[netfilter-cvslog] r3867 - in trunk/patch-o-matic-ng/ACCOUNT/linux:
include/linux/netfilter_ipv4 net/ipv4/netfilter
laforge at netfilter.org
laforge at netfilter.org
Fri Apr 15 17:56:22 CEST 2005
Author: laforge at netfilter.org
Date: 2005-04-15 17:56:21 +0200 (Fri, 15 Apr 2005)
New Revision: 3867
Modified:
trunk/patch-o-matic-ng/ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h
trunk/patch-o-matic-ng/ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c
Log:
patch to fix the ACCOUNT target for large networks. (Thomas Jarosch)
Modified: trunk/patch-o-matic-ng/ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h
===================================================================
--- trunk/patch-o-matic-ng/ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-04-15 09:39:55 UTC (rev 3866)
+++ trunk/patch-o-matic-ng/ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-04-15 15:56:21 UTC (rev 3867)
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2004 by Intra2net AG *
+ * Copyright (C) 2004-2005 by Intra2net AG *
* opensource at intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
Modified: trunk/patch-o-matic-ng/ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c
===================================================================
--- trunk/patch-o-matic-ng/ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2005-04-15 09:39:55 UTC (rev 3866)
+++ trunk/patch-o-matic-ng/ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2005-04-15 15:56:21 UTC (rev 3867)
@@ -3,7 +3,7 @@
* See http://www.intra2net.com/opensource/ipt_account *
* for further information *
* *
- * Copyright (C) 2004 by Intra2net AG *
+ * Copyright (C) 2004-2005 by Intra2net AG *
* opensource at intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -15,11 +15,12 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
-#include <linux/spinlock.h>
#include <net/icmp.h>
#include <net/udp.h>
#include <net/tcp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <asm/semaphore.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/string.h>
@@ -43,9 +44,9 @@
static void *ipt_acc_tmpbuf = NULL;
/* Spinlock used for manipulating the current accounting tables/data */
-static spinlock_t ipt_acc_lock = SPIN_LOCK_UNLOCKED;
-/* Spinlock used for manipulating userspace handles/snapshot data */
-static spinlock_t ipt_acc_userspace_lock = SPIN_LOCK_UNLOCKED;
+DECLARE_LOCK(ipt_acc_lock);
+/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
+static struct semaphore ipt_acc_userspace_mutex;
/* Recursive free of all data structures */
@@ -226,7 +227,7 @@
targinfosize, IPT_ALIGN(sizeof(struct ipt_acc_info)));
}
- spin_lock_bh(&ipt_acc_lock);
+ LOCK_BH(&ipt_acc_lock);
DEBUGP("ACCOUNT: ipt_acc_deleteentry called for table: %s (#%d)\n",
info->table_name, info->table_nr);
@@ -252,14 +253,14 @@
sizeof(struct ipt_acc_table));
}
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
return;
}
}
/* Table not found */
printk("ACCOUNT: Table %s not found for destroy\n", info->table_name);
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
}
static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
@@ -443,7 +444,7 @@
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
return IPT_CONTINUE;
}
@@ -454,7 +455,7 @@
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
return IPT_CONTINUE;
}
@@ -465,7 +466,7 @@
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
return IPT_CONTINUE;
}
@@ -473,7 +474,7 @@
"Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
- spin_unlock_bh(&ipt_acc_lock);
+ UNLOCK_BH(&ipt_acc_lock);
return IPT_CONTINUE;
}
@@ -678,23 +679,24 @@
}
/* Fill up handle structure */
- ipt_acc_handles[handle].ip = ipt_acc_tables[table_nr].ip;
- ipt_acc_handles[handle].depth = ipt_acc_tables[table_nr].depth;
- ipt_acc_handles[handle].itemcount = ipt_acc_tables[table_nr].itemcount;
- ipt_acc_handles[handle].data = ipt_acc_tables[table_nr].data;
+ dest->ip = ipt_acc_tables[table_nr].ip;
+ dest->depth = ipt_acc_tables[table_nr].depth;
+ dest->itemcount = ipt_acc_tables[table_nr].itemcount;
+ dest->data = ipt_acc_tables[table_nr].data;
*count = ipt_acc_tables[table_nr].itemcount;
/* "Flush" table data */
ipt_acc_tables[table_nr].data = new_data_page;
ipt_acc_tables[table_nr].itemcount = 0;
- return handle;
+ return 0;
}
/* Copy 8 bit network data into a prepared buffer.
We only copy entries != 0 to increase performance.
*/
-static int ipt_acc_handle_copy_data(void *to_user, int *pos,
+static int ipt_acc_handle_copy_data(void *to_user, u_int32_t *to_user_pos,
+ u_int32_t *tmpbuf_pos,
struct ipt_acc_mask_24 *data,
u_int32_t net_ip, u_int32_t net_OR_mask)
{
@@ -712,13 +714,15 @@
handle_ip.dst_bytes = data->ip[i].dst_bytes;
/* Temporary buffer full? Flush to userspace */
- if (*pos+handle_ip_size >= PAGE_SIZE) {
- *pos = 0;
- if (copy_to_user(to_user, ipt_acc_tmpbuf, *pos))
+ if (*tmpbuf_pos+handle_ip_size >= PAGE_SIZE) {
+ if (copy_to_user(to_user + *to_user_pos, ipt_acc_tmpbuf,
+ *tmpbuf_pos))
return -EFAULT;
+ *to_user_pos = *to_user_pos + *tmpbuf_pos;
+ *tmpbuf_pos = 0;
}
- memcpy(ipt_acc_tmpbuf+*pos, &handle_ip, handle_ip_size);
- *pos += handle_ip_size;
+ memcpy(ipt_acc_tmpbuf+*tmpbuf_pos, &handle_ip, handle_ip_size);
+ *tmpbuf_pos += handle_ip_size;
}
}
@@ -731,7 +735,7 @@
*/
static int ipt_acc_handle_get_data(u_int32_t handle, void *to_user)
{
- u_int32_t tmpbuf_pos=0, net_ip;
+ u_int32_t to_user_pos=0, tmpbuf_pos=0, net_ip;
unsigned char depth;
if (handle >= ACCOUNT_MAX_HANDLES) {
@@ -752,12 +756,13 @@
if (depth == 0) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)ipt_acc_handles[handle].data;
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos, network, net_ip, 0))
+ if (ipt_acc_handle_copy_data(to_user, &to_user_pos, &tmpbuf_pos,
+ network, net_ip, 0))
return -1;
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -772,15 +777,15 @@
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)network_16->mask_24[b];
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos, network,
- net_ip, (b << 16)))
+ if (ipt_acc_handle_copy_data(to_user, &to_user_pos,
+ &tmpbuf_pos, network, net_ip, (b << 16)))
return -1;
}
}
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -799,7 +804,8 @@
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)network_16->mask_24[b];
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos,
+ if (ipt_acc_handle_copy_data(to_user,
+ &to_user_pos, &tmpbuf_pos,
network, net_ip, (a << 8) | (b << 16)))
return -1;
}
@@ -809,7 +815,7 @@
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -842,16 +848,16 @@
break;
}
- spin_lock_bh(&ipt_acc_userspace_lock);
+ down(&ipt_acc_userspace_mutex);
ret = ipt_acc_handle_free(handle.handle_nr);
- spin_unlock_bh(&ipt_acc_userspace_lock);
+ up(&ipt_acc_userspace_mutex);
break;
case IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL: {
u_int32_t i;
- spin_lock_bh(&ipt_acc_userspace_lock);
+ down(&ipt_acc_userspace_mutex);
for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
ipt_acc_handle_free(i);
- spin_unlock_bh(&ipt_acc_userspace_lock);
+ up(&ipt_acc_userspace_mutex);
ret = 0;
break;
}
@@ -938,9 +944,9 @@
break;
}
- spin_lock_bh(&ipt_acc_userspace_lock);
+ down(&ipt_acc_userspace_mutex);
ret = ipt_acc_handle_get_data(handle.handle_nr, user);
- spin_unlock_bh(&ipt_acc_userspace_lock);
+ up(&ipt_acc_userspace_mutex);
if (ret) {
printk("ACCOUNT: ipt_acc_get_ctl: ipt_acc_handle_get_data"
" failed for handle %u\n", handle.handle_nr);
@@ -960,11 +966,11 @@
/* Find out how many handles are in use */
handle.itemcount = 0;
- spin_lock_bh(&ipt_acc_userspace_lock);
+ down(&ipt_acc_userspace_mutex);
for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
if (ipt_acc_handles[i].data)
handle.itemcount++;
- spin_unlock_bh(&ipt_acc_userspace_lock);
+ up(&ipt_acc_userspace_mutex);
if (copy_to_user(user, &handle,
sizeof(struct ipt_acc_handle_sockopt))) {
@@ -987,32 +993,31 @@
}
size += 1; /* Terminating NULL character */
- if (*len < size) {
- spin_unlock_bh(&ipt_acc_lock);
- printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %u)"
- " to store table names\n", *len, size);
+ if (*len < size || size > PAGE_SIZE) {
+ UNLOCK_BH(&ipt_acc_lock);
+ printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %u < %lu)"
+ " to store table names\n", *len, size, PAGE_SIZE);
ret = -ENOMEM;
break;
}
/* Copy table names to userspace */
- tnames = user;
+ tnames = ipt_acc_tmpbuf;
for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
if (ipt_acc_tables[i].name[0] != 0) {
- int len = strlen (ipt_acc_tables[i].name) + 1;
- /* copy string + terminating zero */
- if (copy_to_user(tnames, ipt_acc_tables[i].name, len)) {
- spin_unlock_bh(&ipt_acc_lock);
- return -EFAULT;
- }
- tnames += len;
+ name_len = strlen (ipt_acc_tables[i].name) + 1;
+ memcpy(tnames, ipt_acc_tables[i].name, name_len);
+ tnames += name_len;
}
}
- /* Append terminating zero */
- i = 0;
- ret = copy_to_user(tnames, &i, 1);
- spin_unlock_bh(&ipt_acc_lock);
- if (ret)
+ UNLOCK_BH(&ipt_acc_lock);
+
+ /* Terminating NULL character */
+ *tnames = 0;
+
+ /* Transfer to userspace */
+ if (copy_to_user(user, ipt_acc_tmpbuf, size))
return -EFAULT;
+
ret = 0;
break;
}
More information about the netfilter-cvslog
mailing list