OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree. Basically, a new extension for ip6tables, simplification work of
nf_tables that saves us 500 LoC, allow raw table registration before
defragmentation, conversion of the SNMP helper to use the ASN.1 code
generator, unique 64-bit handle for all nf_tables objects and fixes to
address fallout from previous nf-next batch.  More specifically, they
are:

1) Seven patches to remove family abstraction layer (struct nft_af_info)
   in nf_tables, this simplifies our codebase and it saves us 64 bytes per
   net namespace.

2) Add IPv6 segment routing header matching for ip6tables, from Ahmed
   Abdelsalam.

3) Allow to register iptable_raw table before defragmentation, some
   people do not want to waste cycles on defragmenting traffic that is
   going to be dropped, hence add a new module parameter to enable this
   behaviour in iptables and ip6tables. From Subash Abhinov
   Kasiviswanathan. This patch needed a couple of follow up patches to
   get things tidy from Arnd Bergmann.

4) SNMP helper uses the ASN.1 code generator, from Taehee Yoo. Several
   patches for this helper to prepare this change are also part of this
   patch series.

5) Add 64-bit handles to uniquely objects in nf_tables, from Harsha
   Sharma.

6) Remove log message that several netfilter subsystems print at
   boot/load time.

7) Restore x_tables module autoloading, that got broken in a previous
   patch to allow singleton NAT hook callback registration per hook
   spot, from Florian Westphal. Moreover, return EBUSY to report that
   the singleton NAT hook slot is already in instead.

8) Several fixes for the new nf_tables flowtable representation,
   including incorrect error check after nf_tables_flowtable_lookup(),
   missing Kconfig dependencies that lead to build breakage and missing
   initialization of priority and hooknum in flowtable object.

9) Missing NETFILTER_FAMILY_ARP dependency in Kconfig for the clusterip
   target. This is due to recent updates in the core to shrink the hook
   array size and compile it out if no specific family is enabled via
   .config file. Patch from Florian Westphal.

10) Remove duplicated include header files, from Wei Yongjun.

11) Sparse warning fix for the NFPROTO_INET handling from the core
    due to missing static function definition, also from Wei Yongjun.

12) Restore ICMPv6 Parameter Problem error reporting when
    defragmentation fails, from Subash Abhinov Kasiviswanathan.

13) Remove obsolete owner field initialization from struct
    file_operations, patch from Alexey Dobriyan.

14) Use boolean datatype where needed in the Netfilter codebase, from
    Gustavo A. R. Silva.

15) Remove double semicolon in dynset nf_tables expression, from
    Luis de Bethencourt.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2018-01-21 11:35:34 -05:00
parent ea9722e265 e553116652
commit cbcbeedbfd
62 changed files with 1239 additions and 2224 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
include/net/netfilter/nf_tables.h
View File

@ -143,22 +143,22 @@ static inline void nft_data_debug(const struct nft_data *data)
* struct nft_ctx - nf_tables rule/set context
*
* @net: net namespace
* @afi: address family info
* @table: the table the chain is contained in
* @chain: the chain the rule is contained in
* @nla: netlink attributes
* @portid: netlink portID of the original message
* @seq: netlink sequence number
* @family: protocol family
* @report: notify via unicast netlink message
*/
struct nft_ctx {
struct net *net;
struct nft_af_info *afi;
struct nft_table *table;
struct nft_chain *chain;
const struct nlattr * const *nla;
u32 portid;
u32 seq;
u8 family;
bool report;
};
@ -374,6 +374,7 @@ void nft_unregister_set(struct nft_set_type *type);
* @list: table set list node
* @bindings: list of set bindings
* @name: name of the set
* @handle: unique handle of the set
* @ktype: key type (numeric type defined by userspace, not used in the kernel)
* @dtype: data type (verdict or numeric type defined by userspace)
* @objtype: object type (see NFT_OBJECT_* definitions)
@ -396,6 +397,7 @@ struct nft_set {
struct list_head list;
struct list_head bindings;
char *name;
u64 handle;
u32 ktype;
u32 dtype;
u32 objtype;
@ -946,9 +948,11 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
* @objects: stateful objects in the table
* @flowtables: flow tables in the table
* @hgenerator: handle generator state
* @handle: table handle
* @use: number of chain references to this table
* @flags: table flag (see enum nft_table_flags)
* @genmask: generation mask
* @afinfo: address family info
* @name: name of the table
*/
struct nft_table {
@ -958,38 +962,14 @@ struct nft_table {
struct list_head objects;
struct list_head flowtables;
u64 hgenerator;
u64 handle;
u32 use;
u16 flags:14,
u16 family:6,
flags:8,
genmask:2;
char *name;
};
enum nft_af_flags {
NFT_AF_NEEDS_DEV = (1 << 0),
};
/**
* struct nft_af_info - nf_tables address family info
*
* @list: used internally
* @family: address family
* @nhooks: number of hooks in this family
* @owner: module owner
* @tables: used internally
* @flags: family flags
*/
struct nft_af_info {
struct list_head list;
int family;
unsigned int nhooks;
struct module *owner;
struct list_head tables;
u32 flags;
};
int nft_register_afinfo(struct net *, struct nft_af_info *);
void nft_unregister_afinfo(struct net *, struct nft_af_info *);
int nft_register_chain_type(const struct nf_chain_type *);
void nft_unregister_chain_type(const struct nf_chain_type *);
@ -1007,9 +987,9 @@ int nft_verdict_dump(struct sk_buff *skb, int type,
* @name: name of this stateful object
* @genmask: generation mask
* @use: number of references to this stateful object
* @data: object data, layout depends on type
* @handle: unique object handle
* @ops: object operations
* @data: pointer to object data
* @data: object data, layout depends on type
*/
struct nft_object {
struct list_head list;
@ -1017,6 +997,7 @@ struct nft_object {
struct nft_table *table;
u32 genmask:2,
use:30;
u64 handle;
/* runtime data below here */
const struct nft_object_ops *ops ____cacheline_aligned;
unsigned char data[]
@ -1098,6 +1079,7 @@ void nft_unregister_obj(struct nft_object_type *obj_type);
* @ops_len: number of hooks in array
* @genmask: generation mask
* @use: number of references to this flow table
* @handle: unique object handle
* @data: rhashtable and garbage collector
* @ops: array of hooks
*/
@ -1110,6 +1092,7 @@ struct nft_flowtable {
int ops_len;
u32 genmask:2,
use:30;
u64 handle;
/* runtime data below here */
struct nf_hook_ops *ops ____cacheline_aligned;
struct nf_flowtable data;
@ -1154,9 +1137,6 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
void nft_trace_notify(struct nft_traceinfo *info);
#define MODULE_ALIAS_NFT_FAMILY(family) \
MODULE_ALIAS("nft-afinfo-" __stringify(family))
#define MODULE_ALIAS_NFT_CHAIN(family, name) \
MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)

8
include/net/netns/nftables.h
View File

@ -7,14 +7,8 @@
struct nft_af_info;
struct netns_nftables {
struct list_head af_info;
struct list_head tables;
struct list_head commit_list;
struct nft_af_info *ipv4;
struct nft_af_info *ipv6;
struct nft_af_info *inet;
struct nft_af_info *arp;
struct nft_af_info *bridge;
struct nft_af_info *netdev;
unsigned int base_seq;
u8 gencursor;
};

10
include/uapi/linux/netfilter/nf_tables.h
View File

@ -174,6 +174,8 @@ enum nft_table_attributes {
NFTA_TABLE_NAME,
NFTA_TABLE_FLAGS,
NFTA_TABLE_USE,
NFTA_TABLE_HANDLE,
NFTA_TABLE_PAD,
__NFTA_TABLE_MAX
};
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
@ -317,6 +319,7 @@ enum nft_set_desc_attributes {
* @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
* @NFTA_SET_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
* @NFTA_SET_HANDLE: set handle (NLA_U64)
*/
enum nft_set_attributes {
NFTA_SET_UNSPEC,
@ -335,6 +338,7 @@ enum nft_set_attributes {
NFTA_SET_USERDATA,
NFTA_SET_PAD,
NFTA_SET_OBJ_TYPE,
NFTA_SET_HANDLE,
__NFTA_SET_MAX
};
#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)
@ -1314,6 +1318,7 @@ enum nft_ct_helper_attributes {
* @NFTA_OBJ_TYPE: stateful object type (NLA_U32)
* @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
* @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
* @NFTA_OBJ_HANDLE: object handle (NLA_U64)
*/
enum nft_object_attributes {
NFTA_OBJ_UNSPEC,
@ -1322,6 +1327,8 @@ enum nft_object_attributes {
NFTA_OBJ_TYPE,
NFTA_OBJ_DATA,
NFTA_OBJ_USE,
NFTA_OBJ_HANDLE,
NFTA_OBJ_PAD,
__NFTA_OBJ_MAX
};
#define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1)
@ -1333,6 +1340,7 @@ enum nft_object_attributes {
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
*/
enum nft_flowtable_attributes {
NFTA_FLOWTABLE_UNSPEC,
@ -1340,6 +1348,8 @@ enum nft_flowtable_attributes {
NFTA_FLOWTABLE_NAME,
NFTA_FLOWTABLE_HOOK,
NFTA_FLOWTABLE_USE,
NFTA_FLOWTABLE_HANDLE,
NFTA_FLOWTABLE_PAD,
__NFTA_FLOWTABLE_MAX
};
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)

1
include/uapi/linux/netfilter_ipv4.h
View File

@ -57,6 +57,7 @@
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
NF_IP_PRI_RAW_BEFORE_DEFRAG = -450,
NF_IP_PRI_CONNTRACK_DEFRAG = -400,
NF_IP_PRI_RAW = -300,
NF_IP_PRI_SELINUX_FIRST = -225,

1
include/uapi/linux/netfilter_ipv6.h
View File

@ -62,6 +62,7 @@
enum nf_ip6_hook_priorities {
NF_IP6_PRI_FIRST = INT_MIN,
NF_IP6_PRI_RAW_BEFORE_DEFRAG = -450,
NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
NF_IP6_PRI_RAW = -300,
NF_IP6_PRI_SELINUX_FIRST = -225,

57
include/uapi/linux/netfilter_ipv6/ip6t_srh.h Normal file
View File

@ -0,0 +1,57 @@
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _IP6T_SRH_H
#define _IP6T_SRH_H
#include <linux/types.h>
#include <linux/netfilter.h>
/* Values for "mt_flags" field in struct ip6t_srh */
#define IP6T_SRH_NEXTHDR 0x0001
#define IP6T_SRH_LEN_EQ 0x0002
#define IP6T_SRH_LEN_GT 0x0004
#define IP6T_SRH_LEN_LT 0x0008
#define IP6T_SRH_SEGS_EQ 0x0010
#define IP6T_SRH_SEGS_GT 0x0020
#define IP6T_SRH_SEGS_LT 0x0040
#define IP6T_SRH_LAST_EQ 0x0080
#define IP6T_SRH_LAST_GT 0x0100
#define IP6T_SRH_LAST_LT 0x0200
#define IP6T_SRH_TAG 0x0400
#define IP6T_SRH_MASK 0x07FF
/* Values for "mt_invflags" field in struct ip6t_srh */
#define IP6T_SRH_INV_NEXTHDR 0x0001
#define IP6T_SRH_INV_LEN_EQ 0x0002
#define IP6T_SRH_INV_LEN_GT 0x0004
#define IP6T_SRH_INV_LEN_LT 0x0008
#define IP6T_SRH_INV_SEGS_EQ 0x0010
#define IP6T_SRH_INV_SEGS_GT 0x0020
#define IP6T_SRH_INV_SEGS_LT 0x0040
#define IP6T_SRH_INV_LAST_EQ 0x0080
#define IP6T_SRH_INV_LAST_GT 0x0100
#define IP6T_SRH_INV_LAST_LT 0x0200
#define IP6T_SRH_INV_TAG 0x0400
#define IP6T_SRH_INV_MASK 0x07FF
/**
* struct ip6t_srh - SRH match options
* @ next_hdr: Next header field of SRH
* @ hdr_len: Extension header length field of SRH
* @ segs_left: Segments left field of SRH
* @ last_entry: Last entry field of SRH
* @ tag: Tag field of SRH
* @ mt_flags: match options
* @ mt_invflags: Invert the sense of match options
*/
struct ip6t_srh {
__u8 next_hdr;
__u8 hdr_len;
__u8 segs_left;
__u8 last_entry;
__u16 tag;
__u16 mt_flags;
__u16 mt_invflags;
};
#endif /*_IP6T_SRH_H*/

2
net/bridge/netfilter/ebtables.c
View File

@ -2445,7 +2445,6 @@ static int __init ebtables_init(void)
return ret;
}
printk(KERN_INFO "Ebtables v2.0 registered\n");
return 0;
}
@ -2453,7 +2452,6 @@ static void __exit ebtables_fini(void)
{
nf_unregister_sockopt(&ebt_sockopts);
xt_unregister_target(&ebt_standard_target);
printk(KERN_INFO "Ebtables v2.0 unregistered\n");
}
EXPORT_SYMBOL(ebt_register_table);

54
net/bridge/netfilter/nf_tables_bridge.c
View File

@ -42,40 +42,6 @@ nft_do_chain_bridge(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_bridge __read_mostly = {
.family = NFPROTO_BRIDGE,
.nhooks = NF_BR_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_bridge_init_net(struct net *net)
{
net->nft.bridge = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.bridge == NULL)
return -ENOMEM;
memcpy(net->nft.bridge, &nft_af_bridge, sizeof(nft_af_bridge));
if (nft_register_afinfo(net, net->nft.bridge) < 0)
goto err;
return 0;
err:
kfree(net->nft.bridge);
return -ENOMEM;
}
static void nf_tables_bridge_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.bridge);
kfree(net->nft.bridge);
}
static struct pernet_operations nf_tables_bridge_net_ops = {
.init = nf_tables_bridge_init_net,
.exit = nf_tables_bridge_exit_net,
};
static const struct nf_chain_type filter_bridge = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -97,27 +63,11 @@ static const struct nf_chain_type filter_bridge = {
static int __init nf_tables_bridge_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_bridge);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0)
goto err_register_subsys;
return ret;
err_register_subsys:
nft_unregister_chain_type(&filter_bridge);
return ret;
return nft_register_chain_type(&filter_bridge);
}
static void __exit nf_tables_bridge_exit(void)
{
unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge);
}
@ -126,4 +76,4 @@ module_exit(nf_tables_bridge_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_BRIDGE);
MODULE_ALIAS_NFT_CHAIN(AF_BRIDGE, "filter");

5
net/ipv4/netfilter/Kconfig
View File

@ -79,8 +79,9 @@ config NF_TABLES_ARP
endif # NF_TABLES
config NF_FLOW_TABLE_IPV4
select NF_FLOW_TABLE
tristate "Netfilter flow table IPv4 module"
depends on NF_CONNTRACK && NF_TABLES
select NF_FLOW_TABLE
help
This option adds the flow table IPv4 support.
@ -157,6 +158,7 @@ config NF_NAT_SNMP_BASIC
depends on NF_CONNTRACK_SNMP
depends on NETFILTER_ADVANCED
default NF_NAT && NF_CONNTRACK_SNMP
select ASN1
---help---
This module implements an Application Layer Gateway (ALG) for
@ -342,6 +344,7 @@ config IP_NF_TARGET_CLUSTERIP
depends on NF_CONNTRACK_IPV4
depends on NETFILTER_ADVANCED
select NF_CONNTRACK_MARK
select NETFILTER_FAMILY_ARP
help
The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing

6
net/ipv4/netfilter/Makefile
View File

@ -27,9 +27,15 @@ obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
# NAT helpers (nf_conntrack)
obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
nf_nat_snmp_basic-y := nf_nat_snmp_basic-asn1.o nf_nat_snmp_basic_main.o
nf_nat_snmp_basic-y : nf_nat_snmp_basic-asn1.h nf_nat_snmp_basic-asn1.c
obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
clean-files := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h
obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
# NAT protocols (nf_nat)
obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o

1
net/ipv4/netfilter/arp_tables.c
View File

@ -1656,7 +1656,6 @@ static int __init arp_tables_init(void)
if (ret < 0)
goto err4;
pr_info("arp_tables: (C) 2002 David S. Miller\n");
return 0;
err4:

1
net/ipv4/netfilter/ip_tables.c
View File

@ -1939,7 +1939,6 @@ static int __init ip_tables_init(void)
if (ret < 0)
goto err5;
pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:

31
net/ipv4/netfilter/iptable_raw.c
View File

@ -3,6 +3,7 @@
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/slab.h>
@ -12,6 +13,10 @@
static int __net_init iptable_raw_table_init(struct net *net);
static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000);
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@ -21,6 +26,15 @@ static const struct xt_table packet_raw = {
.table_init = iptable_raw_table_init,
};
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV4,
.priority = NF_IP_PRI_RAW_BEFORE_DEFRAG,
.table_init = iptable_raw_table_init,
};
/* The work comes in here from netfilter.c. */
static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
@ -34,15 +48,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init iptable_raw_table_init(struct net *net)
{
struct ipt_replace *repl;
const struct xt_table *table = &packet_raw;
int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv4.iptable_raw)
return 0;
repl = ipt_alloc_initial_table(&packet_raw);
repl = ipt_alloc_initial_table(table);
if (repl == NULL)
return -ENOMEM;
ret = ipt_register_table(net, &packet_raw, repl, rawtable_ops,
ret = ipt_register_table(net, table, repl, rawtable_ops,
&net->ipv4.iptable_raw);
kfree(repl);
return ret;
@ -63,8 +81,15 @@ static struct pernet_operations iptable_raw_net_ops = {
static int __init iptable_raw_init(void)
{
int ret;
const struct xt_table *table = &packet_raw;
rawtable_ops = xt_hook_ops_alloc(&packet_raw, iptable_raw_hook);
if (raw_before_defrag) {
table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n");
}
rawtable_ops = xt_hook_ops_alloc(table, iptable_raw_hook);
if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);

2
net/ipv4/netfilter/nf_defrag_ipv4.c
View File

@ -78,6 +78,8 @@ static unsigned int ipv4_conntrack_defrag(void *priv,
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
return NF_ACCEPT;
#endif
if (skb->_nfct == IP_CT_UNTRACKED)
return NF_ACCEPT;
#endif
/* Gather fragments. */
if (ip_is_fragment(ip_hdr(skb))) {

177
net/ipv4/netfilter/nf_nat_snmp_basic.asn1 Normal file
View File

@ -0,0 +1,177 @@
Message ::=
SEQUENCE {
version
INTEGER ({snmp_version}),
community
OCTET STRING,
pdu
PDUs
}
ObjectName ::=
OBJECT IDENTIFIER
ObjectSyntax ::=
CHOICE {
simple
SimpleSyntax,
application-wide
ApplicationSyntax
}
SimpleSyntax ::=
CHOICE {
integer-value
INTEGER,
string-value
OCTET STRING,
objectID-value
OBJECT IDENTIFIER
}
ApplicationSyntax ::=
CHOICE {
ipAddress-value
IpAddress,
counter-value
Counter32,
timeticks-value
TimeTicks,
arbitrary-value
Opaque,
big-counter-value
Counter64,
unsigned-integer-value
Unsigned32
}
IpAddress ::=
[APPLICATION 0]
IMPLICIT OCTET STRING OPTIONAL ({snmp_helper})
Counter32 ::=
[APPLICATION 1]
IMPLICIT INTEGER OPTIONAL
Unsigned32 ::=
[APPLICATION 2]
IMPLICIT INTEGER OPTIONAL
Gauge32 ::= Unsigned32 OPTIONAL
TimeTicks ::=
[APPLICATION 3]
IMPLICIT INTEGER OPTIONAL
Opaque ::=
[APPLICATION 4]
IMPLICIT OCTET STRING OPTIONAL
Counter64 ::=
[APPLICATION 6]
IMPLICIT INTEGER OPTIONAL
PDUs ::=
CHOICE {
get-request
GetRequest-PDU,
get-next-request
GetNextRequest-PDU,
get-bulk-request
GetBulkRequest-PDU,
response
Response-PDU,
set-request
SetRequest-PDU,
inform-request
InformRequest-PDU,
snmpV2-trap
SNMPv2-Trap-PDU,
report
Report-PDU
}
GetRequest-PDU ::=
[0] IMPLICIT PDU OPTIONAL
GetNextRequest-PDU ::=
[1] IMPLICIT PDU OPTIONAL
Response-PDU ::=
[2] IMPLICIT PDU OPTIONAL
SetRequest-PDU ::=
[3] IMPLICIT PDU OPTIONAL
-- [4] is obsolete
GetBulkRequest-PDU ::=
[5] IMPLICIT PDU OPTIONAL
InformRequest-PDU ::=
[6] IMPLICIT PDU OPTIONAL
SNMPv2-Trap-PDU ::=
[7] IMPLICIT PDU OPTIONAL
Report-PDU ::=
[8] IMPLICIT PDU OPTIONAL
PDU ::=
SEQUENCE {
request-id
INTEGER,
error-status
INTEGER,
error-index
INTEGER,
variable-bindings
VarBindList
}
VarBind ::=
SEQUENCE {
name
ObjectName,
CHOICE {
value
ObjectSyntax,
unSpecified
NULL,
noSuchObject
[0] IMPLICIT NULL,
noSuchInstance
[1] IMPLICIT NULL,
endOfMibView
[2] IMPLICIT NULL
}
}
VarBindList ::= SEQUENCE OF VarBind

1286
net/ipv4/netfilter/nf_nat_snmp_basic.c
View File

File diff suppressed because it is too large Load Diff

235
net/ipv4/netfilter/nf_nat_snmp_basic_main.c Normal file
View File

@ -0,0 +1,235 @@
/*
* nf_nat_snmp_basic.c
*
* Basic SNMP Application Layer Gateway
*
* This IP NAT module is intended for use with SNMP network
* discovery and monitoring applications where target networks use
* conflicting private address realms.
*
* Static NAT is used to remap the networks from the view of the network
* management system at the IP layer, and this module remaps some application
* layer addresses to match.
*
* The simplest form of ALG is performed, where only tagged IP addresses
* are modified. The module does not need to be MIB aware and only scans
* messages at the ASN.1/BER level.
*
* Currently, only SNMPv1 and SNMPv2 are supported.
*
* More information on ALG and associated issues can be found in
* RFC 2962
*
* The ASB.1/BER parsing code is derived from the gxsnmp package by Gregory
* McLean & Jochen Friedrich, stripped down for use in the kernel.
*
* Copyright (c) 2000 RP Internet (www.rpi.net.au).
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*
* Author: James Morris <jmorris@intercode.com.au>
*
* Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
*/
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <net/checksum.h>
#include <net/udp.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>
#include "nf_nat_snmp_basic-asn1.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
MODULE_DESCRIPTION("Basic SNMP Application Layer Gateway");
MODULE_ALIAS("ip_nat_snmp_basic");
#define SNMP_PORT 161
#define SNMP_TRAP_PORT 162
static DEFINE_SPINLOCK(snmp_lock);
struct snmp_ctx {
unsigned char *begin;
__sum16 *check;
__be32 from;
__be32 to;
};
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
unsigned char s[12] = {0,};
int size;
if (offset & 1) {
memcpy(&s[1], &ctx->from, 4);
memcpy(&s[7], &ctx->to, 4);
s[0] = ~0;
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
s[4] = ~s[4];
s[5] = ~0;
size = 12;
} else {
memcpy(&s[0], &ctx->from, 4);
memcpy(&s[4], &ctx->to, 4);
s[0] = ~s[0];
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
size = 8;
}
*ctx->check = csum_fold(csum_partial(s, size,
~csum_unfold(*ctx->check)));
}
int snmp_version(void *context, size_t hdrlen, unsigned char tag,
const void *data, size_t datalen)
{
if (*(unsigned char *)data > 1)
return -ENOTSUPP;
return 1;
}
int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
const void *data, size_t datalen)
{
struct snmp_ctx *ctx = (struct snmp_ctx *)context;
__be32 *pdata = (__be32 *)data;
if (*pdata == ctx->from) {
pr_debug("%s: %pI4 to %pI4\n", __func__,
(void *)&ctx->from, (void *)&ctx->to);
if (*ctx->check)
fast_csum(ctx, (unsigned char *)data - ctx->begin);
*pdata = ctx->to;
}
return 1;
}
static int snmp_translate(struct nf_conn *ct, int dir, struct sk_buff *skb)
{
struct iphdr *iph = ip_hdr(skb);
struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
u16 datalen = ntohs(udph->len) - sizeof(struct udphdr);
char *data = (unsigned char *)udph + sizeof(struct udphdr);
struct snmp_ctx ctx;
int ret;
if (dir == IP_CT_DIR_ORIGINAL) {
ctx.from = ct->tuplehash[dir].tuple.src.u3.ip;
ctx.to = ct->tuplehash[!dir].tuple.dst.u3.ip;
} else {
ctx.from = ct->tuplehash[!dir].tuple.src.u3.ip;
ctx.to = ct->tuplehash[dir].tuple.dst.u3.ip;
}
if (ctx.from == ctx.to)
return NF_ACCEPT;
ctx.begin = (unsigned char *)udph + sizeof(struct udphdr);
ctx.check = &udph->check;
ret = asn1_ber_decoder(&nf_nat_snmp_basic_decoder, &ctx, data, datalen);
if (ret < 0) {
nf_ct_helper_log(skb, ct, "parser failed\n");
return NF_DROP;
}
return NF_ACCEPT;
}
/* We don't actually set up expectations, just adjust internal IP
* addresses if this is being NATted
*/
static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo)
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
const struct iphdr *iph = ip_hdr(skb);
const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
return NF_ACCEPT;
if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
return NF_ACCEPT;
/* No NAT? */
if (!(ct->status & IPS_NAT_MASK))
return NF_ACCEPT;
/* Make sure the packet length is ok. So far, we were only guaranteed
* to have a valid length IP header plus 8 bytes, which means we have
* enough room for a UDP header. Just verify the UDP length field so we
* can mess around with the payload.
*/
if (ntohs(udph->len) != skb->len - (iph->ihl << 2)) {
nf_ct_helper_log(skb, ct, "dropping malformed packet\n");
return NF_DROP;
}
if (!skb_make_writable(skb, skb->len)) {
nf_ct_helper_log(skb, ct, "cannot mangle packet");
return NF_DROP;
}
spin_lock_bh(&snmp_lock);
ret = snmp_translate(ct, dir, skb);
spin_unlock_bh(&snmp_lock);
return ret;
}
static const struct nf_conntrack_expect_policy snmp_exp_policy = {
.max_expected = 0,
.timeout = 180,
};
static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
.me = THIS_MODULE,
.help = help,
.expect_policy = &snmp_exp_policy,
.name = "snmp_trap",
.tuple.src.l3num = AF_INET,
.tuple.src.u.udp.port = cpu_to_be16(SNMP_TRAP_PORT),
.tuple.dst.protonum = IPPROTO_UDP,
};
static int __init nf_nat_snmp_basic_init(void)
{
BUG_ON(nf_nat_snmp_hook != NULL);
RCU_INIT_POINTER(nf_nat_snmp_hook, help);
return nf_conntrack_helper_register(&snmp_trap_helper);
}
static void __exit nf_nat_snmp_basic_fini(void)
{
RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
synchronize_rcu();
nf_conntrack_helper_unregister(&snmp_trap_helper);
}
module_init(nf_nat_snmp_basic_init);
module_exit(nf_nat_snmp_basic_fini);

49
net/ipv4/netfilter/nf_tables_arp.c
View File

@ -27,40 +27,6 @@ nft_do_chain_arp(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_arp __read_mostly = {
.family = NFPROTO_ARP,
.nhooks = NF_ARP_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_arp_init_net(struct net *net)
{
net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.arp== NULL)
return -ENOMEM;
memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
if (nft_register_afinfo(net, net->nft.arp) < 0)
goto err;
return 0;
err:
kfree(net->nft.arp);
return -ENOMEM;
}
static void nf_tables_arp_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.arp);
kfree(net->nft.arp);
}
static struct pernet_operations nf_tables_arp_net_ops = {
.init = nf_tables_arp_init_net,
.exit = nf_tables_arp_exit_net,
};
static const struct nf_chain_type filter_arp = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -76,22 +42,11 @@ static const struct nf_chain_type filter_arp = {
static int __init nf_tables_arp_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_arp);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_arp_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_arp);
return ret;
return nft_register_chain_type(&filter_arp);
}
static void __exit nf_tables_arp_exit(void)
{
unregister_pernet_subsys(&nf_tables_arp_net_ops);
nft_unregister_chain_type(&filter_arp);
}
@ -100,4 +55,4 @@ module_exit(nf_tables_arp_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */
MODULE_ALIAS_NFT_CHAIN(3, "filter"); /* NFPROTO_ARP */

49
net/ipv4/netfilter/nf_tables_ipv4.c
View File

@ -30,40 +30,6 @@ static unsigned int nft_do_chain_ipv4(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_ipv4 __read_mostly = {
.family = NFPROTO_IPV4,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_ipv4_init_net(struct net *net)
{
net->nft.ipv4 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.ipv4 == NULL)
return -ENOMEM;
memcpy(net->nft.ipv4, &nft_af_ipv4, sizeof(nft_af_ipv4));
if (nft_register_afinfo(net, net->nft.ipv4) < 0)
goto err;
return 0;
err:
kfree(net->nft.ipv4);
return -ENOMEM;
}
static void nf_tables_ipv4_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.ipv4);
kfree(net->nft.ipv4);
}
static struct pernet_operations nf_tables_ipv4_net_ops = {
.init = nf_tables_ipv4_init_net,
.exit = nf_tables_ipv4_exit_net,
};
static const struct nf_chain_type filter_ipv4 = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -85,22 +51,11 @@ static const struct nf_chain_type filter_ipv4 = {
static int __init nf_tables_ipv4_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_ipv4);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_ipv4_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_ipv4);
return ret;
return nft_register_chain_type(&filter_ipv4);
}
static void __exit nf_tables_ipv4_exit(void)
{
unregister_pernet_subsys(&nf_tables_ipv4_net_ops);
nft_unregister_chain_type(&filter_ipv4);
}
@ -109,4 +64,4 @@ module_exit(nf_tables_ipv4_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_INET);
MODULE_ALIAS_NFT_CHAIN(AF_INET, "filter");

12
net/ipv6/netfilter/Kconfig
View File

@ -72,8 +72,9 @@ endif # NF_TABLES_IPV6
endif # NF_TABLES
config NF_FLOW_TABLE_IPV6
select NF_FLOW_TABLE
tristate "Netfilter flow table IPv6 module"
depends on NF_CONNTRACK && NF_TABLES
select NF_FLOW_TABLE
help
This option adds the flow table IPv6 support.
@ -240,6 +241,15 @@ config IP6_NF_MATCH_RT
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_SRH
tristate '"srh" Segment Routing header match support'
depends on NETFILTER_ADVANCED
help
srh matching allows you to match packets based on the segment
routing header of the packet.
To compile it as a module, choose M here. If unsure, say N.
# The targets
config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'

1
net/ipv6/netfilter/Makefile
View File

@ -57,6 +57,7 @@ obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o
# targets
obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o

1
net/ipv6/netfilter/ip6_tables.c
View File

@ -1952,7 +1952,6 @@ static int __init ip6_tables_init(void)
if (ret < 0)
goto err5;
pr_info("(C) 2000-2006 Netfilter Core Team\n");
return 0;
err5:

161
net/ipv6/netfilter/ip6t_srh.c Normal file
View File

@ -0,0 +1,161 @@
/* Kernel module to match Segment Routing Header (SRH) parameters. */
/* Author:
* Ahmed Abdelsalam <amsalam20@gmail.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ipv6.h>
#include <linux/types.h>
#include <net/ipv6.h>
#include <net/seg6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6t_srh.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
/* Test a struct->mt_invflags and a boolean for inequality */
#define NF_SRH_INVF(ptr, flag, boolean) \
((boolean) ^ !!((ptr)->mt_invflags & (flag)))
static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ip6t_srh *srhinfo = par->matchinfo;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;
int hdrlen, srhoff = 0;
if (ipv6_find_hdr(skb, &srhoff, IPPROTO_ROUTING, NULL, NULL) < 0)
return false;
srh = skb_header_pointer(skb, srhoff, sizeof(_srh), &_srh);
if (!srh)
return false;
hdrlen = ipv6_optlen(srh);
if (skb->len - srhoff < hdrlen)
return false;
if (srh->type != IPV6_SRCRT_TYPE_4)
return false;
if (srh->segments_left > srh->first_segment)
return false;
/* Next Header matching */
if (srhinfo->mt_flags & IP6T_SRH_NEXTHDR)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NEXTHDR,
!(srh->nexthdr == srhinfo->next_hdr)))
return false;
/* Header Extension Length matching */
if (srhinfo->mt_flags & IP6T_SRH_LEN_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_EQ,
!(srh->hdrlen == srhinfo->hdr_len)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LEN_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_GT,
!(srh->hdrlen > srhinfo->hdr_len)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LEN_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LEN_LT,
!(srh->hdrlen < srhinfo->hdr_len)))
return false;
/* Segments Left matching */
if (srhinfo->mt_flags & IP6T_SRH_SEGS_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_EQ,
!(srh->segments_left == srhinfo->segs_left)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_SEGS_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_GT,
!(srh->segments_left > srhinfo->segs_left)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_SEGS_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_SEGS_LT,
!(srh->segments_left < srhinfo->segs_left)))
return false;
/**
* Last Entry matching
* Last_Entry field was introduced in revision 6 of the SRH draft.
* It was called First_Segment in the previous revision
*/
if (srhinfo->mt_flags & IP6T_SRH_LAST_EQ)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_EQ,
!(srh->first_segment == srhinfo->last_entry)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LAST_GT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_GT,
!(srh->first_segment > srhinfo->last_entry)))
return false;
if (srhinfo->mt_flags & IP6T_SRH_LAST_LT)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LAST_LT,
!(srh->first_segment < srhinfo->last_entry)))
return false;
/**
* Tag matchig
* Tag field was introduced in revision 6 of the SRH draft.
*/
if (srhinfo->mt_flags & IP6T_SRH_TAG)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG,
!(srh->tag == srhinfo->tag)))
return false;
return true;
}
static int srh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_srh *srhinfo = par->matchinfo;
if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
pr_err("unknown srh match flags %X\n", srhinfo->mt_flags);
return -EINVAL;
}
if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
return -EINVAL;
}
return 0;
}
static struct xt_match srh_mt6_reg __read_mostly = {
.name = "srh",
.family = NFPROTO_IPV6,
.match = srh_mt6,
.matchsize = sizeof(struct ip6t_srh),
.checkentry = srh_mt6_check,
.me = THIS_MODULE,
};
static int __init srh_mt6_init(void)
{
return xt_register_match(&srh_mt6_reg);
}
static void __exit srh_mt6_exit(void)
{
xt_unregister_match(&srh_mt6_reg);
}
module_init(srh_mt6_init);
module_exit(srh_mt6_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: IPv6 Segment Routing Header match");
MODULE_AUTHOR("Ahmed Abdelsalam <amsalam20@gmail.com>");

31
net/ipv6/netfilter/ip6table_raw.c
View File

@ -3,6 +3,7 @@
*
* Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/slab.h>
@ -11,6 +12,10 @@
static int __net_init ip6table_raw_table_init(struct net *net);
static bool raw_before_defrag __read_mostly;
MODULE_PARM_DESC(raw_before_defrag, "Enable raw table before defrag");
module_param(raw_before_defrag, bool, 0000);
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
@ -20,6 +25,15 @@ static const struct xt_table packet_raw = {
.table_init = ip6table_raw_table_init,
};
static const struct xt_table packet_raw_before_defrag = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = NFPROTO_IPV6,
.priority = NF_IP6_PRI_RAW_BEFORE_DEFRAG,
.table_init = ip6table_raw_table_init,
};
/* The work comes in here from netfilter.c. */
static unsigned int
ip6table_raw_hook(void *priv, struct sk_buff *skb,
@ -33,15 +47,19 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
static int __net_init ip6table_raw_table_init(struct net *net)
{
struct ip6t_replace *repl;
const struct xt_table *table = &packet_raw;
int ret;
if (raw_before_defrag)
table = &packet_raw_before_defrag;
if (net->ipv6.ip6table_raw)
return 0;
repl = ip6t_alloc_initial_table(&packet_raw);
repl = ip6t_alloc_initial_table(table);
if (repl == NULL)
return -ENOMEM;
ret = ip6t_register_table(net, &packet_raw, repl, rawtable_ops,
ret = ip6t_register_table(net, table, repl, rawtable_ops,
&net->ipv6.ip6table_raw);
kfree(repl);
return ret;
@ -62,9 +80,16 @@ static struct pernet_operations ip6table_raw_net_ops = {
static int __init ip6table_raw_init(void)
{
int ret;
const struct xt_table *table = &packet_raw;
if (raw_before_defrag) {
table = &packet_raw_before_defrag;
pr_info("Enabling raw table before defrag\n");
}
/* Register hooks */
rawtable_ops = xt_hook_ops_alloc(&packet_raw, ip6table_raw_hook);
rawtable_ops = xt_hook_ops_alloc(table, ip6table_raw_hook);
if (IS_ERR(rawtable_ops))
return PTR_ERR(rawtable_ops);

15
net/ipv6/netfilter/nf_conntrack_reasm.c
View File

@ -231,7 +231,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
if ((unsigned int)end > IPV6_MAXPLEN) {
pr_debug("offset is too large.\n");
return -1;
return -EINVAL;
}
ecn = ip6_frag_ecn(ipv6_hdr(skb));
@ -264,7 +264,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
* this case. -DaveM
*/
pr_debug("end of fragment not rounded to 8 bytes.\n");
return -1;
return -EPROTO;
}
if (end > fq->q.len) {
/* Some bits beyond end -> corruption. */
@ -358,7 +358,7 @@ found:
discard_fq:
inet_frag_kill(&fq->q, &nf_frags);
err:
return -1;
return -EINVAL;
}
/*
@ -567,6 +567,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
{
u16 savethdr = skb->transport_header;
struct net_device *dev = skb->dev;
int fhoff, nhoff, ret;
struct frag_hdr *fhdr;
@ -600,8 +601,12 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
spin_lock_bh(&fq->q.lock);
if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) {
ret = -EINVAL;
ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
if (ret < 0) {
if (ret == -EPROTO) {
skb->transport_header = savethdr;
ret = 0;
}
goto out_unlock;
}

3
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
View File

@ -63,6 +63,9 @@ static unsigned int ipv6_defrag(void *priv,
/* Previously seen (loopback)? */
if (skb_nfct(skb) && !nf_ct_is_template((struct nf_conn *)skb_nfct(skb)))
return NF_ACCEPT;
if (skb->_nfct == IP_CT_UNTRACKED)
return NF_ACCEPT;
#endif
err = nf_ct_frag6_gather(state->net, skb,

1
net/ipv6/netfilter/nf_flow_table_ipv6.c
View File

@ -5,7 +5,6 @@
#include <linux/rhashtable.h>
#include <linux/ipv6.h>
#include <linux/netdevice.h>
#include <linux/ipv6.h>
#include <net/ipv6.h>
#include <net/ip6_route.h>
#include <net/neighbour.h>

49
net/ipv6/netfilter/nf_tables_ipv6.c
View File

@ -28,40 +28,6 @@ static unsigned int nft_do_chain_ipv6(void *priv,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_ipv6 __read_mostly = {
.family = NFPROTO_IPV6,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int nf_tables_ipv6_init_net(struct net *net)
{
net->nft.ipv6 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.ipv6 == NULL)
return -ENOMEM;
memcpy(net->nft.ipv6, &nft_af_ipv6, sizeof(nft_af_ipv6));
if (nft_register_afinfo(net, net->nft.ipv6) < 0)
goto err;
return 0;
err:
kfree(net->nft.ipv6);
return -ENOMEM;
}
static void nf_tables_ipv6_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.ipv6);
kfree(net->nft.ipv6);
}
static struct pernet_operations nf_tables_ipv6_net_ops = {
.init = nf_tables_ipv6_init_net,
.exit = nf_tables_ipv6_exit_net,
};
static const struct nf_chain_type filter_ipv6 = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -83,22 +49,11 @@ static const struct nf_chain_type filter_ipv6 = {
static int __init nf_tables_ipv6_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_ipv6);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_ipv6_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_ipv6);
return ret;
return nft_register_chain_type(&filter_ipv6);
}
static void __exit nf_tables_ipv6_exit(void)
{
unregister_pernet_subsys(&nf_tables_ipv6_net_ops);
nft_unregister_chain_type(&filter_ipv6);
}
@ -107,4 +62,4 @@ module_exit(nf_tables_ipv6_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(AF_INET6);
MODULE_ALIAS_NFT_CHAIN(AF_INET6, "filter");

6
net/netfilter/Kconfig
View File

@ -506,7 +506,7 @@ config NFT_CT
connection tracking information such as the flow state.
config NFT_FLOW_OFFLOAD
depends on NF_CONNTRACK
depends on NF_CONNTRACK && NF_FLOW_TABLE
tristate "Netfilter nf_tables hardware flow offload module"
help
This option adds the "flow_offload" expression that you can use to
@ -665,8 +665,9 @@ endif # NF_TABLES_NETDEV
endif # NF_TABLES
config NF_FLOW_TABLE_INET
select NF_FLOW_TABLE
tristate "Netfilter flow table mixed IPv4/IPv6 module"
depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6
select NF_FLOW_TABLE
help
This option adds the flow table mixed IPv4/IPv6 support.
@ -674,6 +675,7 @@ config NF_FLOW_TABLE_INET
config NF_FLOW_TABLE
tristate "Netfilter flow table module"
depends on NF_CONNTRACK && NF_TABLES
help
This option adds the flow table core infrastructure.

6
net/netfilter/core.c
View File

@ -140,7 +140,7 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
if (reg->nat_hook && orig_ops[i]->nat_hook) {
kvfree(new);
return ERR_PTR(-EEXIST);
return ERR_PTR(-EBUSY);
}
if (inserted || reg->priority > orig_ops[i]->priority) {
@ -377,8 +377,8 @@ static void nf_remove_net_hook(struct nf_hook_entries *old,
}
}
void __nf_unregister_net_hook(struct net *net, int pf,
const struct nf_hook_ops *reg)
static void __nf_unregister_net_hook(struct net *net, int pf,
const struct nf_hook_ops *reg)
{
struct nf_hook_entries __rcu **pp;
struct nf_hook_entries *p;

3
net/netfilter/ipset/ip_set_core.c
View File

@ -2122,7 +2122,6 @@ ip_set_init(void)
return ret;
}
pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
return 0;
}
@ -2138,3 +2137,5 @@ ip_set_fini(void)
module_init(ip_set_init);
module_exit(ip_set_fini);
MODULE_DESCRIPTION("ip_set: protocol " __stringify(IPSET_PROTOCOL));

1
net/netfilter/ipvs/ip_vs_app.c
View File

@ -595,7 +595,6 @@ static int ip_vs_app_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_app_fops = {
.owner = THIS_MODULE,
.open = ip_vs_app_open,
.read = seq_read,
.llseek = seq_lseek,

2
net/netfilter/ipvs/ip_vs_conn.c
View File

@ -1143,7 +1143,6 @@ static int ip_vs_conn_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_conn_fops = {
.owner = THIS_MODULE,
.open = ip_vs_conn_open,
.read = seq_read,
.llseek = seq_lseek,
@ -1221,7 +1220,6 @@ static int ip_vs_conn_sync_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_conn_sync_fops = {
.owner = THIS_MODULE,
.open = ip_vs_conn_sync_open,
.read = seq_read,
.llseek = seq_lseek,

3
net/netfilter/ipvs/ip_vs_ctl.c
View File

@ -2116,7 +2116,6 @@ static int ip_vs_info_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_info_fops = {
.owner = THIS_MODULE,
.open = ip_vs_info_open,
.read = seq_read,
.llseek = seq_lseek,
@ -2161,7 +2160,6 @@ static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_stats_fops = {
.owner = THIS_MODULE,
.open = ip_vs_stats_seq_open,
.read = seq_read,
.llseek = seq_lseek,
@ -2230,7 +2228,6 @@ static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ip_vs_stats_percpu_fops = {
.owner = THIS_MODULE,
.open = ip_vs_stats_percpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,

2
net/netfilter/nf_conncount.c
View File

@ -71,7 +71,7 @@ static inline bool already_closed(const struct nf_conn *conn)
return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
else
return 0;
return false;
}
static int key_diff(const u32 *a, const u32 *b, unsigned int klen)

6
net/netfilter/nf_conntrack_core.c
View File

@ -58,8 +58,6 @@
#include "nf_internals.h"
#define NF_CONNTRACK_VERSION "0.5.0"
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
enum nf_nat_manip_type manip,
const struct nlattr *attr) __read_mostly;
@ -2068,10 +2066,6 @@ int nf_conntrack_init_start(void)
if (!nf_conntrack_cachep)
goto err_cachep;
printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
nf_conntrack_max);
ret = nf_conntrack_expect_init();
if (ret < 0)
goto err_expect;

1
net/netfilter/nf_conntrack_expect.c
View File

@ -649,7 +649,6 @@ static int exp_open(struct inode *inode, struct file *file)
}
static const struct file_operations exp_file_ops = {
.owner = THIS_MODULE,
.open = exp_open,
.read = seq_read,
.llseek = seq_lseek,

5
net/netfilter/nf_conntrack_netlink.c
View File

@ -57,8 +57,6 @@
MODULE_LICENSE("GPL");
static char __initdata version[] = "0.93";
static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
const struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_l4proto *l4proto)
@ -3425,7 +3423,6 @@ static int __init ctnetlink_init(void)
{
int ret;
pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
ret = nfnetlink_subsys_register(&ctnl_subsys);
if (ret < 0) {
pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
@ -3459,8 +3456,6 @@ err_out:
static void __exit ctnetlink_exit(void)
{
pr_info("ctnetlink: unregistering from nfnetlink.\n");
unregister_pernet_subsys(&ctnetlink_net_ops);
nfnetlink_subsys_unregister(&ctnl_exp_subsys);
nfnetlink_subsys_unregister(&ctnl_subsys);

2
net/netfilter/nf_conntrack_standalone.c
View File

@ -382,7 +382,6 @@ static int ct_open(struct inode *inode, struct file *file)
}
static const struct file_operations ct_file_ops = {
.owner = THIS_MODULE,
.open = ct_open,
.read = seq_read,
.llseek = seq_lseek,
@ -475,7 +474,6 @@ static int ct_cpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations ct_cpu_seq_fops = {
.owner = THIS_MODULE,
.open = ct_cpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,

1
net/netfilter/nf_log.c
View File

@ -402,7 +402,6 @@ static int nflog_open(struct inode *inode, struct file *file)
}
static const struct file_operations nflog_file_ops = {
.owner = THIS_MODULE,
.open = nflog_open,
.read = seq_read,
.llseek = seq_lseek,

2
net/netfilter/nf_queue.c
View File

@ -15,8 +15,6 @@
#include <linux/netfilter_bridge.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <net/protocol.h>
#include <net/netfilter/nf_queue.h>
#include <net/dst.h>

1
net/netfilter/nf_synproxy_core.c
View File

@ -317,7 +317,6 @@ static int synproxy_cpu_seq_open(struct inode *inode, struct file *file)
}
static const struct file_operations synproxy_cpu_seq_fops = {
.owner = THIS_MODULE,
.open = synproxy_cpu_seq_open,
.read = seq_read,
.llseek = seq_lseek,

928
net/netfilter/nf_tables_api.c
View File

File diff suppressed because it is too large Load Diff

49
net/netfilter/nf_tables_inet.c
View File

@ -38,40 +38,6 @@ static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_inet __read_mostly = {
.family = NFPROTO_INET,
.nhooks = NF_INET_NUMHOOKS,
.owner = THIS_MODULE,
};
static int __net_init nf_tables_inet_init_net(struct net *net)
{
net->nft.inet = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.inet == NULL)
return -ENOMEM;
memcpy(net->nft.inet, &nft_af_inet, sizeof(nft_af_inet));
if (nft_register_afinfo(net, net->nft.inet) < 0)
goto err;
return 0;
err:
kfree(net->nft.inet);
return -ENOMEM;
}
static void __net_exit nf_tables_inet_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.inet);
kfree(net->nft.inet);
}
static struct pernet_operations nf_tables_inet_net_ops = {
.init = nf_tables_inet_init_net,
.exit = nf_tables_inet_exit_net,
};
static const struct nf_chain_type filter_inet = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -93,22 +59,11 @@ static const struct nf_chain_type filter_inet = {
static int __init nf_tables_inet_init(void)
{
int ret;
ret = nft_register_chain_type(&filter_inet);
if (ret < 0)
return ret;
ret = register_pernet_subsys(&nf_tables_inet_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_inet);
return ret;
return nft_register_chain_type(&filter_inet);
}
static void __exit nf_tables_inet_exit(void)
{
unregister_pernet_subsys(&nf_tables_inet_net_ops);
nft_unregister_chain_type(&filter_inet);
}
@ -117,4 +72,4 @@ module_exit(nf_tables_inet_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_FAMILY(1);
MODULE_ALIAS_NFT_CHAIN(1, "filter");

70
net/netfilter/nf_tables_netdev.c
View File

@ -38,41 +38,6 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
return nft_do_chain(&pkt, priv);
}
static struct nft_af_info nft_af_netdev __read_mostly = {
.family = NFPROTO_NETDEV,
.nhooks = NF_NETDEV_NUMHOOKS,
.owner = THIS_MODULE,
.flags = NFT_AF_NEEDS_DEV,
};
static int nf_tables_netdev_init_net(struct net *net)
{
net->nft.netdev = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.netdev == NULL)
return -ENOMEM;
memcpy(net->nft.netdev, &nft_af_netdev, sizeof(nft_af_netdev));
if (nft_register_afinfo(net, net->nft.netdev) < 0)
goto err;
return 0;
err:
kfree(net->nft.netdev);
return -ENOMEM;
}
static void nf_tables_netdev_exit_net(struct net *net)
{
nft_unregister_afinfo(net, net->nft.netdev);
kfree(net->nft.netdev);
}
static struct pernet_operations nf_tables_netdev_net_ops = {
.init = nf_tables_netdev_init_net,
.exit = nf_tables_netdev_exit_net,
};
static const struct nf_chain_type nft_filter_chain_netdev = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
@ -109,7 +74,6 @@ static int nf_tables_netdev_event(struct notifier_block *this,
unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
struct nft_af_info *afi;
struct nft_table *table;
struct nft_chain *chain, *nr;
struct nft_ctx ctx = {
@ -121,20 +85,18 @@ static int nf_tables_netdev_event(struct notifier_block *this,
return NOTIFY_DONE;
nfnl_lock(NFNL_SUBSYS_NFTABLES);
list_for_each_entry(afi, &dev_net(dev)->nft.af_info, list) {
ctx.afi = afi;
if (afi->family != NFPROTO_NETDEV)
list_for_each_entry(table, &ctx.net->nft.tables, list) {
if (table->family != NFPROTO_NETDEV)
continue;
list_for_each_entry(table, &afi->tables, list) {
ctx.table = table;
list_for_each_entry_safe(chain, nr, &table->chains, list) {
if (!nft_is_base_chain(chain))
continue;
ctx.family = table->family;
ctx.table = table;
list_for_each_entry_safe(chain, nr, &table->chains, list) {
if (!nft_is_base_chain(chain))
continue;
ctx.chain = chain;
nft_netdev_event(event, dev, &ctx);
}
ctx.chain = chain;
nft_netdev_event(event, dev, &ctx);
}
}
nfnl_unlock(NFNL_SUBSYS_NFTABLES);
@ -154,27 +116,21 @@ static int __init nf_tables_netdev_init(void)
if (ret)
return ret;
ret = register_pernet_subsys(&nf_tables_netdev_net_ops);
if (ret)
goto err1;
ret = register_netdevice_notifier(&nf_tables_netdev_notifier);
if (ret)
goto err2;
goto err_register_netdevice_notifier;
return 0;
err2:
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
err1:
err_register_netdevice_notifier:
nft_unregister_chain_type(&nft_filter_chain_netdev);
return ret;
}
static void __exit nf_tables_netdev_exit(void)
{
unregister_netdevice_notifier(&nf_tables_netdev_notifier);
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
nft_unregister_chain_type(&nft_filter_chain_netdev);
}
@ -183,4 +139,4 @@ module_exit(nf_tables_netdev_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_FAMILY(5); /* NFPROTO_NETDEV */
MODULE_ALIAS_NFT_CHAIN(5, "filter"); /* NFPROTO_NETDEV */

4
net/netfilter/nfnetlink.c
View File

@ -37,8 +37,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
rcu_dereference_protected(table[(id)].subsys, \
lockdep_nfnl_is_held((id)))
static char __initdata nfversion[] = "0.30";
static struct {
struct mutex mutex;
const struct nfnetlink_subsystem __rcu *subsys;
@ -580,13 +578,11 @@ static int __init nfnetlink_init(void)
for (i=0; i<NFNL_SUBSYS_COUNT; i++)
mutex_init(&table[i].mutex);
pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
return register_pernet_subsys(&nfnetlink_net_ops);
}
static void __exit nfnetlink_exit(void)
{
pr_info("Removing netfilter NETLINK layer.\n");
unregister_pernet_subsys(&nfnetlink_net_ops);
}
module_init(nfnetlink_init);

2
net/netfilter/nfnetlink_acct.c
View File

@ -527,7 +527,6 @@ static int __init nfnl_acct_init(void)
goto err_out;
}
pr_info("nfnl_acct: registering with nfnetlink.\n");
ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
if (ret < 0) {
pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
@ -543,7 +542,6 @@ err_out:
static void __exit nfnl_acct_exit(void)
{
pr_info("nfnl_acct: unregistering from nfnetlink.\n");
nfnetlink_subsys_unregister(&nfnl_acct_subsys);
unregister_pernet_subsys(&nfnl_acct_ops);
}

2
net/netfilter/nfnetlink_cttimeout.c
View File

@ -615,8 +615,6 @@ err_out:
static void __exit cttimeout_exit(void)
{
pr_info("cttimeout: unregistering from nfnetlink.\n");
nfnetlink_subsys_unregister(&cttimeout_subsys);
unregister_pernet_subsys(&cttimeout_ops);

1
net/netfilter/nfnetlink_log.c
View File

@ -1054,7 +1054,6 @@ static int nful_open(struct inode *inode, struct file *file)
}
static const struct file_operations nful_file_ops = {
.owner = THIS_MODULE,
.open = nful_open,
.read = seq_read,
.llseek = seq_lseek,

1
net/netfilter/nfnetlink_queue.c
View File

@ -1477,7 +1477,6 @@ static int nfqnl_open(struct inode *inode, struct file *file)
}
static const struct file_operations nfqnl_file_ops = {
.owner = THIS_MODULE,
.open = nfqnl_open,
.read = seq_read,
.llseek = seq_lseek,

18
net/netfilter/nft_compat.c
View File

@ -144,7 +144,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
{
par->net = ctx->net;
par->table = ctx->table->name;
switch (ctx->afi->family) {
switch (ctx->family) {
case AF_INET:
entry->e4.ip.proto = proto;
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
@ -175,7 +175,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
} else {
par->hook_mask = 0;
}
par->family = ctx->afi->family;
par->family = ctx->family;
par->nft_compat = true;
}
@ -267,7 +267,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
par.net = ctx->net;
par.target = target;
par.targinfo = info;
par.family = ctx->afi->family;
par.family = ctx->family;
if (par.target->destroy != NULL)
par.target->destroy(&par);
@ -358,7 +358,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
{
par->net = ctx->net;
par->table = ctx->table->name;
switch (ctx->afi->family) {
switch (ctx->family) {
case AF_INET:
entry->e4.ip.proto = proto;
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
@ -389,7 +389,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
} else {
par->hook_mask = 0;
}
par->family = ctx->afi->family;
par->family = ctx->family;
par->nft_compat = true;
}
@ -446,7 +446,7 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
par.net = ctx->net;
par.match = match;
par.matchinfo = info;
par.family = ctx->afi->family;
par.family = ctx->family;
if (par.match->destroy != NULL)
par.match->destroy(&par);
@ -648,7 +648,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
mt_name = nla_data(tb[NFTA_MATCH_NAME]);
rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
family = ctx->afi->family;
family = ctx->family;
/* Re-use the existing match if it's already loaded. */
list_for_each_entry(nft_match, &nft_match_list, head) {
@ -733,7 +733,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
tg_name = nla_data(tb[NFTA_TARGET_NAME]);
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
family = ctx->afi->family;
family = ctx->family;
/* Re-use the existing target if it's already loaded. */
list_for_each_entry(nft_target, &nft_target_list, head) {
@ -812,8 +812,6 @@ static int __init nft_compat_module_init(void)
goto err_target;
}
pr_info("nf_tables_compat: (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>\n");
return ret;
err_target:

16
net/netfilter/nft_ct.c
View File

@ -405,7 +405,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
if (tb[NFTA_CT_DIRECTION] == NULL)
return -EINVAL;
switch (ctx->afi->family) {
switch (ctx->family) {
case NFPROTO_IPV4:
len = FIELD_SIZEOF(struct nf_conntrack_tuple,
src.u3.ip);
@ -456,7 +456,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
if (err < 0)
return err;
err = nf_ct_netns_get(ctx->net, ctx->afi->family);
err = nf_ct_netns_get(ctx->net, ctx->family);
if (err < 0)
return err;
@ -550,7 +550,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
if (err < 0)
goto err1;
err = nf_ct_netns_get(ctx->net, ctx->afi->family);
err = nf_ct_netns_get(ctx->net, ctx->family);
if (err < 0)
goto err1;
@ -564,7 +564,7 @@ err1:
static void nft_ct_get_destroy(const struct nft_ctx *ctx,
const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, ctx->afi->family);
nf_ct_netns_put(ctx->net, ctx->family);
}
static void nft_ct_set_destroy(const struct nft_ctx *ctx,
@ -573,7 +573,7 @@ static void nft_ct_set_destroy(const struct nft_ctx *ctx,
struct nft_ct *priv = nft_expr_priv(expr);
__nft_ct_set_destroy(ctx, priv);
nf_ct_netns_put(ctx->net, ctx->afi->family);
nf_ct_netns_put(ctx->net, ctx->family);
}
static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
@ -734,7 +734,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
struct nft_ct_helper_obj *priv = nft_obj_data(obj);
struct nf_conntrack_helper *help4, *help6;
char name[NF_CT_HELPER_NAME_LEN];
int family = ctx->afi->family;
int family = ctx->family;
if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
return -EINVAL;
@ -753,14 +753,14 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
switch (family) {
case NFPROTO_IPV4:
if (ctx->afi->family == NFPROTO_IPV6)
if (ctx->family == NFPROTO_IPV6)
return -EINVAL;
help4 = nf_conntrack_helper_try_module_get(name, family,
priv->l4proto);
break;
case NFPROTO_IPV6:
if (ctx->afi->family == NFPROTO_IPV4)
if (ctx->family == NFPROTO_IPV4)
return -EINVAL;
help6 = nf_conntrack_helper_try_module_get(name, family,

2
net/netfilter/nft_dynset.c
View File

@ -164,7 +164,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
}
priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
err = nft_validate_register_load(priv->sreg_key, set->klen);;
err = nft_validate_register_load(priv->sreg_key, set->klen);
if (err < 0)
return err;

4
net/netfilter/nft_flow_offload.c
View File

@ -151,7 +151,7 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
priv->flowtable = flowtable;
flowtable->use++;
return nf_ct_netns_get(ctx->net, ctx->afi->family);
return nf_ct_netns_get(ctx->net, ctx->family);
}
static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
@ -160,7 +160,7 @@ static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
struct nft_flow_offload *priv = nft_expr_priv(expr);
priv->flowtable->use--;
nf_ct_netns_put(ctx->net, ctx->afi->family);
nf_ct_netns_put(ctx->net, ctx->family);
}
static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)

4
net/netfilter/nft_log.c
View File

@ -112,7 +112,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
break;
}
err = nf_logger_find_get(ctx->afi->family, li->type);
err = nf_logger_find_get(ctx->family, li->type);
if (err < 0)
goto err1;
@ -133,7 +133,7 @@ static void nft_log_destroy(const struct nft_ctx *ctx,
if (priv->prefix != nft_log_null_prefix)
kfree(priv->prefix);
nf_logger_put(ctx->afi->family, li->type);
nf_logger_put(ctx->family, li->type);
}
static int nft_log_dump(struct sk_buff *skb, const struct nft_expr *expr)

2
net/netfilter/nft_masq.c
View File

@ -73,7 +73,7 @@ int nft_masq_init(const struct nft_ctx *ctx,
}
}
return nf_ct_netns_get(ctx->net, ctx->afi->family);
return nf_ct_netns_get(ctx->net, ctx->family);
}
EXPORT_SYMBOL_GPL(nft_masq_init);

4
net/netfilter/nft_meta.c
View File

@ -339,7 +339,7 @@ static int nft_meta_get_validate(const struct nft_ctx *ctx,
if (priv->key != NFT_META_SECPATH)
return 0;
switch (ctx->afi->family) {
switch (ctx->family) {
case NFPROTO_NETDEV:
hooks = 1 << NF_NETDEV_INGRESS;
break;
@ -370,7 +370,7 @@ int nft_meta_set_validate(const struct nft_ctx *ctx,
if (priv->key != NFT_META_PKTTYPE)
return 0;
switch (ctx->afi->family) {
switch (ctx->family) {
case NFPROTO_BRIDGE:
hooks = 1 << NF_BR_PRE_ROUTING;
break;

2
net/netfilter/nft_nat.c
View File

@ -142,7 +142,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
return -EINVAL;
family = ntohl(nla_get_be32(tb[NFTA_NAT_FAMILY]));
if (family != ctx->afi->family)
if (family != ctx->family)
return -EOPNOTSUPP;
switch (family) {

2
net/netfilter/nft_redir.c
View File

@ -75,7 +75,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
return -EINVAL;
}
return nf_ct_netns_get(ctx->net, ctx->afi->family);
return nf_ct_netns_get(ctx->net, ctx->family);
}
EXPORT_SYMBOL_GPL(nft_redir_init);

7
net/netfilter/x_tables.c
View File

@ -1082,10 +1082,10 @@ struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
{
struct xt_table *t = xt_find_table_lock(net, af, name);
#ifdef CONFIG_MODULE
#ifdef CONFIG_MODULES
if (IS_ERR(t)) {
int err = request_module("%stable_%s", xt_prefix[af], name);
if (err)
if (err < 0)
return ERR_PTR(err);
t = xt_find_table_lock(net, af, name);
}
@ -1362,7 +1362,6 @@ static int xt_table_open(struct inode *inode, struct file *file)
}
static const struct file_operations xt_table_ops = {
.owner = THIS_MODULE,
.open = xt_table_open,
.read = seq_read,
.llseek = seq_lseek,
@ -1498,7 +1497,6 @@ static int xt_match_open(struct inode *inode, struct file *file)
}
static const struct file_operations xt_match_ops = {
.owner = THIS_MODULE,
.open = xt_match_open,
.read = seq_read,
.llseek = seq_lseek,
@ -1551,7 +1549,6 @@ static int xt_target_open(struct inode *inode, struct file *file)
}
static const struct file_operations xt_target_ops = {
.owner = THIS_MODULE,
.open = xt_target_open,
.read = seq_read,
.llseek = seq_lseek,

5
net/netfilter/xt_hashlimit.c
View File

@ -353,7 +353,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
static bool select_all(const struct xt_hashlimit_htable *ht,
const struct dsthash_ent *he)
{
return 1;
return true;
}
static bool select_gc(const struct xt_hashlimit_htable *ht,
@ -1266,7 +1266,6 @@ static int dl_proc_open(struct inode *inode, struct file *file)
}
static const struct file_operations dl_file_ops_v2 = {
.owner = THIS_MODULE,
.open = dl_proc_open_v2,
.read = seq_read,
.llseek = seq_lseek,
@ -1274,7 +1273,6 @@ static const struct file_operations dl_file_ops_v2 = {
};
static const struct file_operations dl_file_ops_v1 = {
.owner = THIS_MODULE,
.open = dl_proc_open_v1,
.read = seq_read,
.llseek = seq_lseek,
@ -1282,7 +1280,6 @@ static const struct file_operations dl_file_ops_v1 = {
};
static const struct file_operations dl_file_ops = {
.owner = THIS_MODULE,
.open = dl_proc_open,
.read = seq_read,
.llseek = seq_lseek,

2
net/netfilter/xt_ipcomp.c
View File

@ -58,7 +58,7 @@ static bool comp_mt(const struct sk_buff *skb, struct xt_action_param *par)
*/
pr_debug("Dropping evil IPComp tinygram.\n");
par->hotdrop = true;
return 0;
return false;
}
return spi_match(compinfo->spis[0], compinfo->spis[1],