* [PATCH 1/27] remove ipt_TOS.c
From: Jan Engelhardt @ 2008-01-02 20:24 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit b6e9a26f05e83d8058f1dc56a45e5f5d533ad373
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:31:42 2008 +0100
[NETFILTER]: remove ipt_TOS.c
Commit 88c85d81f74f92371745158aebc5cbf490412002 forgot to remove the
old ipt_TOS file (whose code has been merged into xt_DSCP). Remove
it now.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/ipv4/netfilter/ipt_TOS.c | 82 ----------------------------------
1 files changed, 0 insertions(+), 82 deletions(-)
delete mode 100644 net/ipv4/netfilter/ipt_TOS.c
* [PATCH 1/27] remove ipt_TOS.c
From: Jan Engelhardt @ 2008-01-02 20:25 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit b6e9a26f05e83d8058f1dc56a45e5f5d533ad373
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:31:42 2008 +0100
[NETFILTER]: remove ipt_TOS.c
Commit 88c85d81f74f92371745158aebc5cbf490412002 forgot to remove the
old ipt_TOS file (whose code has been merged into xt_DSCP). Remove
it now.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/ipv4/netfilter/ipt_TOS.c | 82 ----------------------------------
1 files changed, 0 insertions(+), 82 deletions(-)
delete mode 100644 net/ipv4/netfilter/ipt_TOS.c
# (Pure deletions omitted)
* [PATCH 2/27] Change semantic of mask value in xt_TOS
From: Jan Engelhardt @ 2008-01-02 20:25 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 4fd5dd02c10be25f59155d127d3ea6de17703946
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:35:23 2008 +0100
[NETFILTER]: Change semantic of mask value in xt_TOS
This patch changes the behavior of xt_TOS v1 so that the mask value
the user supplies means "zero out these bits" rather than "keep these
bits". This is easier on the user, as (I would assume) people keep
more bits than zeroing, so, an example:
Action: Set bit 0x01.
before (&): iptables -j TOS --set-tos 0x01/0xFE
after (&~): iptables -j TOS --set-tos 0x01/0x01
This is not too "tragic" with xt_TOS, but where larger fields are used
(e.g. proposed xt_MARK v2), `--set-xmark 0x01/0x01` vs. `--set-xmark
0x01/0xFFFFFFFE` really makes a difference. Other target(!) modules,
such as xt_TPROXY also use &~ rather than &, so let's get to a common
ground.
(Since xt_TOS has not yet left the development tree en direction to
mainline, the semantic can be changed as proposed without breaking
iptables.)
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_DSCP.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index fd7500e..9951e7f 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -128,7 +128,7 @@ tos_tg(struct sk_buff *skb, const struct net_device *in,
u_int8_t orig, nv;
orig = ipv4_get_dsfield(iph);
- nv = (orig & info->tos_mask) ^ info->tos_value;
+ nv = (orig & ~info->tos_mask) ^ info->tos_value;
if (orig != nv) {
if (!skb_make_writable(skb, sizeof(struct iphdr)))
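Review bot: with `nv = (orig & ~info->tos_mask) ^ info->tos_value;` any bit that is set in tos_value but clear in tos_mask is XORed into a bit the mask preserved, so it flips per packet instead of being set; either reject `info->tos_value & ~info->tos_mask` at check time or spell the toggle behaviour out in the commit message. The kernel cannot distinguish an old-convention mask from a new one, so the libxt_TOS change in iptables has to land in lockstep, as the last paragraph of the commit message implies.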
* Re: [PATCH 2/27] Change semantic of mask value in xt_TOS
From: Patrick McHardy @ 2008-01-04 14:27 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 4fd5dd02c10be25f59155d127d3ea6de17703946
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:35:23 2008 +0100
>
> [NETFILTER]: Change semantic of mask value in xt_TOS
>
> This patch changes the behavior of xt_TOS v1 so that the mask value
> the user supplies means "zero out these bits" rather than "keep these
> bits". This is easier on the user, as (I would assume) people keep
> more bits than zeroing, so, an example:
>
> Action: Set bit 0x01.
> before (&): iptables -j TOS --set-tos 0x01/0xFE
> after (&~): iptables -j TOS --set-tos 0x01/0x01
>
> This is not too "tragic" with xt_TOS, but where larger fields are used
> (e.g. proposed xt_MARK v2), `--set-xmark 0x01/0x01` vs. `--set-xmark
> 0x01/0xFFFFFFFE` really makes a difference. Other target(!) modules,
> such as xt_TPROXY also use &~ rather than &, so let's get to a common
> ground.
>
> (Since xt_TOS has not yet left the development tree en direction to
> mainline, the semantic can be changed as proposed without breaking
> iptables.)
Applied, thanks Jan.
* [PATCH 3/27] Properly set the TOS field in xt_TOS
From: Jan Engelhardt @ 2008-01-02 20:26 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 8f0c85f00df581bf4379db5c382232c8c441ca3e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:35:49 2008 +0100
[NETFILTER]: Properly set the TOS field in xt_TOS
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_DSCP.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 9951e7f..3d216d6 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -134,7 +134,7 @@ tos_tg(struct sk_buff *skb, const struct net_device *in,
if (!skb_make_writable(skb, sizeof(struct iphdr)))
return NF_DROP;
iph = ip_hdr(skb);
- ipv4_change_dsfield(iph, ~0, nv);
+ ipv4_change_dsfield(iph, 0, nv);
}
return XT_CONTINUE;
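Review bot: the commit message should say what was wrong: ipv4_change_dsfield() keeps the old field bits selected by its mask argument and ORs the value in, so with ~0 no bit that the rule meant to clear could ever be cleared and the mask arithmetic done in tos_tg() was undone on the way out. Passing 0 makes nv replace the field, which is what tos_tg() computed it for. A subject line alone hides that this is a functional bug fix rather than a cleanup.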
@@ -156,7 +156,7 @@ tos_tg6(struct sk_buff *skb, const struct net_device *in,
if (!skb_make_writable(skb, sizeof(struct iphdr)))
return NF_DROP;
iph = ipv6_hdr(skb);
- ipv6_change_dsfield(iph, ~0, nv);
+ ipv6_change_dsfield(iph, 0, nv);
}
return XT_CONTINUE;
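Review bot: the unchanged context line `if (!skb_make_writable(skb, sizeof(struct iphdr)))` in tos_tg6() asks for an IPv4-header-sized writable prefix although the function then calls ipv6_hdr() and ipv6_change_dsfield(); the traffic class lives in the first bytes so it happens to suffice, but sizeof(struct ipv6hdr) is the size that matches what is modified. Worth correcting while this function is being touched.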
* [PATCH 4/27] Annotate start of kernel fields in NF headers
From: Jan Engelhardt @ 2008-01-02 20:26 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit fbfa586f668945368dcaac07c5587bb6f0979e59
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:38:47 2008 +0100
[NETFILTER]: Annotate start of kernel fields in NF headers
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_RATEEST.h | 2 ++
include/linux/netfilter/xt_connlimit.h | 2 +-
include/linux/netfilter/xt_hashlimit.h | 2 +-
include/linux/netfilter/xt_quota.h | 2 ++
include/linux/netfilter/xt_rateest.h | 2 ++
include/linux/netfilter/xt_statistic.h | 1 +
include/linux/netfilter/xt_string.h | 2 ++
include/linux/netfilter_ipv4/ipt_CLUSTERIP.h | 1 +
8 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h
index 670f2e4..f79e313 100644
--- a/include/linux/netfilter/xt_RATEEST.h
+++ b/include/linux/netfilter/xt_RATEEST.h
@@ -5,6 +5,8 @@ struct xt_rateest_target_info {
char name[IFNAMSIZ];
int8_t interval;
u_int8_t ewma_log;
+
+ /* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 315d2dc..7e3284b 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -15,7 +15,7 @@ struct xt_connlimit_info {
};
unsigned int limit, inverse;
- /* this needs to be at the end */
+ /* Used internally by the kernel */
struct xt_connlimit_data *data __attribute__((aligned(8)));
};
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b4556b8..c19972e 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -29,9 +29,9 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
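Review bot: moving the comment above hinfo documents intent but does not make the field ABI-neutral: hinfo is a bare pointer without the aligned(8) that xt_connlimit_info's data pointer carries in the previous hunk, so a 64-bit kernel sees a hole before it and an 8-byte pointer where a 32-bit iptables emits 4 bytes, and the compat conversion in xt_hashlimit.c remains necessary. If the aim is to drop that conversion, the struct needs a fixed-size layout in a new revision, not only a comment.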
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index acd7fd7..4c8368d 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -9,6 +9,8 @@ enum xt_quota_flags {
struct xt_quota_info {
u_int32_t flags;
u_int32_t pad;
+
+ /* Used internally by the kernel */
aligned_u64 quota;
struct xt_quota_info *master;
};
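Review bot: the new marker sits above `aligned_u64 quota;`, yet quota is the byte count userspace passes in and the kernel only counts it down; master is the purely kernel-internal field. Place the comment above master, or reword it to say that quota is user-supplied but updated by the kernel, so nobody reads the annotation as permission to leave quota unset from userspace.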
diff --git a/include/linux/netfilter/xt_rateest.h b/include/linux/netfilter/xt_rateest.h
index 51948e1..2010cb7 100644
--- a/include/linux/netfilter/xt_rateest.h
+++ b/include/linux/netfilter/xt_rateest.h
@@ -26,6 +26,8 @@ struct xt_rateest_match_info {
u_int32_t pps1;
u_int32_t bps2;
u_int32_t pps2;
+
+ /* Used internally by the kernel */
struct xt_rateest *est1 __attribute__((aligned(8)));
struct xt_rateest *est2 __attribute__((aligned(8)));
};
diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h
index c344e99..24969af 100644
--- a/include/linux/netfilter/xt_statistic.h
+++ b/include/linux/netfilter/xt_statistic.h
@@ -23,6 +23,7 @@ struct xt_statistic_info {
struct {
u_int32_t every;
u_int32_t packet;
+ /* Used internally by the kernel */
u_int32_t count;
} nth;
} u;
diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h
index 3b3419f..bb21dd1 100644
--- a/include/linux/netfilter/xt_string.h
+++ b/include/linux/netfilter/xt_string.h
@@ -12,6 +12,8 @@ struct xt_string_info
char pattern[XT_STRING_MAX_PATTERN_SIZE];
u_int8_t patlen;
u_int8_t invert;
+
+ /* Used internally by the kernel */
struct ts_config __attribute__((aligned(8))) *config;
};
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
index daf50be..e5a3687 100644
--- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -27,6 +27,7 @@ struct ipt_clusterip_tgt_info {
u_int32_t hash_mode;
u_int32_t hash_initval;
+ /* Used internally by the kernel */
struct clusterip_config *config;
};
* Re: [PATCH 4/27] Annotate start of kernel fields in NF headers
From: Patrick McHardy @ 2008-01-04 14:33 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit fbfa586f668945368dcaac07c5587bb6f0979e59
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:38:47 2008 +0100
>
> [NETFILTER]: Annotate start of kernel fields in NF headers
> diff --git a/include/linux/netfilter/xt_statistic.h b/include/linux/netfilter/xt_statistic.h
> index c344e99..24969af 100644
> --- a/include/linux/netfilter/xt_statistic.h
> +++ b/include/linux/netfilter/xt_statistic.h
> @@ -23,6 +23,7 @@ struct xt_statistic_info {
> struct {
> u_int32_t every;
> u_int32_t packet;
> + /* Used internally by the kernel */
> u_int32_t count;
Applied and fixed the indentation above.
* [PATCH 5/27] Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
From: Jan Engelhardt @ 2008-01-02 20:26 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 5dc63a190ced8162bad4709daa5442cad693ef2f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:40:31 2008 +0100
[NETFILTER]: Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
The kernel parts of the structures do not need to be fixed nor
compat-converted; all other fields already use fixed types, so the
compat code is not needed.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_hashlimit.c | 34 ---------------------
net/netfilter/xt_limit.c | 54 ----------------------------------
2 files changed, 0 insertions(+), 88 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index c35d220..1b48153 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -565,41 +565,12 @@ hashlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
htable_put(r->hinfo);
}
-#ifdef CONFIG_COMPAT
-struct compat_xt_hashlimit_info {
- char name[IFNAMSIZ];
- struct hashlimit_cfg cfg;
- compat_uptr_t hinfo;
- compat_uptr_t master;
-};
-
-static void hashlimit_mt_compat_from_user(void *dst, void *src)
-{
- int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
-
- memcpy(dst, src, off);
- memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off);
-}
-
-static int hashlimit_mt_compat_to_user(void __user *dst, void *src)
-{
- int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
-
- return copy_to_user(dst, src, off) ? -EFAULT : 0;
-}
-#endif
-
static struct xt_match hashlimit_mt_reg[] __read_mostly = {
{
.name = "hashlimit",
.family = AF_INET,
.match = hashlimit_mt,
.matchsize = sizeof(struct xt_hashlimit_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_hashlimit_info),
- .compat_from_user = hashlimit_mt_compat_from_user,
- .compat_to_user = hashlimit_mt_compat_to_user,
-#endif
.checkentry = hashlimit_mt_check,
.destroy = hashlimit_mt_destroy,
.me = THIS_MODULE
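Review bot: this hunk removes a conversion that is still needed: the deleted compat_xt_hashlimit_info exists because hinfo and master are pointers, 4 bytes in a 32-bit iptables but 8 bytes with 8-byte alignment in a 64-bit kernel, so the native and compat sizes of xt_hashlimit_info differ and the kernel refuses the rule with a size mismatch. The commit message's premise, that all other fields already use fixed types, holds for the fields before hinfo, but the kernel-private tail still determines sizeof(); keep compat_from_user/compat_to_user until a revision with a fixed-size layout replaces the pointers.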
@@ -610,11 +581,6 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
.family = AF_INET6,
.match = hashlimit_mt,
.matchsize = sizeof(struct xt_hashlimit_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_hashlimit_info),
- .compat_from_user = hashlimit_mt_compat_from_user,
- .compat_to_user = hashlimit_mt_compat_to_user,
-#endif
.checkentry = hashlimit_mt_check,
.destroy = hashlimit_mt_destroy,
.me = THIS_MODULE
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 2ef0dbf..ad89a1d 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -123,50 +123,6 @@ limit_mt_check(const char *tablename, const void *inf,
return true;
}
-#ifdef CONFIG_COMPAT
-struct compat_xt_rateinfo {
- u_int32_t avg;
- u_int32_t burst;
-
- compat_ulong_t prev;
- u_int32_t credit;
- u_int32_t credit_cap, cost;
-
- u_int32_t master;
-};
-
-/* To keep the full "prev" timestamp, the upper 32 bits are stored in the
- * master pointer, which does not need to be preserved. */
-static void limit_mt_compat_from_user(void *dst, void *src)
-{
- const struct compat_xt_rateinfo *cm = src;
- struct xt_rateinfo m = {
- .avg = cm->avg,
- .burst = cm->burst,
- .prev = cm->prev | (unsigned long)cm->master << 32,
- .credit = cm->credit,
- .credit_cap = cm->credit_cap,
- .cost = cm->cost,
- };
- memcpy(dst, &m, sizeof(m));
-}
-
-static int limit_mt_compat_to_user(void __user *dst, void *src)
-{
- const struct xt_rateinfo *m = src;
- struct compat_xt_rateinfo cm = {
- .avg = m->avg,
- .burst = m->burst,
- .prev = m->prev,
- .credit = m->credit,
- .credit_cap = m->credit_cap,
- .cost = m->cost,
- .master = m->prev >> 32,
- };
- return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif /* CONFIG_COMPAT */
-
static struct xt_match limit_mt_reg[] __read_mostly = {
{
.name = "limit",
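Review bot: xt_rateinfo has the same problem: prev is an unsigned long, 4 bytes in compat_xt_rateinfo but 8 bytes natively with padding before it on 64-bit, and master is a pointer, which is exactly why the deleted limit_mt_compat_from_user() rebuilds prev from cm->prev and cm->master. Without it the compat and native matchsize differ and 32-bit rules fail to load; the registration hunks below that drop the .compat* members should go with it.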
@@ -174,11 +130,6 @@ static struct xt_match limit_mt_reg[] __read_mostly = {
.checkentry = limit_mt_check,
.match = limit_mt,
.matchsize = sizeof(struct xt_rateinfo),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_rateinfo),
- .compat_from_user = limit_mt_compat_from_user,
- .compat_to_user = limit_mt_compat_to_user,
-#endif
.me = THIS_MODULE,
},
{
@@ -187,11 +138,6 @@ static struct xt_match limit_mt_reg[] __read_mostly = {
.checkentry = limit_mt_check,
.match = limit_mt,
.matchsize = sizeof(struct xt_rateinfo),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_rateinfo),
- .compat_from_user = limit_mt_compat_from_user,
- .compat_to_user = limit_mt_compat_to_user,
-#endif
.me = THIS_MODULE,
},
};
* Re: [PATCH 5/27] Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
From: Patrick McHardy @ 2008-01-04 14:37 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 5dc63a190ced8162bad4709daa5442cad693ef2f
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:40:31 2008 +0100
>
> [NETFILTER]: Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
>
> The kernel parts of the structures do not need to be fixed nor
> compat-converted; all other fields already use fixed types, so the
> compat code is not needed.
Did you test this? It definitely seems necessary since pointers have
different size and alignment requirements on 64 bit.
In the hashlimit case we have a 4 byte hole before the hinfo pointer
on 64 bit which is not present on 32 bit, limit uses an unsigned long
which has different size and also has a hole before the master pointer
on 64 bit.
* Re: [PATCH 5/27] Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
From: Jan Engelhardt @ 2008-01-10 23:01 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 15:37, Patrick McHardy wrote:
>>
>> [NETFILTER]: Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
>>
>> The kernel parts of the structures do not need to be fixed nor
>> compat-converted; all other fields already use fixed types, so the
>> compat code is not needed.
>
> Did you test this? It definitely seems necessary since pointers have
> different size and alignment requirements on 64 bit.
Hm you were right. I removed the compat from hashlimit and promptly got
invalid size 64 != 52
but then again I wonder why xt_connlimit works without compat.
> In the hashlimit case we have a 4 byte hole before the hinfo pointer
> on 64 bit which is not present on 32 bit, limit uses an unsigned long
> which has different size and also has a hole before the master pointer
> on 64 bit.
>
Even if that hole was not there, it would be
64 != 56
or so, no?
* Re: [PATCH 5/27] Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
From: Patrick McHardy @ 2008-01-11 9:36 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 4 2008 15:37, Patrick McHardy wrote:
>>> [NETFILTER]: Remove CONFIG_COMPAT code in xt_hashlimit, xt_limit
>>>
>>> The kernel parts of the structures do not need to be fixed nor
>>> compat-converted; all other fields already use fixed types, so the
>>> compat code is not needed.
>> Did you test this? It definitely seems necessary since pointers have
>> different size and alignment requirements on 64 bit.
>
> Hm you were right. I removed the compat from hashlimit and promptly got
>
> invalid size 64 != 52
>
> but then again I wonder why xt_connlimit works without compat.
Because it uses __attribute__((aligned(8)))
>
>> In the hashlimit case we have a 4 byte hole before the hinfo pointer
>> on 64 bit which is not present on 32 bit, limit uses an unsigned long
>> which has different size and also has a hole before the master pointer
>> on 64 bit.
>>
> Even if that hole was not there, it would be
>
> 64 != 56
>
> or so, no?
Additionally pointer sizes differ, which makes up for another 2*4 bytes.
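Added here as a worked illustration of the size mismatch Jan and Patrick discuss above (example code, not from the patch series or the kernel): a small layout calculator for the three structs in question. The field lists follow the structs quoted in this thread; the ILP32/LP64 tables, the helper names and the calculator itself are assumptions of this example.

```c
/*
 * Added example (not from the patch series or the kernel): a struct-layout
 * calculator that reproduces the "invalid size 64 != 52" seen once
 * xt_hashlimit loses its compat conversion, and shows why xt_connlimit_info
 * (pointer marked aligned(8)) has one size on both ABIs while xt_rateinfo
 * (unsigned long plus a bare pointer) does not. Field lists follow the structs
 * quoted in the thread; ABI tables, names and calculator are assumptions.
 */
#include <stddef.h>
#include <stdio.h>

struct abi { size_t ptr_size, long_size; };
static const struct abi ILP32 = { 4, 4 };   /* 32-bit iptables binary */
static const struct abi LP64  = { 8, 8 };   /* 64-bit x86 kernel */

enum kind { K_U32, K_BYTES, K_ULONG, K_PTR };

struct field {
    const char *name;
    enum kind kind;
    size_t count;      /* element count (0 means 1); bytes for K_BYTES */
    size_t min_align;  /* 0 = natural, 8 = __attribute__((aligned(8))) */
};

static size_t align_up(size_t v, size_t a) { return (v + a - 1) / a * a; }

/* Size and alignment of one field under the given ABI. */
static void field_size_align(const struct field *f, const struct abi *abi,
                             size_t *size, size_t *align)
{
    size_t unit = 1;
    switch (f->kind) {
    case K_U32:   unit = 4;              break;
    case K_BYTES: unit = 1;              break;
    case K_ULONG: unit = abi->long_size; break;
    case K_PTR:   unit = abi->ptr_size;  break;
    }
    *size  = unit * (f->count ? f->count : 1);
    *align = unit > f->min_align ? unit : f->min_align;
}

/* Lay the struct out as GCC does on x86: each field goes at the next offset
 * that satisfies its alignment (a hole wherever align_up() moves `off`), and
 * the total is rounded up to the largest alignment seen. Returns sizeof(). */
size_t struct_size(const struct field *fields, size_t n, const struct abi *abi)
{
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n; i++) {
        size_t sz, al;
        field_size_align(&fields[i], abi, &sz, &al);
        off = align_up(off, al) + sz;
        if (al > max_align)
            max_align = al;
    }
    return align_up(off, max_align);
}

/* struct xt_hashlimit_info: name[IFNAMSIZ], cfg (seven u_int32_t), hinfo, u */
static const struct field hashlimit_info[] = {
    { "name",  K_BYTES, 16, 0 },
    { "cfg",   K_U32,    7, 0 },
    { "hinfo", K_PTR,    0, 0 },  /* bare pointer: 4-byte hole before it on LP64 */
    { "u",     K_PTR,    0, 0 },  /* union { void *ptr; struct ... *master; } */
};
/* struct xt_connlimit_info: 16-byte address mask, limit, inverse, data */
static const struct field connlimit_info[] = {
    { "mask",    K_U32, 4, 0 },
    { "limit",   K_U32, 0, 0 },
    { "inverse", K_U32, 0, 0 },
    { "data",    K_PTR, 0, 8 },   /* __attribute__((aligned(8))) */
};
/* struct xt_rateinfo (xt_limit), the layout the removed compat struct mirrors */
static const struct field rateinfo[] = {
    { "avg",        K_U32,   0, 0 },
    { "burst",      K_U32,   0, 0 },
    { "prev",       K_ULONG, 0, 0 },  /* unsigned long: 4 vs 8 bytes */
    { "credit",     K_U32,   0, 0 },
    { "credit_cap", K_U32,   0, 0 },
    { "cost",       K_U32,   0, 0 },
    { "master",     K_PTR,   0, 0 },  /* 4-byte hole before it on LP64 */
};

#define NFIELDS(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    /* A mismatch between the two columns is what the kernel rejects as
     * "invalid size <native> != <compat>" for a match without compat hooks. */
    const struct field *s[] = { hashlimit_info, connlimit_info, rateinfo };
    size_t n[] = { NFIELDS(hashlimit_info), NFIELDS(connlimit_info),
                   NFIELDS(rateinfo) };
    const char *names[] = { "xt_hashlimit_info", "xt_connlimit_info",
                            "xt_rateinfo" };
    printf("%-20s %6s %6s\n", "struct", "ILP32", "LP64");
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %6zu %6zu\n", names[i],
               struct_size(s[i], n[i], &ILP32), struct_size(s[i], n[i], &LP64));
    return 0;
}
```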
* [PATCH 6/27] xt_CONNMARK target, revision 1
From: Jan Engelhardt @ 2008-01-02 20:27 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit ff3ddea4afa7f7b7735ae439bb1cd82e5413d99e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:42:13 2008 +0100
[NETFILTER]: xt_CONNMARK target, revision 1
Introduces the xt_CONNMARK target revision 1. It uses fixed types, and
also uses the more expressive XOR logic. Furthermore, it allows one to
selectively pick bits from both the ctmark and the nfmark in the SAVE
and RESTORE operations.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_CONNMARK.h | 5 +
net/netfilter/xt_CONNMARK.c | 117 ++++++++++++++++++++----
2 files changed, 102 insertions(+), 20 deletions(-)
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 9f74468..4e58ba4 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
u_int8_t mode;
};
+struct xt_connmark_tginfo1 {
+ u_int32_t ctmark, ctmask, nfmask;
+ u_int8_t mode;
+};
+
#endif /*_XT_CONNMARK_H_target*/
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index ec2eb34..761d34d 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -1,8 +1,10 @@
-/* This kernel module is used to modify the connection mark values, or
- * to optionally restore the skb nfmark from the connection mark
+/*
+ * xt_CONNMARK - Netfilter module to modify the connection mark values
*
- * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -34,9 +36,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_connmark_target_info *markinfo = targinfo;
struct nf_conn *ct;
@@ -74,10 +76,50 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_connmark_tginfo1 *info = targinfo;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ u_int32_t newmark;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return XT_CONTINUE;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_SAVE:
+ newmark = (ct->mark & ~info->ctmask) ^
+ (skb->mark & info->nfmask);
+ if (ct->mark != newmark) {
+ ct->mark = newmark;
+ nf_conntrack_event_cache(IPCT_MARK, skb);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+ newmark = (skb->mark & ~info->nfmask) ^
+ (ct->mark & info->ctmask);
+ skb->mark = newmark;
+ break;
+ }
+
+ return XT_CONTINUE;
+}
+
static bool
-connmark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+connmark_tg_check_v0(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_target_info *matchinfo = targinfo;
@@ -101,6 +143,19 @@ connmark_tg_check(const char *tablename, const void *entry,
return true;
}
+static bool
+connmark_tg_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", target->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_tg_destroy(const struct xt_target *target, void *targinfo)
{
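Review bot: connmark_tg_check() only takes the conntrack module reference and never validates info->mode, while the switch in connmark_tg() above has no default, so a rule whose mode lies outside XT_CONNMARK_SET/SAVE/RESTORE loads successfully and then silently does nothing per packet. Return false for `info->mode > XT_CONNMARK_RESTORE` here (the v0 check body that presumably does this is outside the hunk) so that a malformed or mismatched userspace blob is rejected at insertion time rather than accepted as a no-op.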
@@ -115,7 +170,7 @@ struct compat_xt_connmark_target_info {
u_int16_t __pad2;
};
-static void connmark_tg_compat_from_user(void *dst, void *src)
+static void connmark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_target_info *cm = src;
struct xt_connmark_target_info m = {
@@ -126,7 +181,7 @@ static void connmark_tg_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int connmark_tg_compat_to_user(void __user *dst, void *src)
+static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_target_info *m = src;
struct compat_xt_connmark_target_info cm = {
@@ -141,32 +196,54 @@ static int connmark_tg_compat_to_user(void __user *dst, void *src)
static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "CONNMARK",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_tg_check,
+ .checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
- .target = connmark_tg,
+ .target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
- .compat_from_user = connmark_tg_compat_from_user,
- .compat_to_user = connmark_tg_compat_to_user,
+ .compat_from_user = connmark_tg_compat_from_user_v0,
+ .compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_tg_init(void)
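Review bot: the two revision-1 entries register without compatsize/compat_from_user/compat_to_user. That is correct because xt_connmark_tginfo1 holds only u_int32_t and u_int8_t members, which have the same size and alignment in 32-bit and 64-bit userspace, unlike the revision-0 struct that still needs the _v0 conversion hooks above; a sentence saying so in the commit message would save the next reviewer the check.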
* Re: [PATCH 6/27] xt_CONNMARK target, revision 1
From: Patrick McHardy @ 2008-01-04 14:41 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit ff3ddea4afa7f7b7735ae439bb1cd82e5413d99e
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:42:13 2008 +0100
>
> [NETFILTER]: xt_CONNMARK target, revision 1
>
> Introduces the xt_CONNMARK target revision 1. It uses fixed types, and
> also uses the more expressive XOR logic. Furthermore, it allows one to
> selectively pick bits from both the ctmark and the nfmark in the SAVE
> and RESTORE operations.
Applied with some minor cosmetic changes:
> +static unsigned int
> +connmark_tg(struct sk_buff *skb, const struct net_device *in,
> + const struct net_device *out, unsigned int hooknum,
> + const struct xt_target *target, const void *targinfo)
> +{
> + const struct xt_connmark_tginfo1 *info = targinfo;
> + enum ip_conntrack_info ctinfo;
> + struct nf_conn *ct;
> + u_int32_t newmark;
> +
> + ct = nf_ct_get(skb, &ctinfo);
> + if (ct == NULL)
> + return XT_CONTINUE;
> +
> + switch (info->mode) {
> + case XT_CONNMARK_SET:
switch cases should not be indented deeper than the switch statement.
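Added example, not code from the patch series, showing the keep-versus-zero mask convention from 2/27 and the revision-1 CONNMARK SET/SAVE/RESTORE arithmetic from 6/27 on constructed values; helper names such as tos_apply_zero and connmark_result are this example's own, the bit arithmetic is taken from the patches.

```c
/*
 * Added example (not code from the patch series): the two mask conventions
 * argued over for xt_TOS in 2/27, and the revision-1 xt_CONNMARK arithmetic
 * from 6/27, run on constructed sample values. Helper names are this
 * example's own; the bit arithmetic is copied from the patches.
 */
#include <stdint.h>
#include <stdio.h>

/* Old xt_TOS convention: mask selects the original bits to KEEP. */
static uint8_t tos_apply_keep(uint8_t orig, uint8_t mask, uint8_t value)
{
    return (orig & mask) ^ value;
}

/* New convention from the patch: mask selects the bits to ZERO first. */
static uint8_t tos_apply_zero(uint8_t orig, uint8_t mask, uint8_t value)
{
    return (orig & ~mask) ^ value;
}

/* Number of TOS bytes (0..255) on which a keep-style rule and a zero-style
 * rule disagree; 0 means the two rules are equivalent on every packet. */
int tos_rules_differ(uint8_t keep_mask, uint8_t keep_value,
                     uint8_t zero_mask, uint8_t zero_value)
{
    int differ = 0;
    for (int orig = 0; orig < 256; orig++)
        if (tos_apply_keep((uint8_t)orig, keep_mask, keep_value) !=
            tos_apply_zero((uint8_t)orig, zero_mask, zero_value))
            differ++;
    return differ;
}

/* Both conventions XOR the value in, so a value bit outside the zeroed range
 * toggles the packet's existing bit instead of setting it. Requiring the
 * value to lie within the mask (a check a rule author or a checkentry hook
 * can make) keeps the outcome identical for every packet, which matters once
 * the field or mark selects a route, queue or policy downstream. */
int value_within_mask(uint32_t value, uint32_t mask)
{
    return (value & ~mask) == 0;
}

/* struct xt_connmark_tginfo1 and its three modes, as in the patch. */
struct connmark_tginfo1 { uint32_t ctmark, ctmask, nfmask; uint8_t mode; };
enum { CONNMARK_SET, CONNMARK_SAVE, CONNMARK_RESTORE };

/* Revision-1 semantics: ctmask names the ctmark bits to replace (SET, SAVE)
 * or to copy out (RESTORE); nfmask plays the same role for the skb mark. */
void connmark_v1(const struct connmark_tginfo1 *info,
                 uint32_t *ctmark, uint32_t *skbmark)
{
    switch (info->mode) {
    case CONNMARK_SET:
        *ctmark = (*ctmark & ~info->ctmask) ^ info->ctmark;
        break;
    case CONNMARK_SAVE:
        *ctmark = (*ctmark & ~info->ctmask) ^ (*skbmark & info->nfmask);
        break;
    case CONNMARK_RESTORE:
        *skbmark = (*skbmark & ~info->nfmask) ^ (*ctmark & info->ctmask);
        break;
    default:
        break;  /* the kernel switch has no default: an unknown mode is a no-op */
    }
}

/* One-shot evaluation: returns the mark the given mode writes (the connection
 * mark for SET/SAVE, the packet mark for RESTORE). */
uint32_t connmark_result(uint8_t mode, uint32_t ctmark, uint32_t ctmask,
                         uint32_t nfmask, uint32_t ct, uint32_t skb)
{
    struct connmark_tginfo1 info = { ctmark, ctmask, nfmask, mode };
    connmark_v1(&info, &ct, &skb);
    return mode == CONNMARK_RESTORE ? skb : ct;
}

int main(void)
{
    /* "Set bit 0x01": 0x01/0xFE under keep semantics, 0x01/0x01 under zero. */
    printf("the two 'set bit 0x01' rules differ on %d of 256 inputs\n",
           tos_rules_differ(0xFE, 0x01, 0x01, 0x01));
    /* value 0x03 with mask 0x01: bit 0x02 is toggled, not set */
    printf("value 0x03/mask 0x01: orig 0x00 -> 0x%02x, orig 0x02 -> 0x%02x\n",
           tos_apply_zero(0x00, 0x01, 0x03), tos_apply_zero(0x02, 0x01, 0x03));
    /* SAVE the upper 16 bits of a constructed packet mark into the ctmark */
    printf("SAVE: ctmark 0x%08x\n",
           (unsigned)connmark_result(CONNMARK_SAVE, 0, 0xFFFF0000, 0xFFFF0000,
                                     0x0000BEEF, 0xCAFE0001));
    return 0;
}
```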
* [PATCH 7/27] xt_MARK target, revision 2
From: Jan Engelhardt @ 2008-01-02 20:27 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit bc393707289ed79d115c0ad0d53fa60301cb3f24
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:42:49 2008 +0100
[NETFILTER]: xt_MARK target, revision 2
Introduces the xt_MARK target revision 2. It uses fixed types, and
also uses the more expressive XOR logic.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_MARK.h | 4 ++
net/netfilter/xt_MARK.c | 74 ++++++++++++++++++++---------
2 files changed, 56 insertions(+), 22 deletions(-)
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index b021e93..778b278 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
u_int8_t mode;
};
+struct xt_mark_tginfo2 {
+ u_int32_t mark, mask;
+};
+
#endif /*_XT_MARK_H_target */
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 57c6d55..1c3fb75 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -1,10 +1,13 @@
-/* This is a module which is used for setting the NFMARK field of an skb. */
-
-/* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+/*
+ * xt_MARK - Netfilter module to modify the NFMARK field of an skb
+ *
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
@@ -33,9 +36,9 @@ mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
}
static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, unsigned int hooknum,
- const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
int mark = 0;
@@ -58,6 +61,17 @@ mark_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_mark_tginfo2 *info = targinfo;
+
+ skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+ return XT_CONTINUE;
+}
+
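Review bot: the `skb->mark = (skb->mark & ~info->mask) ^ info->mark;` line in `mark_tg` carries no comment on the intended semantics, and they are not obvious from the revision-2 struct either: `mask` selects the bits to clear, `mark` is XORed in afterwards, so a bit set in `mark` but not in `mask` toggles rather than sets. A one-line comment here or on `struct xt_mark_tginfo2` (e.g. `/* nfmark = (nfmark & ~mask) ^ mark */`) would keep userspace authors from assuming plain set/and/or behaviour; if `mark` bits outside `mask` are meant to be allowed (pure XOR use), the commit message should say so.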
static bool
mark_tg_check_v0(const char *tablename, const void *entry,
const struct xt_target *target, void *targinfo,
@@ -73,9 +87,9 @@ mark_tg_check_v0(const char *tablename, const void *entry,
}
static bool
-mark_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+mark_tg_check_v1(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_target_info_v1 *markinfo = targinfo;
@@ -98,7 +112,7 @@ struct compat_xt_mark_target_info {
compat_ulong_t mark;
};
-static void mark_tg_compat_from_user(void *dst, void *src)
+static void mark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_target_info *cm = src;
struct xt_mark_target_info m = {
@@ -107,7 +121,7 @@ static void mark_tg_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int mark_tg_compat_to_user(void __user *dst, void *src)
+static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_target_info *m = src;
struct compat_xt_mark_target_info cm = {
@@ -154,8 +168,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -164,8 +178,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.name = "MARK",
.family = AF_INET,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -184,8 +198,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
- .compat_from_user = mark_tg_compat_from_user,
- .compat_to_user = mark_tg_compat_to_user,
+ .compat_from_user = mark_tg_compat_from_user_v0,
+ .compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
@@ -194,8 +208,8 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.name = "MARK",
.family = AF_INET6,
.revision = 1,
- .checkentry = mark_tg_check,
- .target = mark_tg,
+ .checkentry = mark_tg_check_v1,
+ .target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
@@ -205,6 +219,22 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.table = "mangle",
.me = THIS_MODULE,
},
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET6,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_tg_init(void)
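Review bot: the two new revision-2 entries omit `.table = "mangle"`, whereas every existing revision-0/1 entry in this array is restricted to the mangle table (see the unchanged `.table = "mangle"` context in the preceding hunks). If allowing MARK revision 2 in any table is intended, the commit message should state it; otherwise add `.table = "mangle"` to both entries. Minor style point: the new entries order `.revision` before `.family`, the reverse of the existing entries.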
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* [PATCH 8/27] xt_connmark match, revision 1
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (7 preceding siblings ...)
2008-01-02 20:27 ` [PATCH 7/27] xt_MARK target, revision 2 Jan Engelhardt
@ 2008-01-02 20:27 ` Jan Engelhardt
2008-01-04 14:47 ` Patrick McHardy
2008-01-04 14:56 ` Patrick McHardy
2008-01-02 20:28 ` [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr Jan Engelhardt
` (18 subsequent siblings)
27 siblings, 2 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:27 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 375972a6ff3579f150bf916621b6fe752d29f25a
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:52:04 2008 +0100
[NETFILTER]: xt_connmark match, revision 1
Introduces the xt_connmark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
(Unfixed types like "unsigned long" do not play well with mixed
user-/kernelspace "bitness", e.g. 32/64, as is common on SPARC64,
and need extra compat code.)
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_connmark.h | 5 ++
net/netfilter/xt_connmark.c | 84 ++++++++++++++++++++-----
2 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index c592f6a..359ef86 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
u_int8_t invert;
};
+struct xt_connmark_mtinfo1 {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_CONNMARK_H*/
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 8ad875b..60d9605 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -1,8 +1,10 @@
-/* This kernel module matches connection mark values set by the
- * CONNMARK target
+/*
+ * xt_connmark - Netfilter module to match connection mark values
*
- * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -37,6 +39,23 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
+ const struct xt_connmark_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+ return false;
+
+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
+connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
const struct xt_connmark_info *info = matchinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -49,9 +68,9 @@ connmark_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
-connmark_mt_check(const char *tablename, const void *ip,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+connmark_mt_check_v0(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_connmark_info *cm = matchinfo;
@@ -67,6 +86,19 @@ connmark_mt_check(const char *tablename, const void *ip,
return true;
}
+static bool
+connmark_mt_check(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "cannot load conntrack support for "
+ "proto=%u\n", match->family);
+ return false;
+ }
+ return true;
+}
+
static void
connmark_mt_destroy(const struct xt_match *match, void *matchinfo)
{
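Review bot: `connmark_mt_check`, the checkentry for revision 1, never looks at `matchinfo`, so `info->invert` is not validated. `connmark_mt` evaluates `((ct->mark & info->mask) == info->mark) ^ info->invert`; for any `invert` value other than 0 or 1 both outcomes of the comparison give a non-zero result, i.e. the rule matches every packet. Rejecting `info->invert > 1` in this check would turn a malformed rule into an insertion error instead of a silent match-all.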
@@ -81,7 +113,7 @@ struct compat_xt_connmark_info {
u_int16_t __pad2;
};
-static void connmark_mt_compat_from_user(void *dst, void *src)
+static void connmark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_info *cm = src;
struct xt_connmark_info m = {
@@ -92,7 +124,7 @@ static void connmark_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int connmark_mt_compat_to_user(void __user *dst, void *src)
+static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_info *m = src;
struct compat_xt_connmark_info cm = {
@@ -107,23 +139,25 @@ static int connmark_mt_compat_to_user(void __user *dst, void *src)
static struct xt_match connmark_mt_reg[] __read_mostly = {
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
- .compat_from_user = connmark_mt_compat_from_user,
- .compat_to_user = connmark_mt_compat_to_user,
+ .compat_from_user = connmark_mt_compat_from_user_v0,
+ .compat_to_user = connmark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
.name = "connmark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = connmark_mt_check,
- .match = connmark_mt,
+ .checkentry = connmark_mt_check_v0,
+ .match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
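Review bot: the AF_INET6 entry is only half converted. `.checkentry`/`.match` are switched to the `_v0` names, but the hunk ends at `#ifdef CONFIG_COMPAT`, and the next hunk starts at `#endif`, so the `.compat_from_user`/`.compat_to_user` lines in between are left untouched and still reference `connmark_mt_compat_from_user`/`connmark_mt_compat_to_user`, which this patch renames to `_v0`. That will not build with CONFIG_COMPAT; update them the same way as in the AF_INET entry above.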
@@ -133,6 +167,26 @@ static struct xt_match connmark_mt_reg[] __read_mostly = {
#endif
.me = THIS_MODULE
},
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_mtinfo1),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET6,
+ .checkentry = connmark_mt_check,
+ .match = connmark_mt,
+ .matchsize = sizeof(struct xt_connmark_mtinfo1),
+ .destroy = connmark_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init connmark_mt_init(void)
* Re: [PATCH 8/27] xt_connmark match, revision 1
2008-01-02 20:27 ` [PATCH 8/27] xt_connmark match, revision 1 Jan Engelhardt
@ 2008-01-04 14:47 ` Patrick McHardy
2008-01-04 14:56 ` Patrick McHardy
1 sibling, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-04 14:47 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 375972a6ff3579f150bf916621b6fe752d29f25a
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:52:04 2008 +0100
>
> [NETFILTER]: xt_connmark match, revision 1
>
> Introduces the xt_connmark match revision 1. It uses fixed types,
> eventually obsoleting revision 0 some day (uses nonfixed types).
> (Unfixed types like "unsigned long" do not play well with mixed
> user-/kernelspace "bitness", e.g. 32/64, as is common on SPARC64,
> and need extra compat code.)
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Also applied.
* Re: [PATCH 8/27] xt_connmark match, revision 1
2008-01-02 20:27 ` [PATCH 8/27] xt_connmark match, revision 1 Jan Engelhardt
2008-01-04 14:47 ` Patrick McHardy
@ 2008-01-04 14:56 ` Patrick McHardy
2008-01-04 15:03 ` Jan Engelhardt
1 sibling, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-04 14:56 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 375972a6ff3579f150bf916621b6fe752d29f25a
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:52:04 2008 +0100
>
> [NETFILTER]: xt_connmark match, revision 1
>
> {
> .name = "connmark",
> + .revision = 0,
> .family = AF_INET6,
> - .checkentry = connmark_mt_check,
> - .match = connmark_mt,
> + .checkentry = connmark_mt_check_v0,
> + .match = connmark_mt_v0,
> .destroy = connmark_mt_destroy,
> .matchsize = sizeof(struct xt_connmark_info),
> #ifdef CONFIG_COMPAT
This did not compile BTW because you forgot to update the compat
functions for IPv6. Please always test compilation for all affected
cases; if you don't have a machine which needs the compat code,
simply defining CONFIG_COMPAT yourself should work.
* Re: [PATCH 8/27] xt_connmark match, revision 1
2008-01-04 14:56 ` Patrick McHardy
@ 2008-01-04 15:03 ` Jan Engelhardt
2008-01-04 15:05 ` Patrick McHardy
0 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-04 15:03 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 15:56, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit 375972a6ff3579f150bf916621b6fe752d29f25a
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 17:52:04 2008 +0100
>>
>> [NETFILTER]: xt_connmark match, revision 1
>>
>> {
>> .name = "connmark",
>> + .revision = 0,
>> .family = AF_INET6,
>> - .checkentry = connmark_mt_check,
>> - .match = connmark_mt,
>> + .checkentry = connmark_mt_check_v0,
>> + .match = connmark_mt_v0,
>> .destroy = connmark_mt_destroy,
>> .matchsize = sizeof(struct xt_connmark_info),
>> #ifdef CONFIG_COMPAT
>
> This did not compile BTW because you forgot to update the compat
> functions for IPv6. Please always test compilation for all affected
> cases; if you don't have a machine which needs the compat code,
> simply defining CONFIG_COMPAT yourself should work.
>
Have you fixed it during cherrypick? (If so, thanks!)
Well at least I tested CONFIG_IPV6=n ;-)
* Re: [PATCH 8/27] xt_connmark match, revision 1
2008-01-04 15:03 ` Jan Engelhardt
@ 2008-01-04 15:05 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-04 15:05 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 4 2008 15:56, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> commit 375972a6ff3579f150bf916621b6fe752d29f25a
>>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>>> Date: Wed Jan 2 17:52:04 2008 +0100
>>>
>>> [NETFILTER]: xt_connmark match, revision 1
>>>
>>> {
>>> .name = "connmark",
>>> + .revision = 0,
>>> .family = AF_INET6,
>>> - .checkentry = connmark_mt_check,
>>> - .match = connmark_mt,
>>> + .checkentry = connmark_mt_check_v0,
>>> + .match = connmark_mt_v0,
>>> .destroy = connmark_mt_destroy,
>>> .matchsize = sizeof(struct xt_connmark_info),
>>> #ifdef CONFIG_COMPAT
>> This did not compile BTW because you forgot to update the compat
>> functions for IPv6. Please always test compilation for all affected
>> cases; if you don't have a machine which needs the compat code,
>> simply defining CONFIG_COMPAT yourself should work.
>>
>
> Have you fixed it during cherrypick? (If so, thanks!)
Yes, I fixed it.
> Well at least I tested CONFIG_IPV6=n ;-)
That's at least as important since this is what regularly made
compilation fail for Linus :)
* [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (8 preceding siblings ...)
2008-01-02 20:27 ` [PATCH 8/27] xt_connmark match, revision 1 Jan Engelhardt
@ 2008-01-02 20:28 ` Jan Engelhardt
2008-01-04 14:49 ` Patrick McHardy
2008-01-02 20:28 ` [PATCH 10/27] xt_conntrack match, revision 1 Jan Engelhardt
` (17 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 827c835ce662ee0e060b936ac4cb35a6b2e5c10a
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:54:52 2008 +0100
[NETFILTER]: Extend nf_inet_addr with in{,6}_addr
Extend union nf_inet_addr with struct in_addr and in6_addr. Useful
because a lot of in-kernel IPv4 and IPv6 functions use
in_addr/in6_addr.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter.h | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d190d56..91ece5a 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -7,6 +7,8 @@
#include <linux/skbuff.h>
#include <linux/net.h>
#include <linux/if.h>
+#include <linux/in.h>
+#include <linux/in6.h>
#include <linux/wait.h>
#include <linux/list.h>
#endif
@@ -52,6 +54,8 @@ union nf_inet_addr {
u_int32_t all[4];
__be32 ip;
__be32 ip6[4];
+ struct in_addr in;
+ struct in6_addr in6;
};
#ifdef __KERNEL__
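Review bot: `union nf_inet_addr` sits before the `#ifdef __KERNEL__` that follows it, so it is part of the userspace-visible section of this header, yet the new `<linux/in.h>`/`<linux/in6.h>` includes are added inside the conditional block closed by the `#endif` at the end of the first hunk. A userspace build that includes `<linux/netfilter.h>` without having declared `struct in_addr`/`struct in6_addr` first will now fail to compile. Either move the two includes outside that block or note the new requirement in the commit message.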
* Re: [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr
2008-01-02 20:28 ` [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr Jan Engelhardt
@ 2008-01-04 14:49 ` Patrick McHardy
2008-01-04 15:01 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-04 14:49 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 827c835ce662ee0e060b936ac4cb35a6b2e5c10a
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:54:52 2008 +0100
>
> [NETFILTER]: Extend nf_inet_addr with in{,6}_addr
>
> Extend union nf_inet_addr with struct in_addr and in6_addr. Useful
> because a lot of in-kernel IPv4 and IPv6 functions use
> in_addr/in6_addr.
Also applied, thanks. Perhaps a better way would be to consistently
only use one of the two types (be32 or in_addr), but for now this
seems fine.
* Re: [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr
2008-01-04 14:49 ` Patrick McHardy
@ 2008-01-04 15:01 ` Jan Engelhardt
0 siblings, 0 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-04 15:01 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 15:49, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit 827c835ce662ee0e060b936ac4cb35a6b2e5c10a
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 17:54:52 2008 +0100
>>
>> [NETFILTER]: Extend nf_inet_addr with in{,6}_addr
>>
>> Extend union nf_inet_addr with struct in_addr and in6_addr. Useful
>> because a lot of in-kernel IPv4 and IPv6 functions use
>> in_addr/in6_addr.
>
> Also applied, thanks. Perhaps a better way would be to consistently
> only use one of the two types (be32 or in_addr), but for now this
> seems fine.
>
It is because of userspace -- it uses in_addr in so many
functions that extending the union seemed like the best thing
to avoid tons of casting or compile warnings.
* [PATCH 10/27] xt_conntrack match, revision 1
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (9 preceding siblings ...)
2008-01-02 20:28 ` [PATCH 9/27] Extend nf_inet_addr with in{,6}_addr Jan Engelhardt
@ 2008-01-02 20:28 ` Jan Engelhardt
2008-01-04 14:53 ` Patrick McHardy
2008-01-02 20:28 ` [PATCH 11/27] xt_hashlimit: use the new union nf_inet_addr Jan Engelhardt
` (16 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 7e6ab7f2e7eb220d2ee5ce7f744a22deb10a5144
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:55:31 2008 +0100
[NETFILTER]: xt_conntrack match, revision 1
Introduces the xt_conntrack match revision 1. It uses fixed types, the
new nf_inet_addr and comes with IPv6 support, thereby completely
superseding xt_state.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_conntrack.h | 16 ++-
net/netfilter/xt_conntrack.c | 207 +++++++++++++++++++++---
net/netfilter/xt_state.c | 2 +
3 files changed, 199 insertions(+), 26 deletions(-)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 70b6f71..d2492a3 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,7 +6,9 @@
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/in.h>
+#ifdef __KERNEL__
+# include <linux/in.h>
+#endif
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
@@ -60,4 +62,16 @@ struct xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};
+
+struct xt_conntrack_mtinfo1 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int8_t state_mask, status_mask;
+ u_int8_t match_flags, invert_flags;
+};
+
#endif /*_XT_CONNTRACK_H*/
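Review bot: `struct xt_conntrack_mtinfo1` uses `union nf_inet_addr`, but this header never includes `<linux/netfilter.h>`, where that union is defined, so the header is no longer self-contained; the `#ifdef __KERNEL__` guard placed around `<linux/in.h>` in the previous hunk removes an include rather than adding the one now needed. Including `<linux/netfilter.h>` here would make the dependency explicit and cover the kernel side.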
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3f8bfba..dc9e737 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -1,15 +1,19 @@
-/* Kernel module to match connection tracking information.
- * Superset of Rusty's minimalistic state match.
+/*
+ * xt_conntrack - Netfilter module to match connection tracking
+ * information. (Superset of Rusty's minimalistic state match.)
*
- * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
@@ -18,12 +22,13 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables connection tracking match module");
MODULE_ALIAS("ipt_conntrack");
+MODULE_ALIAS("ip6t_conntrack");
static bool
-conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct xt_conntrack_info *sinfo = matchinfo;
const struct nf_conn *ct;
@@ -112,6 +117,134 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
+conntrack_addrcmp(const union nf_inet_addr *kaddr,
+ const union nf_inet_addr *uaddr,
+ const union nf_inet_addr *umask, unsigned int l3proto)
+{
+ if (l3proto == AF_INET)
+ return (kaddr->ip & umask->ip) == uaddr->ip;
+ else if (l3proto == AF_INET6)
+ return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
+ &uaddr->in6) == 0;
+ else
+ return false;
+}
+
+static inline bool
+conntrack_mt_origsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
+ &info->origsrc_addr, &info->origsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_origdst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
+ &info->origdst_addr, &info->origdst_mask, family);
+}
+
+static inline bool
+conntrack_mt_replsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
+ &info->replsrc_addr, &info->replsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_repldst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
+ &info->repldst_addr, &info->repldst_mask, family);
+}
+
+static bool
+conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_conntrack_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+ unsigned int statebit;
+
+ ct = nf_ct_get(skb, &ctinfo);
+
+ if (ct == &nf_conntrack_untracked)
+ statebit = XT_CONNTRACK_STATE_UNTRACKED;
+ else if (ct != NULL)
+ statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+ else
+ statebit = XT_CONNTRACK_STATE_INVALID;
+
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (ct != NULL) {
+ if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_SNAT;
+ if (test_bit(IPS_DST_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_DNAT;
+ }
+ if ((info->state_mask & statebit) ^
+ !(info->invert_flags & XT_CONNTRACK_STATE))
+ return false;
+ }
+
+ if (ct == NULL)
+ return info->match_flags & XT_CONNTRACK_STATE;
+
+ if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+ ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
+ info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC)
+ if (conntrack_mt_origsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST)
+ if (conntrack_mt_origdst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC)
+ if (conntrack_mt_replsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST)
+ if (conntrack_mt_repldst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_STATUS) &&
+ (!!(info->status_mask & ct->status) ^
+ !(info->invert_flags & XT_CONNTRACK_STATUS)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ unsigned long expires = 0;
+
+ if (timer_pending(&ct->timeout))
+ expires = (ct->timeout.expires - jiffies) / HZ;
+ if ((expires >= info->expires_min &&
+ expires <= info->expires_max) ^
+ !(info->invert_flags & XT_CONNTRACK_EXPIRES))
+ return false;
+ }
+ return true;
+}
+
+static bool
conntrack_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
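Review bot: the state test in `conntrack_mt` is wrong. `(info->state_mask & statebit)` is a bit value (1 << n), which equals 1 only for `XT_CONNTRACK_STATE_INVALID`; XORing it with `!(info->invert_flags & XT_CONNTRACK_STATE)` therefore yields a non-zero value whenever any other state matches and the test is not inverted, and the function returns false exactly when it should match. Normalize with `!!`, as the STATUS branch below already does: `if (!!(info->state_mask & statebit) ^ !(info->invert_flags & XT_CONNTRACK_STATE))`. Separately, `conntrack_addrcmp` masks only the conntrack side for AF_INET (`(kaddr->ip & umask->ip) == uaddr->ip`), while `ipv6_masked_addr_cmp` masks both operands for AF_INET6, so the IPv4 case silently relies on userspace pre-masking the rule address; `((kaddr->ip ^ uaddr->ip) & umask->ip) == 0` would make both families behave the same.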
@@ -144,7 +277,7 @@ struct compat_xt_conntrack_info
u_int8_t invflags;
};
-static void conntrack_mt_compat_from_user(void *dst, void *src)
+static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_conntrack_info *cm = src;
struct xt_conntrack_info m = {
@@ -161,7 +294,7 @@ static void conntrack_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int conntrack_mt_compat_to_user(void __user *dst, void *src)
+static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_conntrack_info *m = src;
struct compat_xt_conntrack_info cm = {
@@ -179,29 +312,53 @@ static int conntrack_mt_compat_to_user(void __user *dst, void *src)
}
#endif
-static struct xt_match conntrack_mt_reg __read_mostly = {
- .name = "conntrack",
- .match = conntrack_mt,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .matchsize = sizeof(struct xt_conntrack_info),
+static struct xt_match conntrack_mt_reg[] __read_mostly = {
+ {
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .match = conntrack_mt_v0,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .matchsize = sizeof(struct xt_conntrack_info),
+ .me = THIS_MODULE,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_conntrack_info),
- .compat_from_user = conntrack_mt_compat_from_user,
- .compat_to_user = conntrack_mt_compat_to_user,
+ .compatsize = sizeof(struct compat_xt_conntrack_info),
+ .compat_from_user = conntrack_mt_compat_from_user_v0,
+ .compat_to_user = conntrack_mt_compat_to_user_v0,
#endif
- .family = AF_INET,
- .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET6,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init conntrack_mt_init(void)
{
- return xt_register_match(&conntrack_mt_reg);
+ return xt_register_matches(conntrack_mt_reg,
+ ARRAY_SIZE(conntrack_mt_reg));
}
static void __exit conntrack_mt_exit(void)
{
- xt_unregister_match(&conntrack_mt_reg);
+ xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
}
module_init(conntrack_mt_init);
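Review bot: both revision-1 entries reuse `conntrack_mt_check`, which was written for `struct xt_conntrack_info`, so none of the new `xt_conntrack_mtinfo1` fields are validated at insertion time (for instance `invert_flags` bits without the corresponding `match_flags` bit, or `expires_min > expires_max`). A dedicated `conntrack_mt_check_v1` would reject such rules with an error instead of letting them load and never match.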
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index a776dc3..24804a3 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -81,6 +81,8 @@ static struct xt_match state_mt_reg[] __read_mostly = {
static int __init state_mt_init(void)
{
+ printk(KERN_NOTICE "xt_state is obsolete, please use "
+ "xt_conntrack instead.\n");
return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
}
-
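Review bot: the notice in state_mt_init fires on every load of xt_state, and every existing "-m state" rule is what loads it, so on any box whose rule set predates this series it shows up at boot with no hint of what the admin is expected to change. Either say in the message that the rules need "-m conntrack --ctstate" (the module itself is not going away in this hunk), or hold the notice back until the userspace side maps "-m state" onto the conntrack revision 1 match automatically.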
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Patrick McHardy @ 2008-01-04 14:53 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 7e6ab7f2e7eb220d2ee5ce7f744a22deb10a5144
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:55:31 2008 +0100
>
> [NETFILTER]: xt_conntrack match, revision 1
>
> Introduces the xt_conntrack match revision 1. It uses fixed types, the
> new nf_inet_addr and comes with IPv6 support, thereby completely
> superseding xt_state.
Applied, but
> diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
> index 70b6f71..d2492a3 100644
> --- a/include/linux/netfilter/xt_conntrack.h
> +++ b/include/linux/netfilter/xt_conntrack.h
> @@ -6,7 +6,9 @@
> #define _XT_CONNTRACK_H
>
> #include <linux/netfilter/nf_conntrack_tuple_common.h>
> -#include <linux/in.h>
> +#ifdef __KERNEL__
> +# include <linux/in.h>
> +#endif
Is that really necessary? I would prefer the only in-kernel user of this
file to include it directly. Or simply include netfilter.h, which seems
necessary for nf_inet_addr anyway.
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Jan Engelhardt @ 2008-01-04 15:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 15:53, Patrick McHardy wrote:
>
> Applied, but
>
>> #include <linux/netfilter/nf_conntrack_tuple_common.h>
>> -#include <linux/in.h>
>> +#ifdef __KERNEL__
>> +# include <linux/in.h>
>> +#endif
>
> Is that really necessary? I would prefer the only in-kernel user of this
> file to include it directly. Or simply include netfilter.h, which seems
> necessary for nf_inet_addr anyway.
>
With this #include, we grab the definition for 'struct in_addr'.
Yes, it is necessary; otherwise iptables fails to compile, because
struct in_addr is already sourced from netinet/in.h. If you have
a better idea, please share it.
Perhaps doing #include <linux/in.h> in xt_conntrack.c would resolve it.
I will see to that (if you do not already take care of it) once I
have received your updated git tree.
thanks,
Jan
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Patrick McHardy @ 2008-01-04 15:07 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 4 2008 15:53, Patrick McHardy wrote:
>> Applied, but
>>
>>> #include <linux/netfilter/nf_conntrack_tuple_common.h>
>>> -#include <linux/in.h>
>>> +#ifdef __KERNEL__
>>> +# include <linux/in.h>
>>> +#endif
>> Is that really necessary? I would prefer the only in-kernel user of this
>> file to include it directly. Or simply include netfilter.h, which seems
>> necessary for nf_inet_addr anyway.
>>
> With this #include, we grab the definition for 'struct in_addr'.
>
> Yes, it is necessary; otherwise iptables fails to compile, because
> struct in_addr is already sourced from netinet/in.h. If you have
> a better idea, please share it.
> Perhaps doing #include <linux/in.h> in xt_conntrack.c would resolve it.
> I will see to that (if you do not already take care of it) once I
> have received your updated git tree.
Well, netfilter.h already includes linux/in.h, so that should work
fine, no?
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Jan Engelhardt @ 2008-01-04 15:28 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 16:07, Patrick McHardy wrote:
>
> Well, netfilter.h already includes linux/in.h, so that should work
> fine, no?
>
>
Alright, the following patch works both in-kernel and with iptables.
(Not inside any published git tree.)
===
commit 8872fff3bf309627d89e9da9dd10f8ec5a648ece
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:55:31 2008 +0100
[NETFILTER]: xt_conntrack match, revision 1
Introduces the xt_conntrack match revision 1. It uses fixed types, the
new nf_inet_addr and comes with IPv6 support, thereby completely
superseding xt_state.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 70b6f71..6ec4304 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,7 +6,6 @@
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/in.h>
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
@@ -60,4 +59,16 @@ struct xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};
+
+struct xt_conntrack_mtinfo1 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int8_t state_mask, status_mask;
+ u_int8_t match_flags, invert_flags;
+};
+
#endif /*_XT_CONNTRACK_H*/
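Review bot: match_flags and invert_flags in struct xt_conntrack_mtinfo1 are u_int8_t, and conntrack_mt in the .c hunk already tests eight distinct flags (STATE, PROTO, ORIGSRC, ORIGDST, REPLSRC, REPLDST, STATUS, EXPIRES), so the revision 1 layout is full on the day it is introduced. Since this struct is exported to userspace and frozen once released, make both u_int16_t now rather than in a revision 2. Separately, union nf_inet_addr is used here without any include that declares it: after dropping <linux/in.h> the header only compiles when the includer has pulled in linux/netfilter.h first.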
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3f8bfba..dc9e737 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -1,15 +1,19 @@
-/* Kernel module to match connection tracking information.
- * Superset of Rusty's minimalistic state match.
+/*
+ * xt_conntrack - Netfilter module to match connection tracking
+ * information. (Superset of Rusty's minimalistic state match.)
*
- * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
@@ -18,12 +22,13 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables connection tracking match module");
MODULE_ALIAS("ipt_conntrack");
+MODULE_ALIAS("ip6t_conntrack");
static bool
-conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct xt_conntrack_info *sinfo = matchinfo;
const struct nf_conn *ct;
@@ -112,6 +117,134 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
+conntrack_addrcmp(const union nf_inet_addr *kaddr,
+ const union nf_inet_addr *uaddr,
+ const union nf_inet_addr *umask, unsigned int l3proto)
+{
+ if (l3proto == AF_INET)
+ return (kaddr->ip & umask->ip) == uaddr->ip;
+ else if (l3proto == AF_INET6)
+ return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
+ &uaddr->in6) == 0;
+ else
+ return false;
+}
+
+static inline bool
+conntrack_mt_origsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
+ &info->origsrc_addr, &info->origsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_origdst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
+ &info->origdst_addr, &info->origdst_mask, family);
+}
+
+static inline bool
+conntrack_mt_replsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
+ &info->replsrc_addr, &info->replsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_repldst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
+ &info->repldst_addr, &info->repldst_mask, family);
+}
+
+static bool
+conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_conntrack_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+ unsigned int statebit;
+
+ ct = nf_ct_get(skb, &ctinfo);
+
+ if (ct == &nf_conntrack_untracked)
+ statebit = XT_CONNTRACK_STATE_UNTRACKED;
+ else if (ct != NULL)
+ statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+ else
+ statebit = XT_CONNTRACK_STATE_INVALID;
+
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (ct != NULL) {
+ if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_SNAT;
+ if (test_bit(IPS_DST_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_DNAT;
+ }
+ if ((info->state_mask & statebit) ^
+ !(info->invert_flags & XT_CONNTRACK_STATE))
+ return false;
+ }
+
+ if (ct == NULL)
+ return info->match_flags & XT_CONNTRACK_STATE;
+
+ if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+ ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
+ info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC)
+ if (conntrack_mt_origsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST)
+ if (conntrack_mt_origdst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC)
+ if (conntrack_mt_replsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST)
+ if (conntrack_mt_repldst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_STATUS) &&
+ (!!(info->status_mask & ct->status) ^
+ !(info->invert_flags & XT_CONNTRACK_STATUS)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ unsigned long expires = 0;
+
+ if (timer_pending(&ct->timeout))
+ expires = (ct->timeout.expires - jiffies) / HZ;
+ if ((expires >= info->expires_min &&
+ expires <= info->expires_max) ^
+ !(info->invert_flags & XT_CONNTRACK_EXPIRES))
+ return false;
+ }
+ return true;
+}
+
+static bool
conntrack_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
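Review bot: in conntrack_mt the state test `if ((info->state_mask & statebit) ^ !(info->invert_flags & XT_CONNTRACK_STATE))` XORs a multi-bit value with a 0/1 value. For a non-inverted rule, !(invert) is 1; a matching ESTABLISHED entry gives statebit == XT_CONNTRACK_STATE_BIT(0) == 2 (see the macro in the header hunk), so the expression is 2 ^ 1 == 3, non-zero, and the packet that should match is rejected. Only the INVALID case (bit 0, 1 ^ 1 == 0) happens to work. The status check further down already does it right with `!!(info->status_mask & ct->status)`; apply the same `!!` to the state_mask term.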
@@ -144,7 +277,7 @@ struct compat_xt_conntrack_info
u_int8_t invflags;
};
-static void conntrack_mt_compat_from_user(void *dst, void *src)
+static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_conntrack_info *cm = src;
struct xt_conntrack_info m = {
@@ -161,7 +294,7 @@ static void conntrack_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int conntrack_mt_compat_to_user(void __user *dst, void *src)
+static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_conntrack_info *m = src;
struct compat_xt_conntrack_info cm = {
@@ -179,29 +312,53 @@ static int conntrack_mt_compat_to_user(void __user *dst, void *src)
}
#endif
-static struct xt_match conntrack_mt_reg __read_mostly = {
- .name = "conntrack",
- .match = conntrack_mt,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .matchsize = sizeof(struct xt_conntrack_info),
+static struct xt_match conntrack_mt_reg[] __read_mostly = {
+ {
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .match = conntrack_mt_v0,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .matchsize = sizeof(struct xt_conntrack_info),
+ .me = THIS_MODULE,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_conntrack_info),
- .compat_from_user = conntrack_mt_compat_from_user,
- .compat_to_user = conntrack_mt_compat_to_user,
+ .compatsize = sizeof(struct compat_xt_conntrack_info),
+ .compat_from_user = conntrack_mt_compat_from_user_v0,
+ .compat_to_user = conntrack_mt_compat_to_user_v0,
#endif
- .family = AF_INET,
- .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET6,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init conntrack_mt_init(void)
{
- return xt_register_match(&conntrack_mt_reg);
+ return xt_register_matches(conntrack_mt_reg,
+ ARRAY_SIZE(conntrack_mt_reg));
}
static void __exit conntrack_mt_exit(void)
{
- xt_unregister_match(&conntrack_mt_reg);
+ xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
}
module_init(conntrack_mt_init);
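Review bot: conntrack_mt_check and conntrack_mt_destroy are reused unchanged for both revision 1 entries, but nothing in this hunk validates an xt_conntrack_mtinfo1 at rule insertion: unknown bits in match_flags or invert_flags are ignored silently in conntrack_mt rather than refused, so a newer userspace setting a flag this kernel does not know gets a rule that quietly matches less than was asked for. A revision 1 checkentry (or a `match->revision == 1` branch in conntrack_mt_check) that rejects unknown flag bits with -EINVAL would turn that into an error the admin sees.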
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index a776dc3..24804a3 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -81,6 +81,8 @@ static struct xt_match state_mt_reg[] __read_mostly = {
static int __init state_mt_init(void)
{
+ printk(KERN_NOTICE "xt_state is obsolete, please use "
+ "xt_conntrack instead.\n");
return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
}
-
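To make the flag/invert idiom of the revision 1 match concrete, here is an added user-space model (not part of the patch or of the kernel): it reproduces the state test as posted beside a `!!`-normalised version, and writes the port and direction checks from the follow-up patch further down the thread with `==` like the protocol check. The ST_*/DIR_* values, the mtinfo1/ct_sample structs and the two scenario helpers are constructed for this model; only the flag bit positions follow the patch.

```c
/* Added example, not from the posted patch: a user-space model of the
 * xt_conntrack revision 1 "matched ^ !inverted" idiom. Flag bit positions
 * follow the patch; state bit values and both structs are constructed here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Match flags, same bit positions as the enum in the patch's xt_conntrack.h */
enum {
	XT_CONNTRACK_STATE        = 1 << 0,
	XT_CONNTRACK_PROTO        = 1 << 1,
	XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
	XT_CONNTRACK_DIRECTION    = 1 << 12,
};

/* State bits: INVALID is bit 0 in the patch; the others are assumed values */
enum { ST_INVALID = 1 << 0, ST_ESTABLISHED = 1 << 1, ST_NEW = 1 << 3 };
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

/* The subset of struct xt_conntrack_mtinfo1 this model needs */
struct mtinfo1 {
	uint16_t l4proto;
	uint16_t origsrc_port;          /* host order here; __be16 in the kernel */
	uint16_t match_flags, invert_flags;
	uint8_t  state_mask;
};

/* Constructed stand-in for the nf_conn entry plus the ctinfo direction */
struct ct_sample {
	unsigned statebit;              /* what XT_CONNTRACK_STATE_BIT() yields */
	uint16_t l4proto, origsrc_port;
	int dir;
};

/* The patch's state test as posted: (mask & bit) is 0, 1, 2, 4..., not 0/1 */
static bool state_ok_as_posted(const struct mtinfo1 *i, unsigned statebit)
{
	/* for ESTABLISHED (bit 1) this is 2 ^ 1 == 3: non-zero, so it rejects */
	return !((i->state_mask & statebit) ^ !(i->invert_flags & XT_CONNTRACK_STATE));
}

/* Same test with the !! normalisation the patch already uses for status_mask */
static bool state_ok_fixed(const struct mtinfo1 *i, unsigned statebit)
{
	return !(!!(i->state_mask & statebit) ^ !(i->invert_flags & XT_CONNTRACK_STATE));
}

/* One requested "matched ^ !inverted" step; a bool operand is always 0/1 */
static bool rejects(bool matched, const struct mtinfo1 *i, unsigned flag)
{
	return (i->match_flags & flag) && (matched ^ !(i->invert_flags & flag));
}

/* Revision-1 style match over the modelled fields, every comparison with == */
static bool conntrack_match(const struct mtinfo1 *i, const struct ct_sample *ct)
{
	if ((i->match_flags & XT_CONNTRACK_STATE) && !state_ok_fixed(i, ct->statebit))
		return false;
	if (rejects(ct->l4proto == i->l4proto, i, XT_CONNTRACK_PROTO))
		return false;
	if (rejects(ct->origsrc_port == i->origsrc_port, i, XT_CONNTRACK_ORIGSRC_PORT))
		return false;
	/* Convention of this model: DIRECTION set and not inverted means ORIGINAL */
	if (rejects(ct->dir == DIR_ORIGINAL, i, XT_CONNTRACK_DIRECTION))
		return false;
	return true;
}

/* Scenario: a state-only rule with the given mask, posted versus fixed test */
static bool state_scenario(bool fixed, uint8_t mask, unsigned statebit, bool inv)
{
	struct mtinfo1 i = { .match_flags = XT_CONNTRACK_STATE, .state_mask = mask,
			     .invert_flags = inv ? XT_CONNTRACK_STATE : 0 };
	return fixed ? state_ok_fixed(&i, statebit) : state_ok_as_posted(&i, statebit);
}

/* Scenario: "-p udp --ctstate ESTABLISHED --ctorigsrcport 53 --ctdir ORIGINAL" */
static bool dns_scenario(uint16_t ct_port, int ct_dir, uint16_t invert_flags)
{
	struct mtinfo1 i = { .l4proto = 17, .origsrc_port = 53,
			     .match_flags = XT_CONNTRACK_STATE | XT_CONNTRACK_PROTO |
					    XT_CONNTRACK_ORIGSRC_PORT | XT_CONNTRACK_DIRECTION,
			     .invert_flags = invert_flags, .state_mask = ST_ESTABLISHED };
	struct ct_sample ct = { .statebit = ST_ESTABLISHED, .l4proto = 17,
				.origsrc_port = ct_port, .dir = ct_dir };
	return conntrack_match(&i, &ct);
}

int main(void)
{
	printf("ESTABLISHED: posted=%d fixed=%d; dns orig/53=%d reply/53=%d orig/80=%d\n",
	       state_scenario(false, ST_ESTABLISHED, ST_ESTABLISHED, false),
	       state_scenario(true, ST_ESTABLISHED, ST_ESTABLISHED, false),
	       dns_scenario(53, DIR_ORIGINAL, 0), dns_scenario(53, DIR_REPLY, 0),
	       dns_scenario(80, DIR_ORIGINAL, 0));
	return 0;
}
```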
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Patrick McHardy @ 2008-01-15 6:48 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit 7e6ab7f2e7eb220d2ee5ce7f744a22deb10a5144
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 17:55:31 2008 +0100
>>
>> [NETFILTER]: xt_conntrack match, revision 1
>> Introduces the xt_conntrack match revision 1. It uses fixed types, the
>> new nf_inet_addr and comes with IPv6 support, thereby completely
>> superseding xt_state.
>
> Applied.
This reminded me - while we're introducing new revisions, there
are two things that have always been missing from xt_conntrack
and I know of multiple patches adding this. One is port matching
for both directions, the other is matching on the direction
itself. Would you be interested in adding this? Otherwise I'm
going to take care of it myself.
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Jan Engelhardt @ 2008-01-15 12:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 15 2008 07:48, Patrick McHardy wrote:
>
> This reminded me - while we're introducing new revisions, there
> are two things that have always been missing from xt_conntrack
> and I know of multiple patches adding this. One is port matching
> for both directions, the other is matching on the direction
> itself. Would you be interested in adding this? Otherwise I'm
> going to take care of it myself.
>
I will take care of that, yes.
While matching the direction is probably a no-brainer (just checking
a field), I would be interested in how "direction" is actually defined.
Does the first packet in a NEW ct dictate the direction? What values
does a direction have - north, south, left, right?
I did not name "inbound" and "outbound" on purpose, because routers
do not have an "in" or "out" side like most consumer desktop boxes.
* Re: [PATCH 10/27] xt_conntrack match, revision 1
From: Patrick McHardy @ 2008-01-15 14:13 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 15 2008 07:48, Patrick McHardy wrote:
>> This reminded me - while we're introducing new revisions, there
>> are two things that have always been missing from xt_conntrack
>> and I know of multiple patches adding this. One is port matching
>> for both directions, the other is matching on the direction
>> itself. Would you be interested in adding this? Otherwise I'm
>> going to take care of it myself.
>>
>
> I will take care of that, yes.
Thanks.
> While matching the direction is probably a no-brainer (just checking
> a field), I would be interested in how "direction" is actually defined.
> Does the first packet in a NEW ct dictate the direction? What values
> does a direction have - north, south, left, right?
> I did not name "inbound" and "outbound" on purpose, because routers
> do not have an "in" or "out" side like most consumer desktop boxes.
In case of xt_conntrack the directions are relative to the first
packet of the connection, as with orig-src, repl-src, ...
* [NETFILTER]: xt_conntrack: add port and direction matching
From: Jan Engelhardt @ 2008-01-16 18:02 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 15 2008 15:13, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Jan 15 2008 07:48, Patrick McHardy wrote:
>> > This reminded me - while we're introducing new revisions, there
>> > are two things that have always been missing from xt_conntrack
>> > and I know of multiple patches adding this. One is port matching
>> > for both directions, the other is matching on the direction
>> > itself. Would you be interested in adding this? Otherwise I'm
>> > going to take care of it myself.
>> >
>>
>> I will take care of that, yes.
>
> Thanks.
>
This patch also removes the ugly #include <linux/in.h>, which is already
found in netfilter.h (which is a better place).
===
commit 17934f6d825d2a6785cd8d7811997a8620cfd528
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 16 18:58:49 2008 +0100
[NETFILTER]: xt_conntrack: add port and direction matching
Extend the xt_conntrack match revision 1 by port matching (all four
{orig,repl}{src,dst}) and by packet direction matching.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index d2492a3..9e35ccd 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,9 +6,6 @@
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#ifdef __KERNEL__
-# include <linux/in.h>
-#endif
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
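Review bot: with the __KERNEL__ include block gone, nothing in xt_conntrack.h declares union nf_inet_addr (used by struct xt_conntrack_mtinfo1 below) or struct in_addr, so the header compiles only if whoever includes it has included linux/netfilter.h first. Since the point of the change, per the cover text, is that netfilter.h is the right home for that include, have xt_conntrack.h include <linux/netfilter.h> itself rather than leave the ordering dependency implicit for iptables and for the kernel module alike.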
@@ -18,14 +15,21 @@
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
-#define XT_CONNTRACK_STATE 0x01
-#define XT_CONNTRACK_PROTO 0x02
-#define XT_CONNTRACK_ORIGSRC 0x04
-#define XT_CONNTRACK_ORIGDST 0x08
-#define XT_CONNTRACK_REPLSRC 0x10
-#define XT_CONNTRACK_REPLDST 0x20
-#define XT_CONNTRACK_STATUS 0x40
-#define XT_CONNTRACK_EXPIRES 0x80
+enum {
+ XT_CONNTRACK_STATE = 1 << 0,
+ XT_CONNTRACK_PROTO = 1 << 1,
+ XT_CONNTRACK_ORIGSRC = 1 << 2,
+ XT_CONNTRACK_ORIGDST = 1 << 3,
+ XT_CONNTRACK_REPLSRC = 1 << 4,
+ XT_CONNTRACK_REPLDST = 1 << 5,
+ XT_CONNTRACK_STATUS = 1 << 6,
+ XT_CONNTRACK_EXPIRES = 1 << 7,
+ XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
+ XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
+ XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
+ XT_CONNTRACK_REPLDST_PORT = 1 << 11,
+ XT_CONNTRACK_DIRECTION = 1 << 12,
+};
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
@@ -70,8 +74,10 @@ struct xt_conntrack_mtinfo1 {
union nf_inet_addr repldst_addr, repldst_mask;
u_int32_t expires_min, expires_max;
u_int16_t l4proto;
+ u_int16_t origsrc_port, origdst_port;
+ u_int16_t replsrc_port, repldst_port;
+ u_int16_t match_flags, invert_flags;
u_int8_t state_mask, status_mask;
- u_int8_t match_flags, invert_flags;
};
#endif /*_XT_CONNTRACK_H*/
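Review bot: the four new port members are declared plain u_int16_t, yet the .c hunk compares them directly against tuple->src.u.all and tuple->dst.u.all, which hold network byte order; either declare them __be16 so sparse catches a host-order store from userspace, or at least say in a comment that they must be filled in network byte order. Moving match_flags/invert_flags behind the port members (and widening them to u_int16_t) also changes the struct layout; that is fine while revision 1 has not shipped, but it belongs in the changelog so nobody backports the .c side without this header.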
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index e92190e..851cba6 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -166,6 +166,67 @@ conntrack_mt_repldst(const struct nf_conn *ct,
&info->repldst_addr, &info->repldst_mask, family);
}
+static inline bool
+ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ const struct nf_conn *ct)
+{
+ const struct nf_conntrack_tuple *tuple;
+
+ tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ if (info->match_flags & XT_CONNTRACK_PROTO)
+ if ((tuple->dst.protonum == info->l4proto) ^
+ !(info->invert_flags & XT_CONNTRACK_PROTO))
+ return false;
+
+ switch (tuple->dst.protonum) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
+ case IPPROTO_SCTP:
+ /*
+ * shortcut by using .u.all rather than
+ * .u.tcp.port + .u.udp.port!
+ */
+ if ((info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) &&
+ (tuple->src.u.all != info->origsrc_port) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT))
+ return false;
+ if ((info->match_flags & XT_CONNTRACK_ORIGDST_PORT) &&
+ (tuple->dst.u.all != info->origdst_port) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST_PORT))
+ return false;
+ break;
+ default:
+ if ((info->match_flags ^ info->invert_flags) &
+ (XT_CONNTRACK_ORIGSRC_PORT | XT_CONNTRACK_ORIGDST_PORT))
+ return false;
+ break;
+ }
+
+ tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+ switch (tuple->dst.protonum) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
+ case IPPROTO_SCTP:
+ /* shortcut by using ->src.all */
+ if ((info->match_flags & XT_CONNTRACK_REPLSRC_PORT) &&
+ (tuple->src.u.all != info->replsrc_port) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC_PORT))
+ return false;
+ if ((info->match_flags & XT_CONNTRACK_REPLDST_PORT) &&
+ (tuple->dst.u.all != info->repldst_port) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST_PORT))
+ return false;
+ break;
+ default:
+ if ((info->match_flags ^ info->invert_flags) &
+ (XT_CONNTRACK_REPLSRC_PORT | XT_CONNTRACK_REPLDST_PORT))
+ return false;
+ break;
+ }
+
+ return true;
+}
+
static bool
conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
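Review bot: the four port comparisons in ct_proto_port_check use `!=` inside the `(cond) ^ !(invert)` idiom, while the protocol check just above them uses `==`. With `!=`, a non-inverted --ctorigsrcport N evaluates `(port != N) ^ 1`, which is 0 (pass) on a mismatch and 1 (return false) on a match, so the sense is reversed relative to every other check in this file; change the four to `==`. Also, `&&` binds weaker than `^`, so `(flag) && (cmp) ^ !(inv)` parses as `flag && ((cmp) ^ !inv)`; that is the intended grouping, but explicit parentheses would spare the next reader the precedence check. Finally, IPPROTO_UDPLITE carries ports too and is missing from the TCP/UDP/SCTP case list.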
@@ -200,10 +261,11 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
if (ct == NULL)
return info->match_flags & XT_CONNTRACK_STATE;
-
- if ((info->match_flags & XT_CONNTRACK_PROTO) &&
- ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
- info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ if (!ct_proto_port_check(info, ct))
+ return false;
+ if ((info->match_flags & XT_CONNTRACK_DIRECTION) &&
+ (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^
+ !!(info->invert_flags & XT_CONNTRACK_DIRECTION))
return false;
if (info->match_flags & XT_CONNTRACK_ORIGSRC)
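Review bot: the direction test uses `!!(info->invert_flags & XT_CONNTRACK_DIRECTION)` where every other check in conntrack_mt, including the ct_proto_port_check call right above it, uses `!(...)`. As written, DIRECTION set and not inverted gives `(dir == ORIGINAL) ^ 0`, so an original-direction packet returns false and the rule matches replies; either that encoding (ORIGINAL means the inverted flag) is intentional and needs a comment in xt_conntrack.h so libxt_conntrack gets it right, or it should be `!` like the rest.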
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Pablo Neira Ayuso @ 2008-01-17 13:52 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> + switch (tuple->dst.protonum) {
> + case IPPROTO_TCP:
> + case IPPROTO_UDP:
> + case IPPROTO_SCTP:
Minor nitpick. Add IPPROTO_UDPLITE.
--
"Honest people are social misfits" -- Les Luthiers
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Jan Engelhardt @ 2008-01-17 15:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Patrick McHardy, Netfilter Developer Mailing List
On Jan 17 2008 14:52, Pablo Neira Ayuso wrote:
> Jan Engelhardt wrote:
>> + switch (tuple->dst.protonum) {
>> + case IPPROTO_TCP:
>> + case IPPROTO_UDP:
>> + case IPPROTO_SCTP:
>
> Minor nitpick. Add IPPROTO_UDPLITE.
Yeah, that can be easily added. I wonder why Netfilter does not support
DCCP conntracking? (At least there is no dccp field in struct nf_conn
and the tuple things.)
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Patrick McHardy @ 2008-01-20 13:00 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 17 2008 14:52, Pablo Neira Ayuso wrote:
>> Jan Engelhardt wrote:
>>> + switch (tuple->dst.protonum) {
>>> + case IPPROTO_TCP:
>>> + case IPPROTO_UDP:
>>> + case IPPROTO_SCTP:
>> Minor nitpick. Add IPPROTO_UDPLITE.
>
> Yeah that can be easily added.
Another nitpick: we support masks for the addresses, ranges of ports
would be nice to have here as well. I also don't think the protocol
check is very useful in this case since all conntrack entries contain
port numbers or something similar.
> I wonder why Netfilter does not support
> DCCP conntracking? (At least there is no dccp field in struct nf_conn
> and the tuple things.)
I have an old patch for this, but it was missing proper protocol state
tracking. Perhaps I should merge it without it for now, since that's
still better than no support at all.
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Jan Engelhardt @ 2008-01-20 13:12 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List
On Jan 20 2008 14:00, Patrick McHardy wrote:
>
> Another nitpick: we support masks for the addresses, ranges of ports
> would be nice to have here as well.
Well well why don't we just add address ranges too then :p
Do we need it so badly?
> I also don't think the protocol
> check is very useful in this case since all conntrack entries contain
> port numbers or something similar.
Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?
The protocol check is important though, because IPPROTO_GRE is
_not_ included, since it's not something that has a port.
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Patrick McHardy @ 2008-01-20 13:15 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 20 2008 14:00, Patrick McHardy wrote:
>> Another nitpick: we support masks for the addresses, ranges of ports
>> would be nice to have here as well.
>
> Well well why don't we just add address ranges too then :p
> Do we need it so badly?
We already have masks, which is probably good enough.
>
>> I also don't think the protocol
>> check is very useful in this case since all conntrack entries contain
>> port numbers or something similar.
>
> Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?
Sure, by proto_generic, which uses 0 for the port numbers.
> The protocol check is important though, because IPPROTO_GRE is
> _not_ included, since, it's not something that has a port.
It has the keys, which are also just a numerical value. Don't
think of it as ports but as "layer 4 protocol keys".
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Jan Engelhardt @ 2008-01-20 16:48 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List
On Jan 20 2008 14:15, Patrick McHardy wrote:
>>
>> > I also don't think the protocol
>> > check is very useful in this case since all conntrack entries contain
>> > port numbers or something similar.
>>
>> Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?
>
> Sure, by proto_generic, which uses 0 for the port numbers.
See, that's another reason why we have to explicitly list the protocols.
Just consider a stupid invocation of iptables:
-m conntrack --ctorigport 0
I'd rather not let that match IPv4-in-IPv4 or so.
>> The protocol check is important though, because IPPROTO_GRE is
>> _not_ included, since, it's not something that has a port.
>
> It has the keys, which are also just a numerical value. Don't
> think of it as ports but as "layer 4 protocol keys".
>
But do these keys actually get modified in NAT?
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
From: Patrick McHardy @ 2008-01-20 16:55 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 20 2008 14:15, Patrick McHardy wrote:
>>>> I also don't think the protocol
>>>> check is very useful in this case since all conntrack entries contain
>>>> port numbers or something similar.
>>> Is IPv4-in-IPv4 or IPv6-in-IPv4 conntracked like UDP is?
>> Sure, by proto_generic, which uses 0 for the port numbers.
>
> See, that's another case why we have to explicitly list the protocols.
> Just consider a stupid invocation of iptables:
>
> -m conntrack --ctorigport 0
>
> I'd rather not let that match IPv4-in-IPv4 or so.
I prefer that to listing all the protocols explicitly. I guess
you would not object if it was named "--ctorigprotokey", but
--ctorigport is clearer for most protocols.
>>> The protocol check is important though, because IPPROTO_GRE is
>>> _not_ included, since, it's not something that has a port.
>> It has the keys, which are also just a numerical value. Don't
>> think of it as ports but as "layer 4 protocol keys".
>>
> But do these keys actually get modified in NAT?
If the protocol is known to NAT and it clashes then yes.
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
2008-01-20 13:00 ` Patrick McHardy
2008-01-20 13:12 ` Jan Engelhardt
@ 2008-01-21 1:14 ` Pablo Neira Ayuso
2008-01-21 1:15 ` Jan Engelhardt
2008-01-21 1:19 ` Patrick McHardy
1 sibling, 2 replies; 107+ messages in thread
From: Pablo Neira Ayuso @ 2008-01-21 1:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Jan 17 2008 14:52, Pablo Neira Ayuso wrote:
>>> Jan Engelhardt wrote:
>>>> + switch (tuple->dst.protonum) {
>>>> + case IPPROTO_TCP:
>>>> + case IPPROTO_UDP:
>>>> + case IPPROTO_SCTP:
>>> Minor nitpick. Add IPPROTO_UDPLITE.
>>
>> Yeah that can be easily added.
BTW, it would be great if we add support for layer 4 protocol state
matching, e.g. match TCP established. We can use this together with the
target that would mark certain events as volatile, e.g.
iptables -A 192.168.0.0/24 -m conntrack ! --tcp-state ESTABLISHED -j VOLATILE
The idea behind this is that ctnetlink would ignore certain events,
thus reducing CPU load.
--
"The honest are social misfits" -- Les Luthiers
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
2008-01-21 1:14 ` Pablo Neira Ayuso
@ 2008-01-21 1:15 ` Jan Engelhardt
2008-01-21 1:18 ` Pablo Neira Ayuso
2008-01-21 1:19 ` Patrick McHardy
1 sibling, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-21 1:15 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Patrick McHardy, Netfilter Developer Mailing List
On Jan 21 2008 02:14, Pablo Neira Ayuso wrote:
>
>BTW, it would be great if we add support for layer 4 protocol state
>matching, e.g. match TCP established. We can use this together with the
>target that would mark certain events as volatile, e.g.
>
>iptables -A 192.168.0.0/24 -m conntrack ! --tcp-state ESTABLISHED -j VOLATILE
And what's xt_VOLATILE do? (Was it hidden in your recent
xt_CONNTRACK submission?)
>The idea behind this is that ctnetlink would ignore certain events,
>thus reducing CPU load.
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
2008-01-21 1:15 ` Jan Engelhardt
@ 2008-01-21 1:18 ` Pablo Neira Ayuso
2008-01-21 1:31 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Pablo Neira Ayuso @ 2008-01-21 1:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 21 2008 02:14, Pablo Neira Ayuso wrote:
>> BTW, it would be great if we add support for layer 4 protocol state
>> matching, e.g. match TCP established. We can use this together with the
>> target that would mark certain events as volatile, e.g.
>>
>> iptables -A 192.168.0.0/24 -m conntrack ! --tcp-state ESTABLISHED -j VOLATILE
>
> And what's xt_VOLATILE do? (Was it hidden in your recent
> xt_CONNTRACK submission?)
Indeed. Just set the IPCT_VOLATILE flag to tell ctnetlink to skip that
event. It would be a very simple target. I don't know if VOLATILE would
be a nice name, perhaps CTNETLINK.
--
"The honest are social misfits" -- Les Luthiers
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
2008-01-21 1:18 ` Pablo Neira Ayuso
@ 2008-01-21 1:31 ` Jan Engelhardt
0 siblings, 0 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-21 1:31 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Patrick McHardy, Netfilter Developer Mailing List
On Jan 21 2008 02:18, Pablo Neira Ayuso wrote:
>>
>> And what's xt_VOLATILE do? (Was it hidden in your recent
>> xt_CONNTRACK submission?)
>
>Indeed. Just set the IPCT_VOLATILE flag to tell ctnetlink to skip that
>event. It would be a very simple target. I don't know if VOLATILE would
>be a nice name, perhaps CTNETLINK.
Oh I would not mind names all that much.
At the basic level, there is ACCEPT DROP and REJECT.
Then, in the depths of POM-nation there is TARPIT and TEE, (I'm missing COFFEE).
Elsewhere, I wrote CHAOS and DELUDE.
Most recently, I sampled up STEAL.
You see, VOLATILE is not so off after all. :-)
* Re: [NETFILTER]: xt_conntrack: add port and direction matching
2008-01-21 1:14 ` Pablo Neira Ayuso
2008-01-21 1:15 ` Jan Engelhardt
@ 2008-01-21 1:19 ` Patrick McHardy
1 sibling, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-21 1:19 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, Netfilter Developer Mailing List
Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Jan 17 2008 14:52, Pablo Neira Ayuso wrote:
>>>> Jan Engelhardt wrote:
>>>>> + switch (tuple->dst.protonum) {
>>>>> + case IPPROTO_TCP:
>>>>> + case IPPROTO_UDP:
>>>>> + case IPPROTO_SCTP:
>>>> Minor nitpick. Add IPPROTO_UDPLITE.
>>> Yeah that can be easily added.
>
> BTW, it would be great if we add support for layer 4 protocol state
> matching, e.g. match TCP established. We can use this together with the
> target that would mark certain events as volatile, e.g.
>
> iptables -A 192.168.0.0/24 -m conntrack ! --tcp-state ESTABLISHED -j VOLATILE
>
> The idea behind this is that ctnetlink would ignore certain events,
> thus reducing CPU load.
I guess the main question is how to do this properly without running
into compatibility problems at the next opportunity with our crappy
userspace interface. Can we trust that a u8 is enough for all relevant
states for the foreseeable future? For the purpose of avoiding
uninteresting state messages it seems like good enough ...
* [PATCH 11/27] xt_hashlimit: use the new union nf_inet_addr
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (10 preceding siblings ...)
2008-01-02 20:28 ` [PATCH 10/27] xt_conntrack match, revision 1 Jan Engelhardt
@ 2008-01-02 20:28 ` Jan Engelhardt
2008-01-04 14:57 ` Patrick McHardy
2008-01-02 20:28 ` [PATCH 12/27] xt_hashlimit match, revision 1 Jan Engelhardt
` (15 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 80d12da7b0d6cce28719db2a4ced58e46f28107f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:56:28 2008 +0100
[NETFILTER]: xt_hashlimit: use the new union nf_inet_addr
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_hashlimit.c | 34 ++++++++++++----------------------
1 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 1b48153..8439ee4 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -46,18 +46,8 @@ static const struct file_operations dl_file_ops;
/* hash table crap */
struct dsthash_dst {
- union {
- struct {
- __be32 src;
- __be32 dst;
- } ip;
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
- struct {
- __be32 src[4];
- __be32 dst[4];
- } ip6;
-#endif
- } addr;
+ union nf_inet_addr src;
+ union nf_inet_addr dst;
__be16 src_port;
__be16 dst_port;
};
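Review bot: the key grows for IPv4 here: both members are now 16-byte unions regardless of family (the old IPv4 struct was 8 bytes in total and the IPv6 part was ifdef'd out), so every AF_INET entry carries 24 bytes that are never written by the IPv4 path yet are part of the key. The memset that initializes dst is outside this diff; please confirm hashlimit_init_dst still zeroes the whole struct before the assignments below, otherwise stale bytes in the unused part of the unions would put packets of one IPv4 flow into different buckets.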
@@ -401,9 +391,9 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
switch (hinfo->family) {
case AF_INET:
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
- dst->addr.ip.dst = ip_hdr(skb)->daddr;
+ dst->dst.ip = ip_hdr(skb)->daddr;
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
- dst->addr.ip.src = ip_hdr(skb)->saddr;
+ dst->src.ip = ip_hdr(skb)->saddr;
if (!(hinfo->cfg.mode &
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
@@ -413,11 +403,11 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
case AF_INET6:
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
- memcpy(&dst->addr.ip6.dst, &ipv6_hdr(skb)->daddr,
- sizeof(dst->addr.ip6.dst));
+ memcpy(&dst->dst.in6, &ipv6_hdr(skb)->daddr,
+ sizeof(dst->dst.in6));
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
- memcpy(&dst->addr.ip6.src, &ipv6_hdr(skb)->saddr,
- sizeof(dst->addr.ip6.src));
+ memcpy(&dst->src.in6, &ipv6_hdr(skb)->saddr,
+ sizeof(dst->src.in6));
if (!(hinfo->cfg.mode &
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
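Review bot: now that dst->dst.in6 is a real struct in6_addr, the memcpy pairs can become plain struct assignments (`dst->dst.in6 = ipv6_hdr(skb)->daddr;`), which drops the sizeof bookkeeping and lets the compiler check that source and destination types agree; the same applies to the src branch.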
@@ -642,9 +632,9 @@ static int dl_seq_real_show(struct dsthash_ent *ent, int family,
return seq_printf(s, "%ld %u.%u.%u.%u:%u->"
"%u.%u.%u.%u:%u %u %u %u\n",
(long)(ent->expires - jiffies)/HZ,
- NIPQUAD(ent->dst.addr.ip.src),
+ NIPQUAD(ent->dst.src.in),
ntohs(ent->dst.src_port),
- NIPQUAD(ent->dst.addr.ip.dst),
+ NIPQUAD(ent->dst.dst.in),
ntohs(ent->dst.dst_port),
ent->rateinfo.credit, ent->rateinfo.credit_cap,
ent->rateinfo.cost);
@@ -653,9 +643,9 @@ static int dl_seq_real_show(struct dsthash_ent *ent, int family,
return seq_printf(s, "%ld " NIP6_FMT ":%u->"
NIP6_FMT ":%u %u %u %u\n",
(long)(ent->expires - jiffies)/HZ,
- NIP6(*(struct in6_addr *)&ent->dst.addr.ip6.src),
+ NIP6(ent->dst.src.in6),
ntohs(ent->dst.src_port),
- NIP6(*(struct in6_addr *)&ent->dst.addr.ip6.dst),
+ NIP6(ent->dst.dst.in6),
ntohs(ent->dst.dst_port),
ent->rateinfo.credit, ent->rateinfo.credit_cap,
ent->rateinfo.cost);
* [PATCH 12/27] xt_hashlimit match, revision 1
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (11 preceding siblings ...)
2008-01-02 20:28 ` [PATCH 11/27] xt_hashlimit: use the new union nf_inet_addr Jan Engelhardt
@ 2008-01-02 20:28 ` Jan Engelhardt
2008-01-04 14:59 ` Patrick McHardy
2008-01-02 20:29 ` [PATCH 13/27] xt_helper: Do not bypass RCU Jan Engelhardt
` (14 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:28 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 98815424093ca5426885218bc0afa5aa18f3e86e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:58:05 2008 +0100
[NETFILTER]: xt_hashlimit match, revision 1
Introduces the xt_hashlimit match revision 1. It adds support for
kernel-level inversion and grouping source and/or destination IP
addresses, allowing limiting on a per-subnet basis. While this would
technically obsolete xt_limit, xt_hashlimit is more expensive due to
the hashbucketing.
Kernel-level inversion: Previously you had to do user-level inversion:
iptables -N foo
iptables -A foo -m hashlimit --hashlimit 5/s -j RETURN
iptables -A foo -j DROP
iptables -A INPUT -j foo
now it is simpler:
iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_hashlimit.h | 37 +++-
net/netfilter/xt_hashlimit.c | 311 +++++++++++++++++++++---
2 files changed, 315 insertions(+), 33 deletions(-)
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index c19972e..f15b104 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+};
struct hashlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
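Review bot: XT_HASHLIMIT_INVERT is not a XT_HASHLIMIT_HASH_* flag, yet it is stored in the same `mode` field whose comment still reads "bitmask of XT_HASHLIMIT_HASH_*"; update the comment so readers of the header know the field also carries match options, and consider a separate prefix for the option bits so future ones are not mistaken for hash selectors.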
@@ -37,4 +40,28 @@ struct xt_hashlimit_info {
struct xt_hashlimit_info *master;
} u;
};
+
+struct hashlimit_cfg1 {
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+
+ u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+ struct xt_hashlimit_mtinfo1 *master;
+};
+
#endif /*_XT_HASHLIMIT_H*/
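Review bot: struct hashlimit_cfg1 ends with two u_int8_t after seven u_int32_t, which leaves two bytes of tail padding that userspace may pass uninitialised and that cannot be reused later without yet another revision. Since this is a fresh revision anyway, either name the padding as a reserved field that checkentry verifies is zero, or place srcmask/dstmask so that later extensions have room to follow.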
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 8439ee4..b747a74 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -1,9 +1,10 @@
-/* iptables match extension to limit the number of packets per second
- * seperately for each hashbucket (sourceip/sourceport/dstip/dstport)
+/*
+ * xt_hashlimit - Netfilter module to limit the number of packets per time
+ * seperately for each hashbucket (sourceip/sourceport/dstip/dstport)
*
- * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
- *
- * $Id: ipt_hashlimit.c 3244 2004-10-20 16:24:29Z laforge@netfilter.org $
+ * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
* Development of this code was funded by Astaro AG, http://www.astaro.com/
*/
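Review bot: the rewritten header comment still carries the old misspelling "seperately"; since that line is touched anyway, make it "separately".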
@@ -71,7 +72,7 @@ struct xt_hashlimit_htable {
atomic_t use;
int family;
- struct hashlimit_cfg cfg; /* config */
+ struct hashlimit_cfg1 cfg; /* config */
/* used internally */
spinlock_t lock; /* lock for list_head */
@@ -174,7 +175,7 @@ dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
}
static void htable_gc(unsigned long htlong);
-static int htable_create(struct xt_hashlimit_info *minfo, int family)
+static int htable_create_v0(struct xt_hashlimit_info *minfo, int family)
{
struct xt_hashlimit_htable *hinfo;
unsigned int size;
@@ -200,7 +201,18 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family)
minfo->hinfo = hinfo;
/* copy match config into hashtable config */
- memcpy(&hinfo->cfg, &minfo->cfg, sizeof(hinfo->cfg));
+ hinfo->cfg.mode = minfo->cfg.mode;
+ hinfo->cfg.avg = minfo->cfg.avg;
+ hinfo->cfg.burst = hinfo->cfg.burst;
+ hinfo->cfg.max = hinfo->cfg.max;
+ hinfo->cfg.gc_interval = hinfo->cfg.gc_interval;
+ hinfo->cfg.expire = hinfo->cfg.expire;
+
+ if (family == AF_INET)
+ hinfo->cfg.srcmask = hinfo->cfg.dstmask = 32;
+ else
+ hinfo->cfg.srcmask = hinfo->cfg.dstmask = 128;
+
hinfo->cfg.size = size;
if (!hinfo->cfg.max)
hinfo->cfg.max = 8 * hinfo->cfg.size;
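Review bot: four of the six field copies assign hinfo->cfg to itself: `hinfo->cfg.burst = hinfo->cfg.burst;` and the same for max, gc_interval and expire. hinfo has just come from vmalloc(), so a revision-0 table ends up with garbage burst, max, gc_interval and expire values, and the `if (!hinfo->cfg.max)` default right below only triggers by accident. The right-hand sides must read minfo->cfg.burst, minfo->cfg.max, minfo->cfg.gc_interval and minfo->cfg.expire.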
@@ -236,6 +248,72 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family)
return 0;
}
+static int htable_create(struct xt_hashlimit_mtinfo1 *minfo,
+ unsigned int family)
+{
+ struct xt_hashlimit_htable *hinfo;
+ unsigned int size;
+ unsigned int i;
+
+ if (minfo->cfg.size) {
+ size = minfo->cfg.size;
+ } else {
+ size = (num_physpages << PAGE_SHIFT) / 16384 /
+ sizeof(struct list_head);
+ if (num_physpages > 1024 * 1024 * 1024 / PAGE_SIZE)
+ size = 8192;
+ if (size < 16)
+ size = 16;
+ }
+ /* FIXME: don't use vmalloc() here or anywhere else -HW */
+ hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
+ sizeof(struct list_head) * size);
+ if (hinfo == NULL) {
+ printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
+ return -1;
+ }
+ minfo->hinfo = hinfo;
+
+ /* copy match config into hashtable config */
+ memcpy(&hinfo->cfg, &minfo->cfg, sizeof(hinfo->cfg));
+ hinfo->cfg.size = size;
+ if (hinfo->cfg.max == 0)
+ hinfo->cfg.max = 8 * hinfo->cfg.size;
+ else if (hinfo->cfg.max < hinfo->cfg.size)
+ hinfo->cfg.max = hinfo->cfg.size;
+
+ for (i = 0; i < hinfo->cfg.size; i++)
+ INIT_HLIST_HEAD(&hinfo->hash[i]);
+
+ atomic_set(&hinfo->use, 1);
+ hinfo->count = 0;
+ hinfo->family = family;
+ hinfo->rnd_initialized = 0;
+ spin_lock_init(&hinfo->lock);
+ if (family == AF_INET)
+ hinfo->pde = create_proc_entry(minfo->name,
+ 0, hashlimit_procdir4);
+ else
+ hinfo->pde = create_proc_entry(minfo->name,
+ 0, hashlimit_procdir6);
+ if (hinfo->pde == NULL) {
+ vfree(hinfo);
+ return -1;
+ }
+ hinfo->pde->proc_fops = &dl_file_ops;
+ hinfo->pde->data = hinfo;
+
+ setup_timer(&hinfo->timer, htable_gc, (unsigned long)hinfo);
+ hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
+ add_timer(&hinfo->timer);
+
+ spin_lock_bh(&hashlimit_lock);
+ hlist_add_head(&hinfo->node, &hashlimit_htables);
+ spin_unlock_bh(&hashlimit_lock);
+
+ return 0;
+}
+
static bool select_all(const struct xt_hashlimit_htable *ht,
const struct dsthash_ent *he)
{
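Review bot: this function is a near-verbatim copy of htable_create_v0 (size heuristic, vmalloc, proc entry, timer, list insertion); only the config type differs. Since htable_create_v0 now fills a struct hashlimit_cfg1 anyway, have it build that cfg1 and call this function, so there is one place to fix the vmalloc FIXME and to replace the bare `return -1` with -ENOMEM (callers only test for non-zero today, but a real errno makes the failure self-describing).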
@@ -378,6 +456,46 @@ static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
dh->rateinfo.prev = now;
}
+static inline u_int32_t maskl(u_int32_t a, unsigned int l)
+{
+ return htonl(ntohl(a) & ~(~(u_int32_t)0 >> l));
+}
+
+static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
+{
+ switch (p) {
+ case 0:
+ i[0] = i[1] = 0;
+ i[2] = i[3] = 0;
+ break;
+ case 1 ... 31:
+ i[0] = maskl(i[0], p);
+ i[1] = i[2] = i[3] = 0;
+ break;
+ case 32:
+ i[1] = i[2] = i[3] = 0;
+ break;
+ case 33 ... 63:
+ i[1] = maskl(i[1], p - 32);
+ i[2] = i[3] = 0;
+ break;
+ case 64:
+ i[2] = i[3] = 0;
+ break;
+ case 65 ... 95:
+ i[2] = maskl(i[2], p - 64);
+ i[3] = 0;
+ case 96:
+ i[3] = 0;
+ break;
+ case 97 ... 127:
+ i[3] = maskl(i[3], p - 96);
+ break;
+ case 128:
+ break;
+ }
+}
+
static int
hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
struct dsthash_dst *dst,
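Review bot: maskl() shifts a u_int32_t by `l` bits and is reached with l == 32 for a /32 (htable_create_v0 sets srcmask = dstmask = 32, and the revision-1 checkentry accepts 32); a shift by the full width is undefined in C, and on x86 the hardware masks the count to 0, so `~0 >> 32` evaluates to ~0 and the address is masked to zero, collapsing all hosts into one bucket. Special-case the ends: `return l ? htonl(ntohl(a) & (~0u << (32 - l))) : 0;`. Two smaller points in the same hunk: `case 65 ... 95:` has no `break;` and falls into `case 96:` (harmless today because both set i[3] = 0, but brittle), and maskl() takes and returns u_int32_t while being passed __be32 values, which sparse will flag; declare it as `static inline __be32 maskl(__be32 a, unsigned int l)`.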
@@ -390,10 +508,12 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
switch (hinfo->family) {
case AF_INET:
+ if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
+ dst->src.ip = maskl(ip_hdr(skb)->saddr,
+ hinfo->cfg.srcmask);
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
- dst->dst.ip = ip_hdr(skb)->daddr;
- if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
- dst->src.ip = ip_hdr(skb)->saddr;
+ dst->dst.ip = maskl(ip_hdr(skb)->daddr,
+ hinfo->cfg.dstmask);
if (!(hinfo->cfg.mode &
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
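Review bot: the revision-0 path now flows through maskl() as well, because htable_create_v0 fills srcmask/dstmask with 32 (or 128) and hashlimit_init_dst is shared; a /32 is exactly the full-address case maskl() mishandles (see the previous hunk), so existing rulesets would change behaviour after this patch unless maskl() handles l == 32 explicitly or this function skips the call when the mask equals the address width.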
@@ -402,12 +522,16 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
break;
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
case AF_INET6:
- if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
- memcpy(&dst->dst.in6, &ipv6_hdr(skb)->daddr,
- sizeof(dst->dst.in6));
- if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
+ if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
memcpy(&dst->src.in6, &ipv6_hdr(skb)->saddr,
sizeof(dst->src.in6));
+ hashlimit_ipv6_mask(dst->dst.ip6, hinfo->cfg.dstmask);
+ }
+ if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
+ memcpy(&dst->dst.in6, &ipv6_hdr(skb)->daddr,
+ sizeof(dst->dst.in6));
+ hashlimit_ipv6_mask(dst->src.ip6, hinfo->cfg.srcmask);
+ }
if (!(hinfo->cfg.mode &
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
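Review bot: the IPv6 branch masks the wrong member: after copying saddr into dst->src.in6 it calls `hashlimit_ipv6_mask(dst->dst.ip6, hinfo->cfg.dstmask)`, and after copying daddr into dst->dst.in6 it masks dst->src.ip6 with srcmask. As written, dst is masked before daddr is copied in (so it is never masked), and src only gets masked when DIP is also set. It should be `hashlimit_ipv6_mask(dst->src.ip6, hinfo->cfg.srcmask)` in the SIP block and `hashlimit_ipv6_mask(dst->dst.ip6, hinfo->cfg.dstmask)` in the DIP block.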
@@ -447,10 +571,10 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
}
static bool
-hashlimit_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+hashlimit_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct xt_hashlimit_info *r =
((const struct xt_hashlimit_info *)matchinfo)->u.master;
@@ -502,9 +626,62 @@ hotdrop:
}
static bool
-hashlimit_mt_check(const char *tablename, const void *inf,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+hashlimit_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_hashlimit_mtinfo1 *info = matchinfo;
+ struct xt_hashlimit_htable *hinfo = info->hinfo;
+ unsigned long now = jiffies;
+ struct dsthash_ent *dh;
+ struct dsthash_dst dst;
+
+ if (hashlimit_init_dst(hinfo, &dst, skb, protoff) < 0)
+ goto hotdrop;
+
+ spin_lock_bh(&hinfo->lock);
+ dh = dsthash_find(hinfo, &dst);
+ if (dh == NULL) {
+ dh = dsthash_alloc_init(hinfo, &dst);
+ if (dh == NULL) {
+ spin_unlock_bh(&hinfo->lock);
+ goto hotdrop;
+ }
+
+ dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
+ dh->rateinfo.prev = jiffies;
+ dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
+ hinfo->cfg.burst);
+ dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
+ hinfo->cfg.burst);
+ dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
+ } else {
+ /* update expiration timeout */
+ dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+ rateinfo_recalc(dh, now);
+ }
+
+ if (dh->rateinfo.credit >= dh->rateinfo.cost) {
+ /* below the limit */
+ dh->rateinfo.credit -= dh->rateinfo.cost;
+ spin_unlock_bh(&hinfo->lock);
+ return !(info->cfg.mode & XT_HASHLIMIT_INVERT);
+ }
+
+ spin_unlock_bh(&hinfo->lock);
+ /* default match is underlimit - so over the limit, we need to invert */
+ return info->cfg.mode & XT_HASHLIMIT_INVERT;
+
+ hotdrop:
+ *hotdrop = true;
+ return false;
+}
+
+static bool
+hashlimit_mt_check_v0(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
struct xt_hashlimit_info *r = matchinfo;
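Review bot: in the new-entry branch of hashlimit_mt, `dh->expires = jiffies + ...` and `dh->rateinfo.prev = jiffies` re-read jiffies although `now` was sampled at the top and is used for the existing-entry branch; use `now` in both places so a tick between the two reads cannot make expires and prev disagree. Also, this match reads info->hinfo directly and never touches info->master, so the `info->master = info` assignment in the revision-1 checkentry has no consumer.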
@@ -536,7 +713,7 @@ hashlimit_mt_check(const char *tablename, const void *inf,
* create duplicate proc files. -HW */
mutex_lock(&hlimit_mutex);
r->hinfo = htable_find_get(r->name, match->family);
- if (!r->hinfo && htable_create(r, match->family) != 0) {
+ if (!r->hinfo && htable_create_v0(r, match->family) != 0) {
mutex_unlock(&hlimit_mutex);
return false;
}
@@ -547,33 +724,111 @@ hashlimit_mt_check(const char *tablename, const void *inf,
return true;
}
+static bool
+hashlimit_mt_check(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ struct xt_hashlimit_mtinfo1 *info = matchinfo;
+
+ /* Check for overflow. */
+ if (info->cfg.burst == 0 ||
+ user2credits(info->cfg.avg * info->cfg.burst) <
+ user2credits(info->cfg.avg)) {
+ printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
+ info->cfg.avg, info->cfg.burst);
+ return false;
+ }
+ if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
+ return false;
+ if (info->name[sizeof(info->name)-1] != '\0')
+ return false;
+ if (match->family == AF_INET) {
+ if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
+ return false;
+ } else {
+ if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
+ return false;
+ }
+
+ /* This is the best we've got: We cannot release and re-grab lock,
+ * since checkentry() is called before x_tables.c grabs xt_mutex.
+ * We also cannot grab the hashtable spinlock, since htable_create will
+ * call vmalloc, and that can sleep. And we cannot just re-search
+ * the list of htable's in htable_create(), since then we would
+ * create duplicate proc files. -HW */
+ mutex_lock(&hlimit_mutex);
+ info->hinfo = htable_find_get(info->name, match->family);
+ if (!info->hinfo && htable_create(info, match->family) != 0) {
+ mutex_unlock(&hlimit_mutex);
+ return false;
+ }
+ mutex_unlock(&hlimit_mutex);
+
+ /* Ugly hack: For SMP, we only want to use one set */
+ info->master = info;
+ return true;
+}
+
static void
-hashlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
+hashlimit_mt_destroy_v0(const struct xt_match *match, void *matchinfo)
{
const struct xt_hashlimit_info *r = matchinfo;
htable_put(r->hinfo);
}
+static void
+hashlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
+{
+ const struct xt_hashlimit_mtinfo1 *info = matchinfo;
+
+ htable_put(info->hinfo);
+}
+
static struct xt_match hashlimit_mt_reg[] __read_mostly = {
{
.name = "hashlimit",
+ .revision = 0,
.family = AF_INET,
- .match = hashlimit_mt,
+ .match = hashlimit_mt_v0,
+ .matchsize = sizeof(struct xt_hashlimit_info),
+ .checkentry = hashlimit_mt_check_v0,
+ .destroy = hashlimit_mt_destroy_v0,
+ .me = THIS_MODULE
+ },
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+ {
+ .name = "hashlimit",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = hashlimit_mt_v0,
.matchsize = sizeof(struct xt_hashlimit_info),
+ .checkentry = hashlimit_mt_check_v0,
+ .destroy = hashlimit_mt_destroy_v0,
+ .me = THIS_MODULE
+ },
+#endif
+ {
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET,
+ .match = hashlimit_mt,
+ .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
.checkentry = hashlimit_mt_check,
.destroy = hashlimit_mt_destroy,
- .me = THIS_MODULE
+ .me = THIS_MODULE,
},
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
{
.name = "hashlimit",
+ .revision = 1,
.family = AF_INET6,
.match = hashlimit_mt,
- .matchsize = sizeof(struct xt_hashlimit_info),
+ .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
.checkentry = hashlimit_mt_check,
.destroy = hashlimit_mt_destroy,
- .me = THIS_MODULE
+ .me = THIS_MODULE,
},
#endif
};
-
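Review bot: htable_find_get() looks a table up by name only, and hinfo->cfg is filled once in htable_create(), so a second rule naming the same table with a different srcmask/dstmask (or mode, avg, burst) silently inherits the first rule's settings; the srcmask/dstmask validation above then only guards values that are never used. Either reject a name clash when the cfg differs, or state in the man page that all rules sharing a --hashlimit-name share its configuration. In the same region, `info->master = info` is set but nothing in this revision reads it (hashlimit_mt uses info->hinfo), so the field can still be dropped from xt_hashlimit_mtinfo1 before the ABI is frozen; and the `.me = THIS_MODULE,` trailing comma is added only to the revision-1 entries of the array.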
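The commit message above describes the two things revision 1 adds: the --hashlimit-over inversion and per-subnet grouping through srcmask/dstmask. The following C program is an added example, not netfilter code and not part of the patch: it implements prefix masking for IPv4 and IPv6 addresses held in network byte order in a way that is well defined at /0, /32 and /128 (the ends of the range, where a width-sized shift is undefined in C), and the decision that turns a bucket's "under limit" verdict into the --hashlimit-over form. All names in it (mask_v4, mask_v6, v4_masks_to, v6_masks_to, hashlimit_decision, HL_INVERT) are the example's own; HL_INVERT mirrors the 1 << 4 value of XT_HASHLIMIT_INVERT from the patch's header, and the addresses are constructed test input.

```c
/* Added example, not netfilter code: prefix masking as used to group
 * addresses per subnet, with the /0, /32 and /128 ends handled explicitly,
 * plus the inversion decision behind --hashlimit-over. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Value of XT_HASHLIMIT_INVERT in the patch's header (1 << 4). */
#define HL_INVERT (1u << 4)

/* Keep the top l bits of a network-order IPv4 address.  A shift by 32 is
 * undefined in C (and on x86 becomes a shift by 0), so /0 and /32 are
 * returned directly instead of computed with a shift. */
static uint32_t mask_v4(uint32_t addr_be, unsigned int l)
{
	uint32_t m;

	if (l == 0)
		return 0;
	if (l >= 32)
		return addr_be;
	m = ~0u << (32 - l);
	return htonl(ntohl(addr_be) & m);
}

/* Same for a 128-bit address stored as four network-order words: words
 * entirely inside the prefix are kept, the word that contains the prefix
 * boundary is masked, words entirely outside are zeroed.  This replaces
 * the per-range switch with one rule that covers all 129 prefix lengths. */
static void mask_v6(uint32_t a[4], unsigned int p)
{
	unsigned int i;

	if (p > 128)
		p = 128;
	for (i = 0; i < 4; i++) {
		unsigned int start = i * 32;

		if (p >= start + 32)
			continue;		/* fully inside the prefix */
		if (p <= start)
			a[i] = 0;		/* fully outside the prefix */
		else
			a[i] = mask_v4(a[i], p - start);
	}
}

/* Convenience wrappers: parse, mask, print, compare with expected text. */
static bool v4_masks_to(const char *addr, unsigned int l, const char *want)
{
	struct in_addr in, out;
	char buf[INET_ADDRSTRLEN];

	if (inet_pton(AF_INET, addr, &in) != 1)
		return false;
	out.s_addr = mask_v4(in.s_addr, l);
	inet_ntop(AF_INET, &out, buf, sizeof buf);
	return strcmp(buf, want) == 0;
}

static bool v6_masks_to(const char *addr, unsigned int p, const char *want)
{
	struct in6_addr in;
	uint32_t w[4];
	char buf[INET6_ADDRSTRLEN];

	if (inet_pton(AF_INET6, addr, &in) != 1)
		return false;
	memcpy(w, &in, sizeof w);
	mask_v6(w, p);
	memcpy(&in, w, sizeof in);
	inet_ntop(AF_INET6, &in, buf, sizeof buf);
	return strcmp(buf, want) == 0;
}

/* The bucket reports "under limit" while it still has credit; with
 * HL_INVERT set (the --hashlimit-over form) the match fires on the
 * opposite condition.  This is the XOR the revision-1 match performs. */
static bool hashlimit_decision(bool under_limit, uint32_t mode)
{
	bool invert = (mode & HL_INVERT) != 0;

	return under_limit != invert;
}

int main(void)
{
	printf("192.168.1.77/24 -> 192.168.1.0: %s\n",
	       v4_masks_to("192.168.1.77", 24, "192.168.1.0") ? "ok" : "FAIL");
	printf("192.168.1.77/32 unchanged: %s\n",
	       v4_masks_to("192.168.1.77", 32, "192.168.1.77") ? "ok" : "FAIL");
	printf("2001:db8:abcd:1234:5678::1/64 -> 2001:db8:abcd:1234::: %s\n",
	       v6_masks_to("2001:db8:abcd:1234:5678::1", 64,
			   "2001:db8:abcd:1234::") ? "ok" : "FAIL");
	printf("over-limit with INVERT matches: %s\n",
	       hashlimit_decision(false, HL_INVERT) ? "ok" : "FAIL");
	return 0;
}
```

The /32 case is the one to watch when reading the patch's own maskl(): a rule without --hashlimit-srcmask uses the full address width, so a mask routine that is only correct for 1..31 bits changes the meaning of every existing hashlimit rule.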
* Re: [PATCH 12/27] xt_hashlimit match, revision 1
2008-01-02 20:28 ` [PATCH 12/27] xt_hashlimit match, revision 1 Jan Engelhardt
@ 2008-01-04 14:59 ` Patrick McHardy
2008-01-04 15:07 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-04 14:59 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 98815424093ca5426885218bc0afa5aa18f3e86e
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:58:05 2008 +0100
>
> [NETFILTER]: xt_hashlimit match, revision 1
>
> Introduces the xt_hashlimit match revision 1. It adds support for
> kernel-level inversion and grouping source and/or destination IP
> addresses, allowing limiting on a per-subnet basis. While this would
> technically obsolete xt_limit, xt_hashlimit is more expensive due to
> the hashbucketing.
>
> Kernel-level inversion: Previously you had to do user-level inversion:
> iptables -N foo
> iptables -A foo -m hashlimit --hashlimit 5/s -j RETURN
> iptables -A foo -j DROP
> iptables -A INPUT -j foo
> now it is simpler:
> iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> include/linux/netfilter/xt_hashlimit.h | 37 +++-
> net/netfilter/xt_hashlimit.c | 311 +++++++++++++++++++++---
> 2 files changed, 315 insertions(+), 33 deletions(-)
>
> diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
> index c19972e..f15b104 100644
> --- a/include/linux/netfilter/xt_hashlimit.h
> +++ b/include/linux/netfilter/xt_hashlimit.h
> @@ -9,13 +9,16 @@
> /* details of this structure hidden by the implementation */
> struct xt_hashlimit_htable;
>
> -#define XT_HASHLIMIT_HASH_DIP 0x0001
> -#define XT_HASHLIMIT_HASH_DPT 0x0002
> -#define XT_HASHLIMIT_HASH_SIP 0x0004
> -#define XT_HASHLIMIT_HASH_SPT 0x0008
> +enum {
> + XT_HASHLIMIT_HASH_DIP = 1 << 0,
> + XT_HASHLIMIT_HASH_DPT = 1 << 1,
> + XT_HASHLIMIT_HASH_SIP = 1 << 2,
> + XT_HASHLIMIT_HASH_SPT = 1 << 3,
> + XT_HASHLIMIT_INVERT = 1 << 4,
> +};
Do we really need a full new revision for this? It seems simply adding
the inversion flag would work fine, old userspace code will always
have it set to zero.
* Re: [PATCH 12/27] xt_hashlimit match, revision 1
2008-01-04 14:59 ` Patrick McHardy
@ 2008-01-04 15:07 ` Jan Engelhardt
0 siblings, 0 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-04 15:07 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 15:59, Patrick McHardy wrote:
>> -#define XT_HASHLIMIT_HASH_DIP 0x0001
>> -#define XT_HASHLIMIT_HASH_DPT 0x0002
>> -#define XT_HASHLIMIT_HASH_SIP 0x0004
>> -#define XT_HASHLIMIT_HASH_SPT 0x0008
>> +enum {
>> + XT_HASHLIMIT_HASH_DIP = 1 << 0,
>> + XT_HASHLIMIT_HASH_DPT = 1 << 1,
>> + XT_HASHLIMIT_HASH_SIP = 1 << 2,
>> + XT_HASHLIMIT_HASH_SPT = 1 << 3,
>> + XT_HASHLIMIT_INVERT = 1 << 4,
>> +};
>
>
> Do we really need a full new revision for this? It seems simply adding
> the inversion flag would work fine, old userspace code will always
> have it set to zero.
>
Yes we need a new revision, inversion is not the only thing.
The extra fields "uint8_t srcmask, dstmask" have been added to
struct hashlimit_cfg1, which is embedded in xt_hashlimit_mtinfo1.
So we have an actual struct size change to take care of.
(Yes, before I had the srcmask/dstmask idea, I did inversion-only
using revision 0.)
* [PATCH 13/27] xt_helper: Do not bypass RCU
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (12 preceding siblings ...)
2008-01-02 20:28 ` [PATCH 12/27] xt_hashlimit match, revision 1 Jan Engelhardt
@ 2008-01-02 20:29 ` Jan Engelhardt
2008-01-04 15:01 ` Patrick McHardy
2008-01-02 20:29 ` [PATCH 14/27] xt_helper match, revision 1 Jan Engelhardt
` (13 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 6c922317906546b99afe859faa0c15d46d79dd37
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:00:29 2008 +0100
[NETFILTER]: xt_helper: Do not bypass RCU
Use the @helper variable that was just obtained.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_helper.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 8e06ca1..5d063e5 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -52,8 +52,8 @@ helper_mt(const struct sk_buff *skb, const struct net_device *in,
if (info->name[0] == '\0')
ret = !ret;
else
- ret ^= !strncmp(master_help->helper->name, info->name,
- strlen(master_help->helper->name));
+ ret ^= !strncmp(helper->name, info->name,
+ strlen(helper->name));
return ret;
}
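Review bot: the pointer substitution is correct, but the comparison it keeps is a prefix match: `strncmp(helper->name, info->name, strlen(helper->name))` compares only strlen(helper->name) characters, so `--helper ftp-anything` also matches the "ftp" helper. That predates this patch; if it is intentional it deserves a comment, otherwise a plain strcmp() is the safer choice.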
* [PATCH 14/27] xt_helper match, revision 1
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (13 preceding siblings ...)
2008-01-02 20:29 ` [PATCH 13/27] xt_helper: Do not bypass RCU Jan Engelhardt
@ 2008-01-02 20:29 ` Jan Engelhardt
2008-01-04 15:03 ` Patrick McHardy
2008-01-02 20:29 ` [PATCH 15/27] xt_length " Jan Engelhardt
` (12 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit c3c5674fee490f6735136b2c9a7e39a30f25635e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:01:06 2008 +0100
[NETFILTER]: xt_helper match, revision 1
Introduces the xt_helper match revision 1. It uses fixed types, and
its structure size has been adjusted.
The xt_helper revision 0 structure had an odd size of 34 bytes. I
changed this into 32 bytes, which probably plays much better with
cachelines. The invert flag is also shrunk so now there is an
additional byte available for the name as a side effect.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_helper.h | 6 ++
net/netfilter/xt_helper.c | 95 +++++++++++++++++++++++---
2 files changed, 90 insertions(+), 11 deletions(-)
diff --git a/include/linux/netfilter/xt_helper.h b/include/linux/netfilter/xt_helper.h
index 6b42763..39dcec8 100644
--- a/include/linux/netfilter/xt_helper.h
+++ b/include/linux/netfilter/xt_helper.h
@@ -5,4 +5,10 @@ struct xt_helper_info {
int invert;
char name[30];
};
+
+struct xt_helper_mtinfo1 {
+ char name[31];
+ u_int8_t invert;
+};
+
#endif /* _XT_HELPER_H */
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 5d063e5..9497d00 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -1,10 +1,11 @@
-/* iptables module to match on related connections */
/*
- * (C) 2001 Martin Josefsson <gandalf@wlug.westbo.se>
+ * xt_helper - Netfilter module to match on related connections
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * (C) 2001 Martin Josefsson <gandalf@wlug.westbo.se>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
@@ -22,13 +23,46 @@ MODULE_DESCRIPTION("iptables helper match module");
MODULE_ALIAS("ipt_helper");
MODULE_ALIAS("ip6t_helper");
-
static bool
helper_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
+ const struct xt_helper_mtinfo1 *info = matchinfo;
+ const struct nf_conntrack_helper *helper;
+ const struct nf_conn_help *master_help;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+ bool ret = info->invert;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL || ct->master == NULL)
+ return ret;
+
+ master_help = nfct_help(ct->master);
+ if (master_help == NULL)
+ return ret;
+
+ /* rcu_read_lock()ed by nf_hook_slow */
+ helper = rcu_dereference(master_help->helper);
+ if (helper == NULL)
+ return ret;
+
+ if (info->name[0] == '\0')
+ ret = !ret;
+ else
+ ret ^= strncmp(helper->name, info->name,
+ strlen(helper->name)) == 0;
+ return ret;
+}
+
+static bool
+helper_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
const struct xt_helper_info *info = matchinfo;
const struct nf_conn *ct;
const struct nf_conn_help *master_help;
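Review bot: helper_mt() and helper_mt_v0() now carry two copies of the same ct->master / nfct_help() / rcu_dereference() sequence and the same strncmp() test, differing only in which matchinfo struct they read name and invert from; any later correction to one (the RCU fix in the preceding patch is exactly that kind of change) has to be repeated in the other. Suggest a single static helper along the lines of `helper_mt_common(skb, name, invert)` called from both revision entry points, so the lookup logic exists once.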
@@ -58,9 +92,9 @@ helper_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
-helper_mt_check(const char *tablename, const void *inf,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+helper_mt_check_v0(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
struct xt_helper_info *info = matchinfo;
@@ -73,6 +107,23 @@ helper_mt_check(const char *tablename, const void *inf,
return true;
}
+static bool
+helper_mt_check(const char *tablename, const void *ip,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ struct xt_helper_mtinfo1 *info = matchinfo;
+
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%u\n", match->family);
+ return false;
+ }
+
+ info->name[sizeof(info->name)-1] = '\0';
+ return true;
+}
+
static void helper_mt_destroy(const struct xt_match *match, void *matchinfo)
{
nf_ct_l3proto_module_put(match->family);
@@ -81,20 +132,42 @@ static void helper_mt_destroy(const struct xt_match *match, void *matchinfo)
static struct xt_match helper_mt_reg[] __read_mostly = {
{
.name = "helper",
+ .revision = 0,
+ .family = AF_INET,
+ .checkentry = helper_mt_check_v0,
+ .match = helper_mt_v0,
+ .destroy = helper_mt_destroy,
+ .matchsize = sizeof(struct xt_helper_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "helper",
+ .revision = 0,
+ .family = AF_INET6,
+ .checkentry = helper_mt_check_v0,
+ .match = helper_mt_v0,
+ .destroy = helper_mt_destroy,
+ .matchsize = sizeof(struct xt_helper_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "helper",
+ .revision = 1,
.family = AF_INET,
.checkentry = helper_mt_check,
.match = helper_mt,
.destroy = helper_mt_destroy,
- .matchsize = sizeof(struct xt_helper_info),
+ .matchsize = sizeof(struct xt_helper_mtinfo1),
.me = THIS_MODULE,
},
{
.name = "helper",
+ .revision = 1,
.family = AF_INET6,
.checkentry = helper_mt_check,
.match = helper_mt,
.destroy = helper_mt_destroy,
- .matchsize = sizeof(struct xt_helper_info),
+ .matchsize = sizeof(struct xt_helper_mtinfo1),
.me = THIS_MODULE,
},
};
* Re: [PATCH 14/27] xt_helper match, revision 1
From: Patrick McHardy @ 2008-01-04 15:03 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit c3c5674fee490f6735136b2c9a7e39a30f25635e
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:01:06 2008 +0100
>
> [NETFILTER]: xt_helper match, revision 1
>
> Introduces the xt_helper match revision 1. It uses fixed types, and
> its structure size has been adjusted.
>
> The xt_helper revision 0 structure had an odd size of 34 bytes. I
> changed this into 32 bytes, which probably plays much better with
> cachelines. The invert flag is also shrunk so now there is an
> additional byte available for the name as a side effect.
Is there any real advantage in doing this? There aren't any
compatibility issues, so it seems a bit pointless to add a
new revision for this minor layout change.
* [PATCH 15/27] xt_length match, revision 1
From: Jan Engelhardt @ 2008-01-02 20:29 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit ad446d5b2c0b32ead9dd86b9c10356c4617eeaf5
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:22:16 2008 +0100
[NETFILTER]: xt_length match, revision 1
Introduce xt_length match revision 1. It adds support for layer4 and
layer5 length matching.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_length.h | 18 +++
net/netfilter/xt_length.c | 196 +++++++++++++++++++++++++--
2 files changed, 199 insertions(+), 15 deletions(-)
diff --git a/include/linux/netfilter/xt_length.h b/include/linux/netfilter/xt_length.h
index 7c2b439..ac4eee6 100644
--- a/include/linux/netfilter/xt_length.h
+++ b/include/linux/netfilter/xt_length.h
@@ -6,4 +6,22 @@ struct xt_length_info {
u_int8_t invert;
};
+enum {
+ XT_LENGTH_INVERT = 1 << 0,
+
+ /* IP header plus payload */
+ XT_LENGTH_LAYER3 = 1 << 3,
+
+ /* TCP/UDP/etc. header plus payload */
+ XT_LENGTH_LAYER4 = 1 << 4,
+
+ /* TCP/UDP/etc. payload */
+ XT_LENGTH_LAYER5 = 1 << 5,
+};
+
+struct xt_length_mtinfo1 {
+ u_int32_t min, max;
+ u_int16_t flags;
+};
+
#endif /*_XT_LENGTH_H*/
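Review bot: The new flag values leave bits 1 and 2 unused (XT_LENGTH_INVERT is 1 << 0, XT_LENGTH_LAYER3 jumps to 1 << 3); unless the gap is reserved on purpose, number the layer flags consecutively from 1 << 1 so the user-visible ABI does not carry holes. It is also worth a comment that LAYER3, LAYER4 and LAYER5 are mutually exclusive, because the match code tests them in else-if order and this header is the contract userspace builds against.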
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index ea54578..97ad627 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -1,18 +1,32 @@
-/* Kernel module to match packet length. */
-/* (C) 1999-2001 James Morris <jmorros@intercode.com.au>
+/*
+ * xt_length - Netfilter module to match packet length
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * (C) 1999-2001 James Morris <jmorros@intercode.com.au>
+ * Copyright © CC Computer Consultants GmbH, 2007-2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
-
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/icmp.h>
+#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
#include <net/ip.h>
-
-#include <linux/netfilter/xt_length.h>
+#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_length.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#ifndef NEXTHDR_IPV4
+# define NEXTHDR_IPV4 4
+#endif
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+# define WITH_IPV6 1
+#endif
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("IP tables packet length matching module");
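Review bot: A private `# define NEXTHDR_IPV4 4` under `#ifndef` is fragile; the value is the IPv4-in-IPv6 protocol number that already exists as IPPROTO_IPIP, so use that, or add NEXTHDR_IPV4 beside the other NEXTHDR_* constants in include/net/ipv6.h rather than carrying a fallback that silently diverges if the header later defines it. The WITH_IPV6 shorthand can go the same way: the two or three places that need it can test the CONFIG_IP6_NF_IPTABLES symbols directly, as the other xt_* modules do.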
@@ -21,45 +35,197 @@ MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
static bool
+length_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_length_info *info = matchinfo;
+ u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
+
+ return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
+}
+
+static bool xtlength_layer5_tcp(unsigned int *length, const struct sk_buff *skb,
+ unsigned int offset)
+{
+ const struct tcphdr *tcph;
+ struct tcphdr buf;
+
+ tcph = skb_header_pointer(skb, offset, sizeof(buf), &buf);
+ if (tcph == NULL)
+ return false;
+
+ *length = skb->len - offset - 4 * tcph->doff;
+ return true;
+}
+
+static inline bool
+xtlength_layer5(unsigned int *length, const struct sk_buff *skb,
+ unsigned int prot, unsigned int offset)
+{
+ switch (prot) {
+ case IPPROTO_TCP:
+ return xtlength_layer5_tcp(length, skb, offset);
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ *length = skb->len - offset - sizeof(struct udphdr);
+ return true;
+ case IPPROTO_ICMP:
+ *length = skb->len - offset - sizeof(struct icmphdr);
+ return true;
+ case IPPROTO_ICMPV6:
+ *length = skb->len - offset - offsetof(struct icmp6hdr, icmp6_dataun);
+ return true;
+ case IPPROTO_AH:
+ *length = skb->len - offset - sizeof(struct ip_auth_hdr);
+ return true;
+ case IPPROTO_ESP:
+ *length = skb->len - offset - sizeof(struct ip_esp_hdr);
+ return true;
+ }
+ return false;
+}
+
+static bool
length_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
+ const struct xt_length_mtinfo1 *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ unsigned int len = 0;
+ bool hit = true;
+
+ if (info->flags & XT_LENGTH_LAYER3)
+ len = ntohs(iph->tot_len);
+ else if (info->flags & XT_LENGTH_LAYER4)
+ len = ntohs(iph->tot_len) - protoff;
+ else if (info->flags & XT_LENGTH_LAYER5)
+ hit = xtlength_layer5(&len, skb, iph->protocol, protoff);
+ if (!hit)
+ return false;
+
+ return (len >= info->min && len <= info->max) ^
+ !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
+static bool
+length_mt6_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
const struct xt_length_info *info = matchinfo;
- u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
+ const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
+ sizeof(struct ipv6hdr);
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
}
+/*
+ * llayer4_proto - figure out the L4 protocol in an IPv6 packet
+ * @skb: skb pointer
+ * @offset: position at which L4 starts (equal to 'protoff' in IPv4 code)
+ * @hotdrop: hotdrop pointer
+ *
+ * Searches for a recognized L4 header. On success, fills in @offset and
+ * returns the protocol number. If not found, %NEXTHDR_MAX is returned.
+ * On error, @hotdrop is set.
+ */
+static unsigned int
+llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
+{
+ /*
+ * Do encapsulation first so that %NEXTHDR_TCP does not hit the TCP
+ * part in an IPv6-in-IPv6 encapsulation.
+ */
+ static const unsigned int types[] =
+ {NEXTHDR_IPV6, NEXTHDR_IPV4, NEXTHDR_ESP, NEXTHDR_AUTH,
+ NEXTHDR_ICMP, NEXTHDR_TCP, NEXTHDR_UDP};
+ unsigned int i;
+ int err;
+
+ for (i = 0; i < ARRAY_SIZE(types); ++i) {
+ err = ipv6_find_hdr(skb, offset, types[i], NULL);
+ if (err >= 0)
+ return types[i];
+ if (err != -ENOENT) {
+ *hotdrop = true;
+ break;
+ }
+ }
+
+ return NEXTHDR_MAX;
+}
+
static bool
length_mt6(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- const struct xt_length_info *info = matchinfo;
- const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
- sizeof(struct ipv6hdr);
+ const struct xt_length_mtinfo1 *info = matchinfo;
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ unsigned int len = 0, l4proto;
+ bool hit = true;
- return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
+ if (info->flags & XT_LENGTH_LAYER3) {
+ len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+ } else {
+ l4proto = llayer4_proto(skb, &protoff, hotdrop);
+ if (l4proto == NEXTHDR_MAX)
+ return false;
+ if (info->flags & XT_LENGTH_LAYER4)
+ len = skb->len - protoff;
+ else if (info->flags & XT_LENGTH_LAYER5)
+ hit = xtlength_layer5(&len, skb, l4proto, protoff);
+ }
+ if (!hit)
+ return false;
+
+ return (len >= info->min && len <= info->max) ^
+ !!(info->flags & XT_LENGTH_INVERT);
}
+#endif
static struct xt_match length_mt_reg[] __read_mostly = {
{
.name = "length",
+ .revision = 0,
.family = AF_INET,
- .match = length_mt,
+ .match = length_mt_v0,
.matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE,
},
{
+ .name = "length",
+ .revision = 1,
+ .family = AF_INET,
+ .match = length_mt,
+ .matchsize = sizeof(struct xt_length_mtinfo1),
+ .me = THIS_MODULE,
+ },
+#ifdef WITH_IPV6
+ {
.name = "length",
+ .revision = 0,
.family = AF_INET6,
- .match = length_mt6,
+ .match = length_mt6_v0,
.matchsize = sizeof(struct xt_length_info),
.me = THIS_MODULE,
},
+ {
+ .name = "length",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = length_mt6,
+ .matchsize = sizeof(struct xt_length_mtinfo1),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init length_mt_init(void)
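Review bot: The layer-5 arithmetic in xtlength_layer5_tcp() and xtlength_layer5() can wrap: `*length = skb->len - offset - 4 * tcph->doff;` is unsigned, and doff comes from the packet, so a TCP header that claims more bytes than remain after @offset yields a value near UINT_MAX rather than an error, and the range test then runs on garbage (a negated `--length` range matches, a plain one does not). The fixed-size cases subtract sizeof(struct udphdr), sizeof(struct icmphdr) etc. from skb->len - offset without checking that many bytes are present either. Check `offset + hdrlen <= skb->len` before subtracting and return false otherwise; the callers already treat false as "no match". Two smaller points in the same hunk: length_mt() leaves len at 0 when none of the LAYER3/4/5 bits is set, so such a rule matches whenever min == 0, and a checkentry should require exactly one layer bit; and length_mt6() derives LAYER3 from payload_len but LAYER4/5 from skb->len, so the two can disagree on a packet whose declared and actual lengths differ, which deserves a comment.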
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 15/27] xt_length match, revision 1
From: Patrick McHardy @ 2008-01-04 15:22 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit ad446d5b2c0b32ead9dd86b9c10356c4617eeaf5
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:22:16 2008 +0100
>
> [NETFILTER]: xt_length match, revision 1
>
> Introduce xt_length match revision 1. It adds support for layer4 and
> layer5 length matching.
>
> +enum {
> + XT_LENGTH_INVERT = 1 << 0,
> +
> + /* IP header plus payload */
> + XT_LENGTH_LAYER3 = 1 << 3,
> +
> + /* TCP/UDP/etc. header plus payload */
> + XT_LENGTH_LAYER4 = 1 << 4,
> +
> + /* TCP/UDP/etc. payload */
> + XT_LENGTH_LAYER5 = 1 << 5,
This seems a bit odd, please don't leave holes.
> +++ b/net/netfilter/xt_length.c
> @@ -1,18 +1,32 @@
> -/* Kernel module to match packet length. */
> -/* (C) 1999-2001 James Morris <jmorros@intercode.com.au>
> +/*
> + * xt_length - Netfilter module to match packet length
> *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License version 2 as
> - * published by the Free Software Foundation.
> + * (C) 1999-2001 James Morris <jmorros@intercode.com.au>
> + * Copyright © CC Computer Consultants GmbH, 2007-2008
> + * Jan Engelhardt <jengelh@computergmbh.de>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> */
> -
> #include <linux/module.h>
> #include <linux/skbuff.h>
> +#include <linux/icmp.h>
> +#include <linux/ip.h>
> #include <linux/ipv6.h>
> +#include <linux/tcp.h>
> +#include <linux/udp.h>
> #include <net/ip.h>
> -
> -#include <linux/netfilter/xt_length.h>
> +#include <net/ipv6.h>
> #include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter/xt_length.h>
> +#include <linux/netfilter_ipv6/ip6_tables.h>
> +#ifndef NEXTHDR_IPV4
> +# define NEXTHDR_IPV4 4
This should be IPPROTO_IPIP I guess.
> +#endif
> +#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
> +# define WITH_IPV6 1
Please use the CONFIG defines directly, it's only one or two chunks of
code that need them.
> +static bool xtlength_layer5_tcp(unsigned int *length, const struct sk_buff *skb,
> + unsigned int offset)
> +{
> + const struct tcphdr *tcph;
> + struct tcphdr buf;
> +
> + tcph = skb_header_pointer(skb, offset, sizeof(buf), &buf);
> + if (tcph == NULL)
> + return false;
> +
> + *length = skb->len - offset - 4 * tcph->doff;
This can underflow. The extra function also seems like overkill.
> + return true;
> +}
> +
> +static inline bool
> +xtlength_layer5(unsigned int *length, const struct sk_buff *skb,
> + unsigned int prot, unsigned int offset)
> +{
> + switch (prot) {
> + case IPPROTO_TCP:
> + return xtlength_layer5_tcp(length, skb, offset);
> + case IPPROTO_UDP:
> + case IPPROTO_UDPLITE:
> + *length = skb->len - offset - sizeof(struct udphdr);
> + return true;
> + case IPPROTO_ICMP:
> + *length = skb->len - offset - sizeof(struct icmphdr);
> + return true;
> + case IPPROTO_ICMPV6:
> + *length = skb->len - offset - offsetof(struct icmp6hdr, icmp6_dataun);
> + return true;
> + case IPPROTO_AH:
> + *length = skb->len - offset - sizeof(struct ip_auth_hdr);
> + return true;
> + case IPPROTO_ESP:
> + *length = skb->len - offset - sizeof(struct ip_esp_hdr);
> + return true;
> + }
I'm missing SCTP and DCCP. We try to consistently support at least all
protocols implemented in Linux itself. I'm also wondering what this is
actually useful for? The only useful thing I can imagine is TCP since
it's useful for matching on ACKs without data; all others have fixed
sizes and can easily be implemented in userspace.
* Re: [PATCH 15/27] xt_length match, revision 1
From: Jan Engelhardt @ 2008-01-04 15:43 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 4 2008 16:22, Patrick McHardy wrote:
>> +#ifndef NEXTHDR_IPV4
>> +# define NEXTHDR_IPV4 4
>
> This should be IPPROTO_IPIP I guess.
Or actually define NEXTHDR_IPV4 in include/net/ipv6.h I suppose.
>> + case IPPROTO_AH:
>> + *length = skb->len - offset - sizeof(struct ip_auth_hdr);
>> + return true;
>> + case IPPROTO_ESP:
>> + *length = skb->len - offset - sizeof(struct ip_esp_hdr);
>> + return true;
>> + }
>
> I'm missing SCTP and DCCP. We try to consistently support at least all
> protocols implemented in Linux itself.
>
I did not quite get yet how to parse SCTP or what could be classified as
'data', since SCTP has multiple streams (ouch). Should reread RFC.
> I'm also wondering what this is actually useful for? The only
> useful thing I can imagine is TCP since its useful for matching on
> ACKs without data,
>
What was the original xt_length v0 good for, I wonder? :)
> all others have fixed sizes and can easily be implemented in userspace.
>
You cannot reliably use xt_length v0 to match any frame combination
where there is IPv4, IPv6 or TCP, because they all have dynamic sizes.
* [PATCH 16/27] xt_mark match, revision 1
From: Jan Engelhardt @ 2008-01-02 20:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 6b860cb2fa5704f575458cd031e3166ba30dfc17
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:23:04 2008 +0100
[NETFILTER]: xt_mark match, revision 1
Introduces the xt_mark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_mark.h | 5 ++
net/netfilter/xt_mark.c | 64 +++++++++++++++++++++-------
2 files changed, 53 insertions(+), 16 deletions(-)
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 802dd48..fae74bc 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -6,4 +6,9 @@ struct xt_mark_info {
u_int8_t invert;
};
+struct xt_mark_mtinfo1 {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_MARK_H*/
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index ce8735e..2dd8638 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -1,10 +1,13 @@
-/* Kernel module to match NFMARK values. */
-
-/* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+/*
+ * xt_mark - Netfilter module to match NFMARK value
+ *
+ * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
@@ -20,19 +23,30 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
+mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_mark_info *info = matchinfo;
+
+ return ((skb->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
mark_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- const struct xt_mark_info *info = matchinfo;
+ const struct xt_mark_mtinfo1 *info = matchinfo;
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
static bool
-mark_mt_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+mark_mt_check_v0(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
{
const struct xt_mark_info *minfo = matchinfo;
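Review bot: mark_mt() returns `((skb->mark & info->mask) == info->mark) ^ info->invert`, where info->invert is a u_int8_t that revision 1 never validates (the revision-1 entries added to mark_mt_reg register no .checkentry, while revision 0 keeps mark_mt_check_v0). An invert value other than 0 or 1, say 2, makes the XOR non-zero in both the matching and the non-matching case, so the rule matches every packet. Either give revision 1 a checkentry that rejects invert > 1, or write the expression as `^ !!info->invert` so only the low truth value takes part.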
@@ -51,7 +65,7 @@ struct compat_xt_mark_info {
u_int16_t __pad2;
};
-static void mark_mt_compat_from_user(void *dst, void *src)
+static void mark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_info *cm = src;
struct xt_mark_info m = {
@@ -62,7 +76,7 @@ static void mark_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int mark_mt_compat_to_user(void __user *dst, void *src)
+static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_info *m = src;
struct compat_xt_mark_info cm = {
@@ -77,9 +91,10 @@ static int mark_mt_compat_to_user(void __user *dst, void *src)
static struct xt_match mark_mt_reg[] __read_mostly = {
{
.name = "mark",
+ .revision = 0,
.family = AF_INET,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
@@ -90,9 +105,10 @@ static struct xt_match mark_mt_reg[] __read_mostly = {
},
{
.name = "mark",
+ .revision = 0,
.family = AF_INET6,
- .checkentry = mark_mt_check,
- .match = mark_mt,
+ .checkentry = mark_mt_check_v0,
+ .match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
@@ -101,6 +117,22 @@ static struct xt_match mark_mt_reg[] __read_mostly = {
#endif
.me = THIS_MODULE,
},
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_mtinfo1),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = mark_mt,
+ .matchsize = sizeof(struct xt_mark_mtinfo1),
+ .me = THIS_MODULE,
+ },
};
static int __init mark_mt_init(void)
* [PATCH 17/27] xt_pkttype: Add explicit check for IPv4
From: Jan Engelhardt @ 2008-01-02 20:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 7843dd922e769bfadded963e59645a2e21e6fd34
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:24:19 2008 +0100
[NETFILTER]: xt_pkttype: Add explicit check for IPv4
In the PACKET_LOOPBACK case, the skb data was always interpreted as
IPv4, but that is not valid for IPv6, obviously. Fix this by adding an
extra condition to check for AF_INET.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_pkttype.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 2762449..080f324 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -31,7 +31,8 @@ pkttype_mt(const struct sk_buff *skb, const struct net_device *in,
const struct xt_pkttype_info *info = matchinfo;
if (skb->pkt_type == PACKET_LOOPBACK)
- type = ipv4_is_multicast(ip_hdr(skb)->daddr)
+ type = match->family == AF_INET &&
+ ipv4_is_multicast(ip_hdr(skb)->daddr)
? PACKET_MULTICAST
: PACKET_BROADCAST;
else
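Review bot: Parenthesise the condition in the `+` lines, i.e. `type = (match->family == AF_INET && ipv4_is_multicast(ip_hdr(skb)->daddr)) ? PACKET_MULTICAST : PACKET_BROADCAST;`; it evaluates the same way because && binds tighter than ?:, but nobody should have to check precedence to read it. With this change every IPv6 loopback packet is classified as PACKET_BROADCAST, multicast destinations included; either add the ff00::/8 test on ipv6_hdr(skb)->daddr as the AF_INET6 branch here, or state in the commit message that the IPv6 side is deliberately left for a follow-up.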
* [PATCH 18/27] xt_pkttype IPv6 multicast address recognition
From: Jan Engelhardt @ 2008-01-02 20:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit d952de26e263328ff6cdd04fc0c325bf0651efb4
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:24:43 2008 +0100
[NETFILTER]: xt_pkttype IPv6 multicast address recognition
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_pkttype.c | 18 +++++++++++-------
1 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 080f324..cbcb8ea 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -11,6 +11,7 @@
#include <linux/if_packet.h>
#include <linux/in.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/netfilter/xt_pkttype.h>
#include <linux/netfilter/x_tables.h>
@@ -27,16 +28,19 @@ pkttype_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- u_int8_t type;
const struct xt_pkttype_info *info = matchinfo;
+ u_int8_t type;
- if (skb->pkt_type == PACKET_LOOPBACK)
- type = match->family == AF_INET &&
- ipv4_is_multicast(ip_hdr(skb)->daddr)
- ? PACKET_MULTICAST
- : PACKET_BROADCAST;
- else
+ if (skb->pkt_type != PACKET_LOOPBACK)
type = skb->pkt_type;
+ else if (match->family == AF_INET &&
+ ipv4_is_multicast(ip_hdr(skb)->daddr))
+ type = PACKET_MULTICAST;
+ else if (match->family == AF_INET6 &&
+ ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
+ type = PACKET_MULTICAST;
+ else
+ type = PACKET_BROADCAST;
return (type == info->pkttype) ^ info->invert;
}
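Review bot: `ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF` is the correct ff00::/8 test, but <net/ipv6.h> already provides ipv6_addr_is_multicast() for exactly this; using the helper keeps the match consistent with the rest of the IPv6 code and avoids hand-coding the prefix. The restructured if/else-if chain reads better than the nested ternary it replaces, but the commit message should mention that it also changes no behaviour for AF_INET.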
* [PATCH 19/27] xt_policy: use the new union nf_inet_addr
From: Jan Engelhardt @ 2008-01-02 20:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 3ee575c6ed06528d7bde3c59b8f8898de1eafd4e
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:25:38 2008 +0100
[NETFILTER]: xt_policy: use the new union nf_inet_addr
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_policy.h | 23 +++++++++++++++++++----
net/netfilter/xt_policy.c | 15 ++++++++-------
2 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
index 45654d3..053d8cc 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/linux/netfilter/xt_policy.h
@@ -27,18 +27,33 @@ struct xt_policy_spec
reqid:1;
};
+#ifndef __KERNEL__
union xt_policy_addr
{
struct in_addr a4;
struct in6_addr a6;
};
+#endif
struct xt_policy_elem
{
- union xt_policy_addr saddr;
- union xt_policy_addr smask;
- union xt_policy_addr daddr;
- union xt_policy_addr dmask;
+ union {
+#ifdef __KERNEL__
+ struct {
+ union nf_inet_addr saddr;
+ union nf_inet_addr smask;
+ union nf_inet_addr daddr;
+ union nf_inet_addr dmask;
+ };
+#else
+ struct {
+ union xt_policy_addr saddr;
+ union xt_policy_addr smask;
+ union xt_policy_addr daddr;
+ union xt_policy_addr dmask;
+ };
+#endif
+ };
__be32 spi;
u_int32_t reqid;
u_int8_t proto;
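Review bot: the anonymous union that wraps a single anonymous struct in each `#ifdef __KERNEL__` branch adds nothing; the `#ifdef` could simply select which four member declarations are emitted (or pick the address type via a single `#define`), which avoids relying on the anonymous-struct extension and leaves the userspace view of `struct xt_policy_elem` unchanged. The hunk also silently depends on `union nf_inet_addr` having the same size and alignment as `union xt_policy_addr` (both are 16 bytes, the size of `struct in6_addr`); since this structure is copied in from userspace, that equivalence is what keeps the ABI intact, and it deserves a sentence in the commit message, which currently has no body at all.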
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 46ee7e8..ae5caa1 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -13,6 +13,7 @@
#include <linux/init.h>
#include <net/xfrm.h>
+#include <linux/netfilter.h>
#include <linux/netfilter/xt_policy.h>
#include <linux/netfilter/x_tables.h>
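Review bot: the header now names `union nf_inet_addr` under `#ifdef __KERNEL__`, yet the `#include <linux/netfilter.h>` that defines it is added here in xt_policy.c rather than in xt_policy.h. Any other kernel file that includes xt_policy.h would have to repeat the include; moving it into the header, inside the `__KERNEL__` guard, keeps the header self-contained.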
@@ -21,14 +22,14 @@ MODULE_DESCRIPTION("Xtables IPsec policy matching module");
MODULE_LICENSE("GPL");
static inline bool
-xt_addr_cmp(const union xt_policy_addr *a1, const union xt_policy_addr *m,
- const union xt_policy_addr *a2, unsigned short family)
+xt_addr_cmp(const union nf_inet_addr *a1, const union nf_inet_addr *m,
+ const union nf_inet_addr *a2, unsigned short family)
{
switch (family) {
case AF_INET:
- return !((a1->a4.s_addr ^ a2->a4.s_addr) & m->a4.s_addr);
+ return ((a1->ip ^ a2->ip) & m->ip) == 0;
case AF_INET6:
- return !ipv6_masked_addr_cmp(&a1->a6, &m->a6, &a2->a6);
+ return ipv6_masked_addr_cmp(&a1->in6, &m->in6, &a2->in6) == 0;
}
return false;
}
@@ -38,12 +39,12 @@ match_xfrm_state(const struct xfrm_state *x, const struct xt_policy_elem *e,
unsigned short family)
{
#define MATCH_ADDR(x,y,z) (!e->match.x || \
- (xt_addr_cmp(&e->x, &e->y, (z), family) \
+ (xt_addr_cmp(&e->x, &e->y, (const union nf_inet_addr *)(z), family) \
^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
- return MATCH_ADDR(saddr, smask, (union xt_policy_addr *)&x->props.saddr) &&
- MATCH_ADDR(daddr, dmask, (union xt_policy_addr *)&x->id.daddr) &&
+ return MATCH_ADDR(saddr, smask, &x->props.saddr) &&
+ MATCH_ADDR(daddr, dmask, &x->id.daddr) &&
MATCH(proto, x->id.proto) &&
MATCH(mode, x->props.mode) &&
MATCH(spi, x->id.spi) &&
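Review bot: the cast moved into MATCH_ADDR now converts `&x->props.saddr` and `&x->id.daddr`, which are `xfrm_address_t`, to `const union nf_inet_addr *`; that is only sound because both unions place the 4-byte IPv4 address and the 16-byte IPv6 address at offset 0. Before this change the pun was visible at the two call sites; now it is hidden inside the macro, so a short comment on `#define MATCH_ADDR` stating the layout assumption would help, or alternatively keep the cast at the callers as the old code did.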
* Re: [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr
2008-01-02 20:30 ` [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr Jan Engelhardt
@ 2008-01-08 15:48 ` Patrick McHardy
2008-01-08 15:54 ` Jan Engelhardt
From: Patrick McHardy @ 2008-01-08 15:48 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 3ee575c6ed06528d7bde3c59b8f8898de1eafd4e
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:25:38 2008 +0100
>
> [NETFILTER]: xt_policy: use the new unoin nf_inet_addr
> struct xt_policy_elem
> {
> - union xt_policy_addr saddr;
> - union xt_policy_addr smask;
> - union xt_policy_addr daddr;
> - union xt_policy_addr dmask;
> + union {
> +#ifdef __KERNEL__
> + struct {
> + union nf_inet_addr saddr;
> + union nf_inet_addr smask;
> + union nf_inet_addr daddr;
> + union nf_inet_addr dmask;
> + };
> +#else
> + struct {
> + union xt_policy_addr saddr;
> + union xt_policy_addr smask;
> + union xt_policy_addr daddr;
> + union xt_policy_addr dmask;
> + };
> +#endif
I really dislike this ugliness, but I've applied it since
there it also doesn't make much sense to leave single files
using their own address definition.
* Re: [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr
2008-01-08 15:48 ` Patrick McHardy
@ 2008-01-08 15:54 ` Jan Engelhardt
2008-01-08 15:54 ` Patrick McHardy
From: Jan Engelhardt @ 2008-01-08 15:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:48, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit 3ee575c6ed06528d7bde3c59b8f8898de1eafd4e
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 18:25:38 2008 +0100
>>
>> [NETFILTER]: xt_policy: use the new unoin nf_inet_addr
>
>
>> struct xt_policy_elem
>> {
>> - union xt_policy_addr saddr;
>> - union xt_policy_addr smask;
>> - union xt_policy_addr daddr;
>> - union xt_policy_addr dmask;
>> + union {
>> +#ifdef __KERNEL__
>> + struct {
>> + union nf_inet_addr saddr;
>> + union nf_inet_addr smask;
>> + union nf_inet_addr daddr;
>> + union nf_inet_addr dmask;
>> + };
>> +#else
>> + struct {
>> + union xt_policy_addr saddr;
>> + union xt_policy_addr smask;
>> + union xt_policy_addr daddr;
>> + union xt_policy_addr dmask;
>> + };
>> +#endif
>
>
> I really dislike this ugliness, but I've applied it since
> there it also doesn't make much sense to leave single files
> using their own address definition.
>
<CES>It will all go away in a few years time</CES>
Ehrm, how will userspace actually deal with it?
* Re: [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr
2008-01-08 15:54 ` Jan Engelhardt
@ 2008-01-08 15:54 ` Patrick McHardy
2008-01-08 16:42 ` Jan Engelhardt
From: Patrick McHardy @ 2008-01-08 15:54 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 8 2008 16:48, Patrick McHardy wrote:
>>>
>>> +#ifdef __KERNEL__
>>> + struct {
>>> + union nf_inet_addr saddr;
>>> + union nf_inet_addr smask;
>>> + union nf_inet_addr daddr;
>>> + union nf_inet_addr dmask;
>>> + };
>>> +#else
>>> + struct {
>>> + union xt_policy_addr saddr;
>>> + union xt_policy_addr smask;
>>> + union xt_policy_addr daddr;
>>> + union xt_policy_addr dmask;
>>> + };
>>> +#endif
>>
>> I really dislike this ugliness, but I've applied it since
>> there it also doesn't make much sense to leave single files
>> using their own address definition.
>>
>
> <CES>It will all go away in a few years time</CES>
>
> Ehrm, how will userspace actually deal with it?
I don't understand what you mean with this question.
* Re: [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr
2008-01-08 15:54 ` Patrick McHardy
@ 2008-01-08 16:42 ` Jan Engelhardt
From: Jan Engelhardt @ 2008-01-08 16:42 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:54, Patrick McHardy wrote:
>> > >
>> > > +#ifdef __KERNEL__
>> > > + struct {
>> > > + union nf_inet_addr saddr;
>> > > + union nf_inet_addr smask;
>> > > + union nf_inet_addr daddr;
>> > > + union nf_inet_addr dmask;
>> > > + };
>> > > +#else
>> > > + struct {
>> > > + union xt_policy_addr saddr;
>> > > + union xt_policy_addr smask;
>> > > + union xt_policy_addr daddr;
>> > > + union xt_policy_addr dmask;
>> > > + };
>> > > +#endif
>> >
>> > I really dislike this ugliness, but I've applied it since
>> > there it also doesn't make much sense to leave single files
>> > using their own address definition.
>> >
>>
>> <CES>It will all go away in a few years time</CES>
>>
>> Ehrm, how will userspace actually deal with it?
>
>
> I don't understand what you mean with this question.
>
>
When will iptables start using the union nf_inet_addr saddr; variant?
I already figured it out myself, so don't bother. :-)
* [PATCH 20/27] Update modules' descriptions
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
2008-01-02 20:30 ` [PATCH 19/27] xt_policy: use the new unoin nf_inet_addr Jan Engelhardt
@ 2008-01-02 20:30 ` Jan Engelhardt
2008-01-08 15:50 ` Patrick McHardy
2008-01-02 20:31 ` [PATCH 21/27] Convert unfixated types to fixated ones Jan Engelhardt
From: Jan Engelhardt @ 2008-01-02 20:30 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 09ab883e3163255acb54221de305237368c0803d
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:29:57 2008 +0100
[NETFILTER]: Update modules' descriptions
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_TTL.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/ipt_iprange.c | 2 +-
net/ipv4/netfilter/ipt_recent.c | 2 +-
net/ipv4/netfilter/ipt_ttl.c | 2 +-
net/ipv6/netfilter/ip6t_HL.c | 2 +-
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_eui64.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
net/ipv6/netfilter/ip6t_hl.c | 2 +-
net/ipv6/netfilter/ip6t_ipv6header.c | 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/xt_CLASSIFY.c | 2 +-
net/netfilter/xt_CONNMARK.c | 2 +-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_MARK.c | 2 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_NOTRACK.c | 1 +
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_SECMARK.c | 2 +-
net/netfilter/xt_TCPMSS.c | 2 +-
net/netfilter/xt_TCPOPTSTRIP.c | 2 +-
net/netfilter/xt_TRACE.c | 1 +
net/netfilter/xt_comment.c | 2 +-
net/netfilter/xt_connbytes.c | 2 +-
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_connmark.c | 2 +-
net/netfilter/xt_conntrack.c | 2 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 2 +-
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_length.c | 2 +-
net/netfilter/xt_limit.c | 2 +-
net/netfilter/xt_mac.c | 2 +-
net/netfilter/xt_mark.c | 2 +-
net/netfilter/xt_multiport.c | 2 +-
net/netfilter/xt_owner.c | 2 +-
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_pkttype.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 1 +
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_statistic.c | 2 +-
net/netfilter/xt_string.c | 2 +-
net/netfilter/xt_tcpmss.c | 2 +-
net/netfilter/xt_tcpudp.c | 2 +-
net/netfilter/xt_time.c | 2 +-
net/netfilter/xt_u32.c | 2 +-
67 files changed, 67 insertions(+), 64 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index df39ca0..0831058 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -32,7 +32,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("Netfilter: CLUSTERIP target");
struct clusterip_config {
struct list_head list; /* list of all configs */
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ab41764..6fd937c 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("Netfilter: Explicit Congestion Notification (ECN) flag modification");
/* set ECT codepoint from IP header.
* return false if there was an error. */
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5acdddf..5220e57 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("Netfilter: IPv4 packet logging to syslog");
/* Use lock to serialize, so printks don't overlap */
static DEFINE_SPINLOCK(log_lock);
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 1cbff7b..6842315 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("Netfilter: automatic-address SNAT");
/* Lock protects masq region inside conntrack */
static DEFINE_RWLOCK(masq_lock);
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 5b71ef4..d8d4a44 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("Netfilter: 1:1 NAT mapping of IPv4 subnets");
static bool
netmap_tg_check(const char *tablename, const void *e,
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 3d9ec5c..945fd29 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -23,7 +23,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("Netfilter: Connection redirection to localhost");
/* FIXME: Take multiple ranges --RR */
static bool
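Review bot: capitalisation after "Netfilter:" is inconsistent across the series; this string starts with "Connection redirection" while ipt_MASQUERADE above gets "automatic-address SNAT" and ipt_TTL below gets "IPv4 TTL field modification target". Since these strings are displayed side by side by modinfo, pick one convention (lowercase first word unless it is an acronym or proper noun) and apply it throughout, including the later "Disabling", "No-op", "Number of" and "Related" strings.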
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a299ceb..a1029ca 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -29,7 +29,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("Netfilter: packet \"rejection\" target for IPv4");
/* Send RST reply */
static void send_reset(struct sk_buff *oldskb, int hook)
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index fa13cf6..515ad6e 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_ipv4/ipt_TTL.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("Netfilter: IPv4 TTL field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 1d8e146..fefccc2 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -50,7 +50,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("Netfilter: packet logging to netlink using ULOG");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 14394c6..bc6fc5a 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("Netfilter: address type match for IPv4");
static inline bool match_type(const struct net_device *dev, __be32 addr,
u_int16_t mask)
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 2b2fb26..46025af 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("Netfilter: IPv4 IPsec-AH SPI match");
#ifdef DEBUG_CONNTRACK
#define duprintf(format, args...) printk(format , ## args)
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index ea13784..99d652d 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv4/ipt_ecn.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("Netfilter: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL");
static inline bool match_ip(const struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 82208ed..d16cdb4 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -15,7 +15,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("Netfilter: arbitrary IPv4 range matching");
static bool
iprange_mt(const struct sk_buff *skb, const struct net_device *in,
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 4f3700d..117e1f8 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -30,7 +30,7 @@
#include <linux/netfilter_ipv4/ipt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("Netfilter: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
static unsigned int ip_list_tot = 100;
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index b18d391..514835a 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("Netfilter: IPv4 TTL field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index cefb425..cff9124 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -15,7 +15,7 @@
#include <linux/netfilter_ipv6/ip6t_HL.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
+MODULE_DESCRIPTION("Netfilter: IPv6 Hop Limit field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 474c2b1..3a93d8a 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -26,7 +26,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
-MODULE_DESCRIPTION("IP6 tables LOG target module");
+MODULE_DESCRIPTION("Netfilter: IPv6 packet logging to syslog");
MODULE_LICENSE("GPL");
struct in_device;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index a951c2c..5b92ad5 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -31,7 +31,7 @@
#include <linux/netfilter_ipv6/ip6t_REJECT.h>
MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
-MODULE_DESCRIPTION("IP6 tables REJECT target module");
+MODULE_DESCRIPTION("Netfilter: packet \"rejection\" target for IPv6");
MODULE_LICENSE("GPL");
/* Send RST reply */
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index f5d08a8..9cc434d 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -20,7 +20,7 @@
#include <linux/netfilter_ipv6/ip6t_ah.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 AH match");
+MODULE_DESCRIPTION("Netfilter: IPv6 IPsec-AH match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the spi is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 8118b12..f3ac123 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
+MODULE_DESCRIPTION("Netfilter: IPv6 EUI64 address match");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index ae8c714..f151394 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv6/ip6t_frag.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 FRAG match");
+MODULE_DESCRIPTION("Netfilter: IPv6 fragment match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index b76e27d..6544cf6 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_opts.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 opts match");
+MODULE_DESCRIPTION("Netfilter: IPv6 Hop-By-Hop and Destination Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
MODULE_ALIAS("ip6t_dst");
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 8f2d7d0..ff26f9d 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -16,7 +16,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit matching module");
+MODULE_DESCRIPTION("Netfilter: IPv6 Hop Limit field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index ae497e7..675009d 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -23,7 +23,7 @@
#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 headers match");
+MODULE_DESCRIPTION("Netfilter: IPv6 header types match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 618e6b9..46cbbd1 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6t_mh.h>
-MODULE_DESCRIPTION("ip6t_tables match for MH");
+MODULE_DESCRIPTION("Netfilter: IPv6 Mobility Header match");
MODULE_LICENSE("GPL");
#ifdef DEBUG_IP_FIREWALL_USER
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 038cea6..fc892fb 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_rt.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 RT match");
+MODULE_DESCRIPTION("Netfilter: IPv6 Routing Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 8e83dd4..05d3498 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -22,7 +22,7 @@
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables qdisc classification target module");
+MODULE_DESCRIPTION("Netfilter: Qdisc classification");
MODULE_ALIAS("ipt_CLASSIFY");
MODULE_ALIAS("ip6t_CLASSIFY");
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 761d34d..c74855e 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -26,7 +26,7 @@
#include <net/checksum.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_DESCRIPTION("Netfilter: connection mark modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 024106b..73c0d27 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_DESCRIPTION("Netfilter: target for copying between connection and security mark");
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3d216d6..2eb872f 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv4/ipt_TOS.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP modification module");
+MODULE_DESCRIPTION("Netfilter: DSCP/TOS field modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DSCP");
MODULE_ALIAS("ip6t_DSCP");
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 1c3fb75..106613d 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("ip[6]tables MARK modification module");
+MODULE_DESCRIPTION("Netfilter: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 866facf..f2eff26 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -15,7 +15,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_DESCRIPTION("Netfilter: packet logging to netlink using NFLOG");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFLOG");
MODULE_ALIAS("ip6t_NFLOG");
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 16b57c2..4afab78 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -17,7 +17,7 @@
#include <linux/netfilter/xt_NFQUEUE.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("[ip,ip6,arp]_tables NFQUEUE target");
+MODULE_DESCRIPTION("Netfilter: packet forwarding to netlink");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFQUEUE");
MODULE_ALIAS("ip6t_NFQUEUE");
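Review bot: "packet forwarding to netlink" misdescribes the target; NFQUEUE hands the packet to a userspace queue over netlink and holds it until a verdict is returned, it does not forward it anywhere. "packet queueing to userspace via netlink" (or similar) would be accurate and would mirror the "packet logging to netlink using NFLOG" wording chosen for xt_NFLOG above.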
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 95712e4..7ef517f 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -7,6 +7,7 @@
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_conntrack.h>
+MODULE_DESCRIPTION("Netfilter: Disabling connection tracking for packets");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index c008883..9acc877 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -197,7 +197,7 @@ static void __exit xt_rateest_tg_fini(void)
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("xtables rate estimator");
+MODULE_DESCRIPTION("Netfilter: packet rate estimator");
MODULE_ALIAS("ipt_RATEEST");
MODULE_ALIAS("ip6t_RATEEST");
module_init(xt_rateest_tg_init);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7d5439c..68e2822 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_DESCRIPTION("Netfilter: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a1bc77f..7e28ad8 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -24,7 +24,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("x_tables TCP MSS modification module");
+MODULE_DESCRIPTION("Netfilter: TCP Maximum Segment Size (MSS) adjustment");
MODULE_ALIAS("ipt_TCPMSS");
MODULE_ALIAS("ip6t_TCPMSS");
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 43d6ac2..328c2cb 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -141,7 +141,7 @@ static void __exit tcpoptstrip_tg_exit(void)
module_init(tcpoptstrip_tg_init);
module_exit(tcpoptstrip_tg_exit);
MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"TCPOPTSTRIP\" target module");
+MODULE_DESCRIPTION("Netfilter: TCP option stripping");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TCPOPTSTRIP");
MODULE_ALIAS("ip6t_TCPOPTSTRIP");
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 219b9d2..6862948 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -5,6 +5,7 @@
#include <linux/netfilter/x_tables.h>
+MODULE_DESCRIPTION("Netfilter: packet flow tracing");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TRACE");
MODULE_ALIAS("ip6t_TRACE");
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 4539d43..18087bc 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -10,7 +10,7 @@
#include <linux/netfilter/xt_comment.h>
MODULE_AUTHOR("Brad Fisher <brad@info-link.net>");
-MODULE_DESCRIPTION("iptables comment match module");
+MODULE_DESCRIPTION("Netfilter: No-op match which can be tagged with a comment");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_comment");
MODULE_ALIAS("ip6t_comment");
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7d4940a..005ee27 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -12,7 +12,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for matching number of pkts/bytes per connection");
+MODULE_DESCRIPTION("Netfilter: Number of packets/bytes per connection matching");
MODULE_ALIAS("ipt_connbytes");
MODULE_ALIAS("ip6t_connbytes");
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 6a9e2a3..81a0b0e 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -309,7 +309,7 @@ static void __exit connlimit_mt_exit(void)
module_init(connlimit_mt_init);
module_exit(connlimit_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter xt_connlimit match module");
+MODULE_DESCRIPTION("Netfilter: Number of connections matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connlimit");
MODULE_ALIAS("ip6t_connlimit");
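Review bot: "Number of connections matching" reads as a fragment; the match limits the number of parallel connections per client address or network, so "parallel connection limit match" or "per-address connection count match" would say what it does. The same construction appears in xt_connbytes above ("Number of packets/bytes per connection matching"), which could be reworded to "per-connection packet/byte counter match" in the same pass.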
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 60d9605..5c20eed 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -28,7 +28,7 @@
#include <linux/netfilter/xt_connmark.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_DESCRIPTION("Netfilter: connection mark match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark");
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index dc9e737..5b5308e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables connection tracking match module");
+MODULE_DESCRIPTION("Netfilter: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index ab2f7e9..e81a2a6 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Match for DCCP protocol packets");
+MODULE_DESCRIPTION("Netfilter: DCCP protocol packet match");
MODULE_ALIAS("ipt_dccp");
MODULE_ALIAS("ip6t_dccp");
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 834e437..6384835 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -18,7 +18,7 @@
#include <linux/netfilter_ipv4/ipt_tos.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP/tos matching module");
+MODULE_DESCRIPTION("Netfilter: DSCP/TOS field match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_dscp");
MODULE_ALIAS("ip6t_dscp");
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index d7c90ac..ef9981b 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("x_tables ESP SPI match module");
+MODULE_DESCRIPTION("Netfilter: IPsec-ESP packet match");
MODULE_ALIAS("ipt_esp");
MODULE_ALIAS("ip6t_esp");
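Review bot: The new description loses information the old one carried: "x_tables ESP SPI match module" said the match keys on the SPI, whereas "Netfilter: IPsec-ESP packet match" no longer does, and the resent IPv4 AH hunk further down the thread keeps it ("Xtables: IPv4 IPsec-AH SPI match"). Suggest `MODULE_DESCRIPTION("Netfilter: IPsec-ESP SPI match");` so the ESP and AH descriptions stay parallel.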
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index b747a74..48feab6 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -36,7 +36,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for limiting per hash-bucket");
+MODULE_DESCRIPTION("Netfilter: per hash-bucket rate-limit match");
MODULE_ALIAS("ipt_hashlimit");
MODULE_ALIAS("ip6t_hashlimit");
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 9497d00..b85b63d 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -19,7 +19,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Martin Josefsson <gandalf@netfilter.org>");
-MODULE_DESCRIPTION("iptables helper match module");
+MODULE_DESCRIPTION("Netfilter: Related connection matching");
MODULE_ALIAS("ipt_helper");
MODULE_ALIAS("ip6t_helper");
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 97ad627..72e3a9e 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -29,7 +29,7 @@
#endif
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
-MODULE_DESCRIPTION("IP tables packet length matching module");
+MODULE_DESCRIPTION("Netfilter: Packet length (Layer3,4,5) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
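Review bot: The parenthetical in "Netfilter: Packet length (Layer3,4,5) match" is unclear as documentation: a reader of modinfo cannot tell whether it means the measured length spans layers 3 through 5 or that the match operates at those layers. Suggest plain wording that states what is measured, e.g. `MODULE_DESCRIPTION("Netfilter: IP packet length match");`, and dropping the layer list.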
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index ad89a1d..7e51430 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Herve Eychenne <rv@wallfire.org>");
-MODULE_DESCRIPTION("iptables rate limit match");
+MODULE_DESCRIPTION("Netfilter: rate-limit match");
MODULE_ALIAS("ipt_limit");
MODULE_ALIAS("ip6t_limit");
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 7d89863..62e0532 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables mac matching module");
+MODULE_DESCRIPTION("Netfilter: MAC address match");
MODULE_ALIAS("ipt_mac");
MODULE_ALIAS("ip6t_mac");
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 2dd8638..6c1bf56 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables mark matching module");
+MODULE_DESCRIPTION("Netfilter: packet mark match");
MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d03cc37..7e3983f 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("x_tables multiple port match module");
+MODULE_DESCRIPTION("Netfilter: multiple port matching for TCP, UDP, UDP-Lite, SCTP and DCCP");
MODULE_ALIAS("ipt_multiport");
MODULE_ALIAS("ip6t_multiport");
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 4222fa2..cf71269 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -205,7 +205,7 @@ static void __exit owner_mt_exit(void)
module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"owner\" match module");
+MODULE_DESCRIPTION("Netfilter: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 678b683..02d0e70 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-MODULE_DESCRIPTION("iptables bridge physical device match module");
+MODULE_DESCRIPTION("Netfilter: Bridge physical device match");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index cbcb8ea..43b66c6 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michal Ludvig <michal@logix.cz>");
-MODULE_DESCRIPTION("IP tables match to match on linklayer packet type");
+MODULE_DESCRIPTION("Netfilter: link layer packet type match");
MODULE_ALIAS("ipt_pkttype");
MODULE_ALIAS("ip6t_pkttype");
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index ae5caa1..f263ec2 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -18,7 +18,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables IPsec policy matching module");
+MODULE_DESCRIPTION("Netfilter: IPsec policy match");
MODULE_LICENSE("GPL");
static inline bool
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 887874b..e802be8 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -11,6 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
+MODULE_DESCRIPTION("Netfilter: countdown quota match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 63289b4..dee61ac 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -18,7 +18,7 @@
MODULE_AUTHOR("Sampsa Ranta <sampsa@netsonic.fi>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("X_tables realm match");
+MODULE_DESCRIPTION("Netfilter: Routing realm match");
MODULE_ALIAS("ipt_realm");
static bool
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 1c8a4ee..dfdf479 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -11,7 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Kiran Kumar Immidi");
-MODULE_DESCRIPTION("Match for SCTP protocol packets");
+MODULE_DESCRIPTION("Netfilter: SCTP protocol packet match");
MODULE_ALIAS("ipt_sctp");
MODULE_ALIAS("ip6t_sctp");
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index fb16648..cccbc56 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("xtables statistical match module");
+MODULE_DESCRIPTION("Netfilter: statistics-based matching (\"Nth\", random)");
MODULE_ALIAS("ipt_statistic");
MODULE_ALIAS("ip6t_statistic");
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index aff7a11..653eb66 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -16,7 +16,7 @@
#include <linux/textsearch.h>
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@eurodev.net>");
-MODULE_DESCRIPTION("IP tables string match module");
+MODULE_DESCRIPTION("Netfilter: string-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_string");
MODULE_ALIAS("ip6t_string");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 2a3e4c3..4189829 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables TCP MSS match module");
+MODULE_DESCRIPTION("Netfilter: TCP MSS match");
MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 6be5f2d..56bb39a 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -10,7 +10,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("x_tables match for TCP and UDP(-Lite), supports IPv4 and IPv6");
+MODULE_DESCRIPTION("Netfilter: TCP, UDP and UDP-Lite match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("xt_tcp");
MODULE_ALIAS("xt_udp");
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 96da93c..f7c13ac 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -264,7 +264,7 @@ static void __exit time_mt_exit(void)
module_init(time_mt_init);
module_exit(time_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter time match");
+MODULE_DESCRIPTION("Netfilter: time-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_time");
MODULE_ALIAS("ip6t_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 3d8f5b3..71bc8a9 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -130,7 +130,7 @@ static void __exit u32_mt_exit(void)
module_init(u32_mt_init);
module_exit(u32_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter u32 match module");
+MODULE_DESCRIPTION("Netfilter: arbitrary byte matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_u32");
MODULE_ALIAS("ip6t_u32");
* Re: [PATCH 20/27] Update modules' descriptions
2008-01-02 20:30 ` [PATCH 20/27] Update modules' descriptions Jan Engelhardt
@ 2008-01-08 15:50 ` Patrick McHardy
2008-01-08 15:55 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:50 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 09ab883e3163255acb54221de305237368c0803d
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:29:57 2008 +0100
>
> [NETFILTER]: Update modules' descriptions
>
> Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
> actually describing what the module does and not just
> "netfilter XYZ target".
>
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
> -MODULE_DESCRIPTION("iptables target for CLUSTERIP");
> +MODULE_DESCRIPTION("Netfilter: CLUSTERIP target");
I think the reference to iptables is actually more useful
than just netfilter. Could you resend after doing global
search and replace of Netfilter: with ip_tables/ip6_tables
etc.?
* Re: [PATCH 20/27] Update modules' descriptions
2008-01-08 15:50 ` Patrick McHardy
@ 2008-01-08 15:55 ` Jan Engelhardt
2008-01-08 15:54 ` Patrick McHardy
0 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 15:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:50, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>
> I think the reference to iptables is actually more useful
> than just netfilter. Could you resend after doing global
> search and replace of Netfilter: with ip_tables/ip6_tables
> etc.?
>
Ok! Perhaps Xtables, because that's what it actually is?
thanks,
Jan
* Re: [PATCH 20/27] Update modules' descriptions
2008-01-08 15:55 ` Jan Engelhardt
@ 2008-01-08 15:54 ` Patrick McHardy
2008-01-08 16:13 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:54 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 8 2008 16:50, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>
>> I think the reference to iptables is actually more useful
>> than just netfilter. Could you resend after doing global
>> search and replace of Netfilter: with ip_tables/ip6_tables
>> etc.?
>>
>
> Ok! Perhaps Xtables, because that's what it actually is?
The user-visible part is ip_tables/ip6_tables, but both
are fine with me.
* Re: [PATCH 20/27] Update modules' descriptions
2008-01-08 15:54 ` Patrick McHardy
@ 2008-01-08 16:13 ` Jan Engelhardt
2008-01-08 16:18 ` Patrick McHardy
0 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:13 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:54, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Jan 8 2008 16:50, Patrick McHardy wrote:
>> > Jan Engelhardt wrote:
>> >
>> > I think the reference to iptables is actually more useful
>> > than just netfilter. Could you resend after doing global
>> > search and replace of Netfilter: with ip_tables/ip6_tables
>> > etc.?
>> >
>>
>> Ok! Perhaps Xtables, because that's what it actually is?
>
> The user-visible part is ip_tables/ip6_tables, but both
> are fine with me.
commit dd12e15f544e635f5d89c7d11e228e3ad66d9ca7
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:29:57 2008 +0100
[NETFILTER]: Update modules' descriptions
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index df39ca0..1b31f7d 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -32,7 +32,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("Xtables: CLUSTERIP target");
struct clusterip_config {
struct list_head list; /* list of all configs */
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ab41764..21395bc 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag modification");
/* set ECT codepoint from IP header.
* return false if there was an error. */
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5acdddf..b38d785 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("Xtables: IPv4 packet logging to syslog");
/* Use lock to serialize, so printks don't overlap */
static DEFINE_SPINLOCK(log_lock);
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 1cbff7b..d80fee8 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
/* Lock protects masq region inside conntrack */
static DEFINE_RWLOCK(masq_lock);
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 5b71ef4..6739abf 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
static bool
netmap_tg_check(const char *tablename, const void *e,
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 3d9ec5c..5c62924 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -23,7 +23,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
/* FIXME: Take multiple ranges --RR */
static bool
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a299ceb..e3c2ecc 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -29,7 +29,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
/* Send RST reply */
static void send_reset(struct sk_buff *oldskb, int hook)
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index fa13cf6..30eed65 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -16,7 +16,7 @@
#include <linux/netfilter_ipv4/ipt_TTL.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("Xtables: IPv4 TTL field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 1d8e146..fa24efa 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -50,7 +50,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("Xtables: packet logging to netlink using ULOG");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 14394c6..c22e827 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -21,7 +21,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("Xtables: address type match for IPv4");
static inline bool match_type(const struct net_device *dev, __be32 addr,
u_int16_t mask)
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 2b2fb26..e977989 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
#ifdef DEBUG_CONNTRACK
#define duprintf(format, args...) printk(format , ## args)
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index ea13784..749de82 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv4/ipt_ecn.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
MODULE_LICENSE("GPL");
static inline bool match_ip(const struct sk_buff *skb,
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 82208ed..9a2aba8 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -15,7 +15,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
static bool
iprange_mt(const struct sk_buff *skb, const struct net_device *in,
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 4f3700d..e3154a9 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -30,7 +30,7 @@
#include <linux/netfilter_ipv4/ipt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
static unsigned int ip_list_tot = 100;
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index b18d391..e0b8cae 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("Xtables: IPv4 TTL field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index cefb425..d5f8fd5 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -15,7 +15,7 @@
#include <linux/netfilter_ipv6/ip6t_HL.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target");
MODULE_LICENSE("GPL");
static unsigned int
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 474c2b1..86a6138 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -26,7 +26,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
-MODULE_DESCRIPTION("IP6 tables LOG target module");
+MODULE_DESCRIPTION("Xtables: IPv6 packet logging to syslog");
MODULE_LICENSE("GPL");
struct in_device;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index a951c2c..b23baa6 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -31,7 +31,7 @@
#include <linux/netfilter_ipv6/ip6t_REJECT.h>
MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
-MODULE_DESCRIPTION("IP6 tables REJECT target module");
+MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
MODULE_LICENSE("GPL");
/* Send RST reply */
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index f5d08a8..429629f 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -20,7 +20,7 @@
#include <linux/netfilter_ipv6/ip6t_ah.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 AH match");
+MODULE_DESCRIPTION("Xtables: IPv6 IPsec-AH match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the spi is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 8118b12..ef70bf7 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -15,7 +15,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
+MODULE_DESCRIPTION("Xtables: IPv6 EUI64 address match");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index ae8c714..e2bbc63 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -19,7 +19,7 @@
#include <linux/netfilter_ipv6/ip6t_frag.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 FRAG match");
+MODULE_DESCRIPTION("Xtables: IPv6 fragment match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index b76e27d..62e39ac 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_opts.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 opts match");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop-By-Hop and Destination Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
MODULE_ALIAS("ip6t_dst");
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 8f2d7d0..3456716 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -16,7 +16,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit matching module");
+MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
MODULE_LICENSE("GPL");
static bool
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index ae497e7..3a94017 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -23,7 +23,7 @@
#include <linux/netfilter_ipv6/ip6t_ipv6header.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 headers match");
+MODULE_DESCRIPTION("Xtables: IPv6 header types match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static bool
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 618e6b9..e06678d 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -21,7 +21,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6t_mh.h>
-MODULE_DESCRIPTION("ip6t_tables match for MH");
+MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
MODULE_LICENSE("GPL");
#ifdef DEBUG_IP_FIREWALL_USER
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 038cea6..12a9efe 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv6/ip6t_rt.h>
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("IPv6 RT match");
+MODULE_DESCRIPTION("Xtables: IPv6 Routing Header match");
MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
/* Returns 1 if the id is matched by the range, 0 otherwise */
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 8e83dd4..77a52bf 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -22,7 +22,7 @@
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables qdisc classification target module");
+MODULE_DESCRIPTION("Xtables: Qdisc classification");
MODULE_ALIAS("ipt_CLASSIFY");
MODULE_ALIAS("ip6t_CLASSIFY");
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
index 761d34d..c268147 100644
--- a/net/netfilter/xt_CONNMARK.c
+++ b/net/netfilter/xt_CONNMARK.c
@@ -26,7 +26,7 @@
#include <net/checksum.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_DESCRIPTION("Xtables: connection mark modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CONNMARK");
MODULE_ALIAS("ip6t_CONNMARK");
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 024106b..1faa913 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -26,7 +26,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
MODULE_ALIAS("ipt_CONNSECMARK");
MODULE_ALIAS("ip6t_CONNSECMARK");
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3d216d6..97efd74 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -21,7 +21,7 @@
#include <linux/netfilter_ipv4/ipt_TOS.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP modification module");
+MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DSCP");
MODULE_ALIAS("ip6t_DSCP");
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index 1c3fb75..f9ce20b 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("ip[6]tables MARK modification module");
+MODULE_DESCRIPTION("Xtables: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index 866facf..19ae8ef 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -15,7 +15,7 @@
#include <net/netfilter/nf_log.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("x_tables NFLOG target");
+MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFLOG");
MODULE_ALIAS("ip6t_NFLOG");
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 16b57c2..beb24d1 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -17,7 +17,7 @@
#include <linux/netfilter/xt_NFQUEUE.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("[ip,ip6,arp]_tables NFQUEUE target");
+MODULE_DESCRIPTION("Xtables: packet forwarding to netlink");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NFQUEUE");
MODULE_ALIAS("ip6t_NFQUEUE");
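Review bot: "Xtables: packet forwarding to netlink" in the replacement line is misleading wording: "forwarding" suggests routing, while the target's own name (NFQUEUE) says it queues packets. Suggest `MODULE_DESCRIPTION("Xtables: packet queueing to userspace via netlink");`, which also parallels the NFLOG hunk just above ("packet logging to netlink using NFLOG").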
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 95712e4..6c9de61 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -7,6 +7,7 @@
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_conntrack.h>
+MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index c008883..c5ba525 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -197,7 +197,7 @@ static void __exit xt_rateest_tg_fini(void)
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("xtables rate estimator");
+MODULE_DESCRIPTION("Xtables: packet rate estimator");
MODULE_ALIAS("ipt_RATEEST");
MODULE_ALIAS("ip6t_RATEEST");
module_init(xt_rateest_tg_init);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7d5439c..b11b3ec 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
-MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_DESCRIPTION("Xtables: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a1bc77f..60e3767 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -24,7 +24,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("x_tables TCP MSS modification module");
+MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment");
MODULE_ALIAS("ipt_TCPMSS");
MODULE_ALIAS("ip6t_TCPMSS");
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 43d6ac2..3b2aa56 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -141,7 +141,7 @@ static void __exit tcpoptstrip_tg_exit(void)
module_init(tcpoptstrip_tg_init);
module_exit(tcpoptstrip_tg_exit);
MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"TCPOPTSTRIP\" target module");
+MODULE_DESCRIPTION("Xtables: TCP option stripping");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TCPOPTSTRIP");
MODULE_ALIAS("ip6t_TCPOPTSTRIP");
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 219b9d2..30dab79 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -5,6 +5,7 @@
#include <linux/netfilter/x_tables.h>
+MODULE_DESCRIPTION("Xtables: packet flow tracing");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TRACE");
MODULE_ALIAS("ip6t_TRACE");
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index 4539d43..89f4736 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -10,7 +10,7 @@
#include <linux/netfilter/xt_comment.h>
MODULE_AUTHOR("Brad Fisher <brad@info-link.net>");
-MODULE_DESCRIPTION("iptables comment match module");
+MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a comment");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_comment");
MODULE_ALIAS("ip6t_comment");
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7d4940a..b15e7e2 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -12,7 +12,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for matching number of pkts/bytes per connection");
+MODULE_DESCRIPTION("Xtables: Number of packets/bytes per connection matching");
MODULE_ALIAS("ipt_connbytes");
MODULE_ALIAS("ip6t_connbytes");
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 6a9e2a3..e00ecd9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -309,7 +309,7 @@ static void __exit connlimit_mt_exit(void)
module_init(connlimit_mt_init);
module_exit(connlimit_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter xt_connlimit match module");
+MODULE_DESCRIPTION("Xtables: Number of connections matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connlimit");
MODULE_ALIAS("ip6t_connlimit");
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 60d9605..d7e692a 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -28,7 +28,7 @@
#include <linux/netfilter/xt_connmark.h>
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_DESCRIPTION("Xtables: connection mark match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_connmark");
MODULE_ALIAS("ip6t_connmark");
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index dc9e737..e92190e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables connection tracking match module");
+MODULE_DESCRIPTION("Xtables: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index ab2f7e9..667f45e 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Match for DCCP protocol packets");
+MODULE_DESCRIPTION("Xtables: DCCP protocol packet match");
MODULE_ALIAS("ipt_dccp");
MODULE_ALIAS("ip6t_dccp");
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 834e437..26f4aab 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -18,7 +18,7 @@
#include <linux/netfilter_ipv4/ipt_tos.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("x_tables DSCP/tos matching module");
+MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_dscp");
MODULE_ALIAS("ip6t_dscp");
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index d7c90ac..71c7c37 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("x_tables ESP SPI match module");
+MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
MODULE_ALIAS("ipt_esp");
MODULE_ALIAS("ip6t_esp");
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index b747a74..8c47c51 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -36,7 +36,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables match for limiting per hash-bucket");
+MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
MODULE_ALIAS("ipt_hashlimit");
MODULE_ALIAS("ip6t_hashlimit");
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 9497d00..7066bfb 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -19,7 +19,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Martin Josefsson <gandalf@netfilter.org>");
-MODULE_DESCRIPTION("iptables helper match module");
+MODULE_DESCRIPTION("Xtables: Related connection matching");
MODULE_ALIAS("ipt_helper");
MODULE_ALIAS("ip6t_helper");
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 97ad627..032de25 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -29,7 +29,7 @@
#endif
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
-MODULE_DESCRIPTION("IP tables packet length matching module");
+MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_length");
MODULE_ALIAS("ip6t_length");
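Review bot: the replacement string `"Xtables: Packet length (Layer3,4,5) match"` is hard to read; spaces are missing after the commas and it is not obvious whether one match covers layer 3, 4 and 5 lengths at once. Suggest spelling it out (for example `"Xtables: packet length (layer 3/4/5) match"`) and using lower-case `packet` like the other descriptions in this patch (`"Xtables: packet mark match"`, `"Xtables: packet security mark modification"`).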
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index ad89a1d..7746f22 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Herve Eychenne <rv@wallfire.org>");
-MODULE_DESCRIPTION("iptables rate limit match");
+MODULE_DESCRIPTION("Xtables: rate-limit match");
MODULE_ALIAS("ipt_limit");
MODULE_ALIAS("ip6t_limit");
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 7d89863..b3e96a0 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables mac matching module");
+MODULE_DESCRIPTION("Xtables: MAC address match");
MODULE_ALIAS("ipt_mac");
MODULE_ALIAS("ip6t_mac");
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 2dd8638..60494e1 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables mark matching module");
+MODULE_DESCRIPTION("Xtables: packet mark match");
MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d03cc37..31daa81 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -22,7 +22,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("x_tables multiple port match module");
+MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP and DCCP");
MODULE_ALIAS("ipt_multiport");
MODULE_ALIAS("ip6t_multiport");
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 4222fa2..d382f9c 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -205,7 +205,7 @@ static void __exit owner_mt_exit(void)
module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter \"owner\" match module");
+MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 678b683..4ec1094 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -16,7 +16,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
-MODULE_DESCRIPTION("iptables bridge physical device match module");
+MODULE_DESCRIPTION("Xtables: Bridge physical device match");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index cbcb8ea..7936f7e 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michal Ludvig <michal@logix.cz>");
-MODULE_DESCRIPTION("IP tables match to match on linklayer packet type");
+MODULE_DESCRIPTION("Xtables: link layer packet type match");
MODULE_ALIAS("ipt_pkttype");
MODULE_ALIAS("ip6t_pkttype");
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index ae5caa1..fca63f9 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -18,7 +18,7 @@
#include <linux/netfilter/x_tables.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables IPsec policy matching module");
+MODULE_DESCRIPTION("Xtables: IPsec policy match");
MODULE_LICENSE("GPL");
static inline bool
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 887874b..3b021d0 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -11,6 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
+MODULE_DESCRIPTION("Xtables: countdown quota match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 63289b4..7df1627 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -18,7 +18,7 @@
MODULE_AUTHOR("Sampsa Ranta <sampsa@netsonic.fi>");
MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("X_tables realm match");
+MODULE_DESCRIPTION("Xtables: Routing realm match");
MODULE_ALIAS("ipt_realm");
static bool
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 1c8a4ee..b718ec6 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -11,7 +11,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Kiran Kumar Immidi");
-MODULE_DESCRIPTION("Match for SCTP protocol packets");
+MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
MODULE_ALIAS("ipt_sctp");
MODULE_ALIAS("ip6t_sctp");
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index fb16648..4313308 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -18,7 +18,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("xtables statistical match module");
+MODULE_DESCRIPTION("Xtables: statistics-based matching (\"Nth\", random)");
MODULE_ALIAS("ipt_statistic");
MODULE_ALIAS("ip6t_statistic");
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index aff7a11..72f694d 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -16,7 +16,7 @@
#include <linux/textsearch.h>
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@eurodev.net>");
-MODULE_DESCRIPTION("IP tables string match module");
+MODULE_DESCRIPTION("Xtables: string-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_string");
MODULE_ALIAS("ip6t_string");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 2a3e4c3..d7a5b27 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -20,7 +20,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables TCP MSS match module");
+MODULE_DESCRIPTION("Xtables: TCP MSS match");
MODULE_ALIAS("ipt_tcpmss");
MODULE_ALIAS("ip6t_tcpmss");
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 6be5f2d..4fa3b66 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -10,7 +10,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-MODULE_DESCRIPTION("x_tables match for TCP and UDP(-Lite), supports IPv4 and IPv6");
+MODULE_DESCRIPTION("Xtables: TCP, UDP and UDP-Lite match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("xt_tcp");
MODULE_ALIAS("xt_udp");
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 96da93c..e9a8794 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -264,7 +264,7 @@ static void __exit time_mt_exit(void)
module_init(time_mt_init);
module_exit(time_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter time match");
+MODULE_DESCRIPTION("Xtables: time-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_time");
MODULE_ALIAS("ip6t_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 3d8f5b3..9b8ed39 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -130,7 +130,7 @@ static void __exit u32_mt_exit(void)
module_init(u32_mt_init);
module_exit(u32_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
-MODULE_DESCRIPTION("netfilter u32 match module");
+MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_u32");
MODULE_ALIAS("ip6t_u32");
* [PATCH 21/27] Convert unfixated types to fixated ones
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (20 preceding siblings ...)
2008-01-02 20:30 ` [PATCH 20/27] Update modules' descriptions Jan Engelhardt
@ 2008-01-02 20:31 ` Jan Engelhardt
2008-01-08 15:52 ` Patrick McHardy
2008-01-02 20:31 ` [PATCH 22/27] Rename ipt_iprange to xt_iprange Jan Engelhardt
` (5 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:31 UTC
To: kaber; +Cc: Netfilter Developer Mailing List
commit 69855da1bb8257b215c83a72edd0c67bd7810fa5
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:30:30 2008 +0100
[NETFILTER]: Convert unfixated types to fixated ones.
The use of an unfixated type like "int" is dangerous, its size may
change in future (imagine 128-bit or ILP64 compilation) -- "long"
already has this problem which is differently-sized on x86_32 and
x86_64. Switch "int" to "int32_t" to prepare against future compiler
changes.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_connlimit.h | 2 +-
include/linux/netfilter/xt_mac.h | 4 ++--
include/linux/netfilter/xt_pkttype.h | 4 ++--
include/linux/netfilter/xt_sctp.h | 2 +-
include/linux/netfilter/xt_state.h | 2 +-
include/linux/netfilter_ipv4/ipt_LOG.h | 4 ++--
include/linux/netfilter_ipv4/ipt_SAME.h | 2 +-
include/linux/netfilter_ipv4/ipt_sctp.h | 2 +-
include/linux/netfilter_ipv6/ip6t_LOG.h | 4 ++--
9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 7e3284b..b66e2a4 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -13,7 +13,7 @@ struct xt_connlimit_info {
};
#endif
};
- unsigned int limit, inverse;
+ u_int32_t limit, inverse;
/* Used internally by the kernel */
struct xt_connlimit_data *data __attribute__((aligned(8)));
diff --git a/include/linux/netfilter/xt_mac.h b/include/linux/netfilter/xt_mac.h
index b892cdc..2f7f05b 100644
--- a/include/linux/netfilter/xt_mac.h
+++ b/include/linux/netfilter/xt_mac.h
@@ -2,7 +2,7 @@
#define _XT_MAC_H
struct xt_mac_info {
- unsigned char srcaddr[ETH_ALEN];
- int invert;
+ unsigned char srcaddr[ETH_ALEN];
+ int32_t invert;
};
#endif /*_XT_MAC_H*/
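Review bot: the `unsigned char srcaddr[ETH_ALEN];` line in this hunk is removed and re-added with no visible change, so the only difference can be whitespace; a type-conversion patch should not carry whitespace churn on members it does not convert. Suggest restricting the hunk to the `int invert;` to `int32_t invert;` change.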
diff --git a/include/linux/netfilter/xt_pkttype.h b/include/linux/netfilter/xt_pkttype.h
index f265cf5..268dd73 100644
--- a/include/linux/netfilter/xt_pkttype.h
+++ b/include/linux/netfilter/xt_pkttype.h
@@ -2,7 +2,7 @@
#define _XT_PKTTYPE_H
struct xt_pkttype_info {
- int pkttype;
- int invert;
+ int32_t pkttype;
+ int32_t invert;
};
#endif /*_XT_PKTTYPE_H*/
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index dd5a4fd..48f945c 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -27,7 +27,7 @@ struct xt_sctp_info {
u_int32_t chunk_match_type;
struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
- int flag_count;
+ int32_t flag_count;
u_int32_t flags;
u_int32_t invflags;
diff --git a/include/linux/netfilter/xt_state.h b/include/linux/netfilter/xt_state.h
index c06f32e..7155420 100644
--- a/include/linux/netfilter/xt_state.h
+++ b/include/linux/netfilter/xt_state.h
@@ -8,6 +8,6 @@
struct xt_state_info
{
- unsigned int statemask;
+ u_int32_t statemask;
};
#endif /*_XT_STATE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 90fa652..ddaf142 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -10,8 +10,8 @@
#define IPT_LOG_MASK 0x1f
struct ipt_log_info {
- unsigned char level;
- unsigned char logflags;
+ u_int8_t level;
+ u_int8_t logflags;
char prefix[30];
};
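Review bot: this hunk converts `unsigned char level` and `unsigned char logflags` to `u_int8_t`, but the commit message only describes switching `int` to `int32_t`. Either document the `char` to `u_int8_t` conversions (the same change appears in ipt_SAME.h and ip6t_LOG.h below) or drop them: `char` is already one byte on every Linux ABI, so the stated motivation (a future ILP64 compilation) does not apply to these members.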
diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h
index be6e682..0def688 100644
--- a/include/linux/netfilter_ipv4/ipt_SAME.h
+++ b/include/linux/netfilter_ipv4/ipt_SAME.h
@@ -7,7 +7,7 @@
struct ipt_same_info
{
- unsigned char info;
+ u_int8_t info;
u_int32_t rangesize;
u_int32_t ipnum;
u_int32_t *iparray;
diff --git a/include/linux/netfilter_ipv4/ipt_sctp.h b/include/linux/netfilter_ipv4/ipt_sctp.h
index 80b3dba..78b567d 100644
--- a/include/linux/netfilter_ipv4/ipt_sctp.h
+++ b/include/linux/netfilter_ipv4/ipt_sctp.h
@@ -28,7 +28,7 @@ struct ipt_sctp_info {
u_int32_t chunk_match_type;
struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
- int flag_count;
+ int32_t flag_count;
u_int32_t flags;
u_int32_t invflags;
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 0d0119b..e768acc 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -10,8 +10,8 @@
#define IP6T_LOG_MASK 0x1f
struct ip6t_log_info {
- unsigned char level;
- unsigned char logflags;
+ u_int8_t level;
+ u_int8_t logflags;
char prefix[30];
};
* Re: [PATCH 21/27] Convert unfixated types to fixated ones
2008-01-02 20:31 ` [PATCH 21/27] Convert unfixated types to fixated ones Jan Engelhardt
@ 2008-01-08 15:52 ` Patrick McHardy
2008-01-08 16:14 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:52 UTC
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 69855da1bb8257b215c83a72edd0c67bd7810fa5
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:30:30 2008 +0100
>
> [NETFILTER]: Convert unfixated types to fixated ones.
>
> The use of an unfixated type like "int" is dangerous, its size may
> change in future (imagine 128-bit or ILP64 compilation) -- "long"
> already has this problem which is differently-sized on x86_32 and
> x86_64. Switch "int" to "int32_t" to prepare against future compiler
> changes.
If that really happens a lot of things would break, so I don't
really see the point. It also changes types like char whose
size won't ever change.
* Re: [PATCH 21/27] Convert unfixated types to fixated ones
2008-01-08 15:52 ` Patrick McHardy
@ 2008-01-08 16:14 ` Jan Engelhardt
0 siblings, 0 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:14 UTC
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:52, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit 69855da1bb8257b215c83a72edd0c67bd7810fa5
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 18:30:30 2008 +0100
>>
>> [NETFILTER]: Convert unfixated types to fixated ones.
>>
>> The use of an unfixated type like "int" is dangerous, its size may
>> change in future (imagine 128-bit or ILP64 compilation) -- "long"
>> already has this problem which is differently-sized on x86_32 and
>> x86_64. Switch "int" to "int32_t" to prepare against future compiler
>> changes.
>
>
> If that really happens a lot of things would break, so I don't
> really see the point. It also changes types like char whose
> size won't ever change.
>
int8_t would serve as an intent annotation that the member is used
for a numeric value rather than a character. Well, never mind.
* [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (21 preceding siblings ...)
2008-01-02 20:31 ` [PATCH 21/27] Convert unfixated types to fixated ones Jan Engelhardt
@ 2008-01-02 20:31 ` Jan Engelhardt
2008-01-08 15:55 ` Patrick McHardy
2008-01-02 20:31 ` [PATCH 23/27] xt_iprange match, revision 1 Jan Engelhardt
` (4 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:31 UTC
To: kaber; +Cc: Netfilter Developer Mailing List
commit b9d3db24231f4555d13b348645e6c0b2f6eba3af
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:49:22 2008 +0100
[NETFILTER]: Rename ipt_iprange to xt_iprange
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
include/linux/netfilter/xt_iprange.h | 17 +++++++
include/linux/netfilter_ipv4/ipt_iprange.h | 6 +--
net/ipv4/netfilter/Kconfig | 10 ----
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 11 +++++
net/netfilter/Makefile | 1 +
.../ipt_iprange.c => netfilter/xt_iprange.c} | 27 ++++++------
7 files changed, 43 insertions(+), 30 deletions(-)
create mode 100644 include/linux/netfilter/xt_iprange.h
rename net/{ipv4/netfilter/ipt_iprange.c => netfilter/xt_iprange.c} (75%)
diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h
new file mode 100644
index 0000000..a4299c7
--- /dev/null
+++ b/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
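Review bot: the new header uses `union nf_inet_addr` and `u_int8_t` but contains no `#include` at all, so it only compiles when the including file has already pulled in the right definitions. Suggest adding `#include <linux/types.h>` and `#include <linux/netfilter.h>` (where `union nf_inet_addr` is declared) at the top of the file, the way ipt_iprange.h below already includes `<linux/types.h>` before using the types it needs.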
diff --git a/include/linux/netfilter_ipv4/ipt_iprange.h b/include/linux/netfilter_ipv4/ipt_iprange.h
index a92fefc..5f1aebd 100644
--- a/include/linux/netfilter_ipv4/ipt_iprange.h
+++ b/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -2,11 +2,7 @@
#define _IPT_IPRANGE_H
#include <linux/types.h>
-
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/netfilter/xt_iprange.h>
struct ipt_iprange {
/* Inclusive: network order. */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index cface71..9d6f617 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,16 +57,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
# The matches.
-config IP_NF_MATCH_IPRANGE
- tristate '"iprange" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This option makes possible to match IP addresses against IP address
- ranges.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_RECENT
tristate '"recent" match support'
depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index fd7d4a5..0c7dc78 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 96dbe9f..ac9b9c1 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -566,6 +566,17 @@ config NETFILTER_XT_MATCH_HELPER
To compile it as a module, choose M here. If unsure, say Y.
+config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds a "iprange" match, which allows you to match based on
+ an IP address range. (Normal iptables only matches on single addresses
+ with an optional mask.)
+
+ If unsure, say M.
+
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_XTABLES
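Review bot: in the new help text `a "iprange" match` should read `an "iprange" match`, and the recommendation changes from `If unsure, say N.` in the IP_NF_MATCH_IPRANGE entry being removed to `If unsure, say M.` here without the commit message saying why. Suggest fixing the article and either keeping `say N` or noting the changed recommendation in the description.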
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3b9ea8f..c910cae 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -63,6 +63,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/netfilter/xt_iprange.c
similarity index 75%
rename from net/ipv4/netfilter/ipt_iprange.c
rename to net/netfilter/xt_iprange.c
index d16cdb4..ff71868 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -1,11 +1,11 @@
/*
- * iptables module to match IP address ranges
+ * xt_iprange - Netfilter module to match IP address ranges
*
- * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
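Review bot: in this hunk the copyright line and the three GPL lines are deleted and re-added with no visible change, so the difference is whitespace only; that inflates the diff and lowers the rename similarity index. Suggest leaving those lines untouched and changing only the first line of the comment.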
@@ -13,15 +13,11 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("Netfilter: arbitrary IPv4 range matching");
-
static bool
-iprange_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct ipt_iprange_info *info = matchinfo;
const struct iphdr *iph = ip_hdr(skb);
@@ -58,7 +54,7 @@ iprange_mt(const struct sk_buff *skb, const struct net_device *in,
static struct xt_match iprange_mt_reg __read_mostly = {
.name = "iprange",
.family = AF_INET,
- .match = iprange_mt,
+ .match = iprange_mt_v0,
.matchsize = sizeof(struct ipt_iprange_info),
.me = THIS_MODULE
};
@@ -75,3 +71,6 @@ static void __exit iprange_mt_exit(void)
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("Netfilter: arbitrary IPv4 range matching");
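Review bot: the re-added `MODULE_DESCRIPTION("Netfilter: arbitrary IPv4 range matching")` keeps the `Netfilter:` prefix, while patch 20/27 in this series standardizes every Xtables module on an `Xtables:` prefix (the resend of this patch shows the file already carrying `"Xtables: arbitrary IPv4 range matching"`), so the two patches conflict on these lines. Suggest carrying the updated string, `MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching")`, so the rename applies cleanly on top of patch 20.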
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-02 20:31 ` [PATCH 22/27] Rename ipt_iprange to xt_iprange Jan Engelhardt
@ 2008-01-08 15:55 ` Patrick McHardy
2008-01-08 16:16 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:55 UTC
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit b9d3db24231f4555d13b348645e6c0b2f6eba3af
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:49:22 2008 +0100
>
> [NETFILTER]: Rename ipt_iprange to xt_iprange
>
> This patch moves ipt_iprange to xt_iprange, in preparation for adding
> IPv6 support to xt_iprange.
This doesn't apply without the MODULE_DESCRIPTION patch.
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-08 15:55 ` Patrick McHardy
@ 2008-01-08 16:16 ` Jan Engelhardt
2008-01-08 16:22 ` Patrick McHardy
2008-01-09 13:55 ` Jan Engelhardt
0 siblings, 2 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:16 UTC
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:55, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit b9d3db24231f4555d13b348645e6c0b2f6eba3af
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 18:49:22 2008 +0100
>>
>> [NETFILTER]: Rename ipt_iprange to xt_iprange
>>
>> This patch moves ipt_iprange to xt_iprange, in preparation for adding
>> IPv6 support to xt_iprange.
>
>
> This doesn't apply without the MODULE_DESCRIPTION patch.
>
commit febc0e221181b2c370ee9cdd313fd2bc145cb30a
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:49:22 2008 +0100
[NETFILTER]: Rename ipt_iprange to xt_iprange
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h
new file mode 100644
index 0000000..a4299c7
--- /dev/null
+++ b/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 2, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 3, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
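Review bot: `IPRANGE_SRC_INV` and `IPRANGE_DST_INV` are now `1 << 2` and `1 << 3`, but the `#define`s removed from ipt_iprange.h below set them to `0x10` and `0x20`, and the first posting of this patch kept `1 << 4` and `1 << 5`. Because ipt_iprange.h now includes this header, the revision-0 match (visible as `iprange_mt` in the file deleted below) keeps testing `info->flags & IPRANGE_SRC_INV` against a `struct ipt_iprange_info` filled in by userspace, while any iptables binary built against the old header still sets bits 4 and 5; an inverted range rule would then silently lose its negation and match the opposite traffic. Suggest keeping the `1 << 4` / `1 << 5` values so the existing `struct ipt_iprange_info` ABI is unchanged.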
diff --git a/include/linux/netfilter_ipv4/ipt_iprange.h b/include/linux/netfilter_ipv4/ipt_iprange.h
index a92fefc..5f1aebd 100644
--- a/include/linux/netfilter_ipv4/ipt_iprange.h
+++ b/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -2,11 +2,7 @@
#define _IPT_IPRANGE_H
#include <linux/types.h>
-
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/netfilter/xt_iprange.h>
struct ipt_iprange {
/* Inclusive: network order. */
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index cface71..9d6f617 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,16 +57,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
# The matches.
-config IP_NF_MATCH_IPRANGE
- tristate '"iprange" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This option makes possible to match IP addresses against IP address
- ranges.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_RECENT
tristate '"recent" match support'
depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index fd7d4a5..0c7dc78 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
deleted file mode 100644
index 9a2aba8..0000000
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * iptables module to match IP address ranges
- *
- * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
-
-static bool
-iprange_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
-{
- const struct ipt_iprange_info *info = matchinfo;
- const struct iphdr *iph = ip_hdr(skb);
-
- if (info->flags & IPRANGE_SRC) {
- if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
- || ntohl(iph->saddr) > ntohl(info->src.max_ip))
- ^ !!(info->flags & IPRANGE_SRC_INV)) {
- pr_debug("src IP %u.%u.%u.%u NOT in range %s"
- "%u.%u.%u.%u-%u.%u.%u.%u\n",
- NIPQUAD(iph->saddr),
- info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
- NIPQUAD(info->src.min_ip),
- NIPQUAD(info->src.max_ip));
- return false;
- }
- }
- if (info->flags & IPRANGE_DST) {
- if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
- || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
- ^ !!(info->flags & IPRANGE_DST_INV)) {
- pr_debug("dst IP %u.%u.%u.%u NOT in range %s"
- "%u.%u.%u.%u-%u.%u.%u.%u\n",
- NIPQUAD(iph->daddr),
- info->flags & IPRANGE_DST_INV ? "(INV) " : "",
- NIPQUAD(info->dst.min_ip),
- NIPQUAD(info->dst.max_ip));
- return false;
- }
- }
- return true;
-}
-
-static struct xt_match iprange_mt_reg __read_mostly = {
- .name = "iprange",
- .family = AF_INET,
- .match = iprange_mt,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE
-};
-
-static int __init iprange_mt_init(void)
-{
- return xt_register_match(&iprange_mt_reg);
-}
-
-static void __exit iprange_mt_exit(void)
-{
- xt_unregister_match(&iprange_mt_reg);
-}
-
-module_init(iprange_mt_init);
-module_exit(iprange_mt_exit);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 96dbe9f..ac9b9c1 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -566,6 +566,17 @@ config NETFILTER_XT_MATCH_HELPER
To compile it as a module, choose M here. If unsure, say Y.
+config NETFILTER_XT_MATCH_IPRANGE
+ tristate '"iprange" address range match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds a "iprange" match, which allows you to match based on
+ an IP address range. (Normal iptables only matches on single addresses
+ with an optional mask.)
+
+ If unsure, say M.
+
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_XTABLES
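Review bot: the help text reads `a "iprange" match`; it should be `an "iprange" match`. The closing `If unsure, say M.` also departs from the `To compile it as a module, choose M here. If unsure, say ...` form the removed IPv4 entry and the neighbouring entries use, and for an option behind NETFILTER_ADVANCED the removed entry's `say N` is the consistent answer.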
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3b9ea8f..c910cae 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -63,6 +63,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
new file mode 100644
index 0000000..c57a6cf
--- /dev/null
+++ b/net/netfilter/xt_iprange.c
@@ -0,0 +1,76 @@
+/*
+ * xt_iprange - Netfilter module to match IP address ranges
+ *
+ * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ipt_iprange.h>
+
+static bool
+iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_iprange_info *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+
+ if (info->flags & IPRANGE_SRC) {
+ if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
+ || ntohl(iph->saddr) > ntohl(info->src.max_ip))
+ ^ !!(info->flags & IPRANGE_SRC_INV)) {
+ pr_debug("src IP %u.%u.%u.%u NOT in range %s"
+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
+ NIPQUAD(iph->saddr),
+ info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
+ NIPQUAD(info->src.min_ip),
+ NIPQUAD(info->src.max_ip));
+ return false;
+ }
+ }
+ if (info->flags & IPRANGE_DST) {
+ if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
+ || ntohl(iph->daddr) > ntohl(info->dst.max_ip))
+ ^ !!(info->flags & IPRANGE_DST_INV)) {
+ pr_debug("dst IP %u.%u.%u.%u NOT in range %s"
+ "%u.%u.%u.%u-%u.%u.%u.%u\n",
+ NIPQUAD(iph->daddr),
+ info->flags & IPRANGE_DST_INV ? "(INV) " : "",
+ NIPQUAD(info->dst.min_ip),
+ NIPQUAD(info->dst.max_ip));
+ return false;
+ }
+ }
+ return true;
+}
+
+static struct xt_match iprange_mt_reg __read_mostly = {
+ .name = "iprange",
+ .family = AF_INET,
+ .match = iprange_mt_v0,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .me = THIS_MODULE
+};
+
+static int __init iprange_mt_init(void)
+{
+ return xt_register_match(&iprange_mt_reg);
+}
+
+static void __exit iprange_mt_exit(void)
+{
+ xt_unregister_match(&iprange_mt_reg);
+}
+
+module_init(iprange_mt_init);
+module_exit(iprange_mt_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
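Review bot: the moved module still includes <linux/netfilter_ipv4/ipt_iprange.h> rather than the new <linux/netfilter/xt_iprange.h>. That is unavoidable while iprange_mt_v0 needs struct ipt_iprange_info for its matchsize, but a net/netfilter module depending on a netfilter_ipv4 header deserves a comment at the include (or the struct moved into xt_iprange.h under a legacy name), and .family is still AF_INET only, so the Kconfig text promising a generic address range match is ahead of the code until the IPv6 revision is added.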
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-08 16:16 ` Jan Engelhardt
@ 2008-01-08 16:22 ` Patrick McHardy
2008-01-08 16:25 ` Patrick McHardy
2008-01-09 13:55 ` Jan Engelhardt
1 sibling, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 16:22 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit febc0e221181b2c370ee9cdd313fd2bc145cb30a
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:49:22 2008 +0100
>
> [NETFILTER]: Rename ipt_iprange to xt_iprange
>
> This patch moves ipt_iprange to xt_iprange, in preparation for adding
> IPv6 support to xt_iprange.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Applied, thanks.
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-08 16:22 ` Patrick McHardy
@ 2008-01-08 16:25 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 16:25 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> commit febc0e221181b2c370ee9cdd313fd2bc145cb30a
>> Author: Jan Engelhardt <jengelh@computergmbh.de>
>> Date: Wed Jan 2 18:49:22 2008 +0100
>>
>> [NETFILTER]: Rename ipt_iprange to xt_iprange
>> This patch moves ipt_iprange to xt_iprange, in preparation for
>> adding
>> IPv6 support to xt_iprange.
>> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> Applied, thanks.
And added the missing Kbuild update. Please verify your other patches
were complete.
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-08 16:16 ` Jan Engelhardt
2008-01-08 16:22 ` Patrick McHardy
@ 2008-01-09 13:55 ` Jan Engelhardt
2008-01-10 15:52 ` Patrick McHardy
1 sibling, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-09 13:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 17:16, Jan Engelhardt wrote:
>--- /dev/null
>+++ b/include/linux/netfilter/xt_iprange.h
>@@ -0,0 +1,17 @@
>+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
>+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
>+
>+enum {
>+ IPRANGE_SRC = 1 << 0, /* match source IP address */
>+ IPRANGE_DST = 1 << 1, /* match destination IP address */
>+ IPRANGE_SRC_INV = 1 << 2, /* negate the condition */
>+ IPRANGE_DST_INV = 1 << 3, /* -"- */
>+};
Flag holes can be evil :-/
Please apply, thanks.
===
commit 0f91c13e8fe1389a0b6879b72da59c13182d4b76
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 9 14:53:10 2008 +0100
[NETFILTER]: xt_iprange: Need to keep old constants from ipt_iprange
ipt_iprange left a "hole" in its flags field, i.e.
#define IPRANGE_SRC 0x01 <=> IPRANGE_SRC = 1 << 0,
#define IPRANGE_DST 0x02 <=> IPRANGE_DST = 1 << 1,
#define IPRANGE_SRC_INV 0x10 <=> IPRANGE_SRC_INV = 1 << 4,
#define IPRANGE_DST_INV 0x20 <=> IPRANGE_DST_INV = 1 << 5,
We need to keep this for compat.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_iprange.h b/include/linux/netfilter/xt_iprange.h
index c983a55..a4299c7 100644
--- a/include/linux/netfilter/xt_iprange.h
+++ b/include/linux/netfilter/xt_iprange.h
@@ -4,8 +4,8 @@
enum {
IPRANGE_SRC = 1 << 0, /* match source IP address */
IPRANGE_DST = 1 << 1, /* match destination IP address */
- IPRANGE_SRC_INV = 1 << 2, /* negate the condition */
- IPRANGE_DST_INV = 1 << 3, /* -"- */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
};
struct xt_iprange_mtinfo {
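Review bot: the values are right, but the header still does not say why bits 2 and 3 are skipped; replace the `/* -"- */` comment with one noting that 1 << 4 and 1 << 5 are the 0x10/0x20 values of ipt_iprange kept for binary compatibility and that the gap must stay unused, otherwise the next flag added will fill the hole and reopen the problem this hunk closes.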
* Re: [PATCH 22/27] Rename ipt_iprange to xt_iprange
2008-01-09 13:55 ` Jan Engelhardt
@ 2008-01-10 15:52 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-10 15:52 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 8 2008 17:16, Jan Engelhardt wrote:
>> --- /dev/null
>> +++ b/include/linux/netfilter/xt_iprange.h
>> @@ -0,0 +1,17 @@
>> +#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
>> +#define _LINUX_NETFILTER_XT_IPRANGE_H 1
>> +
>> +enum {
>> + IPRANGE_SRC = 1 << 0, /* match source IP address */
>> + IPRANGE_DST = 1 << 1, /* match destination IP address */
>> + IPRANGE_SRC_INV = 1 << 2, /* negate the condition */
>> + IPRANGE_DST_INV = 1 << 3, /* -"- */
>> +};
>
> Flag holes can be evil :-/
> Please apply, thanks.
>
> [NETFILTER]: xt_iprange: Need to keep old constants from ipt_iprange
Folded into the original patch, thanks.
* [PATCH 23/27] xt_iprange match, revision 1
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (22 preceding siblings ...)
2008-01-02 20:31 ` [PATCH 22/27] Rename ipt_iprange to xt_iprange Jan Engelhardt
@ 2008-01-02 20:31 ` Jan Engelhardt
2008-01-08 15:56 ` Patrick McHardy
2008-01-02 20:33 ` [PATCH 24/27] Merge ipt_REJECT and ip6t_REJECT into xt_REJECT Jan Engelhardt
` (3 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:31 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 057131958a0e09403fc47090549fe9d25afd763c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:51:10 2008 +0100
[NETFILTER]: xt_iprange match, revision 1
Adds IPv6 support to xt_iprange, making it possible to match on IPv6
address ranges with ip6tables.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/netfilter/xt_iprange.c | 123 +++++++++++++++++++++++++++++++++---
1 files changed, 114 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index ff71868..cd08f17 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -2,6 +2,8 @@
* xt_iprange - Netfilter module to match IP address ranges
*
* (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * Copyright © CC Computer Consultants GmbH, 2008
+ * Contact: <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -10,6 +12,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
@@ -51,26 +54,128 @@ iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
return true;
}
-static struct xt_match iprange_mt_reg __read_mostly = {
- .name = "iprange",
- .family = AF_INET,
- .match = iprange_mt_v0,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE
+static bool
+iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
+ m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m) {
+ pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->saddr),
+ (info->flags & IPRANGE_SRC_INV) ? "(INV) " : "",
+ NIPQUAD(info->src_max.ip),
+ NIPQUAD(info->src_max.ip));
+ return false;
+ }
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
+ m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m) {
+ pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->daddr),
+ (info->flags & IPRANGE_DST_INV) ? "(INV) " : "",
+ NIPQUAD(info->dst_min.ip),
+ NIPQUAD(info->dst_max.ip));
+ return false;
+ }
+ }
+ return true;
+}
+
+static inline int
+iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
+{
+ unsigned int i;
+ int r;
+
+ for (i = 0; i < 4; ++i) {
+ r = a->s6_addr32[i] - b->s6_addr32[i];
+ if (r != 0)
+ return r;
+ }
+
+ return 0;
+}
+
+static bool
+iprange_mt6(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m)
+ return false;
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m)
+ return false;
+ }
+ return true;
+}
+
+static struct xt_match iprange_mt_reg[] __read_mostly = {
+ {
+ .name = "iprange",
+ .revision = 0,
+ .family = AF_INET,
+ .match = iprange_mt_v0,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt4,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt6,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
};
static int __init iprange_mt_init(void)
{
- return xt_register_match(&iprange_mt_reg);
+ return xt_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
static void __exit iprange_mt_exit(void)
{
- xt_unregister_match(&iprange_mt_reg);
+ xt_unregister_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("Netfilter: arbitrary IPv4 range matching");
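Review bot: several problems in this hunk. The second iprange_mt_reg entry registers iprange_mt4 with `.family = AF_INET6`; it must be AF_INET, otherwise there is no IPv4 revision-1 match at all, two AF_INET6 entries with the same name and revision are registered, and iprange_mt4 ends up calling ip_hdr() on IPv6 skbs. In iprange_mt4 and iprange_mt6, `m ^= info->flags & IPRANGE_SRC_INV;` (and the DST twin) XORs a bool with the raw flag bit; the operation is performed in int and IPRANGE_SRC_INV is not bit 0, so both 1 ^ bit and 0 ^ bit are non-zero, m is true either way and a negated rule never matches anything; write `m ^= !!(info->flags & IPRANGE_SRC_INV);` as iprange_mt_v0 does. The SRC pr_debug prints NIPQUAD(info->src_max.ip) twice; the first should be src_min. iprange_ipv6_sub subtracts s6_addr32 words, which are __be32, without ntohl, so the ordering is wrong on little-endian hosts, and storing the u32 difference in an int wraps when it exceeds INT_MAX; compare word by word with ntohl() and return -1/0/1 instead of the difference. Finally, MODULE_DESCRIPTION still says "IPv4 range matching" for a module that now handles IPv6 too.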
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 23/27] xt_iprange match, revision 1
2008-01-02 20:31 ` [PATCH 23/27] xt_iprange match, revision 1 Jan Engelhardt
@ 2008-01-08 15:56 ` Patrick McHardy
2008-01-08 16:22 ` Jan Engelhardt
0 siblings, 1 reply; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:56 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 057131958a0e09403fc47090549fe9d25afd763c
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 18:51:10 2008 +0100
>
> [NETFILTER]: xt_iprange match, revision 1
>
> Adds IPv6 support to xt_iprange, making it possible to match on IPv6
> address ranges with ip6tables.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> net/netfilter/xt_iprange.c | 123 +++++++++++++++++++++++++++++++++---
> 1 files changed, 114 insertions(+), 9 deletions(-)
>
> diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
> index ff71868..cd08f17 100644
> --- a/net/netfilter/xt_iprange.c
> +++ b/net/netfilter/xt_iprange.c
> @@ -2,6 +2,8 @@
> * xt_iprange - Netfilter module to match IP address ranges
> *
> * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> + * Copyright © CC Computer Consultants GmbH, 2008
> + * Contact: <jengelh@computergmbh.de>
This gives the impression that Jozsef doesn't want to be contacted
about this module anymore, which I don't think is true.
* Re: [PATCH 23/27] xt_iprange match, revision 1
2008-01-08 15:56 ` Patrick McHardy
@ 2008-01-08 16:22 ` Jan Engelhardt
2008-01-08 16:26 ` Patrick McHardy
0 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:22 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 16:56, Patrick McHardy wrote:
>> --- a/net/netfilter/xt_iprange.c
>> +++ b/net/netfilter/xt_iprange.c
>> @@ -2,6 +2,8 @@
>> * xt_iprange - Netfilter module to match IP address ranges
>> *
>> * (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
>> + * Copyright © CC Computer Consultants GmbH, 2008
>> + * Contact: <jengelh@computergmbh.de>
>
>
> This gives the impression that Jozsef doesn't want to be contacted
> about this module anymore, which I don't think is true.
>
I did not perceive it as such, but I am glad someone noticed.
commit 5f3cb516eb8e34a8c66d7bbdfad0a2cbd9115c90
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 18:51:10 2008 +0100
[NETFILTER]: xt_iprange match, revision 1
Adds IPv6 support to xt_iprange, making it possible to match on IPv6
address ranges with ip6tables.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index c57a6cf..dbea0e0 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -2,6 +2,7 @@
* xt_iprange - Netfilter module to match IP address ranges
*
* (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) CC Computer Consultants GmbH, 2008
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -10,6 +11,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
@@ -51,26 +53,128 @@ iprange_mt_v0(const struct sk_buff *skb, const struct net_device *in,
return true;
}
-static struct xt_match iprange_mt_reg __read_mostly = {
- .name = "iprange",
- .family = AF_INET,
- .match = iprange_mt_v0,
- .matchsize = sizeof(struct ipt_iprange_info),
- .me = THIS_MODULE
+static bool
+iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct iphdr *iph = ip_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
+ m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m) {
+ pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->saddr),
+ (info->flags & IPRANGE_SRC_INV) ? "(INV) " : "",
+ NIPQUAD(info->src_max.ip),
+ NIPQUAD(info->src_max.ip));
+ return false;
+ }
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
+ m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m) {
+ pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
+ NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
+ NIPQUAD(iph->daddr),
+ (info->flags & IPRANGE_DST_INV) ? "(INV) " : "",
+ NIPQUAD(info->dst_min.ip),
+ NIPQUAD(info->dst_max.ip));
+ return false;
+ }
+ }
+ return true;
+}
+
+static inline int
+iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
+{
+ unsigned int i;
+ int r;
+
+ for (i = 0; i < 4; ++i) {
+ r = a->s6_addr32[i] - b->s6_addr32[i];
+ if (r != 0)
+ return r;
+ }
+
+ return 0;
+}
+
+static bool
+iprange_mt6(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_iprange_mtinfo *info = matchinfo;
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ bool m;
+
+ if (info->flags & IPRANGE_SRC) {
+ m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+ m ^= info->flags & IPRANGE_SRC_INV;
+ if (m)
+ return false;
+ }
+ if (info->flags & IPRANGE_DST) {
+ m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+ m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+ m ^= info->flags & IPRANGE_DST_INV;
+ if (m)
+ return false;
+ }
+ return true;
+}
+
+static struct xt_match iprange_mt_reg[] __read_mostly = {
+ {
+ .name = "iprange",
+ .revision = 0,
+ .family = AF_INET,
+ .match = iprange_mt_v0,
+ .matchsize = sizeof(struct ipt_iprange_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt4,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .match = iprange_mt6,
+ .matchsize = sizeof(struct xt_iprange_mtinfo),
+ .me = THIS_MODULE,
+ },
};
static int __init iprange_mt_init(void)
{
- return xt_register_match(&iprange_mt_reg);
+ return xt_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
static void __exit iprange_mt_exit(void)
{
- xt_unregister_match(&iprange_mt_reg);
+ xt_unregister_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg));
}
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
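Review bot: this resend changes only the copyright line and the author order; the registration table still gives the iprange_mt4 entry `.family = AF_INET6` instead of AF_INET, iprange_mt4 and iprange_mt6 still do `m ^= info->flags & IPRANGE_SRC_INV;` without `!!` so a negated rule never matches, the SRC debug message still prints NIPQUAD(info->src_max.ip) twice, iprange_ipv6_sub still subtracts __be32 words without ntohl, and MODULE_DESCRIPTION still describes IPv4 only.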
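Added example, not kernel code and not from this thread: a small user-space C model of the xt_iprange flag byte that puts the two points from the messages above side by side. It takes the ipt_iprange flag values quoted in the "old constants" commit message (0x01, 0x02, 0x10, 0x20), assumes a constructed rule `--src-range 10.0.0.10-10.0.0.20`, and shows how a kernel testing bit 0x10 versus bit 1 << 2 perceives a negated rule loaded by an old iptables. It also evaluates the range test both with the `!!`-folded inversion used by iprange_mt_v0 and with the unfolded `m ^= flags & INV` form from the revision-1 matches, to show that the latter can never match once the rule is negated. The struct, macro and function names are the example's own.

```c
/*
 * Added example, not kernel code: a user-space model of the xt_iprange
 * flag byte. It shows why the revision-0 flag values must keep the
 * 0x10/0x20 "hole" inherited from ipt_iprange, and why an inversion bit
 * has to be folded to 0/1 before it is XORed into a bool.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Values the ipt_iprange user-space code stores in ipt_iprange_info.flags. */
enum {
	IPRANGE_SRC     = 0x01,
	IPRANGE_DST     = 0x02,
	IPRANGE_SRC_INV = 0x10,
	IPRANGE_DST_INV = 0x20,
};

/* Bit a kernel tests for "source inverted": compatible value vs. first draft. */
#define KERNEL_SRC_INV_COMPAT   0x10
#define KERNEL_SRC_INV_HOLELESS (1 << 2)

/* Constructed rule: one inclusive source range (network order) plus flags. */
struct range_rule {
	uint32_t min_ip;
	uint32_t max_ip;
	uint8_t  flags;
};

typedef bool (*evaluator)(const struct range_rule *, uint32_t saddr);

static uint32_t addr(const char *dotted)
{
	struct in_addr a;

	if (inet_pton(AF_INET, dotted, &a) != 1)
		return 0;
	return a.s_addr;
}

/* Does a kernel testing kernel_inv_bit see the inversion a rule carries? */
static bool inversion_seen(uint8_t rule_flags, uint8_t kernel_inv_bit)
{
	return (rule_flags & kernel_inv_bit) != 0;
}

/* Correct evaluation, as iprange_mt_v0 does it: !! folds the bit to 0/1. */
static bool src_matches(const struct range_rule *r, uint32_t saddr)
{
	bool outside = ntohl(saddr) < ntohl(r->min_ip) ||
		       ntohl(saddr) > ntohl(r->max_ip);

	return !(outside ^ !!(r->flags & IPRANGE_SRC_INV));
}

/*
 * Faulty evaluation: "m ^= flags & INV" with m a bool. The XOR is done in
 * int, so 1 ^ 0x10 == 0x11 and 0 ^ 0x10 == 0x10 are both non-zero; m ends
 * up true either way and a negated rule never matches any address.
 */
static bool src_matches_unfolded(const struct range_rule *r, uint32_t saddr)
{
	bool m = ntohl(saddr) < ntohl(r->min_ip);

	m |= ntohl(saddr) > ntohl(r->max_ip);
	m ^= r->flags & IPRANGE_SRC_INV;
	return !m;
}

/* Evaluate the constructed rule "--src-range 10.0.0.10-10.0.0.20" on src. */
static bool rule_matches(evaluator eval, bool negated, const char *src)
{
	struct range_rule r = {
		.min_ip = addr("10.0.0.10"),
		.max_ip = addr("10.0.0.20"),
		.flags  = IPRANGE_SRC | (negated ? IPRANGE_SRC_INV : 0),
	};

	return eval(&r, addr(src));
}

int main(void)
{
	const char *probes[] = { "10.0.0.15", "10.0.0.99" };
	unsigned int i;

	for (i = 0; i < 2; ++i)
		printf("! --src-range on %-9s: folded=%d unfolded=%d\n", probes[i],
		       rule_matches(src_matches, true, probes[i]),
		       rule_matches(src_matches_unfolded, true, probes[i]));
	printf("negated rule seen by INV=0x10 kernel: %d, by INV=1<<2 kernel: %d\n",
	       inversion_seen(IPRANGE_SRC | IPRANGE_SRC_INV, KERNEL_SRC_INV_COMPAT),
	       inversion_seen(IPRANGE_SRC | IPRANGE_SRC_INV, KERNEL_SRC_INV_HOLELESS));
	return 0;
}
```

Build with any C99 compiler and run it: the negated rule matches 10.0.0.99 only in the folded form, and the inversion disappears entirely when the kernel tests a different bit than the one user space set. Both defects fail silently, which is what makes them worth a test: the rule loads, `iptables -L` shows the `!`, and traffic the rule was meant to catch passes the chain unmatched.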
* [PATCH 24/27] Merge ipt_REJECT and ip6t_REJECT into xt_REJECT
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (23 preceding siblings ...)
2008-01-02 20:31 ` [PATCH 23/27] xt_iprange match, revision 1 Jan Engelhardt
@ 2008-01-02 20:33 ` Jan Engelhardt
2008-01-08 15:59 ` Patrick McHardy
2008-01-02 20:34 ` [PATCH 25/27] Merge ipt_ah and ip6t_ah into xt_ah Jan Engelhardt
` (2 subsequent siblings)
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:33 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 84d36d4710f680edddb67ce30202818d95dbe32c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 20:14:28 2008 +0100
[NETFILTER]: Merge ipt_REJECT and ip6t_REJECT into xt_REJECT
Just combine the two into one. It actually brings some savings when
built as a module, as there is one file less to carry module overhead:
-rw-r--r-- root 11121 Dec 14 23:20 /lib/mod...ilter/ipt_REJECT.ko
-rw-r--r-- root 12107 Dec 14 23:20 /lib/mod...lter/ip6t_REJECT.ko
-rw-r--r-- jengelh 14665 Jan 2 16:45 xt_REJECT.ko
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/ipv4/netfilter/Kconfig | 11 -
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_REJECT.c | 251 ----------------
net/ipv6/netfilter/Kconfig | 11 -
net/ipv6/netfilter/Makefile | 1 -
net/ipv6/netfilter/ip6t_REJECT.c | 260 ----------------
net/netfilter/Kconfig | 10 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_REJECT.c | 484 ++++++++++++++++++++++++++++++
9 files changed, 495 insertions(+), 535 deletions(-)
delete mode 100644 net/ipv4/netfilter/ipt_REJECT.c
delete mode 100644 net/ipv6/netfilter/ip6t_REJECT.c
create mode 100644 net/netfilter/xt_REJECT.c
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9d6f617..89522bc 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -123,17 +123,6 @@ config IP_NF_FILTER
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_TARGET_REJECT
- tristate "REJECT target support"
- depends on IP_NF_FILTER
- default m if NETFILTER_ADVANCED=n
- help
- The REJECT target allows a filtering rule to specify that an ICMP
- error should be issued in response to an incoming packet, rather
- than silently being dropped.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_TARGET_LOG
tristate "LOG target support"
depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 0c7dc78..664cc2d 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -54,7 +54,6 @@ obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
-obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
deleted file mode 100644
index a1029ca..0000000
--- a/net/ipv4/netfilter_ipv4/ipt_REJECT.c
+++ /dev/null
# Omitted pure deletion
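Review bot: the `--- a/net/ipv4/netfilter_ipv4/ipt_REJECT.c` line does not match the `diff --git a/net/ipv4/netfilter/ipt_REJECT.c` header above it, so this file section will not apply as posted; the deletion body was trimmed by hand for the list, which is probably where the path changed. Please post the git format-patch output unmodified so the deletion applies cleanly.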
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index a6b4a9a..5d22177 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -157,17 +157,6 @@ config IP6_NF_TARGET_LOG
To compile it as a module, choose M here. If unsure, say N.
-config IP6_NF_TARGET_REJECT
- tristate "REJECT target support"
- depends on IP6_NF_FILTER
- default m if NETFILTER_ADVANCED=n
- help
- The REJECT target allows a filtering rule to specify that an ICMPv6
- error should be issued in response to an incoming packet, rather
- than silently being dropped.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP6_NF_MANGLE
tristate "Packet mangling"
depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index fbf2c14..2b47c2f 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -28,4 +28,3 @@ obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
# targets
obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
-obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
deleted file mode 100644
index 5b92ad5..0000000
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ /dev/null
# Omitted pure deletion
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ac9b9c1..e4cd97d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -385,6 +385,16 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_TARGET_REJECT
+ tristate '"REJECT" target support'
+ depends on NETFILTER_XTABLES
+ default m if NETFILTER_ADVANCED=n
+ ---help---
+ The REJECT target allows a filtering rule to specify that an ICMP
+ error should be issued in response to an incoming packet, rather
+ than silently being dropped. For TCP, a TCP RST may be generated
+ to forcibly close the connection.
+
config NETFILTER_XT_TARGET_TRACE
tristate '"TRACE" target support'
depends on NETFILTER_XTABLES
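Review bot: the new entry drops the `depends on IP_NF_FILTER` / `IP6_NF_FILTER` gating the two removed entries had and depends only on NETFILTER_XTABLES, so the target can be selected with neither iptables nor ip6tables enabled even though xt_REJECT.c includes ip_tables.h, ip6_tables.h and both REJECT headers; please confirm it builds with IP_NF_IPTABLES=n or add `depends on IP_NF_IPTABLES || IP6_NF_IPTABLES`. The help text also lost the `To compile it as a module, choose M here. If unsure, say N.` closing line both removed entries carried.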
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index c910cae..255d53b 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_REJECT) += xt_REJECT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
diff --git a/net/netfilter/xt_REJECT.c b/net/netfilter/xt_REJECT.c
new file mode 100644
index 0000000..1e40614
--- /dev/null
+++ b/net/netfilter/xt_REJECT.c
@@ -0,0 +1,484 @@
+/*
+ * xt_REJECT - Netfilter module to reject packets
+ *
+ * (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/icmp.h>
+#include <linux/icmpv6.h>
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <linux/udp.h>
+#include <net/dst.h>
+#include <net/flow.h>
+#include <net/icmp.h>
+#include <net/ip.h>
+#include <net/ip6_checksum.h>
+#include <net/ip6_fib.h>
+#include <net/ip6_route.h>
+#include <net/ipv6.h>
+#include <net/route.h>
+#include <net/tcp.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_REJECT.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+# include <linux/netfilter_bridge.h>
+#endif
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+# define WITH_IPV6 1
+#endif
+
+static void reject_send_reset4(struct sk_buff *oldskb, int hook)
+{
+ struct sk_buff *nskb;
+ struct iphdr *niph;
+ struct tcphdr _otcph, *oth, *tcph;
+ __be16 tmp_port;
+ __be32 tmp_addr;
+ int needs_ack;
+ unsigned int addr_type;
+
+ /* IP header checks: fragment. */
+ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+ return;
+
+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
+ sizeof(_otcph), &_otcph);
+ if (oth == NULL)
+ return;
+
+ /* No RST for RST. */
+ if (oth->rst)
+ return;
+
+ /* Check checksum */
+ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+ return;
+
+ /* We need a linear, writeable skb. We also need to expand
+ headroom in case hh_len of incoming interface < hh_len of
+ outgoing interface */
+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
+ GFP_ATOMIC);
+ if (!nskb)
+ return;
+
+ /* This packet will not be the same as the other: clear nf fields */
+ nf_reset(nskb);
+ nskb->mark = 0;
+ skb_init_secmark(nskb);
+
+ skb_shinfo(nskb)->gso_size = 0;
+ skb_shinfo(nskb)->gso_segs = 0;
+ skb_shinfo(nskb)->gso_type = 0;
+
+ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
+
+ /* Swap source and dest */
+ niph = ip_hdr(nskb);
+ tmp_addr = niph->saddr;
+ niph->saddr = niph->daddr;
+ niph->daddr = tmp_addr;
+ tmp_port = tcph->source;
+ tcph->source = tcph->dest;
+ tcph->dest = tmp_port;
+
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
+
+ if (tcph->ack) {
+ needs_ack = 0;
+ tcph->seq = oth->ack_seq;
+ tcph->ack_seq = 0;
+ } else {
+ needs_ack = 1;
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ oldskb->len - ip_hdrlen(oldskb) -
+ (oth->doff << 2));
+ tcph->seq = 0;
+ }
+
+ /* Reset flags */
+ ((u_int8_t *)tcph)[13] = 0;
+ tcph->rst = 1;
+ tcph->ack = needs_ack;
+
+ tcph->window = 0;
+ tcph->urg_ptr = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = 0;
+ tcph->check = tcp_v4_check(sizeof(struct tcphdr),
+ niph->saddr, niph->daddr,
+ csum_partial(tcph,
+ sizeof(struct tcphdr), 0));
+
+ /* Set DF, id = 0 */
+ niph->frag_off = htons(IP_DF);
+ niph->id = 0;
+
+ addr_type = RTN_UNSPEC;
+ if (hook != NF_INET_FORWARD
+#ifdef CONFIG_BRIDGE_NETFILTER
+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
+#endif
+ )
+ addr_type = RTN_LOCAL;
+
+ if (ip_route_me_harder(nskb, addr_type))
+ goto free_nskb;
+
+ nskb->ip_summed = CHECKSUM_NONE;
+
+ /* Adjust IP TTL */
+ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* "Never happens" */
+ if (nskb->len > dst_mtu(nskb->dst))
+ goto free_nskb;
+
+ nf_ct_attach(nskb, oldskb);
+
+ ip_local_out(nskb);
+ return;
+
+ free_nskb:
+ kfree_skb(nskb);
+}
+
+static inline void reject_send_unreach4(struct sk_buff *skb_in, int code)
+{
+ icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
+}
+
+static unsigned int
+reject_tg(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct ipt_reject_info *reject = targinfo;
+
+ /* Our naive response construction doesn't deal with IP
+ options, and probably shouldn't try. */
+ if (ip_hdrlen(skb) != sizeof(struct iphdr))
+ return NF_DROP;
+
+ /* WARNING: This code causes reentry within iptables.
+ This means that the iptables jump stack is now crap. We
+ must return an absolute verdict. --RR */
+ switch (reject->with) {
+ case IPT_ICMP_NET_UNREACHABLE:
+ reject_send_unreach4(skb, ICMP_NET_UNREACH);
+ break;
+ case IPT_ICMP_HOST_UNREACHABLE:
+ reject_send_unreach4(skb, ICMP_HOST_UNREACH);
+ break;
+ case IPT_ICMP_PROT_UNREACHABLE:
+ reject_send_unreach4(skb, ICMP_PROT_UNREACH);
+ break;
+ case IPT_ICMP_PORT_UNREACHABLE:
+ reject_send_unreach4(skb, ICMP_PORT_UNREACH);
+ break;
+ case IPT_ICMP_NET_PROHIBITED:
+ reject_send_unreach4(skb, ICMP_NET_ANO);
+ break;
+ case IPT_ICMP_HOST_PROHIBITED:
+ reject_send_unreach4(skb, ICMP_HOST_ANO);
+ break;
+ case IPT_ICMP_ADMIN_PROHIBITED:
+ reject_send_unreach4(skb, ICMP_PKT_FILTERED);
+ break;
+ case IPT_TCP_RESET:
+ reject_send_reset4(skb, hooknum);
+ case IPT_ICMP_ECHOREPLY:
+ /* Doesn't happen. */
+ break;
+ }
+
+ return NF_DROP;
+}
+
+static bool
+reject_tg_check(const char *tablename, const void *e_void,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ const struct ipt_reject_info *rejinfo = targinfo;
+ const struct ipt_entry *e = e_void;
+
+ if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
+ printk("xt_REJECT: ECHOREPLY no longer supported.\n");
+ return false;
+ } else if (rejinfo->with == IPT_TCP_RESET) {
+ /* Must specify that it's a TCP packet */
+ if (e->ip.proto != IPPROTO_TCP ||
+ (e->ip.invflags & XT_INV_PROTO)) {
+ printk("xt_REJECT: TCP_RESET invalid for non-TCP\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+#ifdef WITH_IPV6
+static void reject_send_reset6(struct sk_buff *oldskb)
+{
+ struct sk_buff *nskb;
+ struct tcphdr otcph, *tcph;
+ unsigned int otcplen, hh_len;
+ int tcphoff, needs_ack;
+ struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+ struct dst_entry *dst = NULL;
+ u8 proto;
+ struct flowi fl;
+
+ if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
+ (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
+ pr_debug("ip6t_REJECT: addr is not unicast.\n");
+ return;
+ }
+
+ proto = oip6h->nexthdr;
+ tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
+
+ if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
+ pr_debug("ip6t_REJECT: Can't get TCP header.\n");
+ return;
+ }
+
+ otcplen = oldskb->len - tcphoff;
+
+ /* IP header checks: fragment, too short. */
+ if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
+ pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, "
+ "or too short. otcplen = %d\n",
+ proto, otcplen);
+ return;
+ }
+
+ if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr)))
+ BUG();
+
+ /* No RST for RST. */
+ if (otcph.rst) {
+ pr_debug("ip6t_REJECT: RST is set\n");
+ return;
+ }
+
+ /* Check checksum. */
+ if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+ skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+ pr_debug("ip6t_REJECT: TCP checksum is invalid\n");
+ return;
+ }
+
+ memset(&fl, 0, sizeof(fl));
+ fl.proto = IPPROTO_TCP;
+ ipv6_addr_copy(&fl.fl6_src, &oip6h->daddr);
+ ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
+ fl.fl_ip_sport = otcph.dest;
+ fl.fl_ip_dport = otcph.source;
+ security_skb_classify_flow(oldskb, &fl);
+ dst = ip6_route_output(NULL, &fl);
+ if (dst == NULL)
+ return;
+ if (dst->error || xfrm_lookup(&dst, &fl, NULL, 0))
+ return;
+
+ hh_len = (dst->dev->hard_header_len + 15)&~15;
+ nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
+ + sizeof(struct tcphdr) + dst->trailer_len,
+ GFP_ATOMIC);
+
+ if (!nskb) {
+ if (net_ratelimit())
+ printk("ip6t_REJECT: Can't alloc skb\n");
+ dst_release(dst);
+ return;
+ }
+
+ nskb->dst = dst;
+
+ skb_reserve(nskb, hh_len + dst->header_len);
+
+ skb_put(nskb, sizeof(struct ipv6hdr));
+ skb_reset_network_header(nskb);
+ ip6h = ipv6_hdr(nskb);
+ ip6h->version = 6;
+ ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+ ip6h->nexthdr = IPPROTO_TCP;
+ ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
+ ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
+
+ tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
+ tcph->source = otcph.dest;
+ tcph->dest = otcph.source;
+
+ if (otcph.ack) {
+ needs_ack = 0;
+ tcph->seq = otcph.ack_seq;
+ tcph->ack_seq = 0;
+ } else {
+ needs_ack = 1;
+ tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin
+ + otcplen - (otcph.doff<<2));
+ tcph->seq = 0;
+ }
+
+ /* Reset flags */
+ ((u_int8_t *)tcph)[13] = 0;
+ tcph->rst = 1;
+ tcph->ack = needs_ack;
+ tcph->window = 0;
+ tcph->urg_ptr = 0;
+ tcph->check = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
+ &ipv6_hdr(nskb)->daddr,
+ sizeof(struct tcphdr), IPPROTO_TCP,
+ csum_partial(tcph,
+ sizeof(struct tcphdr), 0));
+
+ nf_ct_attach(nskb, oldskb);
+
+ ip6_local_out(nskb);
+}
+
+static inline void
+reject_send_unreach6(struct sk_buff *skb_in, unsigned char code,
+ unsigned int hooknum)
+{
+ if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
+ skb_in->dev = init_net.loopback_dev;
+
+ icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
+}
+
+static unsigned int
+reject_tg6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct ip6t_reject_info *reject = targinfo;
+
+ pr_debug("%s: medium point\n", __FUNCTION__);
+ /* WARNING: This code causes reentry within ip6tables.
+ This means that the ip6tables jump stack is now crap. We
+ must return an absolute verdict. --RR */
+ switch (reject->with) {
+ case IP6T_ICMP6_NO_ROUTE:
+ reject_send_unreach6(skb, ICMPV6_NOROUTE, hooknum);
+ break;
+ case IP6T_ICMP6_ADM_PROHIBITED:
+ reject_send_unreach6(skb, ICMPV6_ADM_PROHIBITED, hooknum);
+ break;
+ case IP6T_ICMP6_NOT_NEIGHBOUR:
+ reject_send_unreach6(skb, ICMPV6_NOT_NEIGHBOUR, hooknum);
+ break;
+ case IP6T_ICMP6_ADDR_UNREACH:
+ reject_send_unreach6(skb, ICMPV6_ADDR_UNREACH, hooknum);
+ break;
+ case IP6T_ICMP6_PORT_UNREACH:
+ reject_send_unreach6(skb, ICMPV6_PORT_UNREACH, hooknum);
+ break;
+ case IP6T_ICMP6_ECHOREPLY:
+ /* Do nothing */
+ break;
+ case IP6T_TCP_RESET:
+ reject_send_reset6(skb);
+ break;
+ default:
+ if (net_ratelimit())
+ printk(KERN_WARNING "xt_REJECT: case %u not handled "
+ "yet in IPv6 code\n", reject->with);
+ break;
+ }
+
+ return NF_DROP;
+}
+
+static bool
+reject_tg6_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
+ const struct ip6t_reject_info *rejinfo = targinfo;
+ const struct ip6t_entry *e = entry;
+
+ if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
+ printk(KERN_WARNING "xt_REJECT: ECHOREPLY is not supported "
+ "for IPv6.\n");
+ return false;
+ } else if (rejinfo->with == IP6T_TCP_RESET) {
+ /* Must specify that it's a TCP packet */
+ if (e->ipv6.proto != IPPROTO_TCP ||
+ (e->ipv6.invflags & XT_INV_PROTO)) {
+ printk("xt_REJECT: TCP_RESET illegal for non-TCP\n");
+ return false;
+ }
+ }
+ return true;
+}
+#endif
+
+static struct xt_target reject_tg_reg[] __read_mostly = {
+ {
+ .name = "REJECT",
+ .revision = 0,
+ .family = AF_INET,
+ .target = reject_tg,
+ .targetsize = sizeof(struct ipt_reject_info),
+ .table = "filter",
+ .hooks = (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_LOCAL_OUT),
+ .checkentry = reject_tg_check,
+ .me = THIS_MODULE,
+ },
+#ifdef WITH_IPV6
+ {
+ .name = "REJECT",
+ .revision = 0,
+ .family = AF_INET6,
+ .target = reject_tg6,
+ .targetsize = sizeof(struct ip6t_reject_info),
+ .table = "filter",
+ .hooks = (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_LOCAL_OUT),
+ .checkentry = reject_tg6_check,
+ .me = THIS_MODULE,
+ },
+#endif
+};
+
+static int __init reject_tg_init(void)
+{
+ return xt_register_targets(reject_tg_reg, ARRAY_SIZE(reject_tg_reg));
+}
+
+static void __exit reject_tg_exit(void)
+{
+ xt_unregister_targets(reject_tg_reg, ARRAY_SIZE(reject_tg_reg));
+}
+
+module_init(reject_tg_init);
+module_exit(reject_tg_exit);
+MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>, Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
+MODULE_DESCRIPTION("Netfilter: packet \"rejection\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_REJECT");
+MODULE_ALIAS("ip6t_REJECT");
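Review bot: the IPv6 route error path in reject_send_reset6(), `if (dst->error || xfrm_lookup(&dst, &fl, NULL, 0)) return;`, leaks the dst obtained from ip6_route_output(); the dst_release() that the alloc_skb() failure path does a few lines later is needed here as well. Two smaller points: the `case IPT_TCP_RESET:` arm in reject_tg() falls through into `case IPT_ICMP_ECHOREPLY:` without a break (harmless today, but it deserves a `break;` or a fallthrough comment), and the printk() calls in reject_tg_check(), reject_send_reset6() and the second one in reject_tg6_check() carry no KERN_ level while the others use KERN_WARNING. Also, WITH_IPV6 is defined for CONFIG_IP6_NF_IPTABLES_MODULE too, so a built-in xt_REJECT with modular ip6_tables/ipv6 would reference ip6_route_output(), ip6_local_out() and icmpv6_send() from a module; the Kconfig entry for the merged target has to exclude that combination.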
* Re: [PATCH 24/27] Merge ipt_REJECT and ip6t_REJECT into xt_REJECT
2008-01-02 20:33 ` [PATCH 24/27] Merge ipt_REJECT and ip6t_REJECT into xt_REJECT Jan Engelhardt
@ 2008-01-08 15:59 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 15:59 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> commit 84d36d4710f680edddb67ce30202818d95dbe32c
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 20:14:28 2008 +0100
>
> [NETFILTER]: Merge ipt_REJECT and ip6t_REJECT into xt_REJECT
>
> +static inline void
> +reject_send_unreach6(struct sk_buff *skb_in, unsigned char code,
> + unsigned int hooknum)
> +{
> + if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
> + skb_in->dev = init_net.loopback_dev;
> +
> + icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
> +}
This adds a runtime dependency on ipv6, which I just recently
got rid of for all other modules. Adding an ip_tables rule
should never cause ipv6 to be loaded. I'd suggest adding a
new function pointer to nf_afinfo for this. That might even
allow some further code unification.
* [PATCH 25/27] Merge ipt_ah and ip6t_ah into xt_ah
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (24 preceding siblings ...)
2008-01-02 20:33 ` [PATCH 24/27] Merge ipt_REJECT and ip6t_REJECT into xt_REJECT Jan Engelhardt
@ 2008-01-02 20:34 ` Jan Engelhardt
2008-01-08 16:03 ` Patrick McHardy
2008-01-02 20:34 ` [PATCH 26/27] Unknot xt_ah IPv6 logic Jan Engelhardt
2008-01-02 20:34 ` [PATCH 27/27] Update feature-removal-schedule.txt Jan Engelhardt
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:34 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit 11c4c687b1df11aeadd9ab76f37c4a89144d9a73
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 20:14:28 2008 +0100
[NETFILTER]: Merge ipt_ah and ip6t_ah into xt_ah
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
net/ipv4/netfilter/Kconfig | 10 --
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_ah.c | 105 ------------------
net/ipv6/netfilter/Kconfig | 9 --
net/ipv6/netfilter/Makefile | 1 -
net/ipv6/netfilter/ip6t_ah.c | 131 -----------------------
net/netfilter/Kconfig | 8 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_ah.c | 192 ++++++++++++++++++++++++++++++++++
9 files changed, 201 insertions(+), 257 deletions(-)
delete mode 100644 net/ipv4/netfilter/ipt_ah.c
delete mode 100644 net/ipv6/netfilter/ip6t_ah.c
create mode 100644 net/netfilter/xt_ah.c
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 89522bc..f5a73b8 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -80,16 +80,6 @@ config IP_NF_MATCH_ECN
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_MATCH_AH
- tristate '"ah" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This match extension allows you to match a range of SPIs
- inside AH header of IPSec packets.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_TTL
tristate '"ttl" match support'
depends on IP_NF_IPTABLES
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 664cc2d..8151c11 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -42,7 +42,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
# matches
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
deleted file mode 100644
index 46025af..0000000
# Omitted pure deletion
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 5d22177..d119886 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -106,15 +106,6 @@ config IP6_NF_MATCH_IPV6HEADER
To compile it as a module, choose M here. If unsure, say N.
-config IP6_NF_MATCH_AH
- tristate '"ah" match support'
- depends on IP6_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This module allows one to match AH packets.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP6_NF_MATCH_MH
tristate '"mh" match support'
depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 2b47c2f..6b61224 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -16,7 +16,6 @@ nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv
obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o
# matches
-obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
deleted file mode 100644
index 9cc434d..0000000
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ /dev/null
# Omitted pure deletion
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e4cd97d..fc117a2 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -466,6 +466,14 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
This option adds a "TCPOPTSTRIP" target, which allows you to strip
TCP options from TCP packets.
+config NETFILTER_XT_MATCH_AH
+ tristate '"ah" Authentication Header match'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This match extension allows you to match a range of SPIs inside the
+ AH header of IPsec packets.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_XTABLES
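Review bot: the new NETFILTER_XT_MATCH_AH entry drops the "To compile it as a module, choose M here. If unsure, say N." line that the removed IP_NF_MATCH_AH and IP6_NF_MATCH_AH entries carried and that the neighbouring entries keep; please add it back. There is also no transition for existing .config files: nothing makes CONFIG_IP_NF_MATCH_AH=m or CONFIG_IP6_NF_MATCH_AH=m select the new option, so users silently lose the ah match on their next oldconfig run.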
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 255d53b..099741d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -54,6 +54,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
# matches
+obj-$(CONFIG_NETFILTER_XT_MATCH_AH) += xt_ah.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
diff --git a/net/netfilter/xt_ah.c b/net/netfilter/xt_ah.c
new file mode 100644
index 0000000..c18cc70
--- /dev/null
+++ b/net/netfilter/xt_ah.c
@@ -0,0 +1,192 @@
+/*
+ * xt_ah - Netfilter module to match AH parameters
+ *
+ * (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/skbuff.h>
+#include <linux/types.h>
+#include <net/checksum.h>
+#include <net/ipv6.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ipt_ah.h>
+#include <linux/netfilter_ipv6/ip6t_ah.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+# define WITH_IPV6 1
+#endif
+
+static inline bool
+spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
+{
+ bool r;
+
+ pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",
+ invert ? '!' : ' ', min, spi, max);
+ r = (spi >= min && spi <= max) ^ invert;
+ pr_debug(" result %s\n", r ? "PASS" : "FAILED");
+ return r;
+}
+
+static bool
+ah_mt4(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct ipt_ah *ahinfo = matchinfo;
+ const struct ip_auth_hdr *ah;
+ struct ip_auth_hdr ahbuf;
+
+ /* Must not be a fragment. */
+ if (offset != 0)
+ return false;
+
+ ah = skb_header_pointer(skb, protoff, sizeof(ahbuf), &ahbuf);
+ if (ah == NULL) {
+ /* We've been asked to examine this packet, and we
+ * can't. Hence, no choice but to drop.
+ */
+ pr_debug("Dropping evil AH tinygram.\n");
+ *hotdrop = true;
+ return 0;
+ }
+
+ return spi_match(ahinfo->spis[0], ahinfo->spis[1], ntohl(ah->spi),
+ ahinfo->invflags & IPT_AH_INV_SPI);
+}
+
+static bool
+ah_mt4_check(const char *tablename, const void *ip_void,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ const struct ipt_ah *ahinfo = matchinfo;
+
+ /* Must specify no unknown invflags */
+ if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
+ pr_debug("ipt_ah: unknown flags %X\n", ahinfo->invflags);
+ return false;
+ }
+ return true;
+}
+
+#ifdef WITH_IPV6
+static bool
+ah_mt6(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+{
+ struct ip_auth_hdr ahbuf;
+ const struct ip_auth_hdr *ah;
+ const struct ip6t_ah *ahinfo = matchinfo;
+ unsigned int ptr;
+ unsigned int hdrlen = 0;
+ int err;
+
+ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
+ if (err < 0) {
+ if (err != -ENOENT)
+ *hotdrop = true;
+ return false;
+ }
+
+ ah = skb_header_pointer(skb, ptr, sizeof(ahbuf), &ahbuf);
+ if (ah == NULL) {
+ *hotdrop = true;
+ return false;
+ }
+
+ hdrlen = (ah->hdrlen + 2) << 2;
+
+ pr_debug("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
+ pr_debug("RES %04X ", ah->reserved);
+ pr_debug("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi));
+
+ pr_debug("IPv6 AH spi %02X ",
+ spi_match(ahinfo->spis[0], ahinfo->spis[1],
+ ntohl(ah->spi),
+ !!(ahinfo->invflags & IP6T_AH_INV_SPI)));
+ pr_debug("len %02X %04X %02X ",
+ ahinfo->hdrlen, hdrlen,
+ (!ahinfo->hdrlen ||
+ (ahinfo->hdrlen == hdrlen) ^
+ !!(ahinfo->invflags & IP6T_AH_INV_LEN)));
+ pr_debug("res %02X %04X %02X\n",
+ ahinfo->hdrres, ah->reserved,
+ !(ahinfo->hdrres && ah->reserved));
+
+ return (ah != NULL)
+ &&
+ spi_match(ahinfo->spis[0], ahinfo->spis[1],
+ ntohl(ah->spi),
+ !!(ahinfo->invflags & IP6T_AH_INV_SPI))
+ &&
+ (!ahinfo->hdrlen ||
+ (ahinfo->hdrlen == hdrlen) ^
+ !!(ahinfo->invflags & IP6T_AH_INV_LEN))
+ &&
+ !(ahinfo->hdrres && ah->reserved);
+}
+
+static bool
+ah_mt6_check(const char *tablename, const void *entry,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
+{
+ const struct ip6t_ah *ahinfo = matchinfo;
+
+ if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
+ pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
+ return false;
+ }
+ return true;
+}
+#endif
+
+static struct xt_match ah_mt_reg[] __read_mostly = {
+ {
+ .name = "ah",
+ .revision = 0,
+ .family = AF_INET,
+ .match = ah_mt4,
+ .matchsize = sizeof(struct ipt_ah),
+ .checkentry = ah_mt4_check,
+ .me = THIS_MODULE,
+ },
+#ifdef WITH_IPV6
+ {
+ .name = "ah",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = ah_mt6,
+ .matchsize = sizeof(struct ip6t_ah),
+ .checkentry = ah_mt6_check,
+ .me = THIS_MODULE,
+ },
+#endif
+};
+
+static int __init ah_mt_init(void)
+{
+ return xt_register_matches(ah_mt_reg, ARRAY_SIZE(ah_mt_reg));
+}
+
+static void __exit ah_mt_exit(void)
+{
+ xt_unregister_matches(ah_mt_reg, ARRAY_SIZE(ah_mt_reg));
+}
+
+module_init(ah_mt_init);
+module_exit(ah_mt_exit);
+MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
+MODULE_DESCRIPTION("Netfilter \"ah\" match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ah");
+MODULE_ALIAS("ip6t_ah");
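Review bot: the WITH_IPV6 guard `#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)` also fires when ip6_tables is a module, but ah_mt6() calls ipv6_find_hdr(), which is exported by ip6_tables; with NETFILTER_XT_MATCH_AH=y and IP6_NF_IPTABLES=m (the Kconfig entry above only depends on NETFILTER_XTABLES) the kernel fails to link. Either add `depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n` to the Kconfig entry or key WITH_IPV6 on a condition that excludes the built-in/module mix. Smaller points: in ah_mt4() the `return 0;` after setting *hotdrop should be `return false;` in a bool function, and the leading `(ah != NULL) &&` term of ah_mt6()'s return is dead, since the NULL case already returned a few lines earlier.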
* [PATCH 26/27] Unknot xt_ah IPv6 logic
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (25 preceding siblings ...)
2008-01-02 20:34 ` [PATCH 25/27] Merge ipt_ah and ip6t_ah into xt_ah Jan Engelhardt
@ 2008-01-02 20:34 ` Jan Engelhardt
2008-01-02 20:34 ` [PATCH 27/27] Update feature-removal-schedule.txt Jan Engelhardt
27 siblings, 0 replies; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:34 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit a892e62a4c5b0dcc41c2b9fda666db81334af64b
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 20:33:00 2008 +0100
[NETFILTER]: Unknot xt_ah IPv6 logic
Split up the big return statement in ah_mt6() into smaller ones.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
net/netfilter/xt_ah.c | 24 +++++++++++++-----------
1 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/xt_ah.c b/net/netfilter/xt_ah.c
index c18cc70..2aed8c4 100644
--- a/net/netfilter/xt_ah.c
+++ b/net/netfilter/xt_ah.c
@@ -89,6 +89,7 @@ ah_mt6(const struct sk_buff *skb, const struct net_device *in,
unsigned int ptr;
unsigned int hdrlen = 0;
int err;
+ bool m;
err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
if (err < 0) {
@@ -122,17 +123,18 @@ ah_mt6(const struct sk_buff *skb, const struct net_device *in,
ahinfo->hdrres, ah->reserved,
!(ahinfo->hdrres && ah->reserved));
- return (ah != NULL)
- &&
- spi_match(ahinfo->spis[0], ahinfo->spis[1],
- ntohl(ah->spi),
- !!(ahinfo->invflags & IP6T_AH_INV_SPI))
- &&
- (!ahinfo->hdrlen ||
- (ahinfo->hdrlen == hdrlen) ^
- !!(ahinfo->invflags & IP6T_AH_INV_LEN))
- &&
- !(ahinfo->hdrres && ah->reserved);
+ m = spi_match(ahinfo->spis[0], ahinfo->spis[1], ntohl(ah->spi),
+ ahinfo->invflags & IP6T_AH_INV_SPI);
+ if (!m)
+ return false;
+
+ m = ahinfo->hdrlen == 0;
+ m |= ahinfo->hdrlen == hdrlen;
+ m ^= !!(ahinfo->invflags & IP6T_AH_INV_LEN);
+ if (!m)
+ return false;
+
+ return ahinfo->hdrres == 0 || ah->reserved == 0;
}
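Review bot: the hdrlen rewrite is not behaviour-preserving. In the removed expression `^` binds tighter than `||`, so it evaluated as `!ahinfo->hdrlen || ((ahinfo->hdrlen == hdrlen) ^ inv)`, whereas the new `m = ahinfo->hdrlen == 0; m |= ahinfo->hdrlen == hdrlen; m ^= !!(...)` computes `(!ahinfo->hdrlen || ahinfo->hdrlen == hdrlen) ^ inv`. The two differ when no length was given (ahinfo->hdrlen == 0) but IP6T_AH_INV_LEN is set: the old code matched, the new code does not. Userspace should never set the inversion flag without a length, but the log says only "split up", so either keep the old grouping (apply the xor to the equality test alone) or state in the log that this corner case changes on purpose.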
static bool
* [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-02 20:18 [PATCH 0/27] Netfilter update Jan Engelhardt
` (26 preceding siblings ...)
2008-01-02 20:34 ` [PATCH 26/27] Unknot xt_ah IPv6 logic Jan Engelhardt
@ 2008-01-02 20:34 ` Jan Engelhardt
2008-01-08 16:33 ` Patrick McHardy
27 siblings, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-02 20:34 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
commit ff4d6f3afa5c8edb602a50abafb0ae7a2bb6132d
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 20:35:25 2008 +0100
[NETFILTER]: Update feature-removal-schedule.txt
With all the newly introduced features, there is a lot to remove
later on after a compatibility grace period of 2 years.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Documentation/feature-removal-schedule.txt | 44 ++++++++++++++++++++
1 files changed, 44 insertions(+), 0 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index bdf4d19..3b89124 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -340,3 +340,47 @@ Why: This algorithm was provided for reference but always exhibited bad
responsiveness and performance and has some serious flaws. It has been
replaced by rc80211-pid.
Who: Stefano Brivio <stefano.brivio@polimi.it>
+
+---------------------------
+
+What (Why):
+ - include/linux/netfilter_ipv4/ipt_TOS.h ipt_tos.h header files
+ (superseded by xt_TOS/xt_tos target & match)
+
+ - "forwarding" header files like ipt_mac.h in
+ include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
+
+ - xt_CONNMARK match revision 0
+ (superseded by xt_CONNMARK match revision 1)
+
+ - xt_MARK target revisions 0 and 1
+ (superseded by xt_MARK match revision 2)
+
+ - xt_connmark match revision 0
+ (superseded by xt_connmark match revision 1)
+
+ - xt_conntrack match revision 0
+ (superseded by xt_conntrack match revision 1)
+
+ - xt_hashlimit match revision 0
+ (superseded by xt_hashlimit match revision 1)
+
+ - xt_helper match revision 0
+ (superseded by xt_helper match revision 1)
+
+ - xt_iprange match revision 0,
+ include/linux/netfilter_ipv4/ipt_iprange.h
+ (superseded by xt_iprange match revision 1)
+
+ - xt_length match revision 0
+ (superseded by xt_length match revision 1)
+
+ - xt_mark match revision 0
+ (superseded by xt_mark match revision 1)
+
+ - xt_state match revision 0
+ (obsoleted by xt_conntrack match revision 1)
+
+When: January 2009 or Linux 2.7.0, whichever comes first
+Why: Superseded by newer revisions or modules
+Who: Jan Engelhardt <jengelh@computergmbh.de>
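Review bot: two entries mislabel targets as matches: "xt_CONNMARK match revision 0 (superseded by xt_CONNMARK match revision 1)" and "xt_MARK target revisions 0 and 1 (superseded by xt_MARK match revision 2)". CONNMARK and MARK (upper-case names) are targets, so both entries should read "target revision".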
* Re: [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-02 20:34 ` [PATCH 27/27] Update feature-removal-schedule.txt Jan Engelhardt
@ 2008-01-08 16:33 ` Patrick McHardy
2008-01-08 16:38 ` Jan Engelhardt
2008-01-08 16:56 ` Jan Engelhardt
0 siblings, 2 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 16:33 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> +What (Why):
> + - include/linux/netfilter_ipv4/ipt_TOS.h ipt_tos.h header files
> + (superseded by xt_TOS/xt_tos target & match)
> +
> + - "forwarding" header files like ipt_mac.h in
> + include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
> +
> + - xt_CONNMARK match revision 0
> + (superseded by xt_CONNMARK match revision 1)
> +
> + - xt_MARK target revisions 0 and 1
> + (superseded by xt_MARK match revision 2)
> +
> + - xt_connmark match revision 0
> + (superseded by xt_connmark match revision 1)
> +
> + - xt_conntrack match revision 0
> + (superseded by xt_conntrack match revision 1)
> +
> + - xt_hashlimit match revision 0
> + (superseded by xt_hashlimit match revision 1)
> +
> + - xt_helper match revision 0
> + (superseded by xt_helper match revision 1)
> +
> + - xt_iprange match revision 0,
> + include/linux/netfilter_ipv4/ipt_iprange.h
> + (superseded by xt_iprange match revision 1)
> +
> + - xt_length match revision 0
> + (superseded by xt_length match revision 1)
> +
> + - xt_mark match revision 0
> + (superseded by xt_mark match revision 1)
> +
> + - xt_state match revision 0
> + (obsoleted by xt_conntrack match revision 1)
I removed xt_state, xt_length, xt_helper since I didn't apply those
patches yet and applied the patch.
Since I've lost the overview of your kernel patches I'm going to
stop at the ones I have now. Please resend everything relevant
once I've pushed my tree to Dave. Thanks.
I'll look into the userspace patches soon.
* Re: [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-08 16:33 ` Patrick McHardy
@ 2008-01-08 16:38 ` Jan Engelhardt
2008-01-08 16:39 ` Patrick McHardy
2008-01-08 16:56 ` Jan Engelhardt
1 sibling, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:38 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 17:33, Patrick McHardy wrote:
>
> I removed xt_state, xt_length, xt_helper since I didn't apply those
> patches yet and applied the patch.
xt_state has been marked obsolete by "[NETFILTER]: xt_conntrack
match, revision 1", that's what this entry refers to. (Please leave
it in.)
> Since I've lost the overview of your kernel patches I'm going to
> stop at the ones I have now. Please resend everything relevant
> once I've pushed my tree to Dave. Thanks.
>
> I'll look into the userspace patches soon.
>
* Re: [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-08 16:38 ` Jan Engelhardt
@ 2008-01-08 16:39 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-08 16:39 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 8 2008 17:33, Patrick McHardy wrote:
>> I removed xt_state, xt_length, xt_helper since I didn't apply those
>> patches yet and applied the patch.
>
> xt_state has been marked obsolete by "[NETFILTER]: xt_conntrack
> match, revision 1", that's what this entry refers to. (Please leave
> it in.)
Well, I missed that and don't agree to that, so I've removed that
part of the patch now. The state match is significantly simpler,
uses a lot less memory and is used in almost every ruleset I've
ever seen. And it neither has any problems nor causes any maintenance
overhead.
* Re: [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-08 16:33 ` Patrick McHardy
2008-01-08 16:38 ` Jan Engelhardt
@ 2008-01-08 16:56 ` Jan Engelhardt
2008-01-15 16:16 ` Patrick McHardy
1 sibling, 1 reply; 107+ messages in thread
From: Jan Engelhardt @ 2008-01-08 16:56 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 8 2008 17:33, Patrick McHardy wrote:
>
> Since I've lost the overview of your kernel patches I'm going to
> stop at the ones I have now. Please resend everything relevant
> once I've pushed my tree to Dave.
>
You did not miss any patches, thanks.
Could you take care of this one and let it sift through ->dave->linus->;
what do you think, or same verdict as for the previous patch changing
int->int32_t?
A few xtable modules use aligned_u64, which is how I found this one.
commit 35f2e577e432b28969710bc1fd4d9a4c0875f81b
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 2 17:30:18 2008 +0100
linux/types.h: Use __u64 for aligned_u64
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/types.h b/include/linux/types.h
index f4f8d19..b94c0e4 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -126,7 +126,7 @@ typedef __s64 int64_t;
#endif
/* this is a special 64bit data type that is 8-byte aligned */
-#define aligned_u64 unsigned long long __attribute__((aligned(8)))
+#define aligned_u64 __u64 __attribute__((aligned(8)))
#define aligned_be64 __be64 __attribute__((aligned(8)))
#define aligned_le64 __le64 __attribute__((aligned(8)))
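Review bot: the commit message gives no rationale for the `-#define aligned_u64 unsigned long long __attribute__((aligned(8)))` / `+#define aligned_u64 __u64 __attribute__((aligned(8)))` change; it should state one, for example that the neighbouring `aligned_be64` and `aligned_le64` in the same hunk already build on the exported `__be64`/`__le64` types, and that `__u64` is the integer type meant for headers shared with userspace, so the three definitions become consistent. It is also worth recording in the message that the change is not purely cosmetic: on architectures where `__u64` is defined as `unsigned long` rather than `unsigned long long`, existing users that format an `aligned_u64` with `%llu` or take its address as an `unsigned long long *` will start to get format-string or pointer-type warnings, so the series should be build-checked on such an architecture before it goes further up the chain.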
* Re: [PATCH 27/27] Update feature-removal-schedule.txt
2008-01-08 16:56 ` Jan Engelhardt
@ 2008-01-15 16:16 ` Patrick McHardy
0 siblings, 0 replies; 107+ messages in thread
From: Patrick McHardy @ 2008-01-15 16:16 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Could you take care of this one and let it sift through ->dave->linus->;
> what do you think, or same verdict as for the previous patch changing
> int->int32_t?
>
> A few xtable modules use aligned_u64, which is how I found this one.
>
> commit 35f2e577e432b28969710bc1fd4d9a4c0875f81b
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Wed Jan 2 17:30:18 2008 +0100
>
> linux/types.h: Use __u64 for aligned_u64
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> diff --git a/include/linux/types.h b/include/linux/types.h
> index f4f8d19..b94c0e4 100644
> --- a/include/linux/types.h
> +++ b/include/linux/types.h
> @@ -126,7 +126,7 @@ typedef __s64 int64_t;
> #endif
>
> /* this is a special 64bit data type that is 8-byte aligned */
> -#define aligned_u64 unsigned long long __attribute__((aligned(8)))
> +#define aligned_u64 __u64 __attribute__((aligned(8)))
> #define aligned_be64 __be64 __attribute__((aligned(8)))
> #define aligned_le64 __le64 __attribute__((aligned(8)))
Looks good to me, applied.