From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@vger.kernel.org
Subject: netfilter 07/31: xtables: remove xt_conntrack v0
Date: Thu, 10 Sep 2009 18:11:55 +0200 (MEST)	[thread overview]
Message-ID: <20090910161151.31179.41974.sendpatchset@x2.localnet> (raw)
In-Reply-To: <20090910161142.31179.5256.sendpatchset@x2.localnet>

commit 9e05ec4b1804a1ba51f61fe169aef9b86edcd3f7
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Fri Jun 12 18:56:14 2009 +0200

    netfilter: xtables: remove xt_conntrack v0
    
    Superseded by xt_conntrack v1 (v2.6.24-2921-g64eb12f).
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 54f9357..6746473 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@ What (Why):
 	- "forwarding" header files like ipt_mac.h in
 	  include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
 
-	- xt_conntrack match revision 0
-	  (superseded by xt_conntrack match revision 1)
-
 	- xt_iprange match revision 0,
 	  include/linux/netfilter_ipv4/ipt_iprange.h
 	  (superseded by xt_iprange match revision 1)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 7ae0533..54f47a2 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -32,42 +32,6 @@ enum {
 	XT_CONNTRACK_DIRECTION    = 1 << 12,
 };
 
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
-	struct {
-		__be32 ip;
-		union {
-			__u16 all;
-		} u;
-	} src;
-
-	struct {
-		__be32 ip;
-		union {
-			__u16 all;
-		} u;
-
-		/* The protocol. */
-		__u16 protonum;
-	} dst;
-};
-
-struct xt_conntrack_info
-{
-	unsigned int statemask, statusmask;
-
-	struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
-	struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
-	unsigned long expires_min, expires_max;
-
-	/* Flags word */
-	__u8 flags;
-	/* Inverse flags */
-	__u8 invflags;
-};
-
 struct xt_conntrack_mtinfo1 {
 	union nf_inet_addr origsrc_addr, origsrc_mask;
 	union nf_inet_addr origdst_addr, origdst_mask;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index fc58180..6dc4652 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -19,101 +19,12 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: connection tracking state match");
 MODULE_ALIAS("ipt_conntrack");
 MODULE_ALIAS("ip6t_conntrack");
 
 static bool
-conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct xt_conntrack_info *sinfo = par->matchinfo;
-	const struct nf_conn *ct;
-	enum ip_conntrack_info ctinfo;
-	unsigned int statebit;
-
-	ct = nf_ct_get(skb, &ctinfo);
-
-#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
-
-	if (ct == &nf_conntrack_untracked)
-		statebit = XT_CONNTRACK_STATE_UNTRACKED;
-	else if (ct)
-		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
-	else
-		statebit = XT_CONNTRACK_STATE_INVALID;
-
-	if (sinfo->flags & XT_CONNTRACK_STATE) {
-		if (ct) {
-			if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
-				statebit |= XT_CONNTRACK_STATE_SNAT;
-			if (test_bit(IPS_DST_NAT_BIT, &ct->status))
-				statebit |= XT_CONNTRACK_STATE_DNAT;
-		}
-		if (FWINV((statebit & sinfo->statemask) == 0,
-			  XT_CONNTRACK_STATE))
-			return false;
-	}
-
-	if (ct == NULL) {
-		if (sinfo->flags & ~XT_CONNTRACK_STATE)
-			return false;
-		return true;
-	}
-
-	if (sinfo->flags & XT_CONNTRACK_PROTO &&
-	    FWINV(nf_ct_protonum(ct) !=
-		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
-		  XT_CONNTRACK_PROTO))
-		return false;
-
-	if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
-	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
-		   sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-		  sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
-		  XT_CONNTRACK_ORIGSRC))
-		return false;
-
-	if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
-	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
-		   sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
-		  XT_CONNTRACK_ORIGDST))
-		return false;
-
-	if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
-	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
-		   sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
-		  sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
-		  XT_CONNTRACK_REPLSRC))
-		return false;
-
-	if (sinfo->flags & XT_CONNTRACK_REPLDST &&
-	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
-		   sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
-		  sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
-		  XT_CONNTRACK_REPLDST))
-		return false;
-
-	if (sinfo->flags & XT_CONNTRACK_STATUS &&
-	    FWINV((ct->status & sinfo->statusmask) == 0,
-		  XT_CONNTRACK_STATUS))
-		return false;
-
-	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
-		unsigned long expires = timer_pending(&ct->timeout) ?
-					(ct->timeout.expires - jiffies)/HZ : 0;
-
-		if (FWINV(!(expires >= sinfo->expires_min &&
-			    expires <= sinfo->expires_max),
-			  XT_CONNTRACK_EXPIRES))
-			return false;
-	}
-	return true;
-#undef FWINV
-}
-
-static bool
 conntrack_addrcmp(const union nf_inet_addr *kaddr,
                   const union nf_inet_addr *uaddr,
                   const union nf_inet_addr *umask, unsigned int l3proto)
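Review bot: The `MODULE_AUTHOR` address change from `jengelh@computergmbh.de` to `jengelh@medozas.de` is unrelated to dropping revision 0 and is not mentioned in the commit message; it would be easier to audit as its own patch or with a line in the description. The message also names only the kernel commit that introduced revision 1, so a reader cannot tell which userspace releases still request revision 0 of the `conntrack` match. Presumably a ruleset loaded by such a binary is rejected once `conntrack_mt_v0` and its registration entry (removed in the next hunk) are gone, so a line stating the minimum userspace version would let operators confirm before upgrading that their firewall rules still load. The surviving `static bool` context line now heads `conntrack_addrcmp`, whose body continues outside the hunk.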
@@ -337,73 +248,9 @@ static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
 	conntrack_mt_destroy(par);
 }
 
-#ifdef CONFIG_COMPAT
-struct compat_xt_conntrack_info
-{
-	compat_uint_t			statemask;
-	compat_uint_t			statusmask;
-	struct ip_conntrack_old_tuple	tuple[IP_CT_DIR_MAX];
-	struct in_addr			sipmsk[IP_CT_DIR_MAX];
-	struct in_addr			dipmsk[IP_CT_DIR_MAX];
-	compat_ulong_t			expires_min;
-	compat_ulong_t			expires_max;
-	u_int8_t			flags;
-	u_int8_t			invflags;
-};
-
-static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
-{
-	const struct compat_xt_conntrack_info *cm = src;
-	struct xt_conntrack_info m = {
-		.statemask	= cm->statemask,
-		.statusmask	= cm->statusmask,
-		.expires_min	= cm->expires_min,
-		.expires_max	= cm->expires_max,
-		.flags		= cm->flags,
-		.invflags	= cm->invflags,
-	};
-	memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
-	memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
-	memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
-	memcpy(dst, &m, sizeof(m));
-}
-
-static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
-{
-	const struct xt_conntrack_info *m = src;
-	struct compat_xt_conntrack_info cm = {
-		.statemask	= m->statemask,
-		.statusmask	= m->statusmask,
-		.expires_min	= m->expires_min,
-		.expires_max	= m->expires_max,
-		.flags		= m->flags,
-		.invflags	= m->invflags,
-	};
-	memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
-	memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
-	memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
-	return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif
-
 static struct xt_match conntrack_mt_reg[] __read_mostly = {
 	{
 		.name       = "conntrack",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.match      = conntrack_mt_v0,
-		.checkentry = conntrack_mt_check,
-		.destroy    = conntrack_mt_destroy,
-		.matchsize  = sizeof(struct xt_conntrack_info),
-		.me         = THIS_MODULE,
-#ifdef CONFIG_COMPAT
-		.compatsize       = sizeof(struct compat_xt_conntrack_info),
-		.compat_from_user = conntrack_mt_compat_from_user_v0,
-		.compat_to_user   = conntrack_mt_compat_to_user_v0,
-#endif
-	},
-	{
-		.name       = "conntrack",
 		.revision   = 1,
 		.family     = NFPROTO_UNSPEC,
 		.matchsize  = sizeof(struct xt_conntrack_mtinfo1),
