* [NETFILTER 01/38]: Hide a few more options under NETFILTER_ADVANCED
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Hide a few more options under NETFILTER_ADVANCED
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 46cc0c9011901f2697608a11c05d43765c7a3b38
tree 65a6a7d661d466e1f5fcc5a43836a24361327e50
parent ee28d55dcb195190fb8bbef5cc8f65b21fd78b52
author Patrick McHardy <kaber@trash.net> Mon, 14 Jan 2008 06:51:07 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:21 +0100
net/netfilter/Kconfig | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 96dbe9f..a711b42 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -378,6 +378,7 @@ config NETFILTER_XT_TARGET_NOTRACK
config NETFILTER_XT_TARGET_RATEEST
tristate '"RATEEST" target support'
depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
help
This option adds a `RATEEST' target, which allows to measure
rates similar to TC estimators. The `rateest' match can be
@@ -676,6 +677,7 @@ config NETFILTER_XT_MATCH_QUOTA
config NETFILTER_XT_MATCH_RATEEST
tristate '"rateest" match support'
depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
select NETFILTER_XT_TARGET_RATEEST
help
This option adds a `rateest' match, which allows to match on the
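Review bot: `select NETFILTER_XT_TARGET_RATEEST` directly under the new dependency forces the target on whenever the match is enabled, regardless of the target's own `depends on` lines; because both entries now carry `depends on NETFILTER_ADVANCED` the selection stays consistent, but had only the target been gated, the match would still have pulled it in silently. Keep the two dependency lists in step whenever either entry is edited again.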
* [NETFILTER 02/38]: Remove some EXPERIMENTAL dependencies
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Remove some EXPERIMENTAL dependencies
Most of the netfilter modules are not considered experimental anymore,
the only ones I want to keep marked as EXPERIMENTAL are:
- TCPOPTSTRIP target, which is brand new.
- SANE helper, which is quite new.
- CLUSTERIP target, which I believe hasn't had much testing despite
being in the kernel for quite a long time.
- SCTP match and conntrack protocol, which are a mess and need to
be reviewed and cleaned up before I would trust them.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 9eef50d726e834652abc7aca9740b62fbb89c124
tree 21abe009ce0e5e64be41a6a4c307fc7b30db0f08
parent 46cc0c9011901f2697608a11c05d43765c7a3b38
author Patrick McHardy <kaber@trash.net> Mon, 14 Jan 2008 06:51:08 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:22 +0100
net/ipv4/netfilter/Kconfig | 4 ++--
net/ipv6/netfilter/Kconfig | 12 ++++++------
net/netfilter/Kconfig | 24 ++++++++++++------------
3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index cface71..10ca307 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -229,8 +229,8 @@ config IP_NF_TARGET_NETMAP
To compile it as a module, choose M here. If unsure, say N.
config NF_NAT_SNMP_BASIC
- tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_NAT
+ tristate "Basic SNMP-ALG support"
+ depends on NF_NAT
depends on NETFILTER_ADVANCED
---help---
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index a6b4a9a..4fc0b02 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -2,12 +2,12 @@
# IP netfilter configuration
#
-menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
- depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
+menu "IPv6: Netfilter Configuration"
+ depends on INET && IPV6 && NETFILTER
config NF_CONNTRACK_IPV6
- tristate "IPv6 connection tracking support (EXPERIMENTAL)"
- depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK
+ tristate "IPv6 connection tracking support"
+ depends on INET && IPV6 && NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
---help---
Connection tracking keeps a record of what packets have passed
@@ -22,7 +22,7 @@ config NF_CONNTRACK_IPV6
config IP6_NF_QUEUE
tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
- depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
+ depends on INET && IPV6 && NETFILTER
depends on NETFILTER_ADVANCED
---help---
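Review bot: the prompt two lines up still reads "(OBSOLETE)", so this hunk makes an option the tree itself calls obsolete reachable without EXPERIMENTAL. Consider whether IP6_NF_QUEUE should be promoted together with the rest, or left gated until it is removed, since the commit message lists only the entries that are to stay experimental and says nothing about obsolete ones.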
@@ -44,7 +44,7 @@ config IP6_NF_QUEUE
config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)"
- depends on INET && IPV6 && EXPERIMENTAL
+ depends on INET && IPV6
select NETFILTER_XTABLES
default m if NETFILTER_ADVANCED=n
help
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a711b42..79d7143 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -76,8 +76,8 @@ config NF_CONNTRACK_SECMARK
If unsure, say 'N'.
config NF_CONNTRACK_EVENTS
- bool "Connection tracking events (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ bool "Connection tracking events"
+ depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
help
If this option is enabled, the connection tracking code will
@@ -102,8 +102,8 @@ config NF_CT_PROTO_SCTP
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NF_CT_PROTO_UDPLITE
- tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate 'UDP-Lite protocol connection tracking support'
+ depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
help
With this option enabled, the layer 3 independent connection
@@ -144,8 +144,8 @@ config NF_CONNTRACK_FTP
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_H323
- tristate "H.323 protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
+ tristate "H.323 protocol support"
+ depends on NF_CONNTRACK && (IPV6 || IPV6=n)
depends on NETFILTER_ADVANCED
help
H.323 is a VoIP signalling protocol from ITU-T. As one of the most
@@ -180,8 +180,8 @@ config NF_CONNTRACK_IRC
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_NETBIOS_NS
- tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "NetBIOS name service protocol support"
+ depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
help
NetBIOS name service requests are sent as broadcast messages from an
@@ -234,8 +234,8 @@ config NF_CONNTRACK_SANE
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_SIP
- tristate "SIP protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "SIP protocol support"
+ depends on NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
help
SIP is an application-layer control protocol that can establish,
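Review bot: because this entry has `default m if NETFILTER_ADVANCED=n` rather than `depends on NETFILTER_ADVANCED`, dropping EXPERIMENTAL does more than make the SIP helper selectable: it is now built as a module by default in the non-advanced configuration. A conntrack helper parses untrusted application-layer payloads in kernel context, so confirm that default is intended; the H.323 and NetBIOS-NS hunks above keep the ADVANCED dependency and are not widened this way.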
@@ -259,8 +259,8 @@ config NF_CONNTRACK_TFTP
To compile it as a module, choose M here. If unsure, say N.
config NF_CT_NETLINK
- tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate 'Connection tracking netlink interface'
+ depends on NF_CONNTRACK
select NETFILTER_NETLINK
depends on NF_NAT=n || NF_NAT
default m if NETFILTER_ADVANCED=n
* [NETFILTER 03/38]: remove ipt_TOS.c
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: remove ipt_TOS.c
Commit 88c85d81f74f92371745158aebc5cbf490412002 forgot to remove the
old ipt_TOS file (whose code has been merged into xt_DSCP). Remove
it now.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 97522ed78f619506ef818b7a7b1160735b47c367
tree db654ff7ce108e2e277ebeeec7678c4603d60621
parent 9eef50d726e834652abc7aca9740b62fbb89c124
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:09 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:22 +0100
net/ipv4/netfilter/ipt_TOS.c | 82 ------------------------------------------
1 files changed, 0 insertions(+), 82 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
deleted file mode 100644
index 1a92441..0000000
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/* This is a module which is used for setting the TOS field of a packet. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
-
-static unsigned int
-tos_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
-{
- const struct ipt_tos_target_info *tosinfo = targinfo;
- struct iphdr *iph = ip_hdr(skb);
-
- if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
- __u8 oldtos;
- if (!skb_make_writable(skb, sizeof(struct iphdr)))
- return NF_DROP;
- iph = ip_hdr(skb);
- oldtos = iph->tos;
- iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
- csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
- }
- return XT_CONTINUE;
-}
-
-static bool
-tos_tg_check(const char *tablename, const void *e_void,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
-{
- const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos;
-
- if (tos != IPTOS_LOWDELAY
- && tos != IPTOS_THROUGHPUT
- && tos != IPTOS_RELIABILITY
- && tos != IPTOS_MINCOST
- && tos != IPTOS_NORMALSVC) {
- printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
- return false;
- }
- return true;
-}
-
-static struct xt_target tos_tg_reg __read_mostly = {
- .name = "TOS",
- .family = AF_INET,
- .target = tos_tg,
- .targetsize = sizeof(struct ipt_tos_target_info),
- .table = "mangle",
- .checkentry = tos_tg_check,
- .me = THIS_MODULE,
-};
-
-static int __init tos_tg_init(void)
-{
- return xt_register_target(&tos_tg_reg);
-}
-
-static void __exit tos_tg_exit(void)
-{
- xt_unregister_target(&tos_tg_reg);
-}
-
-module_init(tos_tg_init);
-module_exit(tos_tg_exit);
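Review bot: the diffstat lists only net/ipv4/netfilter/ipt_TOS.c, so nothing here touches a Kconfig or Makefile entry; the patch relies on the referenced commit 88c85d81f74f92371745158aebc5cbf490412002 having already removed the build glue for the old target. Worth one sentence in the commit message, because a stale object rule for ipt_TOS.o would break the build the moment the file is gone.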
* [NETFILTER 04/38]: xt_TOS: Change semantic of mask value
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_TOS: Change semantic of mask value
This patch changes the behavior of xt_TOS v1 so that the mask value
the user supplies means "zero out these bits" rather than "keep these
bits". This is easier on the user, as (I would assume) people keep
more bits than they zero, so, an example:
Action: Set bit 0x01.
before (&): iptables -j TOS --set-tos 0x01/0xFE
after (&~): iptables -j TOS --set-tos 0x01/0x01
This is not too "tragic" with xt_TOS, but where larger fields are used
(e.g. proposed xt_MARK v2), `--set-xmark 0x01/0x01` vs. `--set-xmark
0x01/0xFFFFFFFE` really makes a difference. Other target(!) modules,
such as xt_TPROXY also use &~ rather than &, so let's get to a common
ground.
(Since xt_TOS has not yet left the development tree en direction to
mainline, the semantic can be changed as proposed without breaking
iptables.)
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b0b6c99174c0d7d9512cd84e50da2c4426e6ae06
tree 8bf104996345ef071b26c8b64fc668d033aefb77
parent 97522ed78f619506ef818b7a7b1160735b47c367
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:12 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:23 +0100
net/netfilter/xt_DSCP.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index fd7500e..9951e7f 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -128,7 +128,7 @@ tos_tg(struct sk_buff *skb, const struct net_device *in,
u_int8_t orig, nv;
orig = ipv4_get_dsfield(iph);
- nv = (orig & info->tos_mask) ^ info->tos_value;
+ nv = (orig & ~info->tos_mask) ^ info->tos_value;
if (orig != nv) {
if (!skb_make_writable(skb, sizeof(struct iphdr)))
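Review bot: the hunk header names tos_tg, so only the IPv4 path moves to `orig & ~info->tos_mask`; tos_tg6 in the same file (visible in the next patch of this series) computes the same `nv` and is not in this diff. Verify it already uses the inverted mask, otherwise the same `--set-tos value/mask` rule would behave differently for IPv4 and IPv6.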
* [NETFILTER 05/38]: xt_TOS: Properly set the TOS field
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_TOS: Properly set the TOS field
Fix incorrect mask value passed to ipv4_change_dsfield/ipv6_change_dsfield.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 89efd08437074cc2005dc258622866efa187c46a
tree 9614972fb51ab77899d80d89a50b363c438ff74f
parent b0b6c99174c0d7d9512cd84e50da2c4426e6ae06
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:15 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:23 +0100
net/netfilter/xt_DSCP.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 9951e7f..3d216d6 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -134,7 +134,7 @@ tos_tg(struct sk_buff *skb, const struct net_device *in,
if (!skb_make_writable(skb, sizeof(struct iphdr)))
return NF_DROP;
iph = ip_hdr(skb);
- ipv4_change_dsfield(iph, ~0, nv);
+ ipv4_change_dsfield(iph, 0, nv);
}
return XT_CONTINUE;
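Review bot: the fix is right: ipv4_change_dsfield() computes `(tos & mask) | value`, so with `~0` the old TOS bits survived the OR and a rule could set bits but never clear them; with 0 the field becomes exactly `nv`, which already carries the preserved bits from `orig & ~info->tos_mask`. A regression test that clears a previously set bit would have caught the original `~0`.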
@@ -156,7 +156,7 @@ tos_tg6(struct sk_buff *skb, const struct net_device *in,
if (!skb_make_writable(skb, sizeof(struct iphdr)))
return NF_DROP;
iph = ipv6_hdr(skb);
- ipv6_change_dsfield(iph, ~0, nv);
+ ipv6_change_dsfield(iph, 0, nv);
}
return XT_CONTINUE;
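Review bot: the context line `skb_make_writable(skb, sizeof(struct iphdr))` in tos_tg6 requests the IPv4 header length in the IPv6 path. It happens to suffice because the traffic-class bits sit in the first four bytes of the IPv6 header, but it should be `sizeof(struct ipv6hdr)` so the writable region matches the header actually being edited; a follow-up patch is warranted.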
* [NETFILTER 06/38]: Annotate start of kernel fields in NF headers
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Annotate start of kernel fields in NF headers
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit cf9efd38322201c52e424d16a304ce9970697f8f
tree fa34f1a03d9dc898c7e446b7a74ea02c616b4d5f
parent 89efd08437074cc2005dc258622866efa187c46a
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:21 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:24 +0100
include/linux/netfilter/xt_RATEEST.h | 2 ++
include/linux/netfilter/xt_connlimit.h | 2 +-
include/linux/netfilter/xt_hashlimit.h | 2 +-
include/linux/netfilter/xt_quota.h | 2 ++
include/linux/netfilter/xt_rateest.h | 2 ++
include/linux/netfilter/xt_statistic.h | 1 +
include/linux/netfilter/xt_string.h | 2 ++
include/linux/netfilter_ipv4/ipt_CLUSTERIP.h | 1 +
8 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h
index 670f2e4..f79e313 100644
--- a/include/linux/netfilter/xt_RATEEST.h
+++ b/include/linux/netfilter/xt_RATEEST.h
@@ -5,6 +5,8 @@ struct xt_rateest_target_info {
char name[IFNAMSIZ];
int8_t interval;
u_int8_t ewma_log;
+
+ /* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};
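Review bot: the comment marks where kernel-owned data begins but enforces nothing: the whole target info, `est` included, is copied back to userspace when the table is read, so the kernel pointer stored there is disclosed to iptables unless the copy-out path clears the fields past the marker. If the annotation is meant to be more than documentation, a follow-up should zero those fields on the way out for every header touched in this patch.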
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 315d2dc..7e3284b 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -15,7 +15,7 @@ struct xt_connlimit_info {
};
unsigned int limit, inverse;
- /* this needs to be at the end */
+ /* Used internally by the kernel */
struct xt_connlimit_data *data __attribute__((aligned(8)));
};
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b4556b8..c19972e 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -29,9 +29,9 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index acd7fd7..4c8368d 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -9,6 +9,8 @@ enum xt_quota_flags {
struct xt_quota_info {
u_int32_t flags;
u_int32_t pad;
+
+ /* Used internally by the kernel */
aligned_u64 quota;
struct xt_quota_info *master;
};
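Review bot: `quota` is placed under the kernel-internal marker, but it is the limit userspace passes in with the rule and the kernel only counts it down; `master` is the only purely kernel-owned field here. Either move the comment below `quota` or reword it (for example "modified by the kernel") so a reader of the header does not conclude that userspace must leave the field zero.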
diff --git a/include/linux/netfilter/xt_rateest.h b/include/linux/netfilter/xt_rateest.h
index 51948e1..2010cb7 100644
--- a/include/linux/netfilter/xt_rateest.h
+++ b/include/linux/netfilter/xt_rateest.h
@@ -26,6 +26,8 @@ struct xt_rateest_match_info {
u_int32_t pps1;
u_int32_t bps2;
u_int32_t pps2;
+
+ /* Used internally by the kernel */
struct xt_rateest *est1 __attribute__((aligned(8)));
struct xt_rateest *est2 __attribute__((aligned(8)));
};
diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h
index c344e99..3d38bc9 100644
--- a/include/linux/netfilter/xt_statistic.h
+++ b/include/linux/netfilter/xt_statistic.h
@@ -23,6 +23,7 @@ struct xt_statistic_info {
struct {
u_int32_t every;
u_int32_t packet;
+ /* Used internally by the kernel */
u_int32_t count;
} nth;
} u;
diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h
index 3b3419f..bb21dd1 100644
--- a/include/linux/netfilter/xt_string.h
+++ b/include/linux/netfilter/xt_string.h
@@ -12,6 +12,8 @@ struct xt_string_info
char pattern[XT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
+
+ /* Used internally by the kernel */
struct ts_config __attribute__((aligned(8))) *config;
};
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
index daf50be..e5a3687 100644
--- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -27,6 +27,7 @@ struct ipt_clusterip_tgt_info {
u_int32_t hash_mode;
u_int32_t hash_initval;
+ /* Used internally by the kernel */
struct clusterip_config *config;
};
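Review bot: unlike `est`, `data`, `est1`/`est2` and the string `config` in the other headers of this series, the `config` pointer here carries no `__attribute__((aligned(8)))`, so the struct has a different size, and possibly a different `config` offset, when a 32-bit iptables talks to a 64-bit kernel, and the target-info size check fails unless compat conversion covers it. Adding the comment is fine, but the missing alignment attribute is the larger inconsistency in this header.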
* [NETFILTER 07/38]: xt_CONNMARK target, revision 1
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_CONNMARK target, revision 1
Introduces the xt_CONNMARK target revision 1. It uses fixed types, and
also uses the more expressive XOR logic. Furthermore, it allows one to
selectively pick bits from both the ctmark and the nfmark in the SAVE
and RESTORE operations.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 49f994a1775f0f3284375f00d10b2251c0070528
tree 901d577d25ce2dcf63d3b8639f59bbd9f013c637
parent cf9efd38322201c52e424d16a304ce9970697f8f
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:25 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:24 +0100
include/linux/netfilter/xt_CONNMARK.h | 5 +
net/netfilter/xt_CONNMARK.c | 117 +++++++++++++++++++++++++++------
2 files changed, 102 insertions(+), 20 deletions(-)
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 9f74468..4e58ba4 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
u_int8_t mode;
};
+struct xt_connmark_tginfo1 {
+ u_int32_t ctmark, ctmask, nfmask;
+ u_int8_t mode;
+};
+
#endif /*_XT_CONNMARK_H_target*/
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index ec2eb34..b9bd772 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -1,8 +1,10 @@
-/* This kernel module is used to modify the connection mark values, or
- * to optionally restore the skb nfmark from the connection mark
+/*
+ * xt_CONNMARK - Netfilter module to modify the connection mark values
*
- * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -34,9 +36,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_connmark_target_info *markinfo = targinfo;
struct nf_conn *ct;
@@ -74,10 +76,50 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_connmark_tginfo1 *info = targinfo;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ u_int32_t newmark;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return XT_CONTINUE;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ newmark = (ct->mark & ~info->ctmask) ^
+ (skb->mark & info->nfmask);
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+ newmark = (skb->mark & ~info->nfmask) ^
+ (ct->mark & info->ctmask);
+ skb->mark = newmark;
+ break;
+ }
+
+ return XT_CONTINUE;
+}
+
static bool
-connmark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+connmark_tg_check_v0(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_target_info *matchinfo = targinfo;
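Review bot: the `switch (info->mode)` in the new connmark_tg has no `default:` arm, so a mode value outside SET/SAVE/RESTORE silently changes nothing and returns XT_CONTINUE. Since revision 1 takes `mode` straight from userspace, add a `default:` that at least WARN_ONs, or reject unknown modes in the revision-1 checkentry, so a malformed rule is not accepted as a silent no-op.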
@@ -101,6 +143,19 @@ connmark_tg_check(const char *tablename, const void *entry,
return true;
}
+static bool
+connmark_tg_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", target->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_tg_destroy(const struct xt_target *target, void *targinfo)
{
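Review bot: connmark_tg_check only confirms that conntrack support for `target->family` can be loaded; it never inspects `targinfo`, so any `mode` byte is accepted and the target then does nothing for it. Cast `targinfo` to `struct xt_connmark_tginfo1` and return false (with a printk, as the existing failure path does) for a mode other than XT_CONNMARK_SET, XT_CONNMARK_SAVE or XT_CONNMARK_RESTORE.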
@@ -115,7 +170,7 @@ struct compat_xt_connmark_target_info {
u_int16_t __pad2;
};
-static void connmark_tg_compat_from_user(void *dst, void *src)
+static void connmark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_target_info *cm = src;
struct xt_connmark_target_info m = {
@@ -126,7 +181,7 @@ static void connmark_tg_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int connmark_tg_compat_to_user(void __user *dst, void *src)
+static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_target_info *m = src;
struct compat_xt_connmark_target_info cm = {
@@ -141,32 +196,54 @@ static int connmark_tg_compat_to_user(void __user *dst, void *src)
static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_tg_init(void)
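Review bot: the two revision-1 entries carry no `.compatsize`, `.compat_from_user` or `.compat_to_user`, while the revision-0 entries keep theirs. That is correct rather than an oversight, because `struct xt_connmark_tginfo1` (three u_int32_t plus one u_int8_t, 16 bytes with tail padding) has the same layout on 32- and 64-bit ABIs, but a one-line comment next to the new entries would spare the next reader the same check.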
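The value/mask arithmetic described in the xt_TOS message above (patch 04) and used by the CONNMARK revision 1 target in this patch is easy to get backwards, so here is an added example, written for this page and not part of the netfilter patches or the kernel, that implements the two mask conventions and the SET/SAVE/RESTORE modes as plain host-side C. The `mark_or`/`mark_andnot`/`mark_xor`/`mark_set` helpers and all sample mark and TOS values are the example's own, derived from the formula rather than taken from the patches.

```c
/*
 * Added example (not part of the netfilter patches on this page): the
 * value/mask arithmetic shared by xt_TOS v1, xt_MARK v2 and xt_CONNMARK v1,
 * written as plain functions so the two mask conventions and the
 * SAVE/RESTORE bit selection can be checked on a host without a kernel.
 * Function names, struct names and sample values are the example's own.
 */
#include <stdint.h>
#include <stdio.h>

/* Old convention ("keep these bits"): iptables -j TOS --set-tos 0x01/0xFE */
static uint8_t tos_apply_keep_mask(uint8_t orig, uint8_t value, uint8_t mask)
{
    return (uint8_t)((orig & mask) ^ value);
}

/* New convention ("zero out these bits"): iptables -j TOS --set-tos 0x01/0x01 */
static uint8_t tos_apply_zero_mask(uint8_t orig, uint8_t value, uint8_t mask)
{
    return (uint8_t)((orig & (uint8_t)~mask) ^ value);
}

/* xt_MARK revision 2: the same formula applied to the 32-bit nfmark. */
static uint32_t mark_tg_v2(uint32_t skb_mark, uint32_t mark, uint32_t mask)
{
    return (skb_mark & ~mask) ^ mark;
}

/* A flow's conntrack mark and the current packet's skb mark (constructed). */
struct marks {
    uint32_t ct_mark;
    uint32_t skb_mark;
};

/* XT_CONNMARK_SET: rewrite the selected ct mark bits. */
static void connmark_set(struct marks *m, uint32_t ctmark, uint32_t ctmask)
{
    m->ct_mark = (m->ct_mark & ~ctmask) ^ ctmark;
}

/* XT_CONNMARK_SAVE: copy nfmask bits of the skb mark into ctmask bits of the ct mark. */
static void connmark_save(struct marks *m, uint32_t ctmask, uint32_t nfmask)
{
    m->ct_mark = (m->ct_mark & ~ctmask) ^ (m->skb_mark & nfmask);
}

/* XT_CONNMARK_RESTORE: copy ctmask bits of the ct mark into nfmask bits of the skb mark. */
static void connmark_restore(struct marks *m, uint32_t ctmask, uint32_t nfmask)
{
    m->skb_mark = (m->skb_mark & ~nfmask) ^ (m->ct_mark & ctmask);
}

/*
 * With "(x & ~mask) ^ value" one value/mask pair expresses every bit
 * operation, which is why the newer revisions need no mode field.
 * These encodings follow from the formula (they are not quoted from the patches):
 *   set bits    -> value = bits, mask = bits
 *   clear bits  -> value = 0,    mask = bits
 *   toggle bits -> value = bits, mask = 0
 *   replace all -> value = new,  mask = 0xffffffff
 */
static uint32_t mark_or(uint32_t m, uint32_t bits)     { return mark_tg_v2(m, bits, bits); }
static uint32_t mark_andnot(uint32_t m, uint32_t bits) { return mark_tg_v2(m, 0, bits); }
static uint32_t mark_xor(uint32_t m, uint32_t bits)    { return mark_tg_v2(m, bits, 0); }
static uint32_t mark_set(uint32_t m, uint32_t new_mark) { return mark_tg_v2(m, new_mark, 0xffffffffu); }

int main(void)
{
    /* Constructed sample packet: TOS 0x10, and a rule that wants bit 0 set. */
    uint8_t tos = 0x10;
    printf("old --set-tos 0x01/0xFE: %#04x\n", tos_apply_keep_mask(tos, 0x01, 0xFE));
    printf("new --set-tos 0x01/0x01: %#04x\n", tos_apply_zero_mask(tos, 0x01, 0x01));

    /* One formula, four operations, on a constructed nfmark. */
    printf("or 0x3 on 0x100:   %#x\n", (unsigned)mark_or(0x100, 0x3));
    printf("andnot 0x1 on 0x103: %#x\n", (unsigned)mark_andnot(0x103, 0x1));
    printf("xor 0x3 on 0x102:  %#x\n", (unsigned)mark_xor(0x102, 0x3));
    printf("set on 0x101:      %#x\n", (unsigned)mark_set(0x101, 0xdeadbeef));

    /* Copy the low byte of the skb mark into the ct mark, then back onto a fresh packet. */
    struct marks m = { .ct_mark = 0xAABBCC00u, .skb_mark = 0x42u };
    connmark_save(&m, 0xFFu, 0xFFu);
    m.skb_mark = 0;                       /* next packet of the same flow arrives unmarked */
    connmark_restore(&m, 0xFFu, 0xFFu);
    connmark_set(&m, 0x10u, 0xFFu);
    printf("ct=%#x skb=%#x\n", (unsigned)m.ct_mark, (unsigned)m.skb_mark);
    return 0;
}
```

Compile with any C compiler and run. The first two lines show that `0x01/0xFE` under the old convention and `0x01/0x01` under the new one yield the same TOS byte, which is exactly the equivalence the commit message gives; the remaining lines show why the XOR form is called more expressive: set, clear, toggle and full replacement all come out of one target revision with no mode field, and SAVE/RESTORE move only the bits each mask selects.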
* [NETFILTER 08/38]: xt_MARK target, revision 2
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_MARK target, revision 2
Introduces the xt_MARK target revision 2. It uses fixed types, and
also uses the more expressive XOR logic.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 158847483305cdda53fa8c786a41a9cbfa692528
tree f42c759081ada7a5b0a99b5b8e5fd244dc3b9c54
parent 49f994a1775f0f3284375f00d10b2251c0070528
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:27 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:25 +0100
include/linux/netfilter/xt_MARK.h | 4 ++
net/netfilter/xt_MARK.c | 74 ++++++++++++++++++++++++++-----------
2 files changed, 56 insertions(+), 22 deletions(-)
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index b021e93..778b278 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
u_int8_t mode;
};
+struct xt_mark_tginfo2 {
+ u_int32_t mark, mask;
+};
+
#endif /*_XT_MARK_H_target */
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 57c6d55..1c3fb75 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -1,10 +1,13 @@
-/* This is a module which is used for setting the NFMARK field of an skb. */
-
-/* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+/*
+ * xt_MARK - Netfilter module to modify the NFMARK field of an skb
+ *
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
@@ -33,9 +36,9 @@ mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
}
static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
int mark = 0;
@@ -58,6 +61,17 @@ mark_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_mark_tginfo2 *info = targinfo;
+
+ skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+ return XT_CONTINUE;
+}
+
static bool
mark_tg_check_v0(const char *tablename, const void *entry,
const struct xt_target *target, void *targinfo,
@@ -73,9 +87,9 @@ mark_tg_check_v0(const char *tablename, const void *entry,
}
static bool
-mark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+mark_tg_check_v1(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
@@ -98,7 +112,7 @@ struct compat_xt_mark_target_info {
compat_ulong_t mark;
};
-static void mark_tg_compat_from_user(void *dst, void *src)
+static void mark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_target_info *cm = src;
struct xt_mark_target_info m = {
@@ -107,7 +121,7 @@ static void mark_tg_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int mark_tg_compat_to_user(void __user *dst, void *src)
+static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_target_info *m = src;
struct compat_xt_mark_target_info cm = {
@@ -154,8 +168,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -164,8 +178,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.name = "MARK",
.family = AF_INET,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -184,8 +198,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -194,8 +208,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.name = "MARK",
.family = AF_INET6,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -205,6 +219,22 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.table = "mangle",
.me = THIS_MODULE,
},
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET6,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_tg_init(void)
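Review bot: the two revision 2 entries drop the `.table = "mangle"` restriction that every revision 0 and 1 entry in this array carries, so `-j MARK` rev 2 becomes usable from any table; if that is intended, the commit message should say so, otherwise add `.table = "mangle"` to both new entries.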
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* [NETFILTER 09/38]: xt_connmark match, revision 1
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_connmark match, revision 1
Introduces the xt_connmark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
(Unfixed types like "unsigned long" do not play well with mixed
user-/kernelspace "bitness", e.g. 32/64, as is common on SPARC64,
and need extra compat code.)
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit e1b4563007f6a292af1b18b575f5c36f998155c0
tree ae84cf34ab573096f497fc26d8455e3730ddcf04
parent 158847483305cdda53fa8c786a41a9cbfa692528
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:29 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:25 +0100
include/linux/netfilter/xt_connmark.h | 5 ++
net/netfilter/xt_connmark.c | 88 +++++++++++++++++++++++++++------
2 files changed, 76 insertions(+), 17 deletions(-)
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index c592f6a..359ef86 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
u_int8_t invert;
};
+struct xt_connmark_mtinfo1 {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_CONNMARK_H*/
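Review bot: struct xt_connmark_mtinfo1 holds 9 bytes of data in a 12-byte struct, so three bytes of implicit trailing padding are copied from userspace along with the match data; compat_xt_connmark_info in xt_connmark.c spells its padding out (`u_int16_t __pad2;`), and doing the same here (for example `u_int8_t __pad[3];`) keeps the userspace ABI explicit instead of relying on every compiler and arch to pad identically.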
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 8ad875b..55c6235 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -1,8 +1,10 @@
-/* This kernel module matches connection mark values set by the
- * CONNMARK target
+/*
+ * xt_connmark - Netfilter module to match connection mark values
*
- * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -37,6 +39,23 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
+ const struct xt_connmark_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return false;
+
+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
+connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
const struct xt_connmark_info *info = matchinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
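Review bot: `((ct->mark & info->mask) == info->mark) ^ info->invert` only gives the intended result when invert is exactly 0 or 1; an invert of, say, 2 from a buggy ruleset makes every packet match regardless of the mark. Use `^ !!info->invert` here, or have connmark_mt_check reject `info->invert > 1`, since rev 1 no longer passes through the rev 0 checkentry.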
@@ -49,9 +68,9 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
-connmark_mt_check(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+connmark_mt_check_v0(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_info *cm = matchinfo;
@@ -67,6 +86,19 @@ connmark_mt_check(const char *tablename, const void *ip,
return true;
}
+static bool
+connmark_mt_check(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", match->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_mt_destroy(const struct xt_match *match, void *matchinfo)
{
@@ -81,7 +113,7 @@ struct compat_xt_connmark_info {
u_int16_t __pad2;
};
-static void connmark_mt_compat_from_user(void *dst, void *src)
+static void connmark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_info *cm = src;
struct xt_connmark_info m = {
@@ -92,7 +124,7 @@ static void connmark_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int connmark_mt_compat_to_user(void __user *dst, void *src)
+static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_info *m = src;
struct compat_xt_connmark_info cm = {
@@ -107,32 +139,54 @@ static int connmark_mt_compat_to_user(void __user *dst, void *src)
static struct xt_match connmark_mt_reg[] __read_mostly = {
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
- .compat_from_user = connmark_mt_compat_from_user,
- .compat_to_user = connmark_mt_compat_to_user,
+ .compat_from_user = connmark_mt_compat_from_user_v0,
+ .compat_to_user = connmark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
- .compat_from_user = connmark_mt_compat_from_user,
- .compat_to_user = connmark_mt_compat_to_user,
+ .compat_from_user = connmark_mt_compat_from_user_v0,
+ .compat_to_user = connmark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_mtinfo1),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_mtinfo1),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_mt_init(void)
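Review bot: minor style point: the two revision 1 entries list `.matchsize` before `.destroy`, the reverse of the revision 0 entries just above; keeping the field order identical makes the array easier to read and diff. Functionally the `.destroy = connmark_mt_destroy` on the rev 1 entries is required, because connmark_mt_check takes an l3proto module reference that destroy has to drop.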
* [NETFILTER 10/38]: Extend nf_inet_addr with in{,6}_addr
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Extend nf_inet_addr with in{,6}_addr
Extend union nf_inet_addr with struct in_addr and in6_addr. Useful
because a lot of in-kernel IPv4 and IPv6 functions use
in_addr/in6_addr.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit eecfb07f489d73875a46d4a7c9270f92596adf88
tree bd09665b0b785bc99bf7ca4bf97d3a817c42592b
parent e1b4563007f6a292af1b18b575f5c36f998155c0
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:30 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:25 +0100
include/linux/netfilter.h | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index c41f643..d74e79b 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -7,6 +7,8 @@
#include <linux/skbuff.h>
#include <linux/net.h>
#include <linux/if.h>
+#include <linux/in.h>
+#include <linux/in6.h>
#include <linux/wait.h>
#include <linux/list.h>
#endif
@@ -52,6 +54,8 @@ union nf_inet_addr {
u_int32_t all[4];
__be32 ip;
__be32 ip6[4];
+ struct in_addr in;
+ struct in6_addr in6;
};
#ifdef __KERNEL__
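Review bot: the new `struct in_addr in` / `struct in6_addr in6` members sit in union nf_inet_addr, which is declared before the `#ifdef __KERNEL__` that closes this hunk and is therefore part of the userspace-visible header, but the `<linux/in.h>` / `<linux/in6.h>` includes added in the previous hunk end with an `#endif`, which suggests they live inside a kernel-only block. Userspace programs that include linux/netfilter.h without first pulling in netinet/in.h will now fail to compile; either include the two headers unconditionally or document the requirement. On the plus side in6_addr and ip6[4] are both 16 bytes, so sizeof(union nf_inet_addr) is unchanged.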
* [NETFILTER 11/38]: xt_conntrack match, revision 1
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_conntrack match, revision 1
Introduces the xt_conntrack match revision 1. It uses fixed types, the
new nf_inet_addr and comes with IPv6 support, thereby completely
superseding xt_state.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b222e77b3dc12bb1765559d1aec2bc2701d5e913
tree b39e728f72f678814902b81baf51b5e4c42685d1
parent eecfb07f489d73875a46d4a7c9270f92596adf88
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:31 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:26 +0100
include/linux/netfilter/xt_conntrack.h | 16 ++
net/netfilter/xt_conntrack.c | 207 ++++++++++++++++++++++++++++----
2 files changed, 197 insertions(+), 26 deletions(-)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 70b6f71..d2492a3 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,7 +6,9 @@
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/in.h>
+#ifdef __KERNEL__
+# include <linux/in.h>
+#endif
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
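Review bot: guarding `<linux/in.h>` with `#ifdef __KERNEL__` is fine on its own, but this same header gains struct xt_conntrack_mtinfo1 built from union nf_inet_addr, and the only include left for userspace is nf_conntrack_tuple_common.h; make sure userspace can obtain the union definition (linux/netfilter.h) from this header alone, or state which header must be included first.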
@@ -60,4 +62,16 @@ struct xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};
+
+struct xt_conntrack_mtinfo1 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int8_t state_mask, status_mask;
+ u_int8_t match_flags, invert_flags;
+};
+
#endif /*_XT_CONNTRACK_H*/
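Review bot: `l4proto` is declared u_int16_t, but conntrack_mt compares it with the tuple's dst.protonum, which holds an 8-bit IP protocol number; any value above 255 can never match, and the rev 1 path performs no checkentry validation of matchinfo that would reject it. Either declare the field u_int8_t or have the checkentry refuse `l4proto > 255`.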
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3f8bfba..dc9e737 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -1,15 +1,19 @@
-/* Kernel module to match connection tracking information.
- * Superset of Rusty's minimalistic state match.
+/*
+ * xt_conntrack - Netfilter module to match connection tracking
+ * information. (Superset of Rusty's minimalistic state match.)
*
- * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
@@ -18,12 +22,13 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables connection tracking match module");
MODULE_ALIAS("ipt_conntrack");
+MODULE_ALIAS("ip6t_conntrack");
static bool
-conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct xt_conntrack_info *sinfo = matchinfo;
const struct nf_conn *ct;
@@ -112,6 +117,134 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
+conntrack_addrcmp(const union nf_inet_addr *kaddr,
+ const union nf_inet_addr *uaddr,
+ const union nf_inet_addr *umask, unsigned int l3proto)
+{
+ if (l3proto == AF_INET)
+ return (kaddr->ip & umask->ip) == uaddr->ip;
+ else if (l3proto == AF_INET6)
+ return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
+ &uaddr->in6) == 0;
+ else
+ return false;
+}
+
+static inline bool
+conntrack_mt_origsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
+ &info->origsrc_addr, &info->origsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_origdst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
+ &info->origdst_addr, &info->origdst_mask, family);
+}
+
+static inline bool
+conntrack_mt_replsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
+ &info->replsrc_addr, &info->replsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_repldst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
+ &info->repldst_addr, &info->repldst_mask, family);
+}
+
+static bool
+conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_conntrack_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+ unsigned int statebit;
+
+ ct = nf_ct_get(skb, &ctinfo);
+
+ if (ct == &nf_conntrack_untracked)
+ statebit = XT_CONNTRACK_STATE_UNTRACKED;
+ else if (ct != NULL)
+ statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+ else
+ statebit = XT_CONNTRACK_STATE_INVALID;
+
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (ct != NULL) {
+ if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_SNAT;
+ if (test_bit(IPS_DST_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_DNAT;
+ }
+ if ((info->state_mask & statebit) ^
+ !(info->invert_flags & XT_CONNTRACK_STATE))
+ return false;
+ }
+
+ if (ct == NULL)
+ return info->match_flags & XT_CONNTRACK_STATE;
+
+ if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+ ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
+ info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC)
+ if (conntrack_mt_origsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST)
+ if (conntrack_mt_origdst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC)
+ if (conntrack_mt_replsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST)
+ if (conntrack_mt_repldst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_STATUS) &&
+ (!!(info->status_mask & ct->status) ^
+ !(info->invert_flags & XT_CONNTRACK_STATUS)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ unsigned long expires = 0;
+
+ if (timer_pending(&ct->timeout))
+ expires = (ct->timeout.expires - jiffies) / HZ;
+ if ((expires >= info->expires_min &&
+ expires <= info->expires_max) ^
+ !(info->invert_flags & XT_CONNTRACK_EXPIRES))
+ return false;
+ }
+ return true;
+}
+
+static bool
conntrack_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
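Review bot: the state test `(info->state_mask & statebit) ^ !(info->invert_flags & XT_CONNTRACK_STATE)` XORs a multi-bit mask value with a 0/1 boolean, so a non-inverted match on any state bit other than bit 0 (XT_CONNTRACK_STATE_BIT() yields at least `1 << 1`) evaluates to e.g. `2 ^ 1 == 3`, which is non-zero and wrongly returns false; the status test further down gets this right with `!!(info->status_mask & ct->status)`. Apply the same `!!` to the state expression. The remaining tests (`==` comparison, the bool address helpers, the expires range) already produce 0/1 and are fine.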
@@ -144,7 +277,7 @@ struct compat_xt_conntrack_info
u_int8_t invflags;
};
-static void conntrack_mt_compat_from_user(void *dst, void *src)
+static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_conntrack_info *cm = src;
struct xt_conntrack_info m = {
@@ -161,7 +294,7 @@ static void conntrack_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int conntrack_mt_compat_to_user(void __user *dst, void *src)
+static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_conntrack_info *m = src;
struct compat_xt_conntrack_info cm = {
@@ -179,29 +312,53 @@ static int conntrack_mt_compat_to_user(void __user *dst, void *src)
}
#endif
-static struct xt_match conntrack_mt_reg __read_mostly = {
- .name = "conntrack",
- .match = conntrack_mt,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .matchsize = sizeof(struct xt_conntrack_info),
+static struct xt_match conntrack_mt_reg[] __read_mostly = {
+ {
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .match = conntrack_mt_v0,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .matchsize = sizeof(struct xt_conntrack_info),
+ .me = THIS_MODULE,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_conntrack_info),
- .compat_from_user = conntrack_mt_compat_from_user,
- .compat_to_user = conntrack_mt_compat_to_user,
+ .compatsize = sizeof(struct compat_xt_conntrack_info),
+ .compat_from_user = conntrack_mt_compat_from_user_v0,
+ .compat_to_user = conntrack_mt_compat_to_user_v0,
#endif
- .family = AF_INET,
- .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET6,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init conntrack_mt_init(void)
{
- return xt_register_match(&conntrack_mt_reg);
+ return xt_register_matches(conntrack_mt_reg,
+ ARRAY_SIZE(conntrack_mt_reg));
}
static void __exit conntrack_mt_exit(void)
{
- xt_unregister_match(&conntrack_mt_reg);
+ xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
}
module_init(conntrack_mt_init);
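Review bot: conntrack_mt_check is now registered for the revision 0 entry and both revision 1 entries even though their matchinfo layouts differ (xt_conntrack_info vs xt_conntrack_mtinfo1); that is only safe while the check never dereferences matchinfo, and its body is not in this diff. If it does, or if rev 1 later gains any matchinfo validation, split it into conntrack_mt_check_v0 / conntrack_mt_check the way the match and compat functions were split.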
* [NETFILTER 12/38]: xt_mark match, revision 1
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_mark match, revision 1
Introduces the xt_mark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 72c54af2cbc724b17aa0b4e58718311dd70617df
tree 7ec4ce8476efa20d77432f6581faececef7a2689
parent b222e77b3dc12bb1765559d1aec2bc2701d5e913
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:34 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:17 +0100
include/linux/netfilter/xt_mark.h | 5 +++
net/netfilter/xt_mark.c | 72 +++++++++++++++++++++++++++----------
2 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 802dd48..fae74bc 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -6,4 +6,9 @@ struct xt_mark_info {
u_int8_t invert;
};
+struct xt_mark_mtinfo1 {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_MARK_H*/
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index ce8735e..5cc8cc5 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -1,10 +1,13 @@
-/* Kernel module to match NFMARK values. */
-
-/* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+/*
+ * xt_mark - Netfilter module to match NFMARK value
+ *
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
@@ -20,19 +23,30 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
+mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_mark_info *info = matchinfo;
+
+ return ((skb->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
mark_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- const struct xt_mark_info *info = matchinfo;
+ const struct xt_mark_mtinfo1 *info = matchinfo;
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
static bool
-mark_mt_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+mark_mt_check_v0(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_info *minfo = matchinfo;
@@ -51,7 +65,7 @@ struct compat_xt_mark_info {
u_int16_t __pad2;
};
-static void mark_mt_compat_from_user(void *dst, void *src)
+static void mark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_info *cm = src;
struct xt_mark_info m = {
@@ -62,7 +76,7 @@ static void mark_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int mark_mt_compat_to_user(void __user *dst, void *src)
+static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_info *m = src;
struct compat_xt_mark_info cm = {
@@ -77,30 +91,48 @@ static int mark_mt_compat_to_user(void __user *dst, void *src)
static struct xt_match mark_mt_reg[] __read_mostly = {
{
.name = "mark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
- .compat_from_user = mark_mt_compat_from_user,
- .compat_to_user = mark_mt_compat_to_user,
+ .compat_from_user = mark_mt_compat_from_user_v0,
+ .compat_to_user = mark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE,
},
{
.name = "mark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
- .compat_from_user = mark_mt_compat_from_user,
- .compat_to_user = mark_mt_compat_to_user,
+ .compat_from_user = mark_mt_compat_from_user_v0,
+ .compat_to_user = mark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE,
},
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_mtinfo1),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_mtinfo1),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_mt_init(void)
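Review bot: the revision 1 entries register no `.checkentry`, so nothing validates `info->invert`, and mark_mt XORs the comparison result with it directly (`... ^ info->invert`); an invert value other than 0 or 1 makes every packet match. Either write `^ !!info->invert` in mark_mt or give rev 1 a checkentry that rejects `invert > 1`.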
* [NETFILTER 13/38]: xt_pkttype: Add explicit check for IPv4
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_pkttype: Add explicit check for IPv4
In the PACKET_LOOPBACK case, the skb data was always interpreted as
IPv4, but that is not valid for IPv6, obviously. Fix this by adding an
extra condition to check for AF_INET.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 65196922f6f712071d1d559406348c5ba9c9810c
tree eead1feb27c9cdeeb316638e9ddb48d4f775e6b6
parent 72c54af2cbc724b17aa0b4e58718311dd70617df
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:35 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:17 +0100
net/netfilter/xt_pkttype.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 2762449..080f324 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -31,7 +31,8 @@ pkttype_mt(const struct sk_buff *skb, const struct net_device *in,
const struct xt_pkttype_info *info = matchinfo;
if (skb->pkt_type == PACKET_LOOPBACK)
- type = ipv4_is_multicast(ip_hdr(skb)->daddr)
+ type = match->family == AF_INET &&
+ ipv4_is_multicast(ip_hdr(skb)->daddr)
? PACKET_MULTICAST
: PACKET_BROADCAST;
else
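Review bot: `match->family == AF_INET && ipv4_is_multicast(...) ? PACKET_MULTICAST : PACKET_BROADCAST` is correct because `&&` binds tighter than `?:`, but please parenthesise the condition so the intent is obvious at a glance. The short-circuit is what keeps `ip_hdr(skb)` from reading IPv6 data as an IPv4 header; note that every IPv6 loopback packet now reports PACKET_BROADCAST until the IPv6 multicast check in the next patch of this series lands.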
* [NETFILTER 14/38]: xt_pkttype: IPv6 multicast address recognition
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_pkttype: IPv6 multicast address recognition
Signed-off-by: Jan Engelhart <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 109069cb6db009d150c385451a63461fe9d5c42e
tree f12db52a8a1c5209fd7385bf1b8065c734f8e348
parent 65196922f6f712071d1d559406348c5ba9c9810c
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:37 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:18 +0100
net/netfilter/xt_pkttype.c | 18 +++++++++++-------
1 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 080f324..cbcb8ea 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -11,6 +11,7 @@
#include <linux/if_packet.h>
#include <linux/in.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/netfilter/xt_pkttype.h>
#include <linux/netfilter/x_tables.h>
@@ -27,16 +28,19 @@ pkttype_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- u_int8_t type;
const struct xt_pkttype_info *info = matchinfo;
+ u_int8_t type;
- if (skb->pkt_type == PACKET_LOOPBACK)
- type = match->family == AF_INET &&
- ipv4_is_multicast(ip_hdr(skb)->daddr)
- ? PACKET_MULTICAST
- : PACKET_BROADCAST;
- else
+ if (skb->pkt_type != PACKET_LOOPBACK)
type = skb->pkt_type;
+ else if (match->family == AF_INET &&
+ ipv4_is_multicast(ip_hdr(skb)->daddr))
+ type = PACKET_MULTICAST;
+ else if (match->family == AF_INET6 &&
+ ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
+ type = PACKET_MULTICAST;
+ else
+ type = PACKET_BROADCAST;
return (type == info->pkttype) ^ info->invert;
}
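Review bot: `ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF` open-codes the ff00::/8 test; the kernel already provides ipv6_addr_is_multicast() in <net/ipv6.h>, and using it mirrors the ipv4_is_multicast() call on the AF_INET branch and keeps the definition of "multicast" in one place rather than in a magic byte. The swap of the `u_int8_t type;` and `const struct xt_pkttype_info *info` declarations at the top of the hunk is unrelated churn that enlarges the diff without changing behaviour; dropping it leaves the hunk as purely the loopback-classification rewrite.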

[NETFILTER 15/38]: xt_policy: use the new union nf_inet_addr
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_policy: use the new union nf_inet_addr
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 9793ea135e7d8ad359f3fd35b94fe89faa0e88a3
tree 5caafc6eed4688a307996bd4a43bfad94c8ff5b4
parent 109069cb6db009d150c385451a63461fe9d5c42e
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:38 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:19 +0100
include/linux/netfilter/xt_policy.h | 23 +++++++++++++++++++----
net/netfilter/xt_policy.c | 15 ++++++++-------
2 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
index 45654d3..053d8cc 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/linux/netfilter/xt_policy.h
@@ -27,18 +27,33 @@ struct xt_policy_spec
reqid:1;
};
+#ifndef __KERNEL__
union xt_policy_addr
{
struct in_addr a4;
struct in6_addr a6;
};
+#endif
struct xt_policy_elem
{
- union xt_policy_addr saddr;
- union xt_policy_addr smask;
- union xt_policy_addr daddr;
- union xt_policy_addr dmask;
+ union {
+#ifdef __KERNEL__
+ struct {
+ union nf_inet_addr saddr;
+ union nf_inet_addr smask;
+ union nf_inet_addr daddr;
+ union nf_inet_addr dmask;
+ };
+#else
+ struct {
+ union xt_policy_addr saddr;
+ union xt_policy_addr smask;
+ union xt_policy_addr daddr;
+ union xt_policy_addr dmask;
+ };
+#endif
+ };
__be32 spi;
u_int32_t reqid;
u_int8_t proto;
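Review bot: the outer anonymous `union { ... }` has exactly one member in either build (the kernel struct or the userspace struct), so it contributes nothing to the layout; the two `#ifdef __KERNEL__` structs can sit directly in struct xt_policy_elem, or more simply the four fields can be declared once with a typedef-style `#ifdef` choosing the address type. What the change relies on without saying so is that sizeof(union nf_inet_addr) == sizeof(union xt_policy_addr) (16 bytes) with the IPv4 address at offset 0, because iptables fills in the userspace layout and the kernel reads it through the other; a BUILD_BUG_ON() on the two sizes in the match's checkentry would pin that ABI assumption down. Anonymous struct members are also a GNU extension, and this header is compiled by userspace tools, so the `#ifndef __KERNEL__` side should stay free of constructs that need it.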
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 45731ca..47c2e43 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -13,6 +13,7 @@
#include <linux/init.h>
#include <net/xfrm.h>
+#include <linux/netfilter.h>
#include <linux/netfilter/xt_policy.h>
#include <linux/netfilter/x_tables.h>
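Review bot: `#include <linux/netfilter.h>` lands in xt_policy.c, but it is xt_policy.h (the previous file in this patch) that now names union nf_inet_addr under `#ifdef __KERNEL__`; placing the include in the header, inside that same `#ifdef`, keeps the header self-contained for any other includer instead of depending on include order in each .c file.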
@@ -21,14 +22,14 @@ MODULE_DESCRIPTION("Xtables IPsec policy matching module");
MODULE_LICENSE("GPL");
static inline bool
-xt_addr_cmp(const union xt_policy_addr *a1, const union xt_policy_addr *m,
- const union xt_policy_addr *a2, unsigned short family)
+xt_addr_cmp(const union nf_inet_addr *a1, const union nf_inet_addr *m,
+ const union nf_inet_addr *a2, unsigned short family)
{
switch (family) {
case AF_INET:
- return !((a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr);
+ return ((a1->ip ^ a2->ip) & m->ip) == 0;
case AF_INET6:
- return !ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
+ return ipv6_masked_addr_cmp(&a1->in6, &m->in6, &a2->in6) == 0;
}
return false;
}
@@ -38,12 +39,12 @@ match_xfrm_state(const struct xfrm_state *x, const struct xt_policy_elem *e,
unsigned short family)
{
#define MATCH_ADDR(x,y,z) (!e->match.x || \
- (xt_addr_cmp(&e->x, &e->y, (z), family) \
+ (xt_addr_cmp(&e->x, &e->y, (const union nf_inet_addr *)(z), family) \
^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
- return MATCH_ADDR(saddr, smask, (union xt_policy_addr *)&x->props.saddr) &&
- MATCH_ADDR(daddr, dmask, (union xt_policy_addr *)&x->id.daddr) &&
+ return MATCH_ADDR(saddr, smask, &x->props.saddr) &&
+ MATCH_ADDR(daddr, dmask, &x->id.daddr) &&
MATCH(proto, x->id.proto) &&
MATCH(mode, x->props.mode) &&
MATCH(spi, x->id.spi) &&
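Review bot: moving the cast into MATCH_ADDR tidies the call sites, but `(const union nf_inet_addr *)(z)` still reinterprets an xfrm_address_t (the `&x->props.saddr` and `&x->id.daddr` arguments) as union nf_inet_addr; both are 16-byte unions with the IPv4 address first, so the read is correct today, yet the macro now silently accepts any pointer type for `z`. A small static inline taking `const xfrm_address_t *` and returning the union nf_inet_addr view would keep the compiler's type checking and document why the aliasing is safe; at minimum the macro deserves a comment stating the layout equivalence it depends on. The macro parameter named `x` beside the function's `struct xfrm_state *x` is pre-existing but easy to misread, and renaming it while the macro is being touched would help.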

[NETFILTER 16/38]: Update modules' descriptions
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Update modules' descriptions
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 1834195893f1df31c850cf93281e4a88e2cfad9b
tree 4ee31ded35ae277bef8a3c123a54f58e34b383f8
parent 9793ea135e7d8ad359f3fd35b94fe89faa0e88a3
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:40 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:20 +0100
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_TTL.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/ipt_iprange.c | 2 +-
net/ipv4/netfilter/ipt_recent.c | 2 +-
net/ipv4/netfilter/ipt_ttl.c | 2 +-
net/ipv6/netfilter/ip6t_HL.c | 2 +-
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_eui64.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
net/ipv6/netfilter/ip6t_hl.c | 2 +-
net/ipv6/netfilter/ip6t_ipv6header.c | 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/xt_CLASSIFY.c | 2 +-
net/netfilter/xt_CONNMARK.c | 2 +-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_MARK.c | 2 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_NOTRACK.c | 1 +
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_SECMARK.c | 2 +-
net/netfilter/xt_TCPMSS.c | 2 +-
net/netfilter/xt_TCPOPTSTRIP.c | 2 +-
net/netfilter/xt_TRACE.c | 1 +
net/netfilter/xt_comment.c | 2 +-
net/netfilter/xt_connbytes.c | 2 +-
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 2 +-
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 2 +-
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_length.c | 2 +-
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_mac.c | 2 +-
net/netfilter/xt_mark.c | 2 +-
net/netfilter/xt_multiport.c | 2 +-
net/netfilter/xt_owner.c | 2 +-
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_pkttype.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 1 +
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_tcpmss.c | 2 +-
net/netfilter/xt_tcpudp.c | 2 +-
net/netfilter/xt_time.c | 2 +-
net/netfilter/xt_u32.c | 2 +-
67 files changed, 67 insertions(+), 64 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index df39ca0..1b31f7d 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -32,7 +32,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("Xtables: CLUSTERIP target");
struct clusterip_config {
struct list_head list; /* list of all configs */
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ab41764..21395bc 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag modification");
/* set ECT codepoint from IP header.
* return false if there was an error. */
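Review bot: the new MODULE_DESCRIPTION line runs to roughly 88 columns, past the 80-column limit checkpatch warns about; these strings are read back verbatim by `modinfo`, so something shorter such as "Xtables: ECN flag modification for IPv4" fits the limit and matches the one-line style of the other descriptions in this patch (the ipt_ecn hunk below, "... (ECN) flag match for IPv4", has the same problem).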
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5acdddf..b38d785 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("Xtables: IPv4 packet logging to syslog");
/* Use lock to serialize, so printks don't overlap */
static DEFINE_SPINLOCK(log_lock);
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 1cbff7b..d80fee8 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
/* Lock protects masq region inside conntrack */
static DEFINE_RWLOCK(masq_lock);
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 5b71ef4..6739abf 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
static bool
netmap_tg_check(const char *tablename, const void *e,
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 3d9ec5c..5c62924 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -23,7 +23,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
/* FIXME: Take multiple ranges --RR */
static bool
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a299ceb..e3c2ecc 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -29,7 +29,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
/* Send RST reply */
static void send_reset(struct sk_buff *oldskb, int hook)
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index fa13cf6..30eed65 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_ipv4/ipt_TTL.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("Xtables: IPv4 TTL field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 1d8e146..fa24efa 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -50,7 +50,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("Xtables: packet logging to netlink using ULOG");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
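Review bot: ipt_LOG's new description earlier in this patch is qualified as "IPv4 packet logging to syslog", but ipt_ULOG, equally IPv4-only as an ipt_ module, gets the unqualified "packet logging to netlink using ULOG"; adding "IPv4" here keeps the two IPv4-only loggers consistent and distinguishes ULOG from the family-independent xt_NFLOG description ("packet logging to netlink using NFLOG") later in the patch.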
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 8763902..49587a4 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("Xtables: address type match for IPv4");
static inline bool match_type(const struct net_device *dev, __be32 addr,
u_int16_t mask)
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 2b2fb26..e977989 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
#ifdef DEBUG_CONNTRACK
#define duprintf(format, args...) printk(format , ## args)
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index ea13784..749de82 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv4/ipt_ecn.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL");
static inline bool match_ip(const struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 82208ed..9a2aba8 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -15,7 +15,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
static bool
iprange_mt(const struct sk_buff *skb, const struct net_device *in,
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 4f3700d..e3154a9 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -30,7 +30,7 @@
#include <linux/netfilter_ipv4/ipt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
static unsigned int ip_list_tot = 100;
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index b18d391..e0b8cae 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("Xtables: IPv4 TTL field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index cefb425..d5f8fd5 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -15,7 +15,7 @@
#include <linux/netfilter_ipv6/ip6t_HL.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 474c2b1..86a6138 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -26,7 +26,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
-MODULE_DESCRIPTION("IP6 tables LOG target module");
+MODULE_DESCRIPTION("Xtables: IPv6 packet logging to syslog");
MODULE_LICENSE("GPL");
struct in_device;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index a951c2c..b23baa6 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -31,7 +31,7 @@
#include <linux/netfilter_ipv6/ip6t_REJECT.h>
MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
-MODULE_DESCRIPTION("IP6 tables REJECT target module");
+MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
MODULE_LICENSE("GPL");
/* Send RST reply */
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index f5d08a8..429629f 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -20,7 +20,7 @@
#include <linux/netfilter_ipv6/ip6t_ah.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 AH match");
+MODULE_DESCRIPTION("Xtables: IPv6 IPsec-AH match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the spi is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index dd9e67d..8f331f1 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
+MODULE_DESCRIPTION("Xtables: IPv6 EUI64 address match");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index ae8c714..e2bbc63 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv6/ip6t_frag.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 FRAG match");
+MODULE_DESCRIPTION("Xtables: IPv6 fragment match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index b76e27d..62e39ac 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_opts.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 opts match");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop-By-Hop and Destination Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
MODULE_ALIAS("ip6t_dst");
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 8f2d7d0..3456716 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -16,7 +16,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit matching module");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index ae497e7..3a94017 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -23,7 +23,7 @@
#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 headers match");
+MODULE_DESCRIPTION("Xtables: IPv6 header types match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 618e6b9..e06678d 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6t_mh.h>
-MODULE_DESCRIPTION("ip6t_tables match for MH");
+MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
MODULE_LICENSE("GPL");
#ifdef DEBUG_IP_FIREWALL_USER
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 038cea6..12a9efe 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_rt.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 RT match");
+MODULE_DESCRIPTION("Xtables: IPv6 Routing Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 8e83dd4..77a52bf 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -22,7 +22,7 @@
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables qdisc classification target module");
+MODULE_DESCRIPTION("Xtables: Qdisc classification");
MODULE_ALIAS("ipt_CLASSIFY");
MODULE_ALIAS("ip6t_CLASSIFY");
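Review bot: capitalisation after "Xtables:" is inconsistent across the patch: "Qdisc classification" here, "Connection redirection to localhost" (ipt_REDIRECT), "Disabling connection tracking for packets" (xt_NOTRACK) and "Number of connections matching" (xt_connlimit) start with a capital, while most entries use lowercase ("packet mark modification", "connection mark match", "rate-limit match"); pick one form for the whole series, since these strings appear side by side in modinfo output.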
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index b9bd772..5fecfb4 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -26,7 +26,7 @@
#include <net/checksum.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_DESCRIPTION("Xtables: connection mark modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 024106b..1faa913 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3d216d6..97efd74 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv4/ipt_TOS.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP modification module");
+MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DSCP");
MODULE_ALIAS("ip6t_DSCP");
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 1c3fb75..f9ce20b 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("ip[6]tables MARK modification module");
+MODULE_DESCRIPTION("Xtables: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 866facf..19ae8ef 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -15,7 +15,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFLOG");
MODULE_ALIAS("ip6t_NFLOG");
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 16b57c2..beb24d1 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -17,7 +17,7 @@
#include <linux/netfilter/xt_NFQUEUE.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("[ip,ip6,arp]_tables NFQUEUE target");
+MODULE_DESCRIPTION("Xtables: packet forwarding to netlink");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFQUEUE");
MODULE_ALIAS("ip6t_NFQUEUE");
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 95712e4..6c9de61 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -7,6 +7,7 @@
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_conntrack.h>
+MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index c008883..c5ba525 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -197,7 +197,7 @@ static void __exit xt_rateest_tg_fini(void)
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("xtables rate estimator");
+MODULE_DESCRIPTION("Xtables: packet rate estimator");
MODULE_ALIAS("ipt_RATEEST");
MODULE_ALIAS("ip6t_RATEEST");
module_init(xt_rateest_tg_init);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7d5439c..b11b3ec 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_DESCRIPTION("Xtables: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a1bc77f..60e3767 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -24,7 +24,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("x_tables TCP MSS modification module");
+MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
MODULE_ALIAS("ipt_TCPMSS");
MODULE_ALIAS("ip6t_TCPMSS");
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 43d6ac2..3b2aa56 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -141,7 +141,7 @@ static void __exit tcpoptstrip_tg_exit(void)
module_init(tcpoptstrip_tg_init);
module_exit(tcpoptstrip_tg_exit);
MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"TCPOPTSTRIP\" target module");
+MODULE_DESCRIPTION("Xtables: TCP option stripping");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TCPOPTSTRIP");
MODULE_ALIAS("ip6t_TCPOPTSTRIP");
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 219b9d2..30dab79 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -5,6 +5,7 @@
#include <linux/netfilter/x_tables.h>
+MODULE_DESCRIPTION("Xtables: packet flow tracing");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TRACE");
MODULE_ALIAS("ip6t_TRACE");
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 4539d43..89f4736 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -10,7 +10,7 @@
#include <linux/netfilter/xt_comment.h>
MODULE_AUTHOR("Brad Fisher <brad@info-link.net>");
-MODULE_DESCRIPTION("iptables comment match module");
+MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a comment");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_comment");
MODULE_ALIAS("ip6t_comment");
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7d4940a..b15e7e2 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -12,7 +12,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for matching number of pkts/bytes per connection");
+MODULE_DESCRIPTION("Xtables: Number of packets/bytes per connection matching");
MODULE_ALIAS("ipt_connbytes");
MODULE_ALIAS("ip6t_connbytes");
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 6a9e2a3..e00ecd9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -309,7 +309,7 @@ static void __exit connlimit_mt_exit(void)
module_init(connlimit_mt_init);
module_exit(connlimit_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter xt_connlimit match module");
+MODULE_DESCRIPTION("Xtables: Number of connections matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connlimit");
MODULE_ALIAS("ip6t_connlimit");
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 55c6235..aaa1b96 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -28,7 +28,7 @@
#include <linux/netfilter/xt_connmark.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_DESCRIPTION("Xtables: connection mark match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark");
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index dc9e737..e92190e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables connection tracking match module");
+MODULE_DESCRIPTION("Xtables: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index ab2f7e9..667f45e 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Match for DCCP protocol packets");
+MODULE_DESCRIPTION("Xtables: DCCP protocol packet match");
MODULE_ALIAS("ipt_dccp");
MODULE_ALIAS("ip6t_dccp");
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 834e437..26f4aab 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -18,7 +18,7 @@
#include <linux/netfilter_ipv4/ipt_tos.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP/tos matching module");
+MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_dscp");
MODULE_ALIAS("ip6t_dscp");
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index d7c90ac..71c7c37 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("x_tables ESP SPI match module");
+MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
MODULE_ALIAS("ipt_esp");
MODULE_ALIAS("ip6t_esp");
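Review bot: ipt_ah becomes "IPv4 IPsec-AH SPI match" and ip6t_ah "IPv6 IPsec-AH match", while xt_esp becomes "IPsec-ESP packet match"; the esp match filters on the ESP SPI range exactly as the ah matches filter on the AH SPI, so "IPsec-ESP SPI match" is both more accurate and consistent with the ipt_ah wording chosen in the same patch.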
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index c35d220..d479ca9 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -35,7 +35,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for limiting per hash-bucket");
+MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
MODULE_ALIAS("ipt_hashlimit");
MODULE_ALIAS("ip6t_hashlimit");
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 5d063e5..dada290 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Martin Josefsson <gandalf@netfilter.org>");
-MODULE_DESCRIPTION("iptables helper match module");
+MODULE_DESCRIPTION("Xtables: Related connection matching");
MODULE_ALIAS("ipt_helper");
MODULE_ALIAS("ip6t_helper");
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index ea54578..b8640f9 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
-MODULE_DESCRIPTION("IP tables packet length matching module");
+MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 2ef0dbf..aad9ab8 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Herve Eychenne <rv@wallfire.org>");
-MODULE_DESCRIPTION("iptables rate limit match");
+MODULE_DESCRIPTION("Xtables: rate-limit match");
MODULE_ALIAS("ipt_limit");
MODULE_ALIAS("ip6t_limit");
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 7d89863..b3e96a0 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables mac matching module");
+MODULE_DESCRIPTION("Xtables: MAC address match");
MODULE_ALIAS("ipt_mac");
MODULE_ALIAS("ip6t_mac");
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 5cc8cc5..9f78f61 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables mark matching module");
+MODULE_DESCRIPTION("Xtables: packet mark match");
MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d03cc37..31daa81 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("x_tables multiple port match module");
+MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP and DCCP");
MODULE_ALIAS("ipt_multiport");
MODULE_ALIAS("ip6t_multiport");
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 4222fa2..d382f9c 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -205,7 +205,7 @@ static void __exit owner_mt_exit(void)
module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"owner\" match module");
+MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 678b683..4ec1094 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-MODULE_DESCRIPTION("iptables bridge physical device match module");
+MODULE_DESCRIPTION("Xtables: Bridge physical device match");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
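Review bot: capitalisation after the `Xtables:` prefix is inconsistent: this hunk's "Bridge physical device match" (like "Packet length" and "Related connection matching" in the hunks above) starts with a capital, while "rate-limit match", "packet mark match" and "link layer packet type match" elsewhere in the patch do not; settle on one form before it spreads to every module.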
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index cbcb8ea..7936f7e 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michal Ludvig <michal@logix.cz>");
-MODULE_DESCRIPTION("IP tables match to match on linklayer packet type");
+MODULE_DESCRIPTION("Xtables: link layer packet type match");
MODULE_ALIAS("ipt_pkttype");
MODULE_ALIAS("ip6t_pkttype");
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 47c2e43..9e918ad 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -18,7 +18,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables IPsec policy matching module");
+MODULE_DESCRIPTION("Xtables: IPsec policy match");
MODULE_LICENSE("GPL");
static inline bool
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 887874b..3b021d0 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -11,6 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
+MODULE_DESCRIPTION("Xtables: countdown quota match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 63289b4..7df1627 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -18,7 +18,7 @@
MODULE_AUTHOR("Sampsa Ranta <sampsa@netsonic.fi>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("X_tables realm match");
+MODULE_DESCRIPTION("Xtables: Routing realm match");
MODULE_ALIAS("ipt_realm");
static bool
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 1c8a4ee..b718ec6 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -11,7 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Kiran Kumar Immidi");
-MODULE_DESCRIPTION("Match for SCTP protocol packets");
+MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
MODULE_ALIAS("ipt_sctp");
MODULE_ALIAS("ip6t_sctp");
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index fb16648..4313308 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("xtables statistical match module");
+MODULE_DESCRIPTION("Xtables: statistics-based matching (\"Nth\", random)");
MODULE_ALIAS("ipt_statistic");
MODULE_ALIAS("ip6t_statistic");
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index aff7a11..72f694d 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -16,7 +16,7 @@
#include <linux/textsearch.h>
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@eurodev.net>");
-MODULE_DESCRIPTION("IP tables string match module");
+MODULE_DESCRIPTION("Xtables: string-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_string");
MODULE_ALIAS("ip6t_string");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 2a3e4c3..d7a5b27 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables TCP MSS match module");
+MODULE_DESCRIPTION("Xtables: TCP MSS match");
MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 6be5f2d..4fa3b66 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -10,7 +10,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("x_tables match for TCP and UDP(-Lite), supports IPv4 and IPv6");
+MODULE_DESCRIPTION("Xtables: TCP, UDP and UDP-Lite match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("xt_tcp");
MODULE_ALIAS("xt_udp");
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 96da93c..e9a8794 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -264,7 +264,7 @@ static void __exit time_mt_exit(void)
module_init(time_mt_init);
module_exit(time_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter time match");
+MODULE_DESCRIPTION("Xtables: time-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_time");
MODULE_ALIAS("ip6t_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 3d8f5b3..9b8ed39 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -130,7 +130,7 @@ static void __exit u32_mt_exit(void)
module_init(u32_mt_init);
module_exit(u32_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter u32 match module");
+MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_u32");
MODULE_ALIAS("ip6t_u32");
* [NETFILTER 17/38]: Rename ipt_iprange to xt_iprange
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Rename ipt_iprange to xt_iprange
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit bb44619d743106e32849e7a6d98464506c73f9f5
tree 82054d5467d270e3d18dbbbe29c7f9b948592662
parent 1834195893f1df31c850cf93281e4a88e2cfad9b
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:41 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:21 +0100
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_iprange.h | 17 +++++++++++++++++
include/linux/netfilter_ipv4/ipt_iprange.h | 6 +-----
net/ipv4/netfilter/Kconfig | 10 ----------
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 11 +++++++++++
net/netfilter/Makefile | 1 +
net/netfilter/xt_iprange.c | 27 +++++++++++++--------------
8 files changed, 44 insertions(+), 30 deletions(-)
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index ac9e642..91fef0c 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -21,6 +21,7 @@ header-y += xt_dccp.h
header-y += xt_dscp.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
+header-y += xt_iprange.h
header-y += xt_helper.h
header-y += xt_length.h
header-y += xt_limit.h
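Review bot: `header-y += xt_iprange.h` is inserted between xt_hashlimit.h and xt_helper.h, which breaks the alphabetical order the rest of this list follows; it belongs after `header-y += xt_helper.h`.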
diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h
new file mode 100644
index 0000000..a4299c7
--- /dev/null
+++ b/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
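Review bot: the new header is not self-contained: struct xt_iprange_mtinfo uses union nf_inet_addr (declared in <linux/netfilter.h>) and u_int8_t, yet the file has no #include at all, so it compiles only if the includer happened to pull those in first; since the Kbuild hunk exports it to userspace, add the includes here. Minor: the `/* -"- */` comment on IPRANGE_DST_INV should spell out "negate the condition" as the line above it does.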
diff --git a/include/linux/netfilter_ipv4/ipt_iprange.h b/include/linux/netfilter_ipv4/ipt_iprange.h
index a92fefc..5f1aebd 100644
--- a/include/linux/netfilter_ipv4/ipt_iprange.h
+++ b/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -2,11 +2,7 @@
#define _IPT_IPRANGE_H
#include <linux/types.h>
-
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/netfilter/xt_iprange.h>
struct ipt_iprange {
/* Inclusive: network order. */
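Review bot: nothing in this hunk shows that the four removed macros keep their values; a reader has to open xt_iprange.h to see that IPRANGE_SRC/DST/SRC_INV/DST_INV are now 1<<0, 1<<1, 1<<4 and 1<<5, i.e. the same 0x01/0x02/0x10/0x20, which is what keeps revision 0 users of `struct ipt_iprange` working. State that in the commit message so the compatibility argument is visible.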
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 10ca307..9a077cb 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,16 +57,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
# The matches.
-config IP_NF_MATCH_IPRANGE
- tristate '"iprange" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This option makes possible to match IP addresses against IP address
- ranges.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_RECENT
tristate '"recent" match support'
depends on IP_NF_IPTABLES
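Review bot: removing IP_NF_MATCH_IPRANGE outright means a .config with CONFIG_IP_NF_MATCH_IPRANGE=y or =m silently ends up without the match on the next oldconfig run, because nothing maps the old symbol to NETFILTER_XT_MATCH_IPRANGE; the commit message should at least point users at the new option, and a deprecated stub symbol that selects the new one for a release would avoid the silent loss entirely.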
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index fd7d4a5..0c7dc78 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 79d7143..daf5b88 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -567,6 +567,17 @@ config NETFILTER_XT_MATCH_HELPER
To compile it as a module, choose M here. If unsure, say Y.
+config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds a "iprange" match, which allows you to match based on
+ an IP address range. (Normal iptables only matches on single addresses
+ with an optional mask.)
+
+ If unsure, say M.
+
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_XTABLES
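Review bot: `a "iprange" match` in the help text should read `an "iprange" match`. Two smaller points in the same block: it uses `---help---` where the IP_NF_MATCH_IPRANGE entry removed from net/ipv4/netfilter/Kconfig above used `help`, and the closing advice changed from that entry's "If unsure, say N." to "If unsure, say M." without the commit message saying why.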
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3b9ea8f..c910cae 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -63,6 +63,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/netfilter/xt_iprange.c
similarity index 75%
rename from net/ipv4/netfilter/ipt_iprange.c
rename to net/netfilter/xt_iprange.c
index 9a2aba8..c57a6cf 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -1,11 +1,11 @@
/*
- * iptables module to match IP address ranges
+ * xt_iprange - Netfilter module to match IP address ranges
*
- * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
@@ -13,15 +13,11 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
-
static bool
-iprange_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
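Review bot: the include list still names only <linux/netfilter_ipv4/ipt_iprange.h>, so the new IPRANGE_* enum and struct xt_iprange_mtinfo reach this file only indirectly through that header; since the module now lives in net/netfilter, include <linux/netfilter/xt_iprange.h> here explicitly (the ipv4 header is still needed for struct ipt_iprange_info used by iprange_mt_v0). The rename of iprange_mt to iprange_mt_v0 is sensible preparation for a second revision but deserves a line in the commit message.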
@@ -58,7 +54,7 @@ iprange_mt(const struct sk_buff *skb, const struct net_device *in,
static struct xt_match iprange_mt_reg __read_mostly = {
.name = "iprange",
.family = AF_INET,
- .match = iprange_mt,
+ .match = iprange_mt_v0,
.matchsize = sizeof(struct ipt_iprange_info),
.me = THIS_MODULE
};
@@ -75,3 +71,6 @@ static void __exit iprange_mt_exit(void)
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
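Review bot: the relocated MODULE_* block has no MODULE_ALIAS("ipt_iprange"), yet the module is now built as xt_iprange.o; every other xt_ match touched in this series carries a `MODULE_ALIAS("ipt_<name>")` (see xt_mac.c and xt_mark.c above), and without it a request for the old ipt_iprange module name will no longer load this code. Add the alias in this hunk.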
* [NETFILTER 18/38]: xt_iprange match, revision 1
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: xt_iprange match, revision 1
Adds IPv6 support to xt_iprange, making it possible to match on IPv6
address ranges with ip6tables.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit ba17e28b907c34daf0278e6c3c5d3413a3082649
tree 1f576e5bb0a1e44a911e0a7ddbcd11f9fcabc131
parent bb44619d743106e32849e7a6d98464506c73f9f5
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:43 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:22 +0100
net/netfilter/xt_iprange.c | 122 +++++++++++++++++++++++++++++++++++++++++---
1 files changed, 113 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index c57a6cf..dbea0e0 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -2,6 +2,7 @@
* xt_iprange - Netfilter module to match IP address ranges
*
* (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) CC Computer Consultants GmbH, 2008
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -10,6 +11,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
@@ -51,26 +53,128 @@ iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
return true;
}
-static struct xt_match iprange_mt_reg __read_mostly = {
- .name = "iprange",
- .family = AF_INET,
- .match = iprange_mt_v0,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE
+static bool
+iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
+ m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m) {
+ pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->saddr),
+ (info->flags & IPRANGE_SRC_INV) ? "(INV) " : "",
+ NIPQUAD(info->src_max.ip),
+ NIPQUAD(info->src_max.ip));
+ return false;
+ }
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
+ m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m) {
+ pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->daddr),
+ (info->flags & IPRANGE_DST_INV) ? "(INV) " : "",
+ NIPQUAD(info->dst_min.ip),
+ NIPQUAD(info->dst_max.ip));
+ return false;
+ }
+ }
+ return true;
+}
+
+static inline int
+iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
+{
+ unsigned int i;
+ int r;
+
+ for (i = 0; i < 4; ++i) {
+ r = a->s6_addr32[i] - b->s6_addr32[i];
+ if (r != 0)
+ return r;
+ }
+
+ return 0;
+}
+
+static bool
+iprange_mt6(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m)
+ return false;
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m)
+ return false;
+ }
+ return true;
+}
+
+static struct xt_match iprange_mt_reg[] __read_mostly = {
+ {
+ .name = "iprange",
+ .revision = 0,
+ .family = AF_INET,
+ .match = iprange_mt_v0,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt4,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt6,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
};
static int __init iprange_mt_init(void)
{
- return xt_register_match(&iprange_mt_reg);
+ return xt_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
static void __exit iprange_mt_exit(void)
{
- xt_unregister_match(&iprange_mt_reg);
+ xt_unregister_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
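Review bot: the revision 1 entry that points at iprange_mt4 is registered with `.family = AF_INET6`; it must be AF_INET, otherwise iptables never finds revision 1 and ip6tables sees two AF_INET6 entries, the first of which reads an IPv4 header out of an IPv6 packet. Second, `m ^= info->flags & IPRANGE_SRC_INV` (and the DST variant, in both iprange_mt4 and iprange_mt6) xors a bool with the raw flag value 1<<4, which converts back to true whenever the flag is set, so an inverted range never matches; use `m ^= !!(info->flags & IPRANGE_SRC_INV)`. Third, iprange_ipv6_sub subtracts the `s6_addr32` words without ntohl, so the ordering is computed on network-byte-order values and is wrong on little-endian hosts, and the sign of an unsigned difference stored in an `int` is not reliable for gaps of 2^31 or more; compare the ntohl'd words and return -1/0/1 explicitly. Finally, the src-side pr_debug prints `NIPQUAD(info->src_max.ip)` twice where the first should be src_min, MODULE_DESCRIPTION still says "arbitrary IPv4 range matching" although the module now handles IPv6, and there is no MODULE_ALIAS("ip6t_iprange") for ip6tables to autoload it.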
* [NETFILTER 19/38]: Update feature-removal-schedule.txt
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Update feature-removal-schedule.txt
With all the newly introduced features, there is a lot to remove
later on after a compatibility grace period of 2 years.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 733218e65d16da88f06073a62c017e6f9864ea1a
tree 5f55577f77ed3690b77302699c78b056db173a4b
parent ba17e28b907c34daf0278e6c3c5d3413a3082649
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:44 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:23 +0100
Documentation/feature-removal-schedule.txt | 32 ++++++++++++++++++++++++++++
1 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index bdf4d19..51913bd 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -340,3 +340,35 @@ Why: This algorithm was provided for reference but always exhibited bad
responsiveness and performance and has some serious flaws. It has been
replaced by rc80211-pid.
Who: Stefano Brivio <stefano.brivio@polimi.it>
+
+---------------------------
+
+What (Why):
+ - include/linux/netfilter_ipv4/ipt_TOS.h ipt_tos.h header files
+ (superseded by xt_TOS/xt_tos target & match)
+
+ - "forwarding" header files like ipt_mac.h in
+ include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
+
+ - xt_CONNMARK match revision 0
+ (superseded by xt_CONNMARK match revision 1)
+
+ - xt_MARK target revisions 0 and 1
+ (superseded by xt_MARK match revision 2)
+
+ - xt_connmark match revision 0
+ (superseded by xt_connmark match revision 1)
+
+ - xt_conntrack match revision 0
+ (superseded by xt_conntrack match revision 1)
+
+ - xt_iprange match revision 0,
+ include/linux/netfilter_ipv4/ipt_iprange.h
+ (superseded by xt_iprange match revision 1)
+
+ - xt_mark match revision 0
+ (superseded by xt_mark match revision 1)
+
+When: January 2009 or Linux 2.7.0, whichever comes first
+Why: Superseded by newer revisions or modules
+Who: Jan Engelhardt <jengelh@computergmbh.de>
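Review bot: two entries in the new block name the wrong kind of extension: `xt_CONNMARK match revision 0 (superseded by xt_CONNMARK match revision 1)` describes the CONNMARK target (the match is the lower-case xt_connmark, listed separately below), so both should say "target"; and `xt_MARK target revisions 0 and 1 (superseded by xt_MARK match revision 2)` should end with "target revision 2". The `When:` line is also inconsistent with the commit message: the message announces a two-year grace period, but January 2009 is one year after the author date of this patch.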
* Re: [NETFILTER 19/38]: Update feature-removal-schedule.txt
From: Jones Desougi @ 2008-01-15 16:15 UTC (permalink / raw)
To: kaber; +Cc: davem, kaber, netfilter-devel
> With all the newly introduced features, there is a lot to remove
> later on after a compatibility grace period of 2 years.
...
> +When: January 2009 or Linux 2.7.0, whichever comes first
January 2009 is one year into the future though, not two.
* Re: [NETFILTER 19/38]: Update feature-removal-schedule.txt
From: Patrick McHardy @ 2008-01-15 16:40 UTC (permalink / raw)
To: Jones Desougi; +Cc: davem, netfilter-devel
Jones Desougi wrote:
>> With all the newly introduced features, there is a lot to remove
>> later on after a compatibility grace period of 2 years.
> ...
>> +When: January 2009 or Linux 2.7.0, whichever comes first
>
> January 2009 is one year into the future though, not two.
Yes, I noticed this myself. We can extend it if it seems too early
at that time. But it can't hurt to announce a shorter timeframe :)
* Re: [NETFILTER 19/38]: Update feature-removal-schedule.txt
From: Jan Engelhardt @ 2008-01-15 16:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Jones Desougi, davem, netfilter-devel
On Jan 15 2008 17:40, Patrick McHardy wrote:
> Jones Desougi wrote:
>> > With all the newly introduced features, there is a lot to remove
>> > later on after a compatibility grace period of 2 years.
>> ...
>> > +When: January 2009 or Linux 2.7.0, whichever comes first
>>
>> January 2009 is one year into the future though, not two.
Integer overflow on my behalf :p
> Yes, I noticed this myself. We can extend it if it seems to early
> at that time. But it can't hurt to announce a shorter timeframe :)
If the iptables patches get applied now (and a new version is
released soon), an implicit 2 months extra time can be gained. That
would also empty my patch queue there.
* Re: [NETFILTER 19/38]: Update feature-removal-schedule.txt
From: Patrick McHardy @ 2008-01-15 16:59 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Jones Desougi, davem, netfilter-devel
Jan Engelhardt wrote:
> If the iptables patches get applied now (and a new version is
> released soon), an implicit 2 months extra time can be gained. That
> would also empty my patch queue there.
The best way would be if you resend everything that is relevant
to the patches merged upstream and stuff like the autoconf
patches etc., so I don't have to wade through one or two months
of old emails trying to figure out which patches to apply.
I'll be slow applying things until Saturday though.
* [NETFILTER 20/38]: {ip,ip6}_tables: remove some inlines
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: {ip,ip6}_tables: remove some inlines
This patch removes inlines except those which are used
by packet matching code and thus are performance-critical.
Before:
$ size */*/*/ip*tables*.o
text data bss dec hex filename
6402 500 16 6918 1b06 net/ipv4/netfilter/ip_tables.o
7130 500 16 7646 1dde net/ipv6/netfilter/ip6_tables.o
After:
$ size */*/*/ip*tables*.o
text data bss dec hex filename
6307 500 16 6823 1aa7 net/ipv4/netfilter/ip_tables.o
7010 500 16 7526 1d66 net/ipv6/netfilter/ip6_tables.o
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 672b1bb962284718abf7cc88055ca2bb4378c7bc
tree e7f3315a0d24d50219338934f3538172e404cae0
parent 733218e65d16da88f06073a62c017e6f9864ea1a
author Denys Vlasenko <vda.linux@googlemail.com> Mon, 14 Jan 2008 06:51:46 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:23 +0100
net/ipv4/netfilter/ip_tables.c | 47 ++++++++++++++++++++++-----------------
net/ipv6/netfilter/ip6_tables.c | 42 +++++++++++++++++++----------------
2 files changed, 50 insertions(+), 39 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f5b66ec..982b7f9 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -75,6 +75,7 @@ do { \
Hence the start of any table is given by get_table() below. */
/* Returns whether matches rule or not. */
+/* Performance critical - called for every packet */
static inline bool
ip_packet_match(const struct iphdr *ip,
const char *indev,
@@ -153,7 +154,7 @@ ip_packet_match(const struct iphdr *ip,
return true;
}
-static inline bool
+static bool
ip_checkentry(const struct ipt_ip *ip)
{
if (ip->flags & ~IPT_F_MASK) {
@@ -183,8 +184,9 @@ ipt_error(struct sk_buff *skb,
return NF_DROP;
}
-static inline
-bool do_match(struct ipt_entry_match *m,
+/* Performance critical - called for every packet */
+static inline bool
+do_match(struct ipt_entry_match *m,
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
@@ -199,6 +201,7 @@ bool do_match(struct ipt_entry_match *m,
return false;
}
+/* Performance critical */
static inline struct ipt_entry *
get_entry(void *base, unsigned int offset)
{
@@ -206,6 +209,7 @@ get_entry(void *base, unsigned int offset)
}
/* All zeroes == unconditional rule. */
+/* Mildly perf critical (only if packet tracing is on) */
static inline int
unconditional(const struct ipt_ip *ip)
{
@@ -221,7 +225,7 @@ unconditional(const struct ipt_ip *ip)
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
-static const char *hooknames[] = {
+static const char *const hooknames[] = {
[NF_INET_PRE_ROUTING] = "PREROUTING",
[NF_INET_LOCAL_IN] = "INPUT",
[NF_INET_FORWARD] = "FORWARD",
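Review bot: turning `static const char *hooknames[]` into `static const char *const hooknames[]` (and `comments[]` in the following hunk) is a separate change from removing inlines and is not mentioned in the commit message; either split it into its own patch or add a sentence noting that the pointer tables themselves become read-only.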
@@ -235,7 +239,7 @@ enum nf_ip_trace_comments {
NF_IP_TRACE_COMMENT_POLICY,
};
-static const char *comments[] = {
+static const char *const comments[] = {
[NF_IP_TRACE_COMMENT_RULE] = "rule",
[NF_IP_TRACE_COMMENT_RETURN] = "return",
[NF_IP_TRACE_COMMENT_POLICY] = "policy",
@@ -251,6 +255,7 @@ static struct nf_loginfo trace_loginfo = {
},
};
+/* Mildly perf critical (only if packet tracing is on) */
static inline int
get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
char *hookname, char **chainname,
@@ -567,7 +572,7 @@ mark_source_chains(struct xt_table_info *newinfo,
return 1;
}
-static inline int
+static int
cleanup_match(struct ipt_entry_match *m, unsigned int *i)
{
if (i && (*i)-- == 0)
@@ -579,7 +584,7 @@ cleanup_match(struct ipt_entry_match *m, unsigned int *i)
return 0;
}
-static inline int
+static int
check_entry(struct ipt_entry *e, const char *name)
{
struct ipt_entry_target *t;
@@ -600,7 +605,8 @@ check_entry(struct ipt_entry *e, const char *name)
return 0;
}
-static inline int check_match(struct ipt_entry_match *m, const char *name,
+static int
+check_match(struct ipt_entry_match *m, const char *name,
const struct ipt_ip *ip,
unsigned int hookmask, unsigned int *i)
{
@@ -623,7 +629,7 @@ static inline int check_match(struct ipt_entry_match *m, const char *name,
return ret;
}
-static inline int
+static int
find_check_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
@@ -652,7 +658,7 @@ err:
return ret;
}
-static inline int check_target(struct ipt_entry *e, const char *name)
+static int check_target(struct ipt_entry *e, const char *name)
{
struct ipt_entry_target *t;
struct xt_target *target;
@@ -673,7 +679,7 @@ static inline int check_target(struct ipt_entry *e, const char *name)
return ret;
}
-static inline int
+static int
find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
unsigned int *i)
{
@@ -717,7 +723,7 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
return ret;
}
-static inline int
+static int
check_entry_size_and_hooks(struct ipt_entry *e,
struct xt_table_info *newinfo,
unsigned char *base,
@@ -760,7 +766,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
return 0;
}
-static inline int
+static int
cleanup_entry(struct ipt_entry *e, unsigned int *i)
{
struct ipt_entry_target *t;
@@ -916,7 +922,7 @@ get_counters(const struct xt_table_info *t,
}
}
-static inline struct xt_counters * alloc_counters(struct xt_table *table)
+static struct xt_counters * alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
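Review bot: while this line is being touched, `static struct xt_counters * alloc_counters` should also lose the space after the `*` (`*alloc_counters`); the ip6_tables.c counterpart in this same patch already uses that form and checkpatch complains about the spaced one.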
@@ -1304,7 +1310,7 @@ do_replace(void __user *user, unsigned int len)
/* We're lazy, and add to the first CPU; overflow works its fey magic
* and everything is OK. */
-static inline int
+static int
add_counter_to_entry(struct ipt_entry *e,
const struct xt_counters addme[],
unsigned int *i)
@@ -1465,7 +1471,7 @@ out:
return ret;
}
-static inline int
+static int
compat_find_calc_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
@@ -1489,7 +1495,7 @@ compat_find_calc_match(struct ipt_entry_match *m,
return 0;
}
-static inline int
+static int
compat_release_match(struct ipt_entry_match *m, unsigned int *i)
{
if (i && (*i)-- == 0)
@@ -1499,7 +1505,7 @@ compat_release_match(struct ipt_entry_match *m, unsigned int *i)
return 0;
}
-static inline int
+static int
compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
{
struct ipt_entry_target *t;
@@ -1514,7 +1520,7 @@ compat_release_entry(struct compat_ipt_entry *e, unsigned int *i)
return 0;
}
-static inline int
+static int
check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
struct xt_table_info *newinfo,
unsigned int *size,
@@ -1637,7 +1643,8 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
return ret;
}
-static inline int compat_check_entry(struct ipt_entry *e, const char *name,
+static int
+compat_check_entry(struct ipt_entry *e, const char *name,
unsigned int *i)
{
int j, ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4ed16d2..dd7860f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -90,6 +90,7 @@ ip6t_ext_hdr(u8 nexthdr)
}
/* Returns whether matches rule or not. */
+/* Performance critical - called for every packet */
static inline bool
ip6_packet_match(const struct sk_buff *skb,
const char *indev,
@@ -182,7 +183,7 @@ ip6_packet_match(const struct sk_buff *skb,
}
/* should be ip6 safe */
-static inline bool
+static bool
ip6_checkentry(const struct ip6t_ip6 *ipv6)
{
if (ipv6->flags & ~IP6T_F_MASK) {
@@ -212,8 +213,9 @@ ip6t_error(struct sk_buff *skb,
return NF_DROP;
}
-static inline
-bool do_match(struct ip6t_entry_match *m,
+/* Performance critical - called for every packet */
+static inline bool
+do_match(struct ip6t_entry_match *m,
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
@@ -236,6 +238,7 @@ get_entry(void *base, unsigned int offset)
}
/* All zeroes == unconditional rule. */
+/* Mildly perf critical (only if packet tracing is on) */
static inline int
unconditional(const struct ip6t_ip6 *ipv6)
{
@@ -251,7 +254,7 @@ unconditional(const struct ip6t_ip6 *ipv6)
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
/* This cries for unification! */
-static const char *hooknames[] = {
+static const char *const hooknames[] = {
[NF_INET_PRE_ROUTING] = "PREROUTING",
[NF_INET_LOCAL_IN] = "INPUT",
[NF_INET_FORWARD] = "FORWARD",
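Review bot: after this patch `hooknames[]` and `comments[]` are identical `const char *const` string tables in ip_tables.c and ip6_tables.c, which makes this the natural moment to act on the `/* This cries for unification! */` comment and keep one copy in shared x_tables code instead of constifying both; at minimum that comment should not outlive a patch that touches the line right under it.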
@@ -265,7 +268,7 @@ enum nf_ip_trace_comments {
NF_IP6_TRACE_COMMENT_POLICY,
};
-static const char *comments[] = {
+static const char *const comments[] = {
[NF_IP6_TRACE_COMMENT_RULE] = "rule",
[NF_IP6_TRACE_COMMENT_RETURN] = "return",
[NF_IP6_TRACE_COMMENT_POLICY] = "policy",
@@ -281,6 +284,7 @@ static struct nf_loginfo trace_loginfo = {
},
};
+/* Mildly perf critical (only if packet tracing is on) */
static inline int
get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
char *hookname, char **chainname,
@@ -595,7 +599,7 @@ mark_source_chains(struct xt_table_info *newinfo,
return 1;
}
-static inline int
+static int
cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
{
if (i && (*i)-- == 0)
@@ -607,7 +611,7 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
return 0;
}
-static inline int
+static int
check_entry(struct ip6t_entry *e, const char *name)
{
struct ip6t_entry_target *t;
@@ -628,7 +632,7 @@ check_entry(struct ip6t_entry *e, const char *name)
return 0;
}
-static inline int check_match(struct ip6t_entry_match *m, const char *name,
+static int check_match(struct ip6t_entry_match *m, const char *name,
const struct ip6t_ip6 *ipv6,
unsigned int hookmask, unsigned int *i)
{
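Review bot: declaration layout now differs between the two files: ip_tables.c splits the return type onto its own line for check_match() and compat_check_entry() (`static int` / `check_match(...)`) while this hunk keeps `static int check_match(...)` on one line; pick one form for both files, since the two are otherwise kept in lockstep by this patch.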
@@ -651,7 +655,7 @@ static inline int check_match(struct ip6t_entry_match *m, const char *name,
return ret;
}
-static inline int
+static int
find_check_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
@@ -680,7 +684,7 @@ err:
return ret;
}
-static inline int check_target(struct ip6t_entry *e, const char *name)
+static int check_target(struct ip6t_entry *e, const char *name)
{
struct ip6t_entry_target *t;
struct xt_target *target;
@@ -701,7 +705,7 @@ static inline int check_target(struct ip6t_entry *e, const char *name)
return ret;
}
-static inline int
+static int
find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
unsigned int *i)
{
@@ -745,7 +749,7 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
return ret;
}
-static inline int
+static int
check_entry_size_and_hooks(struct ip6t_entry *e,
struct xt_table_info *newinfo,
unsigned char *base,
@@ -788,7 +792,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
return 0;
}
-static inline int
+static int
cleanup_entry(struct ip6t_entry *e, unsigned int *i)
{
struct ip6t_entry_target *t;
@@ -944,7 +948,7 @@ get_counters(const struct xt_table_info *t,
}
}
-static inline struct xt_counters *alloc_counters(struct xt_table *table)
+static struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
@@ -1494,7 +1498,7 @@ out:
return ret;
}
-static inline int
+static int
compat_find_calc_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
@@ -1518,7 +1522,7 @@ compat_find_calc_match(struct ip6t_entry_match *m,
return 0;
}
-static inline int
+static int
compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
{
if (i && (*i)-- == 0)
@@ -1528,7 +1532,7 @@ compat_release_match(struct ip6t_entry_match *m, unsigned int *i)
return 0;
}
-static inline int
+static int
compat_release_entry(struct compat_ip6t_entry *e, unsigned int *i)
{
struct ip6t_entry_target *t;
@@ -1543,7 +1547,7 @@ compat_release_entry(struct compat_ip6t_entry *e, unsigned int *i)
return 0;
}
-static inline int
+static int
check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
struct xt_table_info *newinfo,
unsigned int *size,
@@ -1666,7 +1670,7 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
return ret;
}
-static inline int compat_check_entry(struct ip6t_entry *e, const char *name,
+static int compat_check_entry(struct ip6t_entry *e, const char *name,
unsigned int *i)
{
int j, ret;
* [NETFILTER 21/38]: ipt_REJECT: properly handle IP options
2008-01-15 6:19 [NETFILTER 00/38]: Netfilter update Patrick McHardy
` (19 preceding siblings ...)
2008-01-15 6:19 ` [NETFILTER 20/38]: {ip,ip6}_tables: remove some inlines Patrick McHardy
@ 2008-01-15 6:19 ` Patrick McHardy
2008-01-15 6:19 ` [NETFILTER 22/38]: nf_conntrack_{tcp,sctp}: mark state table const Patrick McHardy
` (17 subsequent siblings)
38 siblings, 0 replies; 44+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: ipt_REJECT: properly handle IP options
The current TCP RST construction reuses the old packet and can't
deal with IP options as a consequence of that. Construct the
RST from scratch instead.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit e98b968b91b444bb9af1547818b9601419150dba
tree ce141bf2b369601e6160e59b9adae3449887ee34
parent 672b1bb962284718abf7cc88055ca2bb4378c7bc
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:24 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:24 +0100
net/ipv4/netfilter/ipt_REJECT.c | 102 ++++++++++++++-------------------------
1 files changed, 37 insertions(+), 65 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index e3c2ecc..22606e2 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -35,11 +35,8 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
- struct iphdr *niph;
+ struct iphdr *oiph, *niph;
struct tcphdr _otcph, *oth, *tcph;
- __be16 tmp_port;
- __be32 tmp_addr;
- int needs_ack;
unsigned int addr_type;
/* IP header checks: fragment. */
@@ -58,69 +55,47 @@ static void send_reset(struct sk_buff *oldskb, int hook)
/* Check checksum */
if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
return;
+ oiph = ip_hdr(oldskb);
- /* We need a linear, writeable skb. We also need to expand
- headroom in case hh_len of incoming interface < hh_len of
- outgoing interface */
- nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
- GFP_ATOMIC);
+ nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
+ LL_MAX_HEADER, GFP_ATOMIC);
if (!nskb)
return;
- /* This packet will not be the same as the other: clear nf fields */
- nf_reset(nskb);
- nskb->mark = 0;
- skb_init_secmark(nskb);
-
- skb_shinfo(nskb)->gso_size = 0;
- skb_shinfo(nskb)->gso_segs = 0;
- skb_shinfo(nskb)->gso_type = 0;
-
- tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
-
- /* Swap source and dest */
- niph = ip_hdr(nskb);
- tmp_addr = niph->saddr;
- niph->saddr = niph->daddr;
- niph->daddr = tmp_addr;
- tmp_port = tcph->source;
- tcph->source = tcph->dest;
- tcph->dest = tmp_port;
-
- /* Truncate to length (no data) */
- tcph->doff = sizeof(struct tcphdr)/4;
- skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-
- if (tcph->ack) {
- needs_ack = 0;
+ skb_reserve(nskb, LL_MAX_HEADER);
+
+ skb_reset_network_header(nskb);
+ niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr));
+ niph->version = 4;
+ niph->ihl = sizeof(struct iphdr) / 4;
+ niph->tos = 0;
+ niph->id = 0;
+ niph->frag_off = htons(IP_DF);
+ niph->protocol = IPPROTO_TCP;
+ niph->check = 0;
+ niph->saddr = oiph->daddr;
+ niph->daddr = oiph->saddr;
+
+ tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+ memset(tcph, 0, sizeof(*tcph));
+ tcph->source = oth->dest;
+ tcph->dest = oth->source;
+ tcph->doff = sizeof(struct tcphdr) / 4;
+
+ if (oth->ack)
tcph->seq = oth->ack_seq;
- tcph->ack_seq = 0;
- } else {
- needs_ack = 1;
+ else {
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
oldskb->len - ip_hdrlen(oldskb) -
(oth->doff << 2));
- tcph->seq = 0;
+ tcph->ack = 1;
}
- /* Reset flags */
- ((u_int8_t *)tcph)[13] = 0;
- tcph->rst = 1;
- tcph->ack = needs_ack;
-
- tcph->window = 0;
- tcph->urg_ptr = 0;
-
- /* Adjust TCP checksum */
- tcph->check = 0;
- tcph->check = tcp_v4_check(sizeof(struct tcphdr),
- niph->saddr, niph->daddr,
- csum_partial(tcph,
- sizeof(struct tcphdr), 0));
-
- /* Set DF, id = 0 */
- niph->frag_off = htons(IP_DF);
- niph->id = 0;
+ tcph->rst = 1;
+ tcph->check = tcp_v4_check(sizeof(struct tcphdr),
+ niph->saddr, niph->daddr,
+ csum_partial(tcph,
+ sizeof(struct tcphdr), 0));
addr_type = RTN_UNSPEC;
if (hook != NF_INET_FORWARD
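Review bot: alloc_skb() hands back an skb with skb->protocol == 0 and no transport header offset, and nothing in this hunk sets either, whereas the skb_copy_expand() it replaces inherited both from oldskb; add `nskb->protocol = htons(ETH_P_IP);` before the route lookup and `skb_reset_transport_header(nskb);` before the TCP skb_put() so later hooks and classifiers that look at those fields see a sane packet. niph->tot_len is also left at 0 here, which is only right if the transmit call below (not in the diff) fills it in from nskb->len. The TCP part is ordered correctly: rst and ack are set before tcp_v4_check() runs over the header. On the positive side the fresh skb makes the old nf_reset()/mark/secmark/gso clearing unnecessary, and because the IP header is built from scratch the reply can never echo the original packet's options (a source route, for example), which is the right behaviour for a reject response.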
@@ -130,14 +105,16 @@ static void send_reset(struct sk_buff *oldskb, int hook)
)
addr_type = RTN_LOCAL;
+ /* ip_route_me_harder expects skb->dst to be set */
+ dst_hold(oldskb->dst);
+ nskb->dst = oldskb->dst;
+
if (ip_route_me_harder(nskb, addr_type))
goto free_nskb;
+ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
nskb->ip_summed = CHECKSUM_NONE;
- /* Adjust IP TTL */
- niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-
/* "Never happens" */
if (nskb->len > dst_mtu(nskb->dst))
goto free_nskb;
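Review bot: `dst_hold(oldskb->dst)` is done without a NULL check, so this relies on the target only being usable in hooks where oldskb already carries a route; that prerequisite belongs in the comment, because a NULL dst would oops here rather than fail cleanly. The reference handling otherwise balances: ip_route_me_harder() drops the held dst when it reroutes and kfree_skb() in the free_nskb path drops it on failure. Moving the TTL assignment after the route lookup is required rather than cosmetic, since dst_metric() has to read the route that was just chosen.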
@@ -163,11 +140,6 @@ reject_tg(struct sk_buff *skb, const struct net_device *in,
{
const struct ipt_reject_info *reject = targinfo;
- /* Our naive response construction doesn't deal with IP
- options, and probably shouldn't try. */
- if (ip_hdrlen(skb) != sizeof(struct iphdr))
- return NF_DROP;
-
/* WARNING: This code causes reentry within iptables.
This means that the iptables jump stack is now crap. We
must return an absolute verdict. --RR */
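Review bot: this guard rejected every mode handled by reject_tg(), not just TCP reset, so removing it also assumes the ICMP-unreachable paths cope with options-bearing packets; icmp_send() does its own option handling, but the commit message should say that this was checked. For the RST case the removal is only safe together with the send_reset() rewrite above, which now builds a fresh 20-byte header instead of editing a copy of the incoming one, so the two hunks must not be separated when backporting.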
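The commit message describes the new approach in one sentence: build the RST from scratch instead of editing a copy of the offending packet, so that IP options never reach the reply. What follows is an added example, not code from this patch or from the kernel: a userspace C model of the same construction, with a fresh 20-byte IP header, addresses and ports swapped, the RFC 793 seq/ack rule visible in the hunk (seq = SEG.ACK when the offending segment carries ACK, otherwise ack_seq = SEG.SEQ + SYN + FIN + data length with the ACK flag set), both checksums, and the refusal cases (fragment, bad TCP checksum, incoming RST). The sample packets are constructed inline, the TTL of 64 is an assumption where the kernel reads the hop limit from the route, and `build_tcp_reset()` and `rst_field()` are names invented for this example.

```c
/* Added example, not the patch's or the kernel's code: a userspace model of the
 * patched send_reset(). The RST is built from scratch, so IP options on the
 * offending packet are never copied. TTL 64 is an assumption (kernel: route). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10, IP_DF = 0x4000 };
enum { CASE_SYN_OPTS, CASE_ACK, CASE_RST, CASE_BADCSUM };
enum { F_LEN, F_IHL, F_SPORT, F_SEQ, F_ACK, F_FLAGS, F_CSUM_OK };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 ones' complement sum and fold; a correctly checksummed block folds to 0. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2) sum += rd16(p);
    return n ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* TCP checksum: IPv4 pseudo-header (saddr, daddr, proto 6, length) plus the segment. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t n)
{
    return csum_fold(csum_add(csum_add(0, ip + 12, 8) + 6 + (uint32_t)n, tcp, n));
}

/* Writes a 40-byte RST to out and returns 40, or -1 when no RST may be sent: not
 * IPv4/TCP, a fragment, truncated, bad TCP checksum, or itself a RST (RFC 793). */
int build_tcp_reset(const uint8_t *pkt, size_t len, uint8_t out[40])
{
    size_t ihl, seglen, doff;
    const uint8_t *th;
    uint8_t flags;
    if (len < 20 || (pkt[0] >> 4) != 4 || (ihl = (size_t)(pkt[0] & 0x0f) * 4) < 20) return -1;
    if (len < ihl + 20 || pkt[9] != 6 || (rd16(pkt + 6) & 0x3fff)) return -1; /* MF/offset */
    seglen = rd16(pkt + 2); if (seglen < ihl + 20 || seglen > len) return -1;
    seglen -= ihl; th = pkt + ihl; doff = (size_t)(th[12] >> 4) * 4; flags = th[13];
    if (doff < 20 || doff > seglen || (flags & TH_RST)) return -1;
    if (tcp_csum(pkt, th, seglen) != 0) return -1;
    memset(out, 0, 40);
    out[0] = 0x45; wr16(out + 2, 40); wr16(out + 6, IP_DF);   /* ihl 5: options dropped; DF; id 0 */
    out[8] = 64; out[9] = 6;                                  /* TTL (assumed), IPPROTO_TCP */
    memcpy(out + 12, pkt + 16, 4); memcpy(out + 16, pkt + 12, 4);   /* swap addresses */
    wr16(out + 10, csum_fold(csum_add(0, out, 20)));
    memcpy(out + 20, th + 2, 2); memcpy(out + 22, th, 2);     /* swap ports */
    out[32] = 0x50;                                           /* doff 5, no TCP options */
    if (flags & TH_ACK) {                                     /* <SEQ=SEG.ACK><CTL=RST> */
        wr32(out + 24, rd32(th + 8));
        out[33] = TH_RST;
    } else {                                  /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        wr32(out + 28, rd32(th + 4) + !!(flags & TH_SYN) + !!(flags & TH_FIN) + (uint32_t)(seglen - doff));
        out[33] = TH_RST | TH_ACK;
    }
    wr16(out + 36, tcp_csum(out, out + 20, 20));
    return 40;
}

/* Constructed sample packets (not captured traffic): 10.0.0.1:40000 -> 10.0.0.2:22,
 * optionally carrying a NOP,NOP,NOP,EOL IP option block (ihl = 6). */
static const struct { int opts; uint8_t flags; uint32_t seq, ack; const char *data; int corrupt; }
samples[] = {
    [CASE_SYN_OPTS] = { 1, TH_SYN, 1000, 0, "abc", 0 },
    [CASE_ACK]      = { 0, TH_ACK, 500, 7777, "0123456789", 0 },
    [CASE_RST]      = { 0, TH_RST | TH_ACK, 1, 2, "", 0 },
    [CASE_BADCSUM]  = { 0, TH_SYN, 1000, 0, "", 1 },
};

/* Builds sample `which`, runs build_tcp_reset() on it and returns one field of the
 * reply (the return code for F_LEN, or -1 whenever no reply was built). */
long long rst_field(int which, int field)
{
    uint8_t pkt[128], rst[40], *th;
    size_t ihl = samples[which].opts ? 24 : 20, dlen = strlen(samples[which].data);
    int r;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | ihl / 4); pkt[8] = 64; pkt[9] = 6;
    wr16(pkt + 2, (uint16_t)(ihl + 20 + dlen)); wr16(pkt + 4, 0x1234); wr16(pkt + 6, IP_DF);
    wr32(pkt + 12, 0x0A000001); wr32(pkt + 16, 0x0A000002);
    if (samples[which].opts) memcpy(pkt + 20, "\x01\x01\x01\x00", 4);
    wr16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    th = pkt + ihl;
    wr16(th, 40000); wr16(th + 2, 22); wr32(th + 4, samples[which].seq); wr32(th + 8, samples[which].ack);
    th[12] = 0x50; th[13] = samples[which].flags; wr16(th + 14, 65535);
    memcpy(th + 20, samples[which].data, dlen);
    wr16(th + 16, tcp_csum(pkt, th, 20 + dlen));
    if (samples[which].corrupt) th[16] ^= 0xff;               /* break the TCP checksum */
    r = build_tcp_reset(pkt, ihl + 20 + dlen, rst);
    if (field == F_LEN || r < 0) return r;
    switch (field) {
    case F_IHL:   return rst[0] & 0x0f;
    case F_SPORT: return rd16(rst + 20);
    case F_SEQ:   return rd32(rst + 24);
    case F_ACK:   return rd32(rst + 28);
    case F_FLAGS: return rst[33];
    default:      return tcp_csum(rst, rst + 20, 20) == 0 && csum_fold(csum_add(0, rst, 20)) == 0;
    }
}
```

Running the SYN-with-options sample through it yields a 40-byte RST/ACK with ihl 5 and ack_seq 1004 (1000 + 1 for SYN + 3 data bytes), i.e. the reply that the `ip_hdrlen(skb) != sizeof(struct iphdr)` guard removed from reject_tg() used to make impossible; the ACK sample produces a bare RST with seq 7777 and no ACK flag, and the RST and bad-checksum samples produce no reply at all.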
* [NETFILTER 22/38]: nf_conntrack_{tcp,sctp}: mark state table const
2008-01-15 6:19 [NETFILTER 00/38]: Netfilter update Patrick McHardy
` (20 preceding siblings ...)
2008-01-15 6:19 ` [NETFILTER 21/38]: ipt_REJECT: properly handle IP options Patrick McHardy
@ 2008-01-15 6:19 ` Patrick McHardy
2008-01-15 6:19 ` [NETFILTER 23/38]: nf_conntrack_{tcp,sctp}: shrink state table Patrick McHardy
` (16 subsequent siblings)
38 siblings, 0 replies; 44+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_{tcp,sctp}: mark state table const
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 644ca177a54fc8a0e3745955475cccad5c799aae
tree db5a1a2d5518c94a46a898c02c71a0d800e874b6
parent e98b968b91b444bb9af1547818b9601419150dba
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:24 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:24 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 9296fd2..47c1dbe 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -110,7 +110,7 @@ cookie echoed to closed.
*/
/* SCTP conntrack state transitions */
-static enum sctp_conntrack sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
+static const enum sctp_conntrack sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
{
/* ORIGINAL */
/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 1d496b9..be19bd9 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -149,7 +149,7 @@ enum tcp_bit_set {
* if they are invalid
* or we do not support the request (simultaneous open)
*/
-static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
+static const enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
{
/* ORIGINAL */
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
* [NETFILTER 23/38]: nf_conntrack_{tcp,sctp}: shrink state table
2008-01-15 6:19 [NETFILTER 00/38]: Netfilter update Patrick McHardy
` (21 preceding siblings ...)
2008-01-15 6:19 ` [NETFILTER 22/38]: nf_conntrack_{tcp,sctp}: mark state table const Patrick McHardy
@ 2008-01-15 6:19 ` Patrick McHardy
2008-01-15 6:19 ` [NETFILTER 24/38]: nf_conntrack_tcp: remove timeout indirection Patrick McHardy
` (15 subsequent siblings)
38 siblings, 0 replies; 44+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_{tcp,sctp}: shrink state table
The TCP and SCTP conntrack state transition tables only hold
small numbers, but gcc uses 4 bytes per entry for the enum. Switching
to a u8 reduces the size from 480 to 120 bytes for TCP and from
576 to 144 bytes for SCTP.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 310e65023fa9efc6b18c32f3146cc6c24e6b2c33
tree 1cbfef8fbfb6372a12d204531c8b3a83c8f85c3f
parent 644ca177a54fc8a0e3745955475cccad5c799aae
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:25 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:25 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 47c1dbe..9a5ec53 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -110,7 +110,7 @@ cookie echoed to closed.
*/
/* SCTP conntrack state transitions */
-static const enum sctp_conntrack sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
+static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
{
/* ORIGINAL */
/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index be19bd9..dbd8f84 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -149,7 +149,7 @@ enum tcp_bit_set {
* if they are invalid
* or we do not support the request (simultaneous open)
*/
-static const enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
+static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
{
/* ORIGINAL */
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
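Review bot: the lookups now implicitly widen a `u8` back to `enum tcp_conntrack`/`enum sctp_conntrack`, which is fine because every entry is a small enum constant, but a one-line comment above each table saying so would save the next reader a trip to the definition. The numbers in the commit message check out against the declarations: 2*6*10 entries are 120 bytes as u8 versus 480 as 4-byte enums for TCP, and 2*9*8 entries are 144 versus 576 for SCTP.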
* [NETFILTER 24/38]: nf_conntrack_tcp: remove timeout indirection
2008-01-15 6:19 [NETFILTER 00/38]: Netfilter update Patrick McHardy
` (22 preceding siblings ...)
2008-01-15 6:19 ` [NETFILTER 23/38]: nf_conntrack_{tcp,sctp}: shrink state table Patrick McHardy
@ 2008-01-15 6:19 ` Patrick McHardy
2008-01-15 6:19 ` [NETFILTER 25/38]: nf_conntrack_sctp: basic cleanups Patrick McHardy
` (14 subsequent siblings)
38 siblings, 0 replies; 44+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_tcp: remove timeout indirection
Instead of keeping pointers to the timeout values in a table, simply
put the timeout values in the table directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit e11744f0b9408e74f920463e52d59460e9c2b2b2
tree 7a75dea3fedc59c8ae32106fb1aae3a95bf3dfe9
parent 310e65023fa9efc6b18c32f3146cc6c24e6b2c33
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:25 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:25 +0100
net/netfilter/nf_conntrack_proto_tcp.c | 67 +++++++++++++-------------------
1 files changed, 28 insertions(+), 39 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index dbd8f84..64c9b91 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -64,32 +64,21 @@ static const char *tcp_conntrack_names[] = {
#define HOURS * 60 MINS
#define DAYS * 24 HOURS
-static unsigned int nf_ct_tcp_timeout_syn_sent __read_mostly = 2 MINS;
-static unsigned int nf_ct_tcp_timeout_syn_recv __read_mostly = 60 SECS;
-static unsigned int nf_ct_tcp_timeout_established __read_mostly = 5 DAYS;
-static unsigned int nf_ct_tcp_timeout_fin_wait __read_mostly = 2 MINS;
-static unsigned int nf_ct_tcp_timeout_close_wait __read_mostly = 60 SECS;
-static unsigned int nf_ct_tcp_timeout_last_ack __read_mostly = 30 SECS;
-static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly = 2 MINS;
-static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS;
-
/* RFC1122 says the R2 limit should be at least 100 seconds.
Linux uses 15 packets as limit, which corresponds
to ~13-30min depending on RTO. */
static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS;
-static unsigned int * tcp_timeouts[] = {
- NULL, /* TCP_CONNTRACK_NONE */
- &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */
- &nf_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */
- &nf_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */
- &nf_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */
- &nf_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */
- &nf_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */
- &nf_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */
- &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */
- NULL, /* TCP_CONNTRACK_LISTEN */
- };
+static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
+ [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
+ [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
+ [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
+ [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
+ [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
+ [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
+ [TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
+ [TCP_CONNTRACK_CLOSE] = 10 SECS,
+};
#define sNO TCP_CONNTRACK_NONE
#define sSS TCP_CONNTRACK_SYN_SENT
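Review bot: the designated initializer silently leaves `tcp_timeouts[TCP_CONNTRACK_NONE]` and `[TCP_CONNTRACK_LISTEN]` at 0 where the old pointer table held NULL; a lookup with one of those states used to oops on the `*tcp_timeouts[new_state]` dereference and would now refresh the conntrack with a zero timeout instead. If those states really cannot reach the refresh site, a comment on the table (or a WARN_ON_ONCE at the lookup) should document that invariant rather than leaving it implicit.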
@@ -941,8 +930,8 @@ static int tcp_packet(struct nf_conn *conntrack,
|| new_state == TCP_CONNTRACK_CLOSE))
conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
- && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
- ? nf_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
+ && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
+ ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state];
write_unlock_bh(&tcp_lock);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
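Review bot: the ternary repeats the array lookup and is hard to read; the timeout is `tcp_timeouts[new_state]` unless retransmissions are capped, in which case it is the smaller of that and `nf_ct_tcp_timeout_max_retrans`, so `timeout = tcp_timeouts[new_state]; if (conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans) timeout = min(timeout, nf_ct_tcp_timeout_max_retrans);` says the same thing directly.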
@@ -1163,56 +1152,56 @@ static struct ctl_table_header *tcp_sysctl_header;
static struct ctl_table tcp_sysctl_table[] = {
{
.procname = "nf_conntrack_tcp_timeout_syn_sent",
- .data = &nf_ct_tcp_timeout_syn_sent,
+ .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_syn_recv",
- .data = &nf_ct_tcp_timeout_syn_recv,
+ .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_established",
- .data = &nf_ct_tcp_timeout_established,
+ .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_fin_wait",
- .data = &nf_ct_tcp_timeout_fin_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_close_wait",
- .data = &nf_ct_tcp_timeout_close_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_last_ack",
- .data = &nf_ct_tcp_timeout_last_ack,
+ .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_time_wait",
- .data = &nf_ct_tcp_timeout_time_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_tcp_timeout_close",
- .data = &nf_ct_tcp_timeout_close,
+ .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
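Review bot: pointing `.data` at individual array elements is fine given `.maxlen = sizeof(unsigned int)` and proc_dointvec_jiffies(), but this table and the compat table below now hold sixteen entries that differ only in the procname prefix and the array index; a small macro generating an entry from the state name would remove most of this churn and keep the two tables from drifting apart.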
@@ -1257,56 +1246,56 @@ static struct ctl_table tcp_sysctl_table[] = {
static struct ctl_table tcp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_tcp_timeout_syn_sent",
- .data = &nf_ct_tcp_timeout_syn_sent,
+ .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_syn_recv",
- .data = &nf_ct_tcp_timeout_syn_recv,
+ .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_established",
- .data = &nf_ct_tcp_timeout_established,
+ .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_fin_wait",
- .data = &nf_ct_tcp_timeout_fin_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_close_wait",
- .data = &nf_ct_tcp_timeout_close_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_last_ack",
- .data = &nf_ct_tcp_timeout_last_ack,
+ .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_time_wait",
- .data = &nf_ct_tcp_timeout_time_wait,
+ .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_tcp_timeout_close",
- .data = &nf_ct_tcp_timeout_close,
+ .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
* [NETFILTER 25/38]: nf_conntrack_sctp: basic cleanups
2008-01-15 6:19 [NETFILTER 00/38]: Netfilter update Patrick McHardy
` (23 preceding siblings ...)
2008-01-15 6:19 ` [NETFILTER 24/38]: nf_conntrack_tcp: remove timeout indirection Patrick McHardy
@ 2008-01-15 6:19 ` Patrick McHardy
2008-01-15 6:19 ` [NETFILTER 26/38]: nf_conntrack_sctp: use proper types for bitops Patrick McHardy
` (13 subsequent siblings)
38 siblings, 0 replies; 44+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: basic cleanups
Reindent switch cases properly, get rid of weird constructs like "!(x == y)",
put logical operations at the end of the line instead of the next line, get
rid of superfluous braces.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 2138af0660d4043c80aa13caa07e50ebeb1996d9
tree 4bebb98df91217146aea4a55f4df6ed84122addd
parent e11744f0b9408e74f920463e52d59460e9c2b2b2
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:26 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:26 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 140 ++++++++++++++++---------------
1 files changed, 72 insertions(+), 68 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 9a5ec53..689cc50 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -206,28 +206,26 @@ static int do_basic_checks(struct nf_conn *conntrack,
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
- if (sch->type == SCTP_CID_INIT
- || sch->type == SCTP_CID_INIT_ACK
- || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
+ if (sch->type == SCTP_CID_INIT ||
+ sch->type == SCTP_CID_INIT_ACK ||
+ sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
flag = 1;
- }
/*
* Cookie Ack/Echo chunks not the first OR
* Init / Init Ack / Shutdown compl chunks not the only chunks
* OR zero-length.
*/
- if (((sch->type == SCTP_CID_COOKIE_ACK
- || sch->type == SCTP_CID_COOKIE_ECHO
- || flag)
- && count !=0) || !sch->length) {
+ if (((sch->type == SCTP_CID_COOKIE_ACK ||
+ sch->type == SCTP_CID_COOKIE_ECHO ||
+ flag) &&
+ count != 0) || !sch->length) {
pr_debug("Basic checks failed\n");
return 1;
}
- if (map) {
+ if (map)
set_bit(sch->type, (void *)map);
- }
}
pr_debug("Basic checks passed\n");
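Review bot: `flag` is deliberately sticky across loop iterations, which is what implements the "not the only chunks" rule (an INIT as the first chunk passes at count 0, and any chunk after it then fails because flag is still set); since the cleanup rewrites these lines anyway, a name like `saw_init` or a one-line comment would make that intent visible. Also worth noting in passing: the index passed to set_bit() is `sch->type` straight from the packet, so `map` must be at least 256 bits wide for an attacker-chosen chunk type not to write outside it; the bitops patch that follows in this series is the place to pin that down.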
@@ -243,39 +241,48 @@ static int new_state(enum ip_conntrack_dir dir,
pr_debug("Chunk type: %d\n", chunk_type);
switch (chunk_type) {
- case SCTP_CID_INIT:
- pr_debug("SCTP_CID_INIT\n");
- i = 0; break;
- case SCTP_CID_INIT_ACK:
- pr_debug("SCTP_CID_INIT_ACK\n");
- i = 1; break;
- case SCTP_CID_ABORT:
- pr_debug("SCTP_CID_ABORT\n");
- i = 2; break;
- case SCTP_CID_SHUTDOWN:
- pr_debug("SCTP_CID_SHUTDOWN\n");
- i = 3; break;
- case SCTP_CID_SHUTDOWN_ACK:
- pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
- i = 4; break;
- case SCTP_CID_ERROR:
- pr_debug("SCTP_CID_ERROR\n");
- i = 5; break;
- case SCTP_CID_COOKIE_ECHO:
- pr_debug("SCTP_CID_COOKIE_ECHO\n");
- i = 6; break;
- case SCTP_CID_COOKIE_ACK:
- pr_debug("SCTP_CID_COOKIE_ACK\n");
- i = 7; break;
- case SCTP_CID_SHUTDOWN_COMPLETE:
- pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
- i = 8; break;
- default:
- /* Other chunks like DATA, SACK, HEARTBEAT and
- its ACK do not cause a change in state */
- pr_debug("Unknown chunk type, Will stay in %s\n",
- sctp_conntrack_names[cur_state]);
- return cur_state;
+ case SCTP_CID_INIT:
+ pr_debug("SCTP_CID_INIT\n");
+ i = 0;
+ break;
+ case SCTP_CID_INIT_ACK:
+ pr_debug("SCTP_CID_INIT_ACK\n");
+ i = 1;
+ break;
+ case SCTP_CID_ABORT:
+ pr_debug("SCTP_CID_ABORT\n");
+ i = 2;
+ break;
+ case SCTP_CID_SHUTDOWN:
+ pr_debug("SCTP_CID_SHUTDOWN\n");
+ i = 3;
+ break;
+ case SCTP_CID_SHUTDOWN_ACK:
+ pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
+ i = 4;
+ break;
+ case SCTP_CID_ERROR:
+ pr_debug("SCTP_CID_ERROR\n");
+ i = 5;
+ break;
+ case SCTP_CID_COOKIE_ECHO:
+ pr_debug("SCTP_CID_COOKIE_ECHO\n");
+ i = 6;
+ break;
+ case SCTP_CID_COOKIE_ACK:
+ pr_debug("SCTP_CID_COOKIE_ACK\n");
+ i = 7;
+ break;
+ case SCTP_CID_SHUTDOWN_COMPLETE:
+ pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
+ i = 8;
+ break;
+ default:
+ /* Other chunks like DATA, SACK, HEARTBEAT and
+ its ACK do not cause a change in state */
+ pr_debug("Unknown chunk type, Will stay in %s\n",
+ sctp_conntrack_names[cur_state]);
+ return cur_state;
}
pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
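Review bot: the `i = 0` to `i = 8` values are the second index of `sctp_conntracks[2][9][SCTP_CONNTRACK_MAX]`, but nothing ties the two together except position; since every case is rewritten here, an enum mirroring the row order (or a comment on the table listing which chunk each row belongs to) would stop a silent mismatch when a chunk type is added or reordered.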
@@ -307,12 +314,12 @@ static int sctp_packet(struct nf_conn *conntrack,
return -1;
/* Check the verification tag (Sec 8.5) */
- if (!test_bit(SCTP_CID_INIT, (void *)map)
- && !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, (void *)map)
- && !test_bit(SCTP_CID_COOKIE_ECHO, (void *)map)
- && !test_bit(SCTP_CID_ABORT, (void *)map)
- && !test_bit(SCTP_CID_SHUTDOWN_ACK, (void *)map)
- && (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) {
+ if (!test_bit(SCTP_CID_INIT, (void *)map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) &&
+ !test_bit(SCTP_CID_COOKIE_ECHO, (void *)map) &&
+ !test_bit(SCTP_CID_ABORT, (void *)map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_ACK, (void *)map) &&
+ sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
pr_debug("Verification tag check failed\n");
return -1;
}
@@ -330,24 +337,22 @@ static int sctp_packet(struct nf_conn *conntrack,
}
} else if (sch->type == SCTP_CID_ABORT) {
/* Sec 8.5.1 (B) */
- if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])
- && !(sh->vtag == conntrack->proto.sctp.vtag
- [1 - CTINFO2DIR(ctinfo)])) {
+ if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
+ sh->vtag != conntrack->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)]) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
/* Sec 8.5.1 (C) */
- if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])
- && !(sh->vtag == conntrack->proto.sctp.vtag
- [1 - CTINFO2DIR(ctinfo)]
- && (sch->flags & 1))) {
+ if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
+ sh->vtag != conntrack->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)] &&
+ (sch->flags & 1)) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */
- if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])) {
+ if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
write_unlock_bh(&sctp_lock);
return -1;
}
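Review bot: the SHUTDOWN_COMPLETE rewrite under "Sec 8.5.1 (C)" is not equivalent to the condition it replaces and should be split out (or reverted) if a behaviour change was not intended. The removed test was `!(vtag == own) && !(vtag == peer && (flags & 1))`; negating the second half gives `vtag != peer || !(flags & 1)`, but the new code requires `vtag != peer && (flags & 1)`. A chunk carrying the peer's tag without the T flag, or carrying neither tag and no T flag, was rejected before and passes now. The (B) and (D) rewrites are plain De Morgan and fine. To flatten (C) without changing it: `if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)] && !(sh->vtag == conntrack->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)] && (sch->flags & 1)))`.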
@@ -366,15 +371,15 @@ static int sctp_packet(struct nf_conn *conntrack,
}
/* If it is an INIT or an INIT ACK note down the vtag */
- if (sch->type == SCTP_CID_INIT
- || sch->type == SCTP_CID_INIT_ACK) {
+ if (sch->type == SCTP_CID_INIT ||
+ sch->type == SCTP_CID_INIT_ACK) {
sctp_inithdr_t _inithdr, *ih;
ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
sizeof(_inithdr), &_inithdr);
if (ih == NULL) {
- write_unlock_bh(&sctp_lock);
- return -1;
+ write_unlock_bh(&sctp_lock);
+ return -1;
}
pr_debug("Setting vtag %x for dir %d\n",
ih->init_tag, !CTINFO2DIR(ctinfo));
@@ -389,9 +394,9 @@ static int sctp_packet(struct nf_conn *conntrack,
nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);
- if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED
- && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
- && newconntrack == SCTP_CONNTRACK_ESTABLISHED) {
+ if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED &&
+ CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY &&
+ newconntrack == SCTP_CONNTRACK_ESTABLISHED) {
pr_debug("Setting assured bit\n");
set_bit(IPS_ASSURED_BIT, &conntrack->status);
nf_conntrack_event_cache(IPCT_STATUS, skb);
@@ -418,11 +423,10 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
return 0;
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
- if ((test_bit (SCTP_CID_ABORT, (void *)map))
- || (test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map))
- || (test_bit (SCTP_CID_COOKIE_ACK, (void *)map))) {
+ if (test_bit (SCTP_CID_ABORT, (void *)map) ||
+ test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) ||
+ test_bit (SCTP_CID_COOKIE_ACK, (void *)map))
return 0;
- }
newconntrack = SCTP_CONNTRACK_MAX;
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
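Review bot: `test_bit (` keeps a space before the parenthesis on all three rewritten lines while the sctp_packet() call sites above use `test_bit(`; since these lines are being rewritten anyway, normalise the spacing here instead of in a follow-up patch.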
* [NETFILTER 26/38]: nf_conntrack_sctp: use proper types for bitops
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: use proper types for bitops
Use unsigned long instead of char for the bitmap and remove lots
of casts.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 7b4d31af2b7c66345df8c9147468076c6cb8ab8e
tree 6818c02035633d2a911a7fd414bea3009de56119
parent 2138af0660d4043c80aa13caa07e50ebeb1996d9
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:26 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:26 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 24 ++++++++++++------------
1 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 689cc50..5166bb3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -195,7 +195,7 @@ for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
static int do_basic_checks(struct nf_conn *conntrack,
const struct sk_buff *skb,
unsigned int dataoff,
- char *map)
+ unsigned long *map)
{
u_int32_t offset, count;
sctp_chunkhdr_t _sch, *sch;
@@ -225,7 +225,7 @@ static int do_basic_checks(struct nf_conn *conntrack,
}
if (map)
- set_bit(sch->type, (void *)map);
+ set_bit(sch->type, map);
}
pr_debug("Basic checks passed\n");
@@ -304,7 +304,7 @@ static int sctp_packet(struct nf_conn *conntrack,
sctp_sctphdr_t _sctph, *sh;
sctp_chunkhdr_t _sch, *sch;
u_int32_t offset, count;
- char map[256 / sizeof (char)] = {0};
+ unsigned long map[256 / sizeof(unsigned long)] = { 0 };
sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
if (sh == NULL)
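Review bot: the array size is still computed in bytes rather than bits: `256 / sizeof(unsigned long)` gives 32 longs on a 64-bit kernel (2048 bits) and 64 longs on a 32-bit one (also 2048 bits), eight times what a 256-entry chunk-type bitmap needs, and the whole thing is zero-initialised on every packet. The old `char map[256 / sizeof (char)]` had the same 8x oversize. `DECLARE_BITMAP(map, 256)` (equivalently `unsigned long map[BITS_TO_LONGS(256)]`) sizes it correctly and states the intent.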
@@ -314,11 +314,11 @@ static int sctp_packet(struct nf_conn *conntrack,
return -1;
/* Check the verification tag (Sec 8.5) */
- if (!test_bit(SCTP_CID_INIT, (void *)map) &&
- !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) &&
- !test_bit(SCTP_CID_COOKIE_ECHO, (void *)map) &&
- !test_bit(SCTP_CID_ABORT, (void *)map) &&
- !test_bit(SCTP_CID_SHUTDOWN_ACK, (void *)map) &&
+ if (!test_bit(SCTP_CID_INIT, map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
+ !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
+ !test_bit(SCTP_CID_ABORT, map) &&
+ !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
pr_debug("Verification tag check failed\n");
return -1;
@@ -413,7 +413,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
sctp_sctphdr_t _sctph, *sh;
sctp_chunkhdr_t _sch, *sch;
u_int32_t offset, count;
- char map[256 / sizeof (char)] = {0};
+ unsigned long map[256 / sizeof(unsigned long)] = { 0 };
sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
if (sh == NULL)
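Review bot: same sizing point as the `map` declaration in sctp_packet(): `256 / sizeof(unsigned long)` divides by bytes, not bits, so the bitmap is eight times too large; use `DECLARE_BITMAP(map, 256)` here as well.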
@@ -423,9 +423,9 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
return 0;
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
- if (test_bit (SCTP_CID_ABORT, (void *)map) ||
- test_bit (SCTP_CID_SHUTDOWN_COMPLETE, (void *)map) ||
- test_bit (SCTP_CID_COOKIE_ACK, (void *)map))
+ if (test_bit(SCTP_CID_ABORT, map) ||
+ test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
+ test_bit(SCTP_CID_COOKIE_ACK, map))
return 0;
newconntrack = SCTP_CONNTRACK_MAX;
* [NETFILTER 27/38]: nf_conntrack_sctp: reduce line length
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: reduce line length
Reduce the length of some overly long lines by renaming all
"conntrack" variables to "ct".
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 1880ca6a51b7d8404a574db37e9fe1ad4349a580
tree fca5c1d067d27d65a9013be777e7cc3fce21ac6f
parent 7b4d31af2b7c66345df8c9147468076c6cb8ab8e
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 43 +++++++++++++++----------------
1 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 5166bb3..84e37e9 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -173,13 +173,12 @@ static int sctp_print_tuple(struct seq_file *s,
}
/* Print out the private part of the conntrack. */
-static int sctp_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
+static int sctp_print_conntrack(struct seq_file *s, const struct nf_conn *ct)
{
enum sctp_conntrack state;
read_lock_bh(&sctp_lock);
- state = conntrack->proto.sctp.state;
+ state = ct->proto.sctp.state;
read_unlock_bh(&sctp_lock);
return seq_printf(s, "%s ", sctp_conntrack_names[state]);
@@ -192,7 +191,7 @@ for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
(offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
/* Some validity checks to make sure the chunks are fine */
-static int do_basic_checks(struct nf_conn *conntrack,
+static int do_basic_checks(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
unsigned long *map)
@@ -293,7 +292,7 @@ static int new_state(enum ip_conntrack_dir dir,
}
/* Returns verdict for packet, or -1 for invalid. */
-static int sctp_packet(struct nf_conn *conntrack,
+static int sctp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
@@ -310,7 +309,7 @@ static int sctp_packet(struct nf_conn *conntrack,
if (sh == NULL)
return -1;
- if (do_basic_checks(conntrack, skb, dataoff, map) != 0)
+ if (do_basic_checks(ct, skb, dataoff, map) != 0)
return -1;
/* Check the verification tag (Sec 8.5) */
@@ -319,7 +318,7 @@ static int sctp_packet(struct nf_conn *conntrack,
!test_bit(SCTP_CID_COOKIE_ECHO, map) &&
!test_bit(SCTP_CID_ABORT, map) &&
!test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
- sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
+ sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
pr_debug("Verification tag check failed\n");
return -1;
}
@@ -337,28 +336,28 @@ static int sctp_packet(struct nf_conn *conntrack,
}
} else if (sch->type == SCTP_CID_ABORT) {
/* Sec 8.5.1 (B) */
- if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
- sh->vtag != conntrack->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)]) {
+ if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
+ sh->vtag != ct->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)]) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
/* Sec 8.5.1 (C) */
- if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
- sh->vtag != conntrack->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)] &&
+ if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
+ sh->vtag != ct->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)] &&
(sch->flags & 1)) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */
- if (sh->vtag != conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
+ if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
write_unlock_bh(&sctp_lock);
return -1;
}
}
- oldsctpstate = conntrack->proto.sctp.state;
+ oldsctpstate = ct->proto.sctp.state;
newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);
/* Invalid */
@@ -383,22 +382,22 @@ static int sctp_packet(struct nf_conn *conntrack,
}
pr_debug("Setting vtag %x for dir %d\n",
ih->init_tag, !CTINFO2DIR(ctinfo));
- conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
+ ct->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
}
- conntrack->proto.sctp.state = newconntrack;
+ ct->proto.sctp.state = newconntrack;
if (oldsctpstate != newconntrack)
nf_conntrack_event_cache(IPCT_PROTOINFO, skb);
write_unlock_bh(&sctp_lock);
}
- nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);
+ nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[newconntrack]);
if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED &&
CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY &&
newconntrack == SCTP_CONNTRACK_ESTABLISHED) {
pr_debug("Setting assured bit\n");
- set_bit(IPS_ASSURED_BIT, &conntrack->status);
+ set_bit(IPS_ASSURED_BIT, &ct->status);
nf_conntrack_event_cache(IPCT_STATUS, skb);
}
@@ -406,7 +405,7 @@ static int sctp_packet(struct nf_conn *conntrack,
}
/* Called when a new connection for this protocol found. */
-static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
+static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
unsigned int dataoff)
{
enum sctp_conntrack newconntrack;
@@ -419,7 +418,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
if (sh == NULL)
return 0;
- if (do_basic_checks(conntrack, skb, dataoff, map) != 0)
+ if (do_basic_checks(ct, skb, dataoff, map) != 0)
return 0;
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
@@ -454,7 +453,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
pr_debug("Setting vtag %x for new conn\n",
ih->init_tag);
- conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] =
+ ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
ih->init_tag;
} else {
/* Sec 8.5.1 (A) */
@@ -466,10 +465,10 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
else {
pr_debug("Setting vtag %x for new conn OOTB\n",
sh->vtag);
- conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
+ ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
}
- conntrack->proto.sctp.state = newconntrack;
+ ct->proto.sctp.state = newconntrack;
}
return 1;
* [NETFILTER 28/38]: nf_conntrack_sctp: reduce line length further
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: reduce line length further
Eliminate a few lines over 80 characters by using a local variable to
hold the conntrack direction instead of using CTINFO2DIR everywhere.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 813e62c43db7ec9a71df93147f422c0aa9b8fe67
tree 18269f6b89a5fc02b9418a56410c21a36924edb9
parent 1880ca6a51b7d8404a574db37e9fe1ad4349a580
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 23 ++++++++++++-----------
1 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 84e37e9..fdabef5 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -300,6 +300,7 @@ static int sctp_packet(struct nf_conn *ct,
unsigned int hooknum)
{
enum sctp_conntrack newconntrack, oldsctpstate;
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
sctp_sctphdr_t _sctph, *sh;
sctp_chunkhdr_t _sch, *sch;
u_int32_t offset, count;
@@ -318,7 +319,7 @@ static int sctp_packet(struct nf_conn *ct,
!test_bit(SCTP_CID_COOKIE_ECHO, map) &&
!test_bit(SCTP_CID_ABORT, map) &&
!test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
- sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
+ sh->vtag != ct->proto.sctp.vtag[dir]) {
pr_debug("Verification tag check failed\n");
return -1;
}
@@ -336,35 +337,35 @@ static int sctp_packet(struct nf_conn *ct,
}
} else if (sch->type == SCTP_CID_ABORT) {
/* Sec 8.5.1 (B) */
- if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
- sh->vtag != ct->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)]) {
+ if (sh->vtag != ct->proto.sctp.vtag[dir] &&
+ sh->vtag != ct->proto.sctp.vtag[!dir]) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
/* Sec 8.5.1 (C) */
- if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)] &&
- sh->vtag != ct->proto.sctp.vtag[1 - CTINFO2DIR(ctinfo)] &&
+ if (sh->vtag != ct->proto.sctp.vtag[dir] &&
+ sh->vtag != ct->proto.sctp.vtag[!dir] &&
(sch->flags & 1)) {
write_unlock_bh(&sctp_lock);
return -1;
}
} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */
- if (sh->vtag != ct->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) {
+ if (sh->vtag != ct->proto.sctp.vtag[dir]) {
write_unlock_bh(&sctp_lock);
return -1;
}
}
oldsctpstate = ct->proto.sctp.state;
- newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);
+ newconntrack = new_state(dir, oldsctpstate, sch->type);
/* Invalid */
if (newconntrack == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
"conntrack=%u\n",
- CTINFO2DIR(ctinfo), sch->type, oldsctpstate);
+ dir, sch->type, oldsctpstate);
write_unlock_bh(&sctp_lock);
return -1;
}
@@ -381,8 +382,8 @@ static int sctp_packet(struct nf_conn *ct,
return -1;
}
pr_debug("Setting vtag %x for dir %d\n",
- ih->init_tag, !CTINFO2DIR(ctinfo));
- ct->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
+ ih->init_tag, !dir);
+ ct->proto.sctp.vtag[!dir] = ih->init_tag;
}
ct->proto.sctp.state = newconntrack;
@@ -394,7 +395,7 @@ static int sctp_packet(struct nf_conn *ct,
nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[newconntrack]);
if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED &&
- CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY &&
+ dir == IP_CT_DIR_REPLY &&
newconntrack == SCTP_CONNTRACK_ESTABLISHED) {
pr_debug("Setting assured bit\n");
set_bit(IPS_ASSURED_BIT, &ct->status);
* [NETFILTER 29/38]: nf_conntrack_sctp: consolidate sctp_packet() error paths
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: consolidate sctp_packet() error paths
Consolidate error paths and use a proper symbolic return value instead
of magic values.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 55c98e3af141112533dfc4365b9b03997893a33f
tree d1ca354781c0848cef5964e1bf0e69fe8ceab627
parent 813e62c43db7ec9a71df93147f422c0aa9b8fe67
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:27 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 46 +++++++++++++------------------
1 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index fdabef5..e52b6b9 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -291,7 +291,7 @@ static int new_state(enum ip_conntrack_dir dir,
return sctp_conntracks[dir][i][cur_state];
}
-/* Returns verdict for packet, or -1 for invalid. */
+/* Returns verdict for packet, or -NF_ACCEPT for invalid. */
static int sctp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
@@ -308,10 +308,10 @@ static int sctp_packet(struct nf_conn *ct,
sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
if (sh == NULL)
- return -1;
+ goto out;
if (do_basic_checks(ct, skb, dataoff, map) != 0)
- return -1;
+ goto out;
/* Check the verification tag (Sec 8.5) */
if (!test_bit(SCTP_CID_INIT, map) &&
@@ -321,7 +321,7 @@ static int sctp_packet(struct nf_conn *ct,
!test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
sh->vtag != ct->proto.sctp.vtag[dir]) {
pr_debug("Verification tag check failed\n");
- return -1;
+ goto out;
}
oldsctpstate = newconntrack = SCTP_CONNTRACK_MAX;
@@ -331,31 +331,23 @@ static int sctp_packet(struct nf_conn *ct,
/* Special cases of Verification tag check (Sec 8.5.1) */
if (sch->type == SCTP_CID_INIT) {
/* Sec 8.5.1 (A) */
- if (sh->vtag != 0) {
- write_unlock_bh(&sctp_lock);
- return -1;
- }
+ if (sh->vtag != 0)
+ goto out_unlock;
} else if (sch->type == SCTP_CID_ABORT) {
/* Sec 8.5.1 (B) */
if (sh->vtag != ct->proto.sctp.vtag[dir] &&
- sh->vtag != ct->proto.sctp.vtag[!dir]) {
- write_unlock_bh(&sctp_lock);
- return -1;
- }
+ sh->vtag != ct->proto.sctp.vtag[!dir])
+ goto out_unlock;
} else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
/* Sec 8.5.1 (C) */
if (sh->vtag != ct->proto.sctp.vtag[dir] &&
sh->vtag != ct->proto.sctp.vtag[!dir] &&
- (sch->flags & 1)) {
- write_unlock_bh(&sctp_lock);
- return -1;
- }
+ (sch->flags & 1))
+ goto out_unlock;
} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */
- if (sh->vtag != ct->proto.sctp.vtag[dir]) {
- write_unlock_bh(&sctp_lock);
- return -1;
- }
+ if (sh->vtag != ct->proto.sctp.vtag[dir])
+ goto out_unlock;
}
oldsctpstate = ct->proto.sctp.state;
@@ -366,8 +358,7 @@ static int sctp_packet(struct nf_conn *ct,
pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
"conntrack=%u\n",
dir, sch->type, oldsctpstate);
- write_unlock_bh(&sctp_lock);
- return -1;
+ goto out_unlock;
}
/* If it is an INIT or an INIT ACK note down the vtag */
@@ -377,10 +368,8 @@ static int sctp_packet(struct nf_conn *ct,
ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
sizeof(_inithdr), &_inithdr);
- if (ih == NULL) {
- write_unlock_bh(&sctp_lock);
- return -1;
- }
+ if (ih == NULL)
+ goto out_unlock;
pr_debug("Setting vtag %x for dir %d\n",
ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
@@ -403,6 +392,11 @@ static int sctp_packet(struct nf_conn *ct,
}
return NF_ACCEPT;
+
+out_unlock:
+ write_unlock_bh(&sctp_lock);
+out:
+ return -NF_ACCEPT;
}
/* Called when a new connection for this protocol found. */
* [NETFILTER 30/38]: nf_conntrack_sctp: rename "newconntrack" variable
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: rename "newconntrack" variable
The name is misleading, it holds the new connection state, so rename it
to "newstate". Also rename "oldsctpstate" to "oldstate" for consistency.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 426d981e95c0171858e0e4658373986717739fa5
tree 2b13b2c192919d8c5f155d1d4ba18cdb0069082b
parent 55c98e3af141112533dfc4365b9b03997893a33f
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:28 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:28 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 42 ++++++++++++++++---------------
1 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index e52b6b9..7baabc0 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -231,9 +231,9 @@ static int do_basic_checks(struct nf_conn *ct,
return count == 0;
}
-static int new_state(enum ip_conntrack_dir dir,
- enum sctp_conntrack cur_state,
- int chunk_type)
+static int sctp_new_state(enum ip_conntrack_dir dir,
+ enum sctp_conntrack cur_state,
+ int chunk_type)
{
int i;
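Review bot: the commit message does not match the hunks: it says the variables become "newstate" and "oldstate", while the code introduces `new_state` and `old_state`, and it does not mention that the function `new_state()` is renamed to `sctp_new_state()`. That rename is needed because the new local `new_state` in sctp_packet() would otherwise shadow the function, which is exactly the kind of thing a reader of the log wants to see stated; please update the message accordingly.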
@@ -299,7 +299,7 @@ static int sctp_packet(struct nf_conn *ct,
int pf,
unsigned int hooknum)
{
- enum sctp_conntrack newconntrack, oldsctpstate;
+ enum sctp_conntrack new_state, old_state;
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
sctp_sctphdr_t _sctph, *sh;
sctp_chunkhdr_t _sch, *sch;
@@ -324,7 +324,7 @@ static int sctp_packet(struct nf_conn *ct,
goto out;
}
- oldsctpstate = newconntrack = SCTP_CONNTRACK_MAX;
+ old_state = new_state = SCTP_CONNTRACK_MAX;
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
write_lock_bh(&sctp_lock);
@@ -350,14 +350,14 @@ static int sctp_packet(struct nf_conn *ct,
goto out_unlock;
}
- oldsctpstate = ct->proto.sctp.state;
- newconntrack = new_state(dir, oldsctpstate, sch->type);
+ old_state = ct->proto.sctp.state;
+ new_state = sctp_new_state(dir, old_state, sch->type);
/* Invalid */
- if (newconntrack == SCTP_CONNTRACK_MAX) {
+ if (new_state == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
"conntrack=%u\n",
- dir, sch->type, oldsctpstate);
+ dir, sch->type, old_state);
goto out_unlock;
}
@@ -375,17 +375,17 @@ static int sctp_packet(struct nf_conn *ct,
ct->proto.sctp.vtag[!dir] = ih->init_tag;
}
- ct->proto.sctp.state = newconntrack;
- if (oldsctpstate != newconntrack)
+ ct->proto.sctp.state = new_state;
+ if (old_state != new_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, skb);
write_unlock_bh(&sctp_lock);
}
- nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[newconntrack]);
+ nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[new_state]);
- if (oldsctpstate == SCTP_CONNTRACK_COOKIE_ECHOED &&
+ if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
dir == IP_CT_DIR_REPLY &&
- newconntrack == SCTP_CONNTRACK_ESTABLISHED) {
+ new_state == SCTP_CONNTRACK_ESTABLISHED) {
pr_debug("Setting assured bit\n");
set_bit(IPS_ASSURED_BIT, &ct->status);
nf_conntrack_event_cache(IPCT_STATUS, skb);
@@ -403,7 +403,7 @@ out:
static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
unsigned int dataoff)
{
- enum sctp_conntrack newconntrack;
+ enum sctp_conntrack new_state;
sctp_sctphdr_t _sctph, *sh;
sctp_chunkhdr_t _sch, *sch;
u_int32_t offset, count;
@@ -422,15 +422,15 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
test_bit(SCTP_CID_COOKIE_ACK, map))
return 0;
- newconntrack = SCTP_CONNTRACK_MAX;
+ new_state = SCTP_CONNTRACK_MAX;
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
/* Don't need lock here: this conntrack not in circulation yet */
- newconntrack = new_state(IP_CT_DIR_ORIGINAL,
- SCTP_CONNTRACK_NONE, sch->type);
+ new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
+ SCTP_CONNTRACK_NONE, sch->type);
/* Invalid: delete conntrack */
- if (newconntrack == SCTP_CONNTRACK_NONE ||
- newconntrack == SCTP_CONNTRACK_MAX) {
+ if (new_state == SCTP_CONNTRACK_NONE ||
+ new_state == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
return 0;
}
@@ -463,7 +463,7 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
}
- ct->proto.sctp.state = newconntrack;
+ ct->proto.sctp.state = new_state;
}
return 1;
* [NETFILTER 31/38]: nf_conntrack_sctp: don't take sctp_lock once per chunk
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: don't take sctp_lock once per chunk
Don't take and release the lock once per SCTP chunk, simply hold it
the entire time while iterating through the chunks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit febaa2eab0d9efc458d9cbefef7fa7f9859250d1
tree b8062780663c6d45112f973ae2d8b51da74969b8
parent 426d981e95c0171858e0e4658373986717739fa5
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:28 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:28 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 7baabc0..177e8f6 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -325,9 +325,8 @@ static int sctp_packet(struct nf_conn *ct,
}
old_state = new_state = SCTP_CONNTRACK_MAX;
+ write_lock_bh(&sctp_lock);
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
- write_lock_bh(&sctp_lock);
-
/* Special cases of Verification tag check (Sec 8.5.1) */
if (sch->type == SCTP_CID_INIT) {
/* Sec 8.5.1 (A) */
@@ -378,8 +377,8 @@ static int sctp_packet(struct nf_conn *ct,
ct->proto.sctp.state = new_state;
if (old_state != new_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, skb);
- write_unlock_bh(&sctp_lock);
}
+ write_unlock_bh(&sctp_lock);
nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[new_state]);
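Review bot: holding sctp_lock across the whole chunk walk is sound as long as nothing in the loop body can sleep; skb_header_pointer() and nf_conntrack_event_cache() are both safe under a bh-disabled write lock, and every in-loop failure already leaves through out_unlock (from the preceding error-path patch), so the lock balance holds. Worth a sentence in the commit message: the per-chunk state updates and IPCT_PROTOINFO events are now a single critical section, so a concurrent reader sees either the pre-packet or the post-packet state, never an intermediate one.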
* [NETFILTER 32/38]: nf_conntrack_sctp: remove unused ttag field from conntrack data
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: remove unused ttag field from conntrack data
Spotted by Pablo Neira Ayuso <pablo@netfilter.org>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5c06ef38713fa6bc6cb80f7834464e4761a383dc
tree 9e8564b679a5a4a95e0e98c02e0c2040a5f3248e
parent febaa2eab0d9efc458d9cbefef7fa7f9859250d1
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:29 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:29 +0100
include/linux/netfilter/nf_conntrack_sctp.h | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
index 5cf2c11..768f78c 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -21,7 +21,6 @@ struct ip_ct_sctp
enum sctp_conntrack state;
__be32 vtag[IP_CT_DIR_MAX];
- u_int32_t ttag[IP_CT_DIR_MAX];
};
#endif /* _NF_CONNTRACK_SCTP_H */
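Review bot: this header under include/linux/netfilter/ is partly visible to userspace; please confirm that struct ip_ct_sctp sits in the kernel-only part of the file so that dropping ttag[] does not alter an exported layout. Otherwise the removal is straightforward: none of the sctp_packet()/sctp_new() hunks earlier in this series reference ttag, only vtag[] and state.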
* [NETFILTER 33/38]: nf_conntrack_sctp: replace magic value by symbolic constant
From: Patrick McHardy @ 2008-01-15 6:19 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: replace magic value by symbolic constant
Use SCTP_CHUNK_FLAG_T instead of 0x1.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 07f97b30ff30a5ce17377199ae32176b5dab5b08
tree 72dc2a95665128b415c457c3db4ab18d56ce149c
parent 5c06ef38713fa6bc6cb80f7834464e4761a383dc
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:29 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:29 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 177e8f6..14b1c02 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -341,7 +341,7 @@ static int sctp_packet(struct nf_conn *ct,
/* Sec 8.5.1 (C) */
if (sh->vtag != ct->proto.sctp.vtag[dir] &&
sh->vtag != ct->proto.sctp.vtag[!dir] &&
- (sch->flags & 1))
+ sch->flags & SCTP_CHUNK_FLAG_T)
goto out_unlock;
} else if (sch->type == SCTP_CID_COOKIE_ECHO) {
/* Sec 8.5.1 (D) */
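Review bot: the new `sch->flags & SCTP_CHUNK_FLAG_T` drops the parentheses the old `(sch->flags & 1)` had; it still parses as intended because `&` binds tighter than `&&`, but keeping the parentheses matches the two `!=` operands above it and spares readers the precedence check. Also, the diffstat shows exactly one insertion and one deletion, so no #include was added: SCTP_CHUNK_FLAG_T must already be visible through the file's existing includes, which the commit message could confirm.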
* [NETFILTER 34/38]: nf_conntrack_sctp: remove timeout indirection
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack_sctp: remove timeout indirection
Instead of keeping pointers to the timeout values in a table, simply
put the timeout values in the table directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 918cc347b331a901245021bd85c1cb3c7ff54482
tree a7aa2f2d554107ce90f7c4e4da77711ce954e235
parent 07f97b30ff30a5ce17377199ae32176b5dab5b08
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
net/netfilter/nf_conntrack_proto_sctp.c | 57 +++++++++++++------------------
1 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 14b1c02..21d29e7 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -49,24 +49,15 @@ static const char *sctp_conntrack_names[] = {
#define HOURS * 60 MINS
#define DAYS * 24 HOURS
-static unsigned int nf_ct_sctp_timeout_closed __read_mostly = 10 SECS;
-static unsigned int nf_ct_sctp_timeout_cookie_wait __read_mostly = 3 SECS;
-static unsigned int nf_ct_sctp_timeout_cookie_echoed __read_mostly = 3 SECS;
-static unsigned int nf_ct_sctp_timeout_established __read_mostly = 5 DAYS;
-static unsigned int nf_ct_sctp_timeout_shutdown_sent __read_mostly = 300 SECS / 1000;
-static unsigned int nf_ct_sctp_timeout_shutdown_recd __read_mostly = 300 SECS / 1000;
-static unsigned int nf_ct_sctp_timeout_shutdown_ack_sent __read_mostly = 3 SECS;
-
-static unsigned int * sctp_timeouts[]
-= { NULL, /* SCTP_CONNTRACK_NONE */
- &nf_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */
- &nf_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */
- &nf_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */
- &nf_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */
- &nf_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */
- &nf_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */
- &nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
- };
+static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
+ [SCTP_CONNTRACK_CLOSED] = 10 SECS,
+ [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
+ [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
+ [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
+ [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
+ [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
+ [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
+};
#define sNO SCTP_CONNTRACK_NONE
#define sCL SCTP_CONNTRACK_CLOSED
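Review bot: the designated initialiser leaves `[SCTP_CONNTRACK_NONE]` implicitly zero where the old table had an explicit NULL with a comment; an explicit `[SCTP_CONNTRACK_NONE] = 0` (or a comment saying the state has no timeout) would keep that intent visible. The two `300 SECS / 1000` entries are carried over unchanged and still read like 300 seconds when they mean 300 milliseconds, relying on the SECS macro expanding to a multiplication so the division applies to the product; a one-line comment or a millisecond helper next to the SECS/MINS/HOURS/DAYS macros would make that clearer.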
@@ -380,7 +371,7 @@ static int sctp_packet(struct nf_conn *ct,
}
write_unlock_bh(&sctp_lock);
- nf_ct_refresh_acct(ct, ctinfo, skb, *sctp_timeouts[new_state]);
+ nf_ct_refresh_acct(ct, ctinfo, skb, sctp_timeouts[new_state]);
if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
dir == IP_CT_DIR_REPLY &&
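Review bot: with the indirection gone, `sctp_timeouts[new_state]` for new_state == SCTP_CONNTRACK_NONE now yields a zero timeout where the old `*sctp_timeouts[new_state]` would have dereferenced NULL; if that state can reach this call, nf_ct_refresh_acct() would silently expire the entry at once, and if it cannot, a comment or WARN_ON_ONCE here would document the invariant instead of leaving it implicit.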
@@ -474,49 +465,49 @@ static struct ctl_table_header *sctp_sysctl_header;
static struct ctl_table sctp_sysctl_table[] = {
{
.procname = "nf_conntrack_sctp_timeout_closed",
- .data = &nf_ct_sctp_timeout_closed,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_cookie_wait",
- .data = &nf_ct_sctp_timeout_cookie_wait,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_cookie_echoed",
- .data = &nf_ct_sctp_timeout_cookie_echoed,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_established",
- .data = &nf_ct_sctp_timeout_established,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_sent",
- .data = &nf_ct_sctp_timeout_shutdown_sent,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_recd",
- .data = &nf_ct_sctp_timeout_shutdown_recd,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
- .data = &nf_ct_sctp_timeout_shutdown_ack_sent,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
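Review bot: the seven entries in this hunk differ only in procname and array index, and the compat table in the next hunk repeats them with an ip_conntrack_ prefix; since every .data line is being rewritten anyway, a small macro generating each entry from (name, state) would remove the duplication. While these entries are touched, note that proc_dointvec_jiffies enforces no lower bound, so writing 0 to any of these sysctls makes the corresponding state expire on the next refresh; a minimum of one jiffy would be worth enforcing.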
@@ -530,49 +521,49 @@ static struct ctl_table sctp_sysctl_table[] = {
static struct ctl_table sctp_compat_sysctl_table[] = {
{
.procname = "ip_conntrack_sctp_timeout_closed",
- .data = &nf_ct_sctp_timeout_closed,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_cookie_wait",
- .data = &nf_ct_sctp_timeout_cookie_wait,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_cookie_echoed",
- .data = &nf_ct_sctp_timeout_cookie_echoed,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_established",
- .data = &nf_ct_sctp_timeout_established,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_sent",
- .data = &nf_ct_sctp_timeout_shutdown_sent,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_recd",
- .data = &nf_ct_sctp_timeout_shutdown_recd,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
},
{
.procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
- .data = &nf_ct_sctp_timeout_shutdown_ack_sent,
+ .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
.maxlen = sizeof(unsigned int),
.mode = 0644,
.proc_handler = &proc_dointvec_jiffies,
* [NETFILTER 35/38]: kill nf_sysctl.c
From: Patrick McHardy @ 2008-01-15 6:19 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: kill nf_sysctl.c
Since there is now generic support for shared sysctl paths, the only remaining
ones are the net/netfilter and net/ipv4/netfilter paths. Move them
to net/netfilter/core.c and net/ipv4/netfilter.c and kill nf_sysctl.c.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b243ece57ad7c480af162ff7cc857b8aa2b0c409
tree 693c714dbe16fa64247a5bfa7d2ef6da944952bd
parent 918cc347b331a901245021bd85c1cb3c7ff54482
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
net/ipv4/netfilter.c | 10 ++++++++++
net/netfilter/Makefile | 1 -
net/netfilter/core.c | 9 +++++++++
net/netfilter/nf_sysctl.c | 25 -------------------------
4 files changed, 19 insertions(+), 26 deletions(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 0ed843e..6322155 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -211,3 +211,13 @@ static void ipv4_netfilter_fini(void)
module_init(ipv4_netfilter_init);
module_exit(ipv4_netfilter_fini);
+
+#ifdef CONFIG_SYSCTL
+struct ctl_path nf_net_ipv4_netfilter_sysctl_path[] = {
+ { .procname = "net", .ctl_name = CTL_NET, },
+ { .procname = "ipv4", .ctl_name = NET_IPV4, },
+ { .procname = "netfilter", .ctl_name = NET_IPV4_NETFILTER, },
+ { }
+};
+EXPORT_SYMBOL_GPL(nf_net_ipv4_netfilter_sysctl_path);
+#endif /* CONFIG_SYSCTL */
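Review bot: the new definition is appended below module_init()/module_exit(), which conventionally close a file; placing the block above the init/exit functions would keep the file's layout consistent. Since this file has module_init/module_exit, the EXPORT_SYMBOL_GPL should only live here if net/ipv4/netfilter.o is always built in; an export from a loadable object would force every user of nf_net_ipv4_netfilter_sysctl_path to depend on that module, and a sentence in the commit message settling that would help.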
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index c910cae..ea75083 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -4,7 +4,6 @@ nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_exp
nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
obj-$(CONFIG_NETFILTER) = netfilter.o
-obj-$(CONFIG_SYSCTL) += nf_sysctl.o
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
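Review bot: dropping `obj-$(CONFIG_SYSCTL) += nf_sysctl.o` moves the ipv4 path definition out of net/netfilter entirely, so whichever callers consume nf_net_ipv4_netfilter_sysctl_path now have a build-time dependency on net/ipv4/netfilter.o rather than on a net/netfilter object; the commit message could spell out that this object is built whenever those callers are.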
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index e026344..c4065b8 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -272,3 +272,12 @@ void __init netfilter_init(void)
if (netfilter_log_init() < 0)
panic("cannot initialize nf_log");
}
+
+#ifdef CONFIG_SYSCTL
+struct ctl_path nf_net_netfilter_sysctl_path[] = {
+ { .procname = "net", .ctl_name = CTL_NET, },
+ { .procname = "netfilter", .ctl_name = NET_NETFILTER, },
+ { }
+};
+EXPORT_SYMBOL_GPL(nf_net_netfilter_sysctl_path);
+#endif /* CONFIG_SYSCTL */
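Review bot: the `/* net/netfilter */` marker comment from the deleted file is not carried over here (nor is `/* net/ipv4/netfilter */` in the ipv4 hunk); keeping those one-line comments above each array would preserve the only documentation these paths had. Placement after the __init netfilter_init() is fine functionally since the array is ordinary data, not __initdata.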
diff --git a/net/netfilter/nf_sysctl.c b/net/netfilter/nf_sysctl.c
deleted file mode 100644
index d9fcc89..0000000
--- a/net/netfilter/nf_sysctl.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* nf_sysctl.c netfilter sysctl registration/unregistation
- *
- * Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
- */
-#include <linux/module.h>
-#include <linux/sysctl.h>
-#include <linux/string.h>
-#include <linux/slab.h>
-
-/* net/netfilter */
-struct ctl_path nf_net_netfilter_sysctl_path[] = {
- { .procname = "net", .ctl_name = CTL_NET, },
- { .procname = "netfilter", .ctl_name = NET_NETFILTER, },
- { }
-};
-EXPORT_SYMBOL_GPL(nf_net_netfilter_sysctl_path);
-
-/* net/ipv4/netfilter */
-struct ctl_path nf_net_ipv4_netfilter_sysctl_path[] = {
- { .procname = "net", .ctl_name = CTL_NET, },
- { .procname = "ipv4", .ctl_name = NET_IPV4, },
- { .procname = "netfilter", .ctl_name = NET_IPV4_NETFILTER, },
- { }
-};
-EXPORT_SYMBOL_GPL(nf_net_ipv4_netfilter_sysctl_path);
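Review bot: the deleted file included <linux/sysctl.h> explicitly, while the two new homes add only the definitions (the diffstat's +10 and +9 match the visible added lines exactly, so no include was added); net/ipv4/netfilter.c and net/netfilter/core.c therefore rely on struct ctl_path, CTL_NET, NET_IPV4, NET_NETFILTER and NET_IPV4_NETFILTER arriving transitively, and an explicit #include <linux/sysctl.h> in each would make the dependency robust. The extern declarations for both arrays presumably stay in their existing header; worth checking with sparse that each new definition's file includes that header, since both symbols are non-static.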
* [NETFILTER 36/38]: nf_conntrack: clean up a few header files
From: Patrick McHardy @ 2008-01-15 6:20 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack: clean up a few header files
- Remove declarations of non-existing variables and functions
- Move helper init/cleanup function declarations to nf_conntrack_helper.h
- Remove unneeded __nf_conntrack_attach declaration and make it static
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit acb619184a16c40b0f24fa7a66464a7494421b1f
tree 5f4365cd37acae2d1ebc55f3a79bf6368612a827
parent b243ece57ad7c480af162ff7cc857b8aa2b0c409
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:30 +0100
include/net/netfilter/nf_conntrack.h | 7 -------
include/net/netfilter/nf_conntrack_core.h | 12 ------------
include/net/netfilter/nf_conntrack_helper.h | 4 ++++
net/netfilter/nf_conntrack_core.c | 5 ++---
4 files changed, 6 insertions(+), 22 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 4ac5ab1..857d899 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -223,8 +223,6 @@ extern void nf_conntrack_tcp_update(struct sk_buff *skb,
/* Fake conntrack entry for untracked connections */
extern struct nf_conn nf_conntrack_untracked;
-extern int nf_ct_no_defrag;
-
/* Iterate over all conntracks: if iter returns true, it's deleted. */
extern void
nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
@@ -264,10 +262,5 @@ do { \
local_bh_enable(); \
} while (0)
-extern int
-nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size);
-extern void
-nf_conntrack_unregister_cache(u_int32_t features);
-
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_H */
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index a532e7b..7ad0828 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -30,16 +30,6 @@ extern void nf_conntrack_cleanup(void);
extern int nf_conntrack_proto_init(void);
extern void nf_conntrack_proto_fini(void);
-extern int nf_conntrack_helper_init(void);
-extern void nf_conntrack_helper_fini(void);
-
-struct nf_conntrack_l3proto;
-extern struct nf_conntrack_l3proto *nf_ct_find_l3proto(u_int16_t pf);
-/* Like above, but you already have conntrack read lock. */
-extern struct nf_conntrack_l3proto *__nf_ct_find_l3proto(u_int16_t l3proto);
-
-struct nf_conntrack_l4proto;
-
extern int
nf_ct_get_tuple(const struct sk_buff *skb,
unsigned int nhoff,
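Review bot: besides the stale prototypes, this hunk removes the forward declarations `struct nf_conntrack_l3proto;` and `struct nf_conntrack_l4proto;` while prototypes later in the same header still take pointers to those types (print_tuple's `struct nf_conntrack_l3proto *l3proto` parameter is visible in the next hunk's context); that is only warning-free if the l3proto/l4proto headers are already included above this point, otherwise the parameter would declare the struct with prototype scope and gcc would warn. A note in the commit message that the includes are already present would close that question.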
@@ -76,8 +66,6 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
return ret;
}
-extern void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb);
-
int
print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
struct nf_conntrack_l3proto *l3proto,
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index d7b2d54..2f3af00 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -58,4 +58,8 @@ static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct)
{
return nf_ct_ext_find(ct, NF_CT_EXT_HELPER);
}
+
+extern int nf_conntrack_helper_init(void);
+extern void nf_conntrack_helper_fini(void);
+
#endif /*_NF_CONNTRACK_HELPER_H*/
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 2556407..078fff0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -861,7 +861,7 @@ EXPORT_SYMBOL_GPL(nf_ct_port_nlattr_to_tuple);
#endif
/* Used by ipt_REJECT and ip6t_REJECT. */
-void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
+static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
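Review bot: the `/* Used by ipt_REJECT and ip6t_REJECT. */` comment above the now-static nf_conntrack_attach() is misleading after this change, since the REJECT targets can no longer call it directly and only reach it through the ip_ct_attach pointer assigned in the last hunk; rewording it to say the function is installed as ip_ct_attach for the REJECT targets would match the new visibility.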
@@ -878,7 +878,6 @@ void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
nskb->nfctinfo = ctinfo;
nf_conntrack_get(nskb->nfct);
}
-EXPORT_SYMBOL_GPL(__nf_conntrack_attach);
static inline int
do_iter(const struct nf_conntrack_tuple_hash *i,
@@ -1122,7 +1121,7 @@ int __init nf_conntrack_init(void)
goto out_fini_expect;
/* For use by REJECT target */
- rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach);
+ rcu_assign_pointer(ip_ct_attach, nf_conntrack_attach);
rcu_assign_pointer(nf_ct_destroy, destroy_conntrack);
/* Set up fake conntrack:
* [NETFILTER 37/38]: nf_conntrack: remove print_conntrack function from l3protos
From: Patrick McHardy @ 2008-01-15 6:20 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack: remove print_conntrack function from l3protos
It's unused and unlikely to ever be used.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 254624c5e171625a66d68b7ff457940b131de765
tree e17da32e0596fe4a1fb9bb46deaedd9158b7c469
parent acb619184a16c40b0f24fa7a66464a7494421b1f
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:31 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:31 +0100
include/net/netfilter/nf_conntrack_l3proto.h | 3 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 7 -------
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 3 ---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 7 -------
net/netfilter/nf_conntrack_l3proto_generic.c | 7 -------
net/netfilter/nf_conntrack_standalone.c | 3 ---
6 files changed, 0 insertions(+), 30 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 875c6d4..d5526bc 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -42,9 +42,6 @@ struct nf_conntrack_l3proto
int (*print_tuple)(struct seq_file *s,
const struct nf_conntrack_tuple *);
- /* Print out the private part of the conntrack. */
- int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
-
/* Returns verdict for packet, or -1 for invalid. */
int (*packet)(struct nf_conn *conntrack,
const struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 78e6495..ac3d61d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -56,12 +56,6 @@ static int ipv4_print_tuple(struct seq_file *s,
NIPQUAD(tuple->dst.u3.ip));
}
-static int ipv4_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/* Returns new sk_buff, or NULL */
static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
{
@@ -403,7 +397,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.pkt_to_tuple = ipv4_pkt_to_tuple,
.invert_tuple = ipv4_invert_tuple,
.print_tuple = ipv4_print_tuple,
- .print_conntrack = ipv4_print_conntrack,
.get_l4proto = ipv4_get_l4proto,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = ipv4_tuple_to_nlattr,
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 741f3df..acde995 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -121,9 +121,6 @@ static int ct_seq_show(struct seq_file *s, void *v)
? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
return -ENOSPC;
- if (l3proto->print_conntrack(s, ct))
- return -ENOSPC;
-
if (l4proto->print_conntrack(s, ct))
return -ENOSPC;
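Review bot: the removed call was unconditional, so before this patch any l3proto registered without a print_conntrack hook would have dereferenced NULL on the first /proc read; dropping the hook from the struct turns that latent crash into a compile-time error for any out-of-tree l3proto that still sets `.print_conntrack`, which is the better failure mode and worth a line in the commit message. The same unconditional pattern remains for `l4proto->print_conntrack` two lines below; that is addressed separately in 38/38.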
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97a5530..cf42f5c 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -60,12 +60,6 @@ static int ipv6_print_tuple(struct seq_file *s,
NIP6(*((struct in6_addr *)tuple->dst.u3.ip6)));
}
-static int ipv6_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/*
* Based on ipv6_skip_exthdr() in net/ipv6/exthdr.c
*
@@ -376,7 +370,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
.pkt_to_tuple = ipv6_pkt_to_tuple,
.invert_tuple = ipv6_invert_tuple,
.print_tuple = ipv6_print_tuple,
- .print_conntrack = ipv6_print_conntrack,
.get_l4proto = ipv6_get_l4proto,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.tuple_to_nlattr = ipv6_tuple_to_nlattr,
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index 991c52c..8e914e5 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -55,12 +55,6 @@ static int generic_print_tuple(struct seq_file *s,
return 0;
}
-static int generic_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
static int generic_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
unsigned int *dataoff, u_int8_t *protonum)
{
@@ -75,7 +69,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_generic __read_mostly = {
.pkt_to_tuple = generic_pkt_to_tuple,
.invert_tuple = generic_invert_tuple,
.print_tuple = generic_print_tuple,
- .print_conntrack = generic_print_conntrack,
.get_l4proto = generic_get_l4proto,
};
EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_generic);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 2ad4933..d54ca78 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -142,9 +142,6 @@ static int ct_seq_show(struct seq_file *s, void *v)
? (long)(conntrack->timeout.expires - jiffies)/HZ : 0) != 0)
return -ENOSPC;
- if (l3proto->print_conntrack(s, conntrack))
- return -ENOSPC;
-
if (l4proto->print_conntrack(s, conntrack))
return -ENOSPC;
* [NETFILTER 38/38]: nf_conntrack: make print_conntrack function optional for l4protos
From: Patrick McHardy @ 2008-01-15 6:20 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: nf_conntrack: make print_conntrack function optional for l4protos
Allows removing five empty implementations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 1b92cbe78d5e84fcc50ab1f890f23628dbd36f69
tree c336f72850df23d7eaa8be943697aebb3a23f56f
parent 254624c5e171625a66d68b7ff457940b131de765
author Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:31 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:53:31 +0100
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 8 --------
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 8 --------
net/netfilter/nf_conntrack_proto_generic.c | 8 --------
net/netfilter/nf_conntrack_proto_udp.c | 9 ---------
net/netfilter/nf_conntrack_proto_udplite.c | 9 ---------
net/netfilter/nf_conntrack_standalone.c | 2 +-
7 files changed, 2 insertions(+), 44 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index acde995..543c02b 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -121,7 +121,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
return -ENOSPC;
- if (l4proto->print_conntrack(s, ct))
+ if (l4proto->print_conntrack && l4proto->print_conntrack(s, ct))
return -ENOSPC;
if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
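Review bot: the NULL check here and in the nf_conntrack_standalone.c hunk makes the hook optional, but the diffstat shows no change to the header defining struct nf_conntrack_l4proto, so nothing documents that `print_conntrack` may now be NULL; a comment on the member saying it is optional would stop a future caller from reintroducing an unconditional call, and the same check should be added anywhere else the hook is invoked outside the two seq_show sites this patch covers.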
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index cd0d669..4004a04 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -74,13 +74,6 @@ static int icmp_print_tuple(struct seq_file *s,
ntohs(tuple->src.u.icmp.id));
}
-/* Print out the private part of the conntrack. */
-static int icmp_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/* Returns verdict for packet, or -1 for invalid. */
static int icmp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
@@ -309,7 +302,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
.pkt_to_tuple = icmp_pkt_to_tuple,
.invert_tuple = icmp_invert_tuple,
.print_tuple = icmp_print_tuple,
- .print_conntrack = icmp_print_conntrack,
.packet = icmp_packet,
.new = icmp_new,
.error = icmp_error,
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 02d60df..da924c6 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -75,13 +75,6 @@ static int icmpv6_print_tuple(struct seq_file *s,
ntohs(tuple->src.u.icmp.id));
}
-/* Print out the private part of the conntrack. */
-static int icmpv6_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/* Returns verdict for packet, or -1 for invalid. */
static int icmpv6_packet(struct nf_conn *ct,
const struct sk_buff *skb,
@@ -275,7 +268,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
.pkt_to_tuple = icmpv6_pkt_to_tuple,
.invert_tuple = icmpv6_invert_tuple,
.print_tuple = icmpv6_print_tuple,
- .print_conntrack = icmpv6_print_conntrack,
.packet = icmpv6_packet,
.new = icmpv6_new,
.error = icmpv6_error,
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 13f8191..22c5dcb 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -40,13 +40,6 @@ static int generic_print_tuple(struct seq_file *s,
return 0;
}
-/* Print out the private part of the conntrack. */
-static int generic_print_conntrack(struct seq_file *s,
- const struct nf_conn *state)
-{
- return 0;
-}
-
/* Returns verdict for packet, or -1 for invalid. */
static int packet(struct nf_conn *conntrack,
const struct sk_buff *skb,
@@ -104,7 +97,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_generic __read_mostly =
.pkt_to_tuple = generic_pkt_to_tuple,
.invert_tuple = generic_invert_tuple,
.print_tuple = generic_print_tuple,
- .print_conntrack = generic_print_conntrack,
.packet = packet,
.new = new,
#ifdef CONFIG_SYSCTL
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 7ac6073..3848754 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -60,13 +60,6 @@ static int udp_print_tuple(struct seq_file *s,
ntohs(tuple->dst.u.udp.port));
}
-/* Print out the private part of the conntrack. */
-static int udp_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/* Returns verdict for packet, and may modify conntracktype */
static int udp_packet(struct nf_conn *conntrack,
const struct sk_buff *skb,
@@ -193,7 +186,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
.pkt_to_tuple = udp_pkt_to_tuple,
.invert_tuple = udp_invert_tuple,
.print_tuple = udp_print_tuple,
- .print_conntrack = udp_print_conntrack,
.packet = udp_packet,
.new = udp_new,
.error = udp_error,
@@ -221,7 +213,6 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
.pkt_to_tuple = udp_pkt_to_tuple,
.invert_tuple = udp_invert_tuple,
.print_tuple = udp_print_tuple,
- .print_conntrack = udp_print_conntrack,
.packet = udp_packet,
.new = udp_new,
.error = udp_error,
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 6518bcd..070056d 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -59,13 +59,6 @@ static int udplite_print_tuple(struct seq_file *s,
ntohs(tuple->dst.u.udp.port));
}
-/* Print out the private part of the conntrack. */
-static int udplite_print_conntrack(struct seq_file *s,
- const struct nf_conn *conntrack)
-{
- return 0;
-}
-
/* Returns verdict for packet, and may modify conntracktype */
static int udplite_packet(struct nf_conn *conntrack,
const struct sk_buff *skb,
@@ -198,7 +191,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
.pkt_to_tuple = udplite_pkt_to_tuple,
.invert_tuple = udplite_invert_tuple,
.print_tuple = udplite_print_tuple,
- .print_conntrack = udplite_print_conntrack,
.packet = udplite_packet,
.new = udplite_new,
.error = udplite_error,
@@ -222,7 +214,6 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
.pkt_to_tuple = udplite_pkt_to_tuple,
.invert_tuple = udplite_invert_tuple,
.print_tuple = udplite_print_tuple,
- .print_conntrack = udplite_print_conntrack,
.packet = udplite_packet,
.new = udplite_new,
.error = udplite_error,
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index d54ca78..696074a 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -142,7 +142,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
? (long)(conntrack->timeout.expires - jiffies)/HZ : 0) != 0)
return -ENOSPC;
- if (l4proto->print_conntrack(s, conntrack))
+ if (l4proto->print_conntrack && l4proto->print_conntrack(s, conntrack))
return -ENOSPC;
if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
* Re: [NETFILTER 00/38]: Netfilter update
From: David Miller @ 2008-01-15 7:50 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 15 Jan 2008 07:19:12 +0100 (MET)
> following is another netfilter update. The diffstat contains mostly
> noise from a MODULE_DESCRIPTION update, the main changes are:
>
> - removal of EXPERIMENTAL dependencies for all but a few selected modules
>
> - Updates from Jan for multiple matches and targets to use fixed types,
> scheduling of the old version for removal in 2009
>
> - IPv6 support for a few more matches and targets
>
> - SCTP conntrack cleanup
>
> - REJECT target conversion to construct TCP RSTs from scratch to properly
> deal with IP options
>
> - Minor cleanups and optimizations
>
> Please apply, thanks.
All applied, thanks Patrick.