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -70,6 +70,8 @@ enum nf_ip6_hook_priorities {
 	NF_IP6_PRI_LAST = INT_MAX,
 };
 
+#ifdef  __KERNEL__
+
 #ifdef CONFIG_NETFILTER
 extern int ip6_route_me_harder(struct sk_buff *skb);
 extern __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
@@ -82,4 +84,6 @@ static inline int ipv6_netfilter_init(void) { return 0; }
 static inline void ipv6_netfilter_fini(void) { return; }
 #endif /* CONFIG_NETFILTER */
 
+#endif /* __KERNEL__ */
+
 #endif /*__LINUX_IP6_NETFILTER_H*/

netfilter 06/13: ebt_nflog: fix Kconfig typo

[Patrick McHardy]

netfilter: ebt_nflog: fix Kconfig typo

The help text should refer to nflog instead of ulog. Noticed by
Krzysztof Halasa <khc@pm.waw.pl>.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 48d88486554c27296e6f0e4b37aae3bbb37af5d2
tree 5e381318cdc2c46ed9d7e4afa58815c125d441f2
parent fa30a357f95a548526ffe578a57ff55fb2646674
author Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:16 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:16 +0200

 net/bridge/netfilter/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 540df41..9094797 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -230,7 +230,7 @@ config BRIDGE_EBT_NFLOG
 	  either the old LOG target, the old ULOG target or nfnetlink_log
 	  as backend.
 
-	  This option adds the ulog watcher, that you can use in any rule
+	  This option adds the nflog watcher, that you can use in any rule
 	  in any ebtables table.
 
 	  To compile it as a module, choose M here.  If unsure, say N.

textsearch 07/13: support for case insensitive searching

[Patrick McHardy]

textsearch: support for case insensitive searching

The function textsearch_prepare has a new flag to support case
insensitive searching.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 170f103d11a1e1186e2677fd5f75735b740c025f
tree e1ab155181637bf1ad3d39232b9cc2f40094f286
parent 48d88486554c27296e6f0e4b37aae3bbb37af5d2
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:17 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:17 +0200

 include/linux/textsearch.h |   10 +++++-----
 lib/textsearch.c           |   14 ++++++++------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
index 6f371f2..6c34cf2 100644
--- a/include/linux/textsearch.h
+++ b/include/linux/textsearch.h
@@ -10,10 +10,8 @@
 
 struct ts_config;
 
-/**
- * TS_AUTOLOAD - Automatically load textsearch modules when needed
- */
-#define TS_AUTOLOAD	1
+#define TS_AUTOLOAD	1 /* Automatically load textsearch modules when needed */
+#define TS_IGNORECASE	2 /* Searches string case insensitively */
 
 /**
  * struct ts_state - search state
@@ -39,7 +37,7 @@ struct ts_state
 struct ts_ops
 {
 	const char		*name;
-	struct ts_config *	(*init)(const void *, unsigned int, gfp_t);
+	struct ts_config *	(*init)(const void *, unsigned int, gfp_t, int);
 	unsigned int		(*find)(struct ts_config *,
 					struct ts_state *);
 	void			(*destroy)(struct ts_config *);
@@ -52,12 +50,14 @@ struct ts_ops
 /**
  * struct ts_config - search configuration
  * @ops: operations of chosen algorithm
+ * @flags: flags
  * @get_next_block: callback to fetch the next block to search in
  * @finish: callback to finalize a search
  */
 struct ts_config
 {
 	struct ts_ops		*ops;
+	int 			flags;
 
 	/**
 	 * get_next_block - fetch next block of data
diff --git a/lib/textsearch.c b/lib/textsearch.c
index be8bda3..b451fcc 100644
--- a/lib/textsearch.c
+++ b/lib/textsearch.c
@@ -54,10 +54,13 @@
  * USAGE
  *
  *   Before a search can be performed, a configuration must be created
- *   by calling textsearch_prepare() specyfing the searching algorithm and
- *   the pattern to look for. The returned configuration may then be used
- *   for an arbitary amount of times and even in parallel as long as a
- *   separate struct ts_state variable is provided to every instance.
+ *   by calling textsearch_prepare() specifying the searching algorithm,
+ *   the pattern to look for and flags. As a flag, you can set TS_IGNORECASE
+ *   to perform case insensitive matching. But it might slow down
+ *   performance of algorithm, so you should use it at own your risk.
+ *   The returned configuration may then be used for an arbitary
+ *   amount of times and even in parallel as long as a separate struct
+ *   ts_state variable is provided to every instance.
  *
  *   The actual search is performed by either calling textsearch_find_-
  *   continuous() for linear data or by providing an own get_next_block()
@@ -89,7 +92,6 @@
  *       panic("Oh my god, dancing chickens at %d\n", pos);
  *
  *   textsearch_destroy(conf);
- *
  * ==========================================================================
  */
 
@@ -279,7 +281,7 @@ struct ts_config *textsearch_prepare(const char *algo, const void *pattern,
 	if (ops == NULL)
 		goto errout;
 
-	conf = ops->init(pattern, len, gfp_mask);
+	conf = ops->init(pattern, len, gfp_mask, flags);
 	if (IS_ERR(conf)) {
 		err = PTR_ERR(conf);
 		goto errout;

textsearch 08/13: fix Boyer-Moore text search bug

[Patrick McHardy]

textsearch: fix Boyer-Moore text search bug

The current logic has a bug which cannot find matching pattern, if the
pattern is matched from the first character of target string.
for example:
	pattern=abc, string=abcdefg
	pattern=a,   string=abcdefg
Searching algorithm should return 0 for those things.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ad089136c547ef33e2375e64dd13a0f09825d4d0
tree e1ab155181637bf1ad3d39232b9cc2f40094f286
parent 170f103d11a1e1186e2677fd5f75735b740c025f
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:17 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:17 +0200

 0 files changed, 0 insertions(+), 0 deletions(-)

textsearch 09/13: ts_bm: support case insensitive searching in Boyer-Moore algorithm

[Patrick McHardy]

textsearch: ts_bm: support case insensitive searching in Boyer-Moore algorithm

Add support for case insensitive search to Boyer-Moore algorithm.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 457ff20e4a6f48e8ff049ad9323b76b9a4e110a7
tree a777e8054a470dcc262b32653e1fe795d8d66d62
parent ad089136c547ef33e2375e64dd13a0f09825d4d0
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:17 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:17 +0200

 lib/ts_bm.c |   26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/lib/ts_bm.c b/lib/ts_bm.c
index 4a7fce7..9e66ee4 100644
--- a/lib/ts_bm.c
+++ b/lib/ts_bm.c
@@ -39,6 +39,7 @@
 #include <linux/module.h>
 #include <linux/types.h>
 #include <linux/string.h>
+#include <linux/ctype.h>
 #include <linux/textsearch.h>
 
 /* Alphabet size, use ASCII */
@@ -64,6 +65,7 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
 	unsigned int i, text_len, consumed = state->offset;
 	const u8 *text;
 	int shift = bm->patlen - 1, bs;
+	const u8 icase = conf->flags & TS_IGNORECASE;
 
 	for (;;) {
 		text_len = conf->get_next_block(consumed, &text, conf, state);
@@ -75,7 +77,9 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
 			DEBUGP("Searching in position %d (%c)\n", 
 				shift, text[shift]);
 			for (i = 0; i < bm->patlen; i++) 
-			     if (text[shift-i] != bm->pattern[bm->patlen-1-i])
+				if ((icase ? toupper(text[shift-i])
+				    : text[shift-i])
+					!= bm->pattern[bm->patlen-1-i])
 				     goto next;
 
 			/* London calling... */
@@ -111,14 +115,18 @@ static int subpattern(u8 *pattern, int i, int j, int g)
 	return ret;
 }
 
-static void compute_prefix_tbl(struct ts_bm *bm)
+static void compute_prefix_tbl(struct ts_bm *bm, int flags)
 {
 	int i, j, g;
 
 	for (i = 0; i < ASIZE; i++)
 		bm->bad_shift[i] = bm->patlen;
-	for (i = 0; i < bm->patlen - 1; i++)
+	for (i = 0; i < bm->patlen - 1; i++) {
 		bm->bad_shift[bm->pattern[i]] = bm->patlen - 1 - i;
+		if (flags & TS_IGNORECASE)
+			bm->bad_shift[tolower(bm->pattern[i])]
+			    = bm->patlen - 1 - i;
+	}
 
 	/* Compute the good shift array, used to match reocurrences 
 	 * of a subpattern */
@@ -135,10 +143,11 @@ static void compute_prefix_tbl(struct ts_bm *bm)
 }
 
 static struct ts_config *bm_init(const void *pattern, unsigned int len,
-				 gfp_t gfp_mask)
+				 gfp_t gfp_mask, int flags)
 {
 	struct ts_config *conf;
 	struct ts_bm *bm;
+	int i;
 	unsigned int prefix_tbl_len = len * sizeof(unsigned int);
 	size_t priv_size = sizeof(*bm) + len + prefix_tbl_len;
 
@@ -146,11 +155,16 @@ static struct ts_config *bm_init(const void *pattern, unsigned int len,
 	if (IS_ERR(conf))
 		return conf;
 
+	conf->flags = flags;
 	bm = ts_config_priv(conf);
 	bm->patlen = len;
 	bm->pattern = (u8 *) bm->good_shift + prefix_tbl_len;
-	memcpy(bm->pattern, pattern, len);
-	compute_prefix_tbl(bm);
+	if (flags & TS_IGNORECASE)
+		for (i = 0; i < len; i++)
+			bm->pattern[i] = toupper(((u8 *)pattern)[i]);
+	else
+		memcpy(bm->pattern, pattern, len);
+	compute_prefix_tbl(bm, flags);
 
 	return conf;
 }

textsearch 10/13: ts_kmp: support case insensitive searching in Knuth-Morris-Pratt algorithm

[Patrick McHardy]

textsearch: ts_kmp: support case insensitive searching in Knuth-Morris-Pratt algorithm

Add support for case insensitive search to Knuth-Morris-Pratt algorithm.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f7bf6c69848b78c6244bf9d6d963c6d685e91a58
tree fdf158caff0f667f9602dfe6071ae98e1b38fb97
parent 457ff20e4a6f48e8ff049ad9323b76b9a4e110a7
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:17 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:17 +0200

 lib/ts_kmp.c |   29 +++++++++++++++++++++--------
 1 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/lib/ts_kmp.c b/lib/ts_kmp.c
index 3ced628..632f783 100644
--- a/lib/ts_kmp.c
+++ b/lib/ts_kmp.c
@@ -33,6 +33,7 @@
 #include <linux/module.h>
 #include <linux/types.h>
 #include <linux/string.h>
+#include <linux/ctype.h>
 #include <linux/textsearch.h>
 
 struct ts_kmp
@@ -47,6 +48,7 @@ static unsigned int kmp_find(struct ts_config *conf, struct ts_state *state)
 	struct ts_kmp *kmp = ts_config_priv(conf);
 	unsigned int i, q = 0, text_len, consumed = state->offset;
 	const u8 *text;
+	const int icase = conf->flags & TS_IGNORECASE;
 
 	for (;;) {
 		text_len = conf->get_next_block(consumed, &text, conf, state);
@@ -55,9 +57,11 @@ static unsigned int kmp_find(struct ts_config *conf, struct ts_state *state)
 			break;
 
 		for (i = 0; i < text_len; i++) {
-			while (q > 0 && kmp->pattern[q] != text[i])
+			while (q > 0 && kmp->pattern[q]
+			    != (icase ? toupper(text[i]) : text[i]))
 				q = kmp->prefix_tbl[q - 1];
-			if (kmp->pattern[q] == text[i])
+			if (kmp->pattern[q]
+			    == (icase ? toupper(text[i]) : text[i]))
 				q++;
 			if (unlikely(q == kmp->pattern_len)) {
 				state->offset = consumed + i + 1;
@@ -72,24 +76,28 @@ static unsigned int kmp_find(struct ts_config *conf, struct ts_state *state)
 }
 
 static inline void compute_prefix_tbl(const u8 *pattern, unsigned int len,
-				      unsigned int *prefix_tbl)
+				      unsigned int *prefix_tbl, int flags)
 {
 	unsigned int k, q;
+	const u8 icase = flags & TS_IGNORECASE;
 
 	for (k = 0, q = 1; q < len; q++) {
-		while (k > 0 && pattern[k] != pattern[q])
+		while (k > 0 && (icase ? toupper(pattern[k]) : pattern[k])
+		    != (icase ? toupper(pattern[q]) : pattern[q]))
 			k = prefix_tbl[k-1];
-		if (pattern[k] == pattern[q])
+		if ((icase ? toupper(pattern[k]) : pattern[k])
+		    == (icase ? toupper(pattern[q]) : pattern[q]))
 			k++;
 		prefix_tbl[q] = k;
 	}
 }
 
 static struct ts_config *kmp_init(const void *pattern, unsigned int len,
-				  gfp_t gfp_mask)
+				  gfp_t gfp_mask, int flags)
 {
 	struct ts_config *conf;
 	struct ts_kmp *kmp;
+	int i;
 	unsigned int prefix_tbl_len = len * sizeof(unsigned int);
 	size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len;
 
@@ -97,11 +105,16 @@ static struct ts_config *kmp_init(const void *pattern, unsigned int len,
 	if (IS_ERR(conf))
 		return conf;
 
+	conf->flags = flags;
 	kmp = ts_config_priv(conf);
 	kmp->pattern_len = len;
-	compute_prefix_tbl(pattern, len, kmp->prefix_tbl);
+	compute_prefix_tbl(pattern, len, kmp->prefix_tbl, flags);
 	kmp->pattern = (u8 *) kmp->prefix_tbl + prefix_tbl_len;
-	memcpy(kmp->pattern, pattern, len);
+	if (flags & TS_IGNORECASE)
+		for (i = 0; i < len; i++)
+			kmp->pattern[i] = toupper(((u8 *)pattern)[i]);
+	else
+		memcpy(kmp->pattern, pattern, len);
 
 	return conf;
 }

textsearch 11/13: ts_fsm: return error on request for case insensitive search

[Patrick McHardy]

textsearch: ts_fsm: return error on request for case insensitive search

For fsm text search, handle case insensitive parameter as -EINVAL.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9506e421d3283116e5c0648be7a6233b7b841e35
tree 13a684be9ce821b10072f9b44573a913fcb623d3
parent f7bf6c69848b78c6244bf9d6d963c6d685e91a58
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:18 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:18 +0200

 lib/ts_fsm.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/lib/ts_fsm.c b/lib/ts_fsm.c
index af575b6..5696a35 100644
--- a/lib/ts_fsm.c
+++ b/lib/ts_fsm.c
@@ -257,7 +257,7 @@ found_match:
 }
 
 static struct ts_config *fsm_init(const void *pattern, unsigned int len,
-				     gfp_t gfp_mask)
+				    gfp_t gfp_mask, int flags)
 {
 	int i, err = -EINVAL;
 	struct ts_config *conf;
@@ -269,6 +269,9 @@ static struct ts_config *fsm_init(const void *pattern, unsigned int len,
 	if (len  % sizeof(struct ts_fsm_token) || ntokens < 1)
 		goto errout;
 
+	if (flags & TS_IGNORECASE)
+		goto errout;
+
 	for (i = 0; i < ntokens; i++) {
 		struct ts_fsm_token *t = &tokens[i];
 
@@ -284,6 +287,7 @@ static struct ts_config *fsm_init(const void *pattern, unsigned int len,
 	if (IS_ERR(conf))
 		return conf;
 
+	conf->flags = flags;
 	fsm = ts_config_priv(conf);
 	fsm->ntokens = ntokens;
 	memcpy(fsm->tokens, pattern, len);

textsearch 12/13: convert kmalloc + memset to kzalloc

[Patrick McHardy]

textsearch: convert kmalloc + memset to kzalloc

convert kmalloc + memset to kzalloc for alloc_ts_config

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 1dca522180f8a6f882cdef795f49595c05467bb2
tree 857aaaea2e4ec8266bf6fc06d75ef9eee349fb43
parent 9506e421d3283116e5c0648be7a6233b7b841e35
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:18 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:18 +0200

 include/linux/textsearch.h |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
index 6c34cf2..d9a85d6 100644
--- a/include/linux/textsearch.h
+++ b/include/linux/textsearch.h
@@ -162,11 +162,10 @@ static inline struct ts_config *alloc_ts_config(size_t payload,
 {
 	struct ts_config *conf;
 
-	conf = kmalloc(TS_PRIV_ALIGN(sizeof(*conf)) + payload, gfp_mask);
+	conf = kzalloc(TS_PRIV_ALIGN(sizeof(*conf)) + payload, gfp_mask);
 	if (conf == NULL)
 		return ERR_PTR(-ENOMEM);
 
-	memset(conf, 0, TS_PRIV_ALIGN(sizeof(*conf)) + payload);
 	return conf;
 }
 

netfilter 13/13: fix string extension for case insensitive pattern matching

[Patrick McHardy]

netfilter: fix string extension for case insensitive pattern matching

The flag XT_STRING_FLAG_IGNORECASE indicates case insensitive string
matching. netfilter can find cmd.exe, Cmd.exe, cMd.exe and etc easily.

A new revision 1 was added, in the meantime invert of xt_string_info
was moved into flags as a flag. If revision is 1, The flag
XT_STRING_FLAG_INVERT indicates invert matching.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit c18236f6c1161e4a95daac6162754e90d363610d
tree cc5b5aec980ec1c85b4a845d626029d7974b3753
parent 1dca522180f8a6f882cdef795f49595c05467bb2
author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:26:48 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:26:48 +0200

 include/linux/netfilter/xt_string.h |   15 +++++++++++++-
 net/netfilter/xt_string.c           |   38 +++++++++++++++++++++++++++++++++--
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h
index bb21dd1..8a6ba7b 100644
--- a/include/linux/netfilter/xt_string.h
+++ b/include/linux/netfilter/xt_string.h
@@ -4,6 +4,11 @@
 #define XT_STRING_MAX_PATTERN_SIZE 128
 #define XT_STRING_MAX_ALGO_NAME_SIZE 16
 
+enum {
+	XT_STRING_FLAG_INVERT		= 0x01,
+	XT_STRING_FLAG_IGNORECASE	= 0x02
+};
+
 struct xt_string_info
 {
 	u_int16_t from_offset;
@@ -11,7 +16,15 @@ struct xt_string_info
 	char	  algo[XT_STRING_MAX_ALGO_NAME_SIZE];
 	char 	  pattern[XT_STRING_MAX_PATTERN_SIZE];
 	u_int8_t  patlen;
-	u_int8_t  invert;
+	union {
+		struct {
+			u_int8_t  invert;
+		} v0;
+
+		struct {
+			u_int8_t  flags;
+		} v1;
+	} u;
 
 	/* Used internally by the kernel */
 	struct ts_config __attribute__((aligned(8))) *config;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 72f694d..4903182 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -29,12 +29,16 @@ string_mt(const struct sk_buff *skb, const struct net_device *in,
 {
 	const struct xt_string_info *conf = matchinfo;
 	struct ts_state state;
+	int invert;
 
 	memset(&state, 0, sizeof(struct ts_state));
 
+	invert = (match->revision == 0 ? conf->u.v0.invert :
+				    conf->u.v1.flags & XT_STRING_FLAG_INVERT);
+
 	return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
 			     conf->to_offset, conf->config, &state)
-			     != UINT_MAX) ^ conf->invert;
+			     != UINT_MAX) ^ invert;
 }
 
 #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
@@ -46,6 +50,7 @@ string_mt_check(const char *tablename, const void *ip,
 {
 	struct xt_string_info *conf = matchinfo;
 	struct ts_config *ts_conf;
+	int flags = TS_AUTOLOAD;
 
 	/* Damn, can't handle this case properly with iptables... */
 	if (conf->from_offset > conf->to_offset)
@@ -54,8 +59,15 @@ string_mt_check(const char *tablename, const void *ip,
 		return false;
 	if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
 		return false;
+	if (match->revision == 1) {
+		if (conf->u.v1.flags &
+		    ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
+			return false;
+		if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
+			flags |= TS_IGNORECASE;
+	}
 	ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
-				     GFP_KERNEL, TS_AUTOLOAD);
+				     GFP_KERNEL, flags);
 	if (IS_ERR(ts_conf))
 		return false;
 
@@ -72,6 +84,17 @@ static void string_mt_destroy(const struct xt_match *match, void *matchinfo)
 static struct xt_match string_mt_reg[] __read_mostly = {
 	{
 		.name 		= "string",
+		.revision	= 0,
+		.family		= AF_INET,
+		.checkentry	= string_mt_check,
+		.match 		= string_mt,
+		.destroy 	= string_mt_destroy,
+		.matchsize	= sizeof(struct xt_string_info),
+		.me 		= THIS_MODULE
+	},
+	{
+		.name 		= "string",
+		.revision	= 1,
 		.family		= AF_INET,
 		.checkentry	= string_mt_check,
 		.match 		= string_mt,
@@ -81,6 +104,17 @@ static struct xt_match string_mt_reg[] __read_mostly = {
 	},
 	{
 		.name 		= "string",
+		.revision	= 0,
+		.family		= AF_INET6,
+		.checkentry	= string_mt_check,
+		.match 		= string_mt,
+		.destroy 	= string_mt_destroy,
+		.matchsize	= sizeof(struct xt_string_info),
+		.me 		= THIS_MODULE
+	},
+	{
+		.name 		= "string",
+		.revision	= 1,
 		.family		= AF_INET6,
 		.checkentry	= string_mt_check,
 		.match 		= string_mt,

Re: Get rid of refrences to no longer existant Fast NAT.

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  7 Jul 2008 14:05:17 +0200 (MEST)

> Get rid of refrences to no longer existant Fast NAT.
> 
> IP_ROUTE_NAT support was removed in August of 2004, but references to Fast
> NAT were left in a couple of config options.
> 
> Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

I guess this is patch 02/13, right? :-)

Re: Get rid of refrences to no longer existant Fast NAT.

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon,  7 Jul 2008 14:05:17 +0200 (MEST)
> 
>> Get rid of refrences to no longer existant Fast NAT.
>>
>> IP_ROUTE_NAT support was removed in August of 2004, but references to Fast
>> NAT were left in a couple of config options.
>>
>> Signed-off-by: Russ Dill <Russ.Dill@gmail.com>
>> Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> I guess this is patch 02/13, right? :-)


Right, sorry. My scripts are not fully used to the lower case
subsystem yet :)

Re: textsearch 08/13: fix Boyer-Moore text search bug

[Patrick McHardy]

Patrick McHardy wrote:
> textsearch: fix Boyer-Moore text search bug
> 
> The current logic has a bug which cannot find matching pattern, if the
> pattern is matched from the first character of target string.
> for example:
> 	pattern=abc, string=abcdefg
> 	pattern=a,   string=abcdefg
> Searching algorithm should return 0 for those things.
> 
> Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> ---
> commit ad089136c547ef33e2375e64dd13a0f09825d4d0
> tree e1ab155181637bf1ad3d39232b9cc2f40094f286
> parent 170f103d11a1e1186e2677fd5f75735b740c025f
> author Joonwoo Park <joonwpark81@gmail.com> Mon, 07 Jul 2008 13:00:17 +0200
> committer Patrick McHardy <kaber@trash.net> Mon, 07 Jul 2008 13:00:17 +0200
> 
>  0 files changed, 0 insertions(+), 0 deletions(-)

Henrik notified my of this mistake. This one is already merged
through net-2.6.git, apparently I forgot to remove it from the
stack. Please ignore.

Re: netfilter 00/13: netfilter update

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  7 Jul 2008 14:05:15 +0200 (MEST)

> following is a small netfilter update for net-next-2.6, containing some
> minor cleanups and typo fixes, the case insensitive search support for the
> textsearch API and xtables string match from Joonwoo Park and some net-ns
> fixes from Alexey Dobriyan.

All applied, except patch 8 since it's in net-2.6 already, and
pushed back out to net-next-2.6

Thanks!