From yasuyuki.kozakai at toshiba.co.jp Fri Jun 1 02:32:34 2007
From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI)
Date: Fri Jun 1 03:36:04 2007
Subject: [PATCH] nf_ct_destroy for nf_conntrack_destroy callbacks
In-Reply-To:
References:
Message-ID: <200706010032.l510WZTm000963@toshiba.co.jp>

Hi,

From: "Mohammad Mohsenzadeh"
Date: Thu, 31 May 2007 10:36:39 -0400

> Hello,
> I made this patch to allow multiple modules to register for conntrack
> destroy callback. I was wondering what are your thoughts on this.
> Thanks

I have a plan to add it with ct_extend - which allocates extended area
in conntrack. Please see archives.

By the way,

> @@ -615,9 +615,7 @@
> INIT_LIST_HEAD(&bysource[i]);
> }
>
> - /* FIXME: Man, this is a hack. */
> - NF_CT_ASSERT(rcu_dereference(nf_conntrack_destroyed) == NULL);
> - rcu_assign_pointer(nf_conntrack_destroyed, nf_nat_cleanup_conntrack);
> + nf_ct_register_destroy_cb(&nf_nat_cleanup_conntrack);
>

The coding style is not aligned. Or did your tool mangle the white space?

> int
> +nf_ct_register_destroy_cb(void (*destroy)(struct nf_conn *ct))
> +{
> + struct nf_ct_destroy *entry;
> +
> + write_lock_bh (&nf_ct_destroy_lock);
> + list_for_each_entry (entry, &nf_ct_destroy_head, list) {
> + if (entry->destroy == destroy) {
> + write_unlock_bh (&nf_ct_destroy_lock);
> + return -EINVAL;
> + }
> + }
> +
> + entry = kmalloc (sizeof (struct nf_ct_destroy), GFP_ATOMIC);
> + if (!entry) {
> + write_unlock_bh (&nf_ct_destroy_lock);
> + return -ENOMEM;
> + }
> +
> + entry->destroy = destroy;
> + list_add (&entry->list, &nf_ct_destroy_head);
> + write_unlock_bh (&nf_ct_destroy_lock);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nf_ct_register_destroy_cb);

You can replace lock with RCU.

--
Yasuyuki Kozakai

From henrik at henriknordstrom.net Fri Jun 1 04:36:16 2007
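Review bot: in the nf_ct_register_destroy_cb hunk, the kmalloc(..., GFP_ATOMIC) runs with nf_ct_destroy_lock held under write_lock_bh, so a registration that happens at module init in process context is forced into an atomic allocation; allocate the entry with GFP_KERNEL before taking the lock, do the duplicate walk under the lock, and kfree the entry on the -EINVAL path. The quoted part also shows no matching unregister function; without one a module that registers and is later unloaded leaves a dangling entry->destroy pointer on nf_ct_destroy_head, so the companion function belongs in the same patch.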
From: henrik at henriknordstrom.net (Henrik Nordstrom)
Date: Fri Jun 1 05:39:39 2007
Subject: How to pass arguments to a kernel module
In-Reply-To: <70309fc20705302111w41c08d91u6c62185d204d41ba@mail.gmail.com>
References: <70309fc20705302111w41c08d91u6c62185d204d41ba@mail.gmail.com>
Message-ID: <1180665376.21871.10.camel@henriknordstrom.net>

On Wed 2007-05-30 at 21:11 -0700, Tharanga Abeyseela wrote:
> Dear all,
>
> I have implemented a small firewall on linux as a kernel module (.ko)
> (using victor castros tutorial on netfilter programming) . and now i
> need to pass arguments such as source ip, dst ip, port..etc..from a
> remote machine to my firewall module. basically .ko module should
> accept that parameters and block the specific traffic. without
> unloading the kernel module how should i insert my firewall rules to
> kernel module.
> can someone give me a sample code for that.

You would preferably use a netlink socket. Used quite a lot by the
netfilter modules, and there is a whole framework in netfilter for
netlink, nfnetlink. Might be of use for you.

http://www.netfilter.org/projects/libnfnetlink/index.html

Not sure if there is any documentation on how to add new nfnetlink
subsystems other than the code.

For general information about Netlink see

http://linux-net.osdl.org/index.php/Generic_Netlink_HOWTO
http://www.linuxjournal.com/article/7356

Regards
Henrik

From eric at inl.fr Fri Jun 1 16:17:13 2007
From: eric at inl.fr (Eric Leblond)
Date: Fri Jun 1 17:20:41 2007
Subject: Bug in conntrack -U
Message-ID: <1180707433.4733.7.camel@ghlodit.inl.fr>

Hi,

I've found a problem with conntrack-tools. Running:

conntrack -U -m 20 -s 192.168.50.140 -d 192.168.50.129 -p tcp --orig-port-src 43515 --orig-port-dst 22

returns

Operation failed: invalid parameters

Problem has been verified with kernel 2.6.20 and 2.6.17 with subversion
compiled libraries and conntrack-tools on 32bits and 64bits system. I
did not find the time to test it on latest kernel.

BR,
--
Eric Leblond
INL SARL

From kaber at trash.net Fri Jun 1 17:33:59 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 1 18:39:23 2007
Subject: [RFC][PATCH 0/7]: ct_extend
In-Reply-To: <200705310902.l4V9212d010654@toshiba.co.jp>
References: <200705071200.l47C0UoM006287@toshiba.co.jp> <465E5159.4050604@trash.net> <200705310902.l4V9212d010654@toshiba.co.jp>
Message-ID: <46603C67.4070201@trash.net>

Yasuyuki KOZAKAI wrote:
> I've revisited the issue of competition between NAT referring
> extension area for NAT and nfctnetlink trying to assign helper (which might
> result in reallocating extension area for NAT).
>
> And I've found that the current nfctnetlink has similar but different
> problem. It is possible to change helper information while helper referring
> them.
>
> After all, if we don't want to introduce rwlock for such competition,
> we'd better to limit nfctnetlink so that it doesn't assign, change, or
> remove helper of confirmed conntrack.
>
> If people agree to remove ctnetlink_change_helper(), I'll submit the latest
> patchset of ct_extend.

I don't think we can do that, it has been part of the ABI since the
beginning I think and we might need it for userspace helpers.

How about grabbing nf_conntrack_lock and replacing the entire conntrack
structure in this case?

From kaber at trash.net Fri Jun 1 17:38:22 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 1 18:43:47 2007
Subject: H.323 behavior
In-Reply-To:
References: <925A849792280C4E80C5461017A4B8A210B7F8@mail733.InfraSupportEtc.com> <465E506D.6060008@trash.net>
Message-ID: <46603D6E.9040606@trash.net>

Jing Min Zhao wrote:
>
>> It would probably make sense to destroy the connection when we seen
>> a CloseLogicalChannel or CloseLogicalChannelAck message to deal with
>> this kind of problem.
>>
>
> Sometimes when people change codec, for example, from voice to T.38 fax,
> they also close channels and open channels, but the H.245 connection
> doesn't disconnect. So better to wait for the connection disconnect
> itself or at least disconnect upon EndSessionCommand.

CloseLogicalChannel might not be the right message (it's been a while
since I last did something with H.323), but at least when we know for
sure the connection is closed we could kill it instead of waiting for
the timeout.

From kaber at trash.net Fri Jun 1 17:41:31 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 1 18:46:51 2007
Subject: change in behavior of OUTPUT chain rule in 2.6.19
In-Reply-To: <13313.1180642185@mdt.dhcp.pit.laurelnetworks.com>
References: <13313.1180642185@mdt.dhcp.pit.laurelnetworks.com>
Message-ID: <46603E2B.8080503@trash.net>

Mike Accetta wrote:
> Jan Engelhardt writes:
>
>>On Dec 14 2006 13:30, Mike Accetta wrote:
>>
>>>Between 2.6.18 and 2.6.19 (and 2.6.19.1) we've observed that a reject rule
>>>on the OUTPUT chain no longer causes a connection attempt to abort immediately
>>>with "Connection refused". As a specific example, this rule
>>>
>>>iptables -A OUTPUT -p tcp --destination-port 23 \
>>>--destination 10.0.20.1 -j REJECT --reject-with tcp-reset
>>
>>I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
>
>
> This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.

The patch was also sent to -stable, I think it's in 2.6.19.3.

From azez at ufomechanic.net Fri Jun 1 18:25:42 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jun 1 19:29:11 2007
Subject: [PATCH] add direction match to conntrack match
Message-ID: <46604886.4080400@ufomechanic.net>

This adds the virtual states ORIGINAL and REPLY to the conntrack match,
making it possible to tell if the packet being compared is part of the
original flow or the reply flow.

e.g.

iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY

The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
enough.

Signed-off-by: Sam Liddicott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ctstate-dir.patch
Type: text/x-patch
Size: 2344 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/b0517ddf/ctstate-dir.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ctstate-kernel.patch
Type: text/x-patch
Size: 1756 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/b0517ddf/ctstate-kernel.bin

From kaber at trash.net Fri Jun 1 18:30:16 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 1 19:35:38 2007
Subject: [PATCH] add direction match to conntrack match
In-Reply-To: <46604886.4080400@ufomechanic.net>
References: <46604886.4080400@ufomechanic.net>
Message-ID: <46604998.3050602@trash.net>

Amin Azez wrote:
> This adds the virtual states ORIGINAL and REPLY to the conntrack match,
> making it possible to tell if the packet being compared is part of the
> original flow or the reply flow.
>
> e.g.
>
> iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY
>
> The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
> enough.

I've been using a similar patch at a previous job, I think it's quite
useful, so if you send me a patch for current -git I'll queue it
for 2.6.23.

>
> Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> ===================================================================
> --- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
> +++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> @@ -14,6 +14,9 @@
> #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
> #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
> #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
> +/* match on direction of packet */
> +#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
> +#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))

But I think you should use a regular flag for this. The
XT_CONNTRACK_STATE_SNAT are already a not so great idea
since the same information is in the status bits, which
can also be matched.

From azez at ufomechanic.net Fri Jun 1 18:47:07 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jun 1 19:50:46 2007
Subject: [PATCH] iptables gateway match
Message-ID: <46604D8B.7030507@ufomechanic.net>

This adds a gateway match to iptables that lets you match against the
routed ipv4 gateway, it's very useful for SNAT if you want to avoid
replicating your routing in your SNAT table.

e.g.

iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT --to-address 172.16.1.5
iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT --to-address 192.168.1.25

to help you choose the right SNAT address.

It works by comparing the to-be-matched gateway IP with the key in the
neighbor table of the next-hop (the key is the layer 3 address).

--gateway 1.2.3.4 only matches if the packet is destined to 1.2.3.4 as a
ROUTE, i.e. 1.2.3.4 is not also the target address.

--nexthop 1.2.3.4 matches if the next hop is specified as 1.2.3.4 either
as a gateway or as a final destination.

It can't do magic, and match on non-routed aliases of routers, it only
matches the targeted IP address from which the layer 2 address has been
(or will be) actually derived.

The .gateway-test doesn't work for me because I don't build into my
kernel source dir, but I tried to do it right for a public release.

Signed-off-by: Sam Liddicott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gateway.patch
Type: text/x-patch
Size: 4524 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/2f1612d8/gateway.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gateway-kernel.patch
Type: text/x-patch
Size: 4068 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070601/2f1612d8/gateway-kernel.bin

From kaber at trash.net Fri Jun 1 18:52:00 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 1 19:57:52 2007
Subject: [PATCH] iptables gateway match
In-Reply-To: <46604D8B.7030507@ufomechanic.net>
References: <46604D8B.7030507@ufomechanic.net>
Message-ID: <46604EB0.9080302@trash.net>

Amin Azez wrote:
> This adds a gateway match to iptables that lets you match against the
> routed ipv4 gateway, it's very useful for SNAT if you want to avoid
> replicating your routing in your SNAT table.
>
> e.g.
>
> iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT
> --to-address 172.16.1.5
> iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT
> --to-address 192.168.1.25

I'm wondering whether we really need a new match for this. It should
be possible to do the same using routing realms and the realm match.

From azez at ufomechanic.net Fri Jun 1 21:28:11 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jun 1 22:31:34 2007
Subject: [PATCH] add direction match to conntrack match
In-Reply-To: <46604998.3050602@trash.net>
References: <46604886.4080400@ufomechanic.net> <46604998.3050602@trash.net>
Message-ID: <4660734B.3090203@ufomechanic.net>

Patrick McHardy wrote:
> Amin Azez wrote:
>
>> This adds the virtual states ORIGINAL and REPLY to the conntrack match,
>> making it possible to tell if the packet being compared is part of the
>> original flow or the reply flow.
>>
>> e.g.
>>
>> iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY
>>
>> The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
>> enough.
>>
>
>
> I've been using a similar patch at a previous job, I think its quite
> useful, so if you send me a patch for current -git I'll queue it
> for 2.6.23.
>
>
>> Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
>> ===================================================================
>> --- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
>> +++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
>> @@ -14,6 +14,9 @@
>> #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
>> #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
>> #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
>> +/* match on direction of packet */
>> +#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
>> +#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
>>
>
>
> But I think use should use a regular flag for this. The
> XT_CONNTRACK_STATE_SNAT are already a not so great idea
> since the same information is in the status bits, which
> can also be matched.
>

The regular flags are declared as u_int8_t, and all 8 bits are already used.

This was the neatest way I could come up with without destroying
user-space compatibility.

Git will have to wait a week I'm afraid, but you'll get it ASAP.

Sam

From azez at ufomechanic.net Fri Jun 1 21:36:38 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jun 1 22:40:00 2007
Subject: [PATCH] iptables gateway match
In-Reply-To: <46604EB0.9080302@trash.net>
References: <46604D8B.7030507@ufomechanic.net> <46604EB0.9080302@trash.net>
Message-ID: <46607546.4050100@ufomechanic.net>

Patrick McHardy wrote:
> Amin Azez wrote:
>
>> This adds a gateway match to iptables that lets you match against the
>> routed ipv4 gateway, it's very useful for SNAT if you want to avoid
>> replicating your routing in your SNAT table.
>>
>> e.g.
>>
>> iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT
>> --to-address 172.16.1.5
>> iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT
>> --to-address 192.168.1.25
>>
>
>
> I'm wondering whether we really need a new match for this. It should
> be possible to do the same using routing realms and the realm match.
>

It's possible that it could be managed using realms, but THAT would be a
hack, and one very hard for rule generating systems to use, especially
if realms were already in use.

The match as used here is purely for ip<->ip routing compatibility, easy
auto generation of SNATing rules when the next hop router doesn't have a
reverse route.

It's also useful for collecting per-gateway statistics (esp. with load
balancing) and debugging complex routing.

It will also be useful to most people who won't or can't bend realms to
their will. I don't know if realms will help in the load balancing
routing case anyway.

Sam

From henrik at henriknordstrom.net Sat Jun 2 13:34:42 2007
From: henrik at henriknordstrom.net (Henrik Nordstrom)
Date: Sat Jun 2 14:38:25 2007
Subject: [PATCH] add direction match to conntrack match
In-Reply-To: <4660734B.3090203@ufomechanic.net>
References: <46604886.4080400@ufomechanic.net> <46604998.3050602@trash.net> <4660734B.3090203@ufomechanic.net>
Message-ID: <1180784082.27259.38.camel@henriknordstrom.net>

On Fri 2007-06-01 at 20:28 +0100, Amin Azez wrote:
> This was the neatest way I could come up with without destroying
> user-space compatability.

Another alternative is to create a new revision of the conntrack match
extending the flags fields to at least a 32-bit and I'd also propose
moving the NAT bits into the flags field. Requires a little more work,
but allows for a cleaner result..

See for example the MARK target for how to do this.

Regards
Henrik

From henrik at henriknordstrom.net Sat Jun 2 13:38:43 2007
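To make the bit layout argued over in this thread concrete, here is an added userspace model of how the conntrack match evaluates a --ctstate mask once the two direction bits from Amin's patch are in place. This is example code written for this page, not code from the patch, from iptables or from the kernel. It assumes the ip_conntrack_info values and the XT_CONNTRACK_STATE_* definitions of the 2.6.17-era header (reproduced as constants below), the any-listed-bit-set semantics of a --ctstate list, the eight IPT_CONNTRACK_* option flags that fill the u_int8_t flags field Amin mentions, and a constructed `struct pkt` standing in for what the kernel derives from the skb's conntrack reference.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Connection classification handed to the match (ip_conntrack_info); the
 * values follow the 2.6.17-era kernel enum and are an assumption here. */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0,
	IP_CT_RELATED     = 1,
	IP_CT_NEW         = 2,
	IP_CT_IS_REPLY    = 3,	/* added to the above for reply-direction packets */
	IP_CT_NUMBER      = IP_CT_IS_REPLY
};

/* State bits as in xt_conntrack.h: the real states occupy bits 1..3, bit 0
 * is INVALID, and the "virtual" states follow from IP_CT_NUMBER + 1 upward. */
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1u << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define XT_CONNTRACK_STATE_INVALID     (1u << 0)
#define XT_CONNTRACK_STATE_SNAT        (1u << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT        (1u << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED   (1u << (IP_CT_NUMBER + 3))
/* The two bits the patch in this thread adds. */
#define XT_CONNTRACK_STATE_ORIGINAL    (1u << (IP_CT_NUMBER + 4))
#define XT_CONNTRACK_STATE_REPLY       (1u << (IP_CT_NUMBER + 5))

/* The eight IPT_CONNTRACK_* option bits (STATE, PROTO, ORIGSRC, ORIGDST,
 * REPLSRC, REPLDST, STATUS, EXPIRES) of the u_int8_t flags field; assumed
 * values, included to show why the patch could not simply add a flag. */
#define CT_FLAG_ALL_USED (0x01 | 0x02 | 0x04 | 0x08 | 0x10 | 0x20 | 0x40 | 0x80)

/* Constructed stand-in for what the kernel derives from the skb: whether a
 * conntrack entry exists, its classification, and the NAT status bits. */
struct pkt {
	bool tracked;
	enum ip_conntrack_info ctinfo;	/* meaningful only if tracked */
	bool src_nat, dst_nat;		/* IPS_SRC_NAT / IPS_DST_NAT status */
};

/* Bits a packet satisfies; the direction bits are derived the way the
 * kernel's CTINFO2DIR does it: ctinfo >= IP_CT_IS_REPLY is reply direction. */
static uint32_t pkt_state_bits(const struct pkt *p)
{
	uint32_t bits = 0;

	if (!p->tracked)			/* no conntrack entry at all */
		return XT_CONNTRACK_STATE_INVALID;
	bits |= XT_CONNTRACK_STATE_BIT(p->ctinfo);
	if (p->src_nat)
		bits |= XT_CONNTRACK_STATE_SNAT;
	if (p->dst_nat)
		bits |= XT_CONNTRACK_STATE_DNAT;
	bits |= p->ctinfo >= IP_CT_IS_REPLY ? XT_CONNTRACK_STATE_REPLY
					    : XT_CONNTRACK_STATE_ORIGINAL;
	return bits;
}

/* --ctstate A,B,... matches when any listed bit is set on the packet. */
static bool ctstate_match(const struct pkt *p, uint32_t statemask)
{
	return (pkt_state_bits(p) & statemask) != 0;
}

/* Flag bits still free in the 8-bit field: none, as Amin's reply says. */
static unsigned int free_flag_bits(void)
{
	unsigned int n = 0, b;

	for (b = 0; b < 8; b++)
		if (!(CT_FLAG_ALL_USED & (1u << b)))
			n++;
	return n;
}

int main(void)
{
	/* Constructed packets: a reply in an established flow, the first
	 * packet of a new flow, and one without any conntrack entry. */
	const struct pkt reply = { true, IP_CT_ESTABLISHED + IP_CT_IS_REPLY, false, false };
	const struct pkt first = { true, IP_CT_NEW, false, false };
	const struct pkt none  = { false, IP_CT_ESTABLISHED, false, false };

	printf("reply pkt, --ctstate REPLY:        %d\n", ctstate_match(&reply, XT_CONNTRACK_STATE_REPLY));
	printf("reply pkt, --ctstate ORIGINAL:     %d\n", ctstate_match(&reply, XT_CONNTRACK_STATE_ORIGINAL));
	printf("new pkt,   --ctstate ORIGINAL:     %d\n", ctstate_match(&first, XT_CONNTRACK_STATE_ORIGINAL));
	/* any-bit semantics: NEW,REPLY is an OR, so the new packet matches via NEW */
	printf("new pkt,   --ctstate NEW,REPLY:    %d\n", ctstate_match(&first, XT_CONNTRACK_STATE_BIT(IP_CT_NEW) | XT_CONNTRACK_STATE_REPLY));
	printf("untracked, --ctstate INVALID:      %d\n", ctstate_match(&none, XT_CONNTRACK_STATE_INVALID));
	printf("free bits in u_int8_t flags field: %u\n", free_flag_bits());
	return 0;
}
```

Because a --ctstate list is evaluated as "any listed bit", putting direction into the state mask makes `--ctstate ESTABLISHED,REPLY` an OR rather than "established packets in the reply direction"; a packet in the original direction of an established flow still matches through the ESTABLISHED bit. That is the semantic cost of the virtual-state approach, and part of why a separate flag in a new match revision, as Patrick and Henrik suggest, composes more cleanly with the existing state list.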
From: henrik at henriknordstrom.net (Henrik Nordstrom)
Date: Sat Jun 2 14:42:09 2007
Subject: [PATCH] iptables gateway match
In-Reply-To: <46604D8B.7030507@ufomechanic.net>
References: <46604D8B.7030507@ufomechanic.net>
Message-ID: <1180784323.27259.42.camel@henriknordstrom.net>

On Fri 2007-06-01 at 17:47 +0100, Amin Azez wrote:
> This adds a gateway match to iptables that lets you match against the
> routed ipv4 gateway, it's very useful for SNAT if you want to avoid
> replicating your routing in your SNAT table.
>
> e.g.
>
> iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT
> --to-address 172.16.1.5
> iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT
> --to-address 192.168.1.25

Cool. Been needing something like this many times in complex
environments with multiple links needing NAT based on the link and not
source/destination.. Helps keeping NAT table nice and clean with a
direct mapping to the network infrastructure rather than addresses..

Regards
Henrik

From jengelh at linux01.gwdg.de Sat Jun 2 14:45:34 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 15:49:55 2007
Subject: change in behavior of OUTPUT chain rule in 2.6.19
In-Reply-To: <46603E2B.8080503@trash.net>
References: <13313.1180642185@mdt.dhcp.pit.laurelnetworks.com> <46603E2B.8080503@trash.net>
Message-ID:

On Jun 1 2007 17:41, Patrick McHardy wrote:
>>>>
>>>>iptables -A OUTPUT -p tcp --destination-port 23 \
>>>>--destination 10.0.20.1 -j REJECT --reject-with tcp-reset
>>>
>>>I cannot reproduce this with 2.6.20.2. Have you tried any newer kernel?
>>
>> This was filed as Bugzilla #7716 and fixed by Patrick McHardy in 2.6.20.
>
>The patch was also sent to -stable, I think its in 2.6.19.3.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=7716

Software error:

DBD::mysql::st execute failed: Unknown column 'products.classification_id' in 'where clause' [for Statement "SELECT products.name, classifications.name FROM products, classifications WHERE classifications.id = products.classification_id ORDER BY classifications.name"] at Bugzilla/DB.pm line 84
	Bugzilla::DB::SendSQL('SELECT products.name, classifications.name FROM products, cla...') called at globals.pl line 140
	main::GenerateVersionTable() called at globals.pl line 312
	main::GetVersionTable() called at /var/www/bugzilla.netfilter.org/htdocs/bugzilla/show_bug.cgi line 60

For help, please send mail to the webmaster (webmaster@netfilter.org), giving this error message and the time and date of the error.

Sat Jun 2 14:46:26 CEST 2007

Jan
--

From kaber at trash.net Sat Jun 2 14:54:23 2007
From: kaber at trash.net (Patrick McHardy) Date: Sat Jun 2 15:58:28 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <465CA950.403@trash.net> References: <46431C0D.5080507@trash.net> <464325EA.8040303@trash.net> <465CA950.403@trash.net> Message-ID: <4661687F.6040302@trash.net> Patrick McHardy wrote: > Jan Engelhardt wrote: > >>This is fixed in 2.6.21, thanks. > > > > Yes, the hashlimit compat issue is. But the underlying problem still > persists, I'll send you a patch for testing soon. Here it is, could you please test whether it fixes the crash by backing out the hashlimit compat patch and triggering the size error again? Thanks. -------------- next part -------------- [NETFILTER]: ip_tables: fix compat related crash check_compat_entry_size_and_hooks iterates over the matches and calls compat_check_calc_match, which loads the match and calculates the compat offsets, but unlike the non-compat version, doesn't call ->checkentry yet. On error however it calls cleanup_matches, which in turn calls ->destroy, which can result in crashes if the destroy function (validly) expects to only get called after the checkentry function. Add a compat_release_match function that only drops the module reference on error and rename compat_check_calc_match to compat_find_calc_match to reflect the fact that it doesn't call the checkentry function. Reported by Jan Engelhardt Signed-off-by: Patrick McHardy --- commit aea9d0eb2c80de9d31a9ecbcaf5e529b7503ea13 tree f014a00779dc3c3745e3294a393941ab91c3d37e parent e7d815ef75f70dcdf55001f1f88ae7ae8827a7ba author Patrick McHardy Sat, 02 Jun 2007 14:51:13 +0200 committer Patrick McHardy Sat, 02 Jun 2007 14:51:13 +0200 net/ipv4/netfilter/ip_tables.c | 22 ++++++++++++++++------ 1 files changed, 16 insertions(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index e3f83bf..8fde1d1 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c 
@@ -1425,7 +1425,7 @@ out: } static inline int -compat_check_calc_match(struct ipt_entry_match *m, +compat_find_calc_match(struct ipt_entry_match *m, const char *name, const struct ipt_ip *ip, unsigned int hookmask, @@ -1449,6 +1449,16 @@ compat_check_calc_match(struct ipt_entry_match *m, } static inline int +compat_release_match(struct ipt_entry_match *m, unsigned int *i) +{ + if (i && (*i)-- == 0) + return 1; + + module_put(m->u.kernel.match->me); + return 0; +} + +static inline int check_compat_entry_size_and_hooks(struct ipt_entry *e, struct xt_table_info *newinfo, unsigned int *size, @@ -1485,10 +1495,10 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, off = 0; entry_offset = (void *)e - (void *)base; j = 0; - ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip, + ret = IPT_MATCH_ITERATE(e, compat_find_calc_match, name, &e->ip, e->comefrom, &off, &j); if (ret != 0) - goto cleanup_matches; + goto release_matches; t = ipt_get_target(e); target = try_then_request_module(xt_find_target(AF_INET, @@ -1499,7 +1509,7 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", t->u.user.name); ret = target ? PTR_ERR(target) : -ENOENT; - goto cleanup_matches; + goto release_matches; } t->u.kernel.target = target; @@ -1526,8 +1536,8 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, out: module_put(t->u.kernel.target->me); -cleanup_matches: - IPT_MATCH_ITERATE(e, cleanup_match, &j); +release_matches: + IPT_MATCH_ITERATE(e, compat_release_match, &j); return ret; } From kaber at trash.net Sat Jun 2 14:55:16 2007 
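Review bot: compat_release_match deliberately does not call ->destroy, unlike cleanup_match, but nothing in the hunk says so; add a one-line comment above it (for example "checkentry has not run yet, so only drop the module reference, never call ->destroy") so the asymmetry is not mistaken for an omission and "fixed" later. The error paths in check_compat_entry_size_and_hooks are otherwise consistent after the rename: both gotos now reach release_matches, and out: still does module_put on the target before falling through to it.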
From: kaber at trash.net (Patrick McHardy)
Date: Sat Jun 2 15:59:17 2007
Subject: change in behavior of OUTPUT chain rule in 2.6.19
In-Reply-To:
References: <13313.1180642185@mdt.dhcp.pit.laurelnetworks.com> <46603E2B.8080503@trash.net>
Message-ID: <466168B4.7020103@trash.net>

Jan Engelhardt wrote:
> https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=7716
>
> Software error:
>
> DBD::mysql::st execute failed: Unknown column 'products.classification_id' in
> 'where clause' [for Statement "SELECT products.name, classifications.name FROM
> products, classifications WHERE classifications.id = products.classification_id
> ORDER BY classifications.name"] at Bugzilla/DB.pm line 84
> Bugzilla::DB::SendSQL('SELECT products.name, classifications.name FROM
> products, cla...') called at globals.pl line 140
> main::GenerateVersionTable() called at globals.pl line 312
> main::GetVersionTable() called at
> /var/www/bugzilla.netfilter.org/htdocs/bugzilla/show_bug.cgi line 60
>
> For help, please send mail to the webmaster (webmaster@netfilter.org), giving
> this error message and the time and date of the error.
>
> Sat Jun 2 14:46:26 CEST 2007

Well, gentoo is a pile of crap.

From jengelh at linux01.gwdg.de Sat Jun 2 15:29:33 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 16:34:33 2007
Subject: iptables throws unknown error - suspecting 32/64 compat issue
In-Reply-To: <4661687F.6040302@trash.net>
References: <46431C0D.5080507@trash.net> <464325EA.8040303@trash.net> <465CA950.403@trash.net> <4661687F.6040302@trash.net>
Message-ID:

On Jun 2 2007 14:54, Patrick McHardy wrote:
>>>This is fixed in 2.6.21, thanks.
>>
>> Yes, the hashlimit compat issue is. But the underlying problem still
>> persists, I'll send you a patch for testing soon.
>
>Here it is, could you please test whether it fixes the crash by
>backing out the hashlimit compat patch and triggering the size
>error again? Thanks.

Do you mean conntrack compat?
http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027763.html

Jan
--

From kaber at trash.net Sat Jun 2 15:53:07 2007
From: kaber at trash.net (Patrick McHardy)
Date: Sat Jun 2 16:57:08 2007
Subject: iptables throws unknown error - suspecting 32/64 compat issue
In-Reply-To:
References: <46431C0D.5080507@trash.net> <464325EA.8040303@trash.net> <465CA950.403@trash.net> <4661687F.6040302@trash.net>
Message-ID: <46617643.3090102@trash.net>

Jan Engelhardt wrote:
> On Jun 2 2007 14:54, Patrick McHardy wrote:
>
>>>>This is fixed in 2.6.21, thanks.
>>>
>>>Yes, the hashlimit compat issue is. But the underlying problem still
>>>persists, I'll send you a patch for testing soon.
>>
>>Here it is, could you please test whether it fixes the crash by
>>backing out the hashlimit compat patch and triggering the size
>>error again? Thanks.
>
>
> Do you mean conntrack compat?
> http://lists.netfilter.org/pipermail/netfilter-devel/2007-May/027763.html

Right, I confused them.

From jengelh at linux01.gwdg.de Sat Jun 2 16:25:18 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 17:30:17 2007
Subject: iptables throws unknown error - suspecting 32/64 compat issue
In-Reply-To: <4661687F.6040302@trash.net>
References: <46431C0D.5080507@trash.net> <464325EA.8040303@trash.net> <465CA950.403@trash.net> <4661687F.6040302@trash.net>
Message-ID:

On Jun 2 2007 14:54, Patrick McHardy wrote:
>Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>
>>>This is fixed in 2.6.21, thanks.
>>
>> Yes, the hashlimit compat issue is. But the underlying problem still
>> persists, I'll send you a patch for testing soon.
>
>Here it is, could you please test whether it fixes the crash by
>backing out the hashlimit compat patch and triggering the size
>error again? Thanks.

[connlimit compat]

Kernel built, rebooted, no panics or the like.
So to sum it up, hashlimit works, connlimit works. Seems all nice.

Thanks,
Jan
--

From kaber at trash.net Sat Jun 2 16:43:23 2007
From: kaber at trash.net (Patrick McHardy)
Date: Sat Jun 2 17:47:24 2007
Subject: iptables throws unknown error - suspecting 32/64 compat issue
In-Reply-To:
References: <46431C0D.5080507@trash.net> <464325EA.8040303@trash.net> <465CA950.403@trash.net> <4661687F.6040302@trash.net>
Message-ID: <4661820B.6030700@trash.net>

Jan Engelhardt wrote:
> On Jun 2 2007 14:54, Patrick McHardy wrote:
>
>>Here it is, could you please test whether it fixes the crash by
>>backing out the hashlimit compat patch and triggering the size
>>error again? Thanks.
>
> [connlimit compat]
>
> Kernel built, rebooted, no panics or the like.
> So to sum it up, hashlimit works, connlimit works. Seems all nice.

Thanks Jan. Will send upstream and to -stable soon.

From jengelh at linux01.gwdg.de Sat Jun 2 18:56:57 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sat Jun 2 20:01:11 2007 Subject: [PATCH] xt_gateway match (kernel) In-Reply-To: References: <46604D8B.7030507@ufomechanic.net> Message-ID: Originally from Amin Azez , http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/027954.html This adds a gateway match to iptables that lets you match against the routed ipv4 gateway, it's very useful for SNAT if you want to avoid replicating your routing in your SNAT table. e.g. iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 \ -j SNAT --to-address 172.16.1.5 iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 \ -j SNAT --to-address 192.168.1.25 to help you choose the right SNAT address. It works by comparing the to-be-matched gateway IP with the key in the neighbor table of the next-hop (the key is the layer 3 address). --gateway 1.2.3.4 only matches if the packet is destined to 1.2.3.4 as a ROUTE, i.e. 1.2.3.4 is not also the target address. --nexthop 1.2.3.4 matches if the next hop is specified as 1.2.3.4 either as a gateway or as a final destination. It cannot do magic, and match on non-routed aliases of routers, it only matches the targeted IP address from which the layer 2 address has been (or will be) actually derived. Signed-off-by: Jan Engelhardt [Posted to LKML/NF-DEV on 2007-06-02] --- include/linux/netfilter/xt_gateway.h | 13 +++++ net/netfilter/Kconfig | 9 +++ net/netfilter/Makefile | 1 net/netfilter/xt_gateway.c | 85 +++++++++++++++++++++++++++++++++++ 4 files changed, 108 insertions(+) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/xt_gateway.h =================================================================== --- /dev/null +++ linux-2.6.22-rc3-git6/include/linux/netfilter/xt_gateway.h 
@@ -0,0 +1,13 @@ +#ifndef _XT_GATEWAY_H +#define _XT_GATEWAY_H + +#define XT_GATEWAY_INV 0x1 /* Negate the condition */ +#define XT_GATEWAY_ROUTE 0x2 /* ...and the gateway is not the final hop */ + +struct xt_gateway_info { + /* Inclusive: network order. */ + uint32_t gateway; + uint8_t flags; +}; + +#endif /* _XT_GATEWAY_H */ Index: linux-2.6.22-rc3-git6/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc3-git6/net/netfilter/Kconfig @@ -468,6 +468,15 @@ config NETFILTER_XT_MATCH_ESP To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_GATEWAY + tristate '"gateway" match support' + depends on NETFILTER_XTABLES + ---help--- + This option makes possible to match the IP address of the + routed gateway for routed packets. + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_MATCH_HELPER tristate '"helper" match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc3-git6/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Makefile +++ linux-2.6.22-rc3-git6/net/netfilter/Makefile @@ -56,6 +56,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o +obj-$(CONFIG_NETFILTER_XT_MATCH_GATEWAY) += xt_gateway.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o Index: linux-2.6.22-rc3-git6/net/netfilter/xt_gateway.c =================================================================== --- /dev/null +++ linux-2.6.22-rc3-git6/net/netfilter/xt_gateway.c 
@@ -0,0 +1,85 @@ +/* + * netfilter module to match nexthop router by IP address + * (C) 2007 UFO Mechanic + * ? Jan Engelhardt , 2007 + * to save time and bugs, based on ip_range by + * (C) 2003 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#include +#include +#include +#include +#include +#include +#include +#include + +static int xt_gateway_match1(const struct sk_buff *skb, + const struct xt_gateway_info *info) +{ + const struct iphdr *iph; + const struct dst_entry *dst; + const struct neighbour *neigh; + const struct neigh_table *tbl; + + if (skb == NULL) /* necessary? */ + return false; + if ((dst = skb->dst) == NULL) + return false; + if ((neigh = dst->neighbour) == NULL) + return false; + if ((tbl = neigh->tbl) == NULL) + return false; + if (tbl->family != AF_INET) + return false; + if (memcmp(&info->gateway, &neigh->primary_key, tbl->key_len) != 0) + return false; + if (info->flags & XT_GATEWAY_ROUTE) + return true; + iph = ip_hdr(skb); + if (iph->daddr == info->gateway) + return true; + + return false; +} + +static int xt_gateway_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, int *hotdrop) +{ + const struct xt_gateway_info *info = matchinfo; + return !!(info->flags & XT_GATEWAY_INV) ^ + xt_gateway_match1(skb, info); +} + +static struct xt_match xt_gateway_reg = { + .name = "gateway", + .family = AF_INET, + .match = xt_gateway_match, + .matchsize = sizeof(struct xt_gateway_info), + .me = THIS_MODULE +}; + +static int __init xt_gateway_init(void) +{ + return xt_register_match(&xt_gateway_reg); +} + +static void __exit xt_gateway_exit(void) +{ + xt_unregister_match(&xt_gateway_reg); + return; +} + +module_init(xt_gateway_init); 
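Review bot: the XT_GATEWAY_ROUTE handling in xt_gateway_match1() is inverted relative to the header comment ("...and the gateway is not the final hop") and to the --gateway/--nexthop description in the commit message. After the neighbour key matches, the function returns true immediately when XT_GATEWAY_ROUTE is set and otherwise only when `iph->daddr == info->gateway`. Since libipt_gateway.c sets the flag for --gateway and clears it for --nexthop, --gateway matches everything routed via the gateway, packets addressed to it included, while --nexthop matches only packets addressed to the gateway directly. That is exactly the +1/+1 and +1/+0 counter result reported in the test mail in this thread, where the documented semantics predict +0/+1 and +1/+1. Suggested replacement for the last five lines of the function: `if (!(info->flags & XT_GATEWAY_ROUTE)) return true;` then `iph = ip_hdr(skb); return iph->daddr != info->gateway;`. Two smaller points: the `if (skb == NULL)` test is unnecessary, xtables never invokes a match without an skb; and the module needs `MODULE_ALIAS("ipt_gateway")` for autoloading, as the (kernel,2) follow-up notes. The `memcmp(&info->gateway, &neigh->primary_key, tbl->key_len)` is fine because `tbl->family == AF_INET` has already been checked, so key_len is 4.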
+module_exit(xt_gateway_exit); +MODULE_AUTHOR("Sam Liddicott "); +MODULE_DESCRIPTION("netfilter nexthop gateway match module"); +MODULE_LICENSE("GPL"); From jengelh at linux01.gwdg.de Sat Jun 2 18:57:14 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sat Jun 2 20:01:30 2007 Subject: [PATCH] xt_gateway match (iptables) In-Reply-To: References: <46604D8B.7030507@ufomechanic.net> Message-ID: --- extensions/.gateway-test | 3 extensions/libipt_gateway.c | 157 ++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_gateway.man | 9 ++ 3 files changed, 169 insertions(+) Index: iptables/extensions/.gateway-test =================================================================== --- /dev/null +++ iptables/extensions/.gateway-test @@ -0,0 +1,3 @@ +#!/bin/sh +# True if gateway match patch is applied. +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_gateway.h" ] && echo gateway Index: iptables/extensions/libipt_gateway.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_gateway.c 
@@ -0,0 +1,157 @@ +/* + * Shared library add-on to iptables to add gateway IP address matching support. + * Based on iprange + * (C) UFO Mechanic + * ? Jan Engelhardt , 2007 + */ +#include +#include +#include +#include +#include + +#include +#include + +/* Function which prints out usage message. */ +static void help(void) +{ + printf( +"gateway match v%s options:\n" +"[!] --gateway ip Match IP address of routed gateway\n" +"[!] --nexthop ip Match IP address of next hop\n" +"\n", +IPTABLES_VERSION); +} + +static struct option opts[] = { + {"gateway", 1, NULL, '1'}, + {"nexthop", 1, NULL, '2'}, + {NULL}, +}; + +/* + * Function which parses command options; + * returns true if it ate an option. + */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_gateway_info *info = (void *)(*match)->data; + struct in_addr *ip; + + switch (c) { + case '1': + if (*flags) + exit_error(PARAMETER_PROBLEM, "gateway match: You " + "cannot specify both \"--gateway\" and " + "\"--nexthop\""); + + check_inverse(optarg, &invert, &optind, 0); + if (invert) + info->flags |= XT_GATEWAY_INV; + + ip = dotted_to_addr(optarg); + if (!ip) + exit_error(PARAMETER_PROBLEM, "gateway match: Bad IP " + "address \"%s\"\n", optarg); + + info->gateway = ip->s_addr; + info->flags |= XT_GATEWAY_ROUTE; + *flags = 1; + break; + + case '2': + if (*flags) + exit_error(PARAMETER_PROBLEM, "gateway match: You " + "cannot specify both \"--gateway\" and " + "\"--nexthop\""); + + check_inverse(optarg, &invert, &optind, 0); + if (invert) + info->flags |= XT_GATEWAY_INV; + + ip = dotted_to_addr(optarg); + if (!ip) + exit_error(PARAMETER_PROBLEM, + "gateway match: Bad IP address `%s'\n", optarg); + + info->gateway = ip->s_addr; + info->flags &= XT_GATEWAY_ROUTE; + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +/* Final check; must have specified --gateway */ +static void 
final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, + "gateway match: You must specify `--gateway' " + "or `--nexthop'"); +} + +/* Prints out the info. */ +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, + int numeric) +{ + const struct xt_gateway_info *info = (const void *)match->data; + struct in_addr a; + + a.s_addr = info->gateway; + + if (info->flags & XT_GATEWAY_ROUTE) + printf("gateway "); + else + printf("nexthop "); + + if (info->flags & XT_GATEWAY_INV) + printf("! "); + + printf("%s", addr_to_dotted(&a)); +} + +/* Saves the union ipt_info in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct xt_gateway_info *info = (const void *)match->data; + struct in_addr a; + + a.s_addr = info->gateway; + + if (info->flags & XT_GATEWAY_INV) + printf("! "); + + if (info->flags & XT_GATEWAY_ROUTE) + printf("--gateway "); + else + printf("--nexthop "); + + printf("%s ", addr_to_dotted(&a)); +} + +static struct iptables_match gateway = { + .next = NULL, + .name = "gateway", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_gateway_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_gateway_info)), + .help = &help, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts +}; + +static __attribute__((constructor)) void libipt_gateway_init(void) +{ + register_match(&gateway); +} Index: iptables/extensions/libipt_gateway.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_gateway.man 
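Review bot: in parse(), case '2' (--nexthop), `info->flags &= XT_GATEWAY_ROUTE;` is wrong: it keeps only the ROUTE bit, so the XT_GATEWAY_INV bit set two lines earlier by the `if (invert)` branch is discarded and `! --nexthop` silently becomes `--nexthop`. The intent is to clear the ROUTE bit, i.e. `info->flags &= ~XT_GATEWAY_ROUTE;` (and since `*flags` guarantees only one option is ever parsed and the matchinfo starts zeroed, simply not touching it would do). Minor: print() emits "gateway ! 1.2.3.4" while save() emits "! --gateway 1.2.3.4"; the `!` should precede the keyword in both, as other matches do.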
@@ -0,0 +1,9 @@ +This matches the gateway by IP address on routed packets. +It does not mach packets that are not routed, or which +are directly addresses to the gateway. +.TP +.BI "[!]" "--gateway " "ip" +Check that the packet is routed to a gateway with the specified ip address. +.BI "[!]" "--nexthop " "ip" +Check if the packet is being directed to the specified ip address +either directly or as a route. From jengelh at linux01.gwdg.de Sat Jun 2 18:56:15 2007 
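Review bot: libipt_gateway.man has two typos in the first paragraph, "mach" for "match" and "directly addresses" for "directly addressed", and the `--nexthop` entry lacks the `.TP` that precedes `--gateway`, so it renders as a continuation of the previous paragraph instead of as a separate option.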
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 20:05:02 2007
Subject: [PATCH] xt_gateway match
In-Reply-To: <46604D8B.7030507@ufomechanic.net>
References: <46604D8B.7030507@ufomechanic.net>
Message-ID:

On Jun 1 2007 17:47, Amin Azez wrote:
>
> This adds a gateway match to iptables that lets you match against the
> routed ipv4 gateway, it's very useful for SNAT if you want to avoid
> replicating your routing in your SNAT table.
>
> e.g.
>
> iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 -j SNAT
> --to-address 172.16.1.5
> iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 -j SNAT
> --to-address 192.168.1.25
>
> The .gateway-test doesn't work for me because I don't build into my
> kernel source dir, but I tried to do it right for a public release.

(Neither do I, just run `KERNEL_DIR=/ws/linux-2.6.22-rc3 make` in the
iptables directory.)

> + info->flags ^= info->flags & IPT_GATEWAY_ROUTE;

Stunning line.

So, I refreshed this to be xtables-style, xt_gateway. It builds cleanly,
but only done limited testing on it yet. Especially, I decoupled that
bigass return statement to make it easier to read. I hope I got all the
conditions right.

How things look:

  inet 192.168.222.36/24
  default gw 192.168.222.1

What I did:

  iptables -A OUTPUT -m gateway --gateway 192.168.222.1
  iptables -A OUTPUT -m gateway --nexthop 192.168.222.1

  ping -c1 192.168.222.1
  iptables -nvL
    +1 for the --gateway rule
    +1 for the --nexthop rule

  ping -c1 134.76.13.21
    +1 for the --gateway rule
    +0 for the --nexthop rule

Route to 134.76.13.21 is:
  (192.168.222.36) 192.168.222.1 10.10.96.1 134.76.63.254 134.76.13.21

Does xt_gateway still do the right thing? Please check, thanks!

(patches as a response to this mail, or svnized for now @
https://dev.computergmbh.de/svn/misc_kernel/xt_gateway/trunk/ )

Jan
--
From jengelh at linux01.gwdg.de Sat Jun 2 19:08:22 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 20:12:33 2007
Subject: [PATCH] xt_gateway match (kernel,2)
In-Reply-To:
References: <46604D8B.7030507@ufomechanic.net>
Message-ID:

On Jun 2 2007 18:56, Jan Engelhardt wrote:
> ---
>  include/linux/netfilter/xt_gateway.h | 13 +++++
>  net/netfilter/Kconfig | 9 +++
>  net/netfilter/Makefile | 1
>  net/netfilter/xt_gateway.c | 85 +++++++++++++++++++++++++++++++++++
>  4 files changed, 108 insertions(+)

A MODULE_ALIAS was missing, causing iptables/netfilter not to autoload
the module. SVN tree [1] updated (grab the refreshed patch from there,
not reposting for this minimal change).

Jan
--
[1] https://dev.computergmbh.de/svn/misc_kernel/xt_gateway/trunk/

From jengelh at linux01.gwdg.de Sat Jun 2 20:49:37 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jun 2 21:58:40 2007
Subject: How to match protocol 0
In-Reply-To: <20070430173654.GB6904@linuxace.com>
References: <20070428220206.GA26272@linuxace.com> <463524E7.60107@netfilter.org> <20070430171317.GA6904@linuxace.com> <20070430173654.GB6904@linuxace.com>
Message-ID:

Hello all,

regarding your questions in
http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
and the thread
http://lists.netfilter.org/pipermail/netfilter-devel/2007-April/027675.html

I think it's actually quite easy. How about:

  iptables -m u32 --u32 "8&0x0F00=0"

This takes bytes 8+4 of a packet (bytes 8,9,10,11), ANDs it with 0x0F00,
so as to get only byte 9 (which is the IPv4 field for the Layer4
protocol) and see if it is 0. (Yes, we would have to use a shift before
comparing, but since comparing for protocol zero, it does not matter.)

Ok, everyone got that? :)

Jan
--
From jengelh at linux01.gwdg.de Sat Jun 2 23:19:52 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jun 3 00:27:22 2007
Subject: How to match protocol 0
In-Reply-To:
References: <20070428220206.GA26272@linuxace.com> <463524E7.60107@netfilter.org> <20070430171317.GA6904@linuxace.com> <20070430173654.GB6904@linuxace.com>
Message-ID:

On Jun 2 2007 20:49, Jan Engelhardt wrote:
> Hello all,
>
>
> regarding your questions in
> http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
> and the thread
> http://lists.netfilter.org/pipermail/netfilter-devel/2007-April/027675.html
>
> I think it's actually quite easy. How about:
>
>   iptables -m u32 --u32 "8&0x0F00=0"

minor glitch, it should read:

for TCP (prot 6):
  iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00060000"

for UDP (prot 17):
  iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00110000"

for HBH (prot 0):
  iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00000000"

(Leading zeroes can be omitted of course.)

And, for example completeness, have some shift, TCP:
  iptables -m u32 --u32 "8 & 0xFF0000 >> 16 = 6"

Happy matching.

Jan
--
From jengelh at linux01.gwdg.de Sat Jun 2 23:46:46 2007
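The two "How to match protocol 0" mails above work through u32 expressions by hand. What follows is an added example, not code from the xt_u32 patch, from libipt_u32 or from Jan: a small user-space C model of the u32 location/value machine (number, &, <<, >>, @, =, ranges, commas, &&) evaluated over two constructed packets, an IPv4/TCP SYN to port 80 and an IPv4/ICMP echo reply (made up for this example, not captured traffic). It shows why "8&0x0F00=0" does not test the protocol field (with a zero header checksum it matches a TCP packet), that "8 & 0xFF0000 >> 16 = 6" does, and it goes beyond the thread's one-liners by also exercising the @ operator to step past a variable-length IP header and by failing closed on out-of-bounds and wrapped offsets, which is the property a kernel implementation of this language has to guarantee. The function and packet names (u32_match, u32_load, pkt_tcp, pkt_icmp) are this example's own.

```c
/* u32_eval.c: user-space model of the iptables "--u32" expression language
 * (added example, not the xt_u32 kernel module or libipt_u32 code).
 * tests := test | tests && test ; test := location = value ; value := range | value , range
 * range := number | number : number ; location := number | location (& | << | >> | @) number */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Big-endian 32-bit load at byte offset off; -1 if any of the 4 bytes lies outside len.
 * The check compares off with len - 4 so that the check itself cannot wrap. */
static int u32_load(const uint8_t *pkt, size_t len, uint32_t off, uint32_t *out)
{
    if (len < 4 || off > len - 4) return -1;
    *out = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
           ((uint32_t)pkt[off + 2] << 8) | pkt[off + 3];
    return 0;
}

static const char *ws(const char *s) { while (isspace((unsigned char)*s)) s++; return s; }

/* One number in strtoul base-0 syntax (decimal or 0x hex); returns 0 if no digits found. */
static int u32_num(const char **s, uint32_t *v)
{
    char *end;
    unsigned long n = strtoul(*s, &end, 0);
    if (end == *s) return 0;
    *v = (uint32_t)n;
    *s = end;
    return 1;
}

/* Evaluate expr against pkt: 1 = match, 0 = no match (also for any out-of-bounds or
 * wrapped offset, which the kernel match treats as "fail"), -1 = syntax error. */
int u32_match(const char *expr, const uint8_t *pkt, size_t len)
{
    const char *s = expr;
    for (;;) {
        uint32_t at = 0, pos, val, n, lo, hi;
        int hit = 0;
        /* location: a number, then operator/number pairs; @ rebases on the current value */
        if (!u32_num(&s, &pos)) return -1;
        if (u32_load(pkt, len, pos, &val)) return 0;
        for (;;) {
            s = ws(s);
            if (s[0] == '&' && s[1] != '&') {
                s++;
                if (!u32_num(&s, &n)) return -1;
                val &= n;
            } else if (s[0] == '<' && s[1] == '<') {
                s += 2;
                if (!u32_num(&s, &n)) return -1;
                val = n < 32 ? val << n : 0;          /* shifts >= 32 are undefined in C */
            } else if (s[0] == '>' && s[1] == '>') {
                s += 2;
                if (!u32_num(&s, &n)) return -1;
                val = n < 32 ? val >> n : 0;
            } else if (s[0] == '@') {
                s++;
                if (!u32_num(&s, &n)) return -1;
                if (val > UINT32_MAX - at || n > UINT32_MAX - at - val) return 0; /* would wrap */
                at += val;
                if (u32_load(pkt, len, at + n, &val)) return 0;
            } else break;
        }
        /* value: comma-separated numbers or lo:hi ranges; '=' is set membership */
        if (*s != '=') return -1;
        s++;
        for (;;) {
            if (!u32_num(&s, &lo)) return -1;
            hi = lo;
            s = ws(s);
            if (*s == ':') {
                s++;
                if (!u32_num(&s, &hi)) return -1;
                s = ws(s);
            }
            if (lo <= val && val <= hi) hit = 1;
            if (*s != ',') break;
            s++;
        }
        if (!hit) return 0;
        if (*s == '\0') return 1;
        if (s[0] != '&' || s[1] != '&') return -1;
        s += 2;
    }
}

/* Constructed sample packets (not captured traffic): an IPv4/TCP SYN 192.168.222.36:1024 ->
 * 134.76.13.21:80 with zero checksums, and an IPv4/ICMP echo reply from 192.168.222.1. */
static const uint8_t pkt_tcp[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x02,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0xde,0x24, 0x86,0x4c,0x0d,0x15,
    0x04,0x00,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };
static const uint8_t pkt_icmp[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x01,0xab,0xcd,
    0xc0,0xa8,0xde,0x01, 0xc0,0xa8,0xde,0x24, 0x00,0x00,0xff,0xfe, 0x00,0x01,0x00,0x01 };

int main(void)
{
    printf("%d\n", u32_match("8&0x0F00=0", pkt_tcp, sizeof pkt_tcp));            /* 1, but not a protocol test */
    printf("%d\n", u32_match("8 & 0xFF0000 >> 16 = 6", pkt_tcp, sizeof pkt_tcp)); /* 1: protocol 6 */
    return 0;
}
```

The "8&0x0F00=0" line matches the TCP packet because the mask selects the low nibble of byte 10, the first checksum byte, not the protocol byte; the corrected form from the follow-up mail masks byte 9. The @ test "0>>22&0x3C@0&0xFFFF=80" computes the IHL in bytes and rebases on it, so it finds the TCP destination port regardless of IP options, and "0>>22&0x3C@0xFFFFFFFF=0" returns 0 rather than reading somewhere behind the packet.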
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jun 3 00:51:03 2007
Subject: [PATCH 0/2] xt_u32 - match arbitrary bits and bytes of a packet
Message-ID:

Hello!

along comes xt_u32, a revamped ipt_u32,

* added ipv6 support since that seemed dead simple, given u32's task.
  I would have even liked to unlock u32 for _all_ protocols, but
  .family = AF_UNSPEC does not do the right thing right now, but that's
  not so much a showstopper. And arptables seems miles away from using
  iptables modules. So AF_INET and AF_INET6 it is for now.

* Reduced the buffer size to 17 KB. I think that is quite ok since
  I added an overflow check, SHOULD THERE BE ANY device with an
  MTU larger than our loopback masterpiece (16436 bytes).

  Are there such devices that support Megasuperjumboframes?

  The previous buffer size of 64 KB was probably the cutting edge,
  as a single IPv4 fragment/packet does not support more than that
  anyway.

Questions, comments, blame, praise, please. I'd like to get this merged
so I do not have to maintain it out-of-tree.

Jan
--
From jengelh at linux01.gwdg.de Sat Jun 2 23:50:18 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jun 3 00:54:37 2007
Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet
In-Reply-To:
References:
Message-ID:

Adds the U32 module that has been sitting in POM-NG for ages.
Additionally, more features:

along comes xt_u32, a revamped ipt_u32,

* added ipv6 support since that seemed dead simple, given u32's task.
  I would have even liked to unlock u32 for _all_ protocols, but
  .family = AF_UNSPEC does not do the right thing right now, but that's
  not so much a showstopper. And arptables seems miles away from using
  iptables modules. So AF_INET and AF_INET6 it is for now.

* Reduced the buffer size to 17 KB. I think that is quite ok since
  I added an overflow check, SHOULD THERE BE ANY device with an
  MTU larger than our loopback masterpiece (16436 bytes).

  Are there such devices that support Megasuperjumboframes?

  The previous buffer size of 64 KB was probably the cutting edge,
  as a single IPv4 fragment/packet does not support more than that
  anyway.

Signed-off-by: Jan Engelhardt

---
 include/linux/netfilter/xt_u32.h | 37 ++++++
 net/netfilter/Kconfig | 13 ++
 net/netfilter/Makefile | 1
 net/netfilter/xt_u32.c | 234 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 285 insertions(+)

Index: linux-2.6.22-rc3-git6/include/linux/netfilter/xt_u32.h
===================================================================
--- /dev/null
+++ linux-2.6.22-rc3-git6/include/linux/netfilter/xt_u32.h
@@ -0,0 +1,37 @@ +#ifndef _XT_U32_H +#define _XT_U32_H 1 + +enum xt_u32_ops { + XT_U32_AND, + XT_U32_LEFTSH, + XT_U32_RIGHTSH, + XT_U32_AT, +}; + +struct xt_u32_location_element { + uint32_t number; + uint8_t nextop; +}; + +struct xt_u32_value_element { + uint32_t min, max; +}; + +/* + * Any way to allow for an arbitrary number of elements? + * For now, I settle with a limit of 10 each. + */ +#define XT_U32_MAXSIZE 10 + +struct xt_u32_test { + struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; + struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; + uint8_t nnums, nvalues; +}; + +struct xt_u32 { + struct xt_u32_test tests[XT_U32_MAXSIZE+1]; + uint8_t ntests; +}; + +#endif /* _XT_U32_H */ Index: linux-2.6.22-rc3-git6/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc3-git6/net/netfilter/Kconfig @@ -644,6 +644,19 @@ config NETFILTER_XT_MATCH_TCPMSS To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_U32 + tristate '"u32" match support' + depends on NETFILTER_XTABLES + ---help--- + u32 allows you to extract quantities of up to 4 bytes from a packet, + AND them with specified masks, shift them by specified amounts and + test whether the results are in any of a set of specified ranges. + The specification of what to extract is general enough to skip over + headers with lengths stored in the packet, as in IP or TCP header + lengths. + + Details and examples are in the kernel module source. + config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) Index: linux-2.6.22-rc3-git6/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Makefile +++ linux-2.6.22-rc3-git6/net/netfilter/Makefile 
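Review bot: `ntests`, `nnums` and `nvalues` in xt_u32.h are `uint8_t` counts that arrive from user space, but nothing in the kernel side of this patch validates them against the `XT_U32_MAXSIZE+1` array sizes; the match loops `for (testind = 0; testind < data->ntests; ++testind)` and `for (i = 1; i < nnums; ++i)` index `tests[]`, `location[]` and `value[]` directly, so a crafted or buggy matchinfo with `ntests = 255` reads well past the end of `struct xt_u32`. libipt_u32.c enforces the limits, but the kernel cannot rely on the iptables binary being the only caller of setsockopt; add a `.checkentry` that rejects `ntests > XT_U32_MAXSIZE` and, for every test, `nnums == 0` (since `location[0]` is always read), `nnums > XT_U32_MAXSIZE` and `nvalues > XT_U32_MAXSIZE`. The "Any way to allow for an arbitrary number of elements?" question in the header is answered by a variable-length matchinfo, but that is a separate revision.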
@@ -73,4 +73,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTI obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o +obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o Index: linux-2.6.22-rc3-git6/net/netfilter/xt_u32.c =================================================================== --- /dev/null +++ linux-2.6.22-rc3-git6/net/netfilter/xt_u32.c 
@@ -0,0 +1,234 @@ +/* + * xt_u32 - kernel module to match u32 packet content + * + * Original author: Don Cohen + * ? Jan Engelhardt , 2007 + */ + +/* +U32 tests whether quantities of up to 4 bytes extracted from a packet +have specified values. The specification of what to extract is general +enough to find data at given offsets from tcp headers or payloads. + + --u32 tests + The argument amounts to a program in a small language described below. + tests := location = value | tests && location = value + value := range | value , range + range := number | number : number + a single number, n, is interpreted the same as n:n + n:m is interpreted as the range of numbers >=n and <=m + location := number | location operator number + operator := & | << | >> | @ + + The operators &, <<, >>, && mean the same as in c. The = is really a set + membership operator and the value syntax describes a set. The @ operator + is what allows moving to the next header and is described further below. + + *** Until I can find out how to avoid it, there are some artificial limits + on the size of the tests: + - no more than 10 ='s (and 9 &&'s) in the u32 argument + - no more than 10 ranges (and 9 commas) per value + - no more than 10 numbers (and 9 operators) per location + + To describe the meaning of location, imagine the following machine that + interprets it. There are three registers: + A is of type char*, initially the address of the IP header + B and C are unsigned 32 bit integers, initially zero + + The instructions are: + number B = number; + C = (*(A+B)<<24)+(*(A+B+1)<<16)+(*(A+B+2)<<8)+*(A+B+3) + &number C = C&number + <>number C = C>>number + @number A = A+C; then do the instruction number + Any access of memory outside [skb->head,skb->end] causes the match to fail. + Otherwise the result of the computation is the final value of C. + + Whitespace is allowed but not required in the tests. 
+ However the characters that do occur there are likely to require + shell quoting, so it's a good idea to enclose the arguments in quotes. + +Example: + match IP packets with total length >= 256 + The IP header contains a total length field in bytes 2-3. + --u32 "0&0xFFFF=0x100:0xFFFF" + read bytes 0-3 + AND that with FFFF (giving bytes 2-3), + and test whether that's in the range [0x100:0xFFFF] + +Example: (more realistic, hence more complicated) + match icmp packets with icmp type 0 + First test that it's an icmp packet, true iff byte 9 (protocol) = 1 + --u32 "6&0xFF=1 && ... + read bytes 6-9, use & to throw away bytes 6-8 and compare the result to 1 + Next test that it's not a fragment. + (If so it might be part of such a packet but we can't always tell.) + n.b. This test is generally needed if you want to match anything + beyond the IP header. + The last 6 bits of byte 6 and all of byte 7 are 0 iff this is a complete + packet (not a fragment). Alternatively, you can allow first fragments + by only testing the last 5 bits of byte 6. + ... 4&0x3FFF=0 && ... + Last test: the first byte past the IP header (the type) is 0 + This is where we have to use the @syntax. The length of the IP header + (IHL) in 32 bit words is stored in the right half of byte 0 of the + IP header itself. + ... 0>>22&0x3C@0>>24=0" + The first 0 means read bytes 0-3, + >>22 means shift that 22 bits to the right. Shifting 24 bits would give + the first byte, so only 22 bits is four times that plus a few more bits. + &3C then eliminates the two extra bits on the right and the first four + bits of the first byte. + For instance, if IHL=5 then the IP header is 20 (4 x 5) bytes long. + In this case bytes 0-1 are (in binary) xxxx0101 yyzzzzzz, + >>22 gives the 10 bit value xxxx0101yy and &3C gives 010100. + @ means to use this number as a new offset into the packet, and read + four bytes starting from there. This is the first 4 bytes of the icmp + payload, of which byte 0 is the icmp type. 
Therefore we simply shift + the value 24 to the right to throw out all but the first byte and compare + the result with 0. + +Example: + tcp payload bytes 8-12 is any of 1, 2, 5 or 8 + First we test that the packet is a tcp packet (similar to icmp). + --u32 "6&0xFF=6 && ... + Next, test that it's not a fragment (same as above). + ... 0>>22&0x3C@12>>26&0x3C@8=1,2,5,8" + 0>>22&3C as above computes the number of bytes in the IP header. + @ makes this the new offset into the packet, which is the start of the + tcp header. The length of the tcp header (again in 32 bit words) is + the left half of byte 12 of the tcp header. The 12>>26&3C + computes this length in bytes (similar to the IP header before). + @ makes this the new offset, which is the start of the tcp payload. + Finally 8 reads bytes 8-12 of the payload and = checks whether the + result is any of 1, 2, 5 or 8 +*/ + +#include +#include +#include +#include +#include +#include + +/* This is slow, but it's simple. --RR */ + +/* + * I think 17KB should suffice. The largest MTU I have + * seen so far is lo's, being 16436. 
-jengelh + */ +static char xt_u32_buffer[17*1024]; +static DEFINE_SPINLOCK(xt_u32_lock); + +static int xt_u32_match(const struct sk_buff *skb, const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, int *hotdrop) +{ + const struct xt_u32 *data = matchinfo; + const struct xt_u32_test *ct; + const unsigned char *base, *head; + int i, nnums, nvals, testind; + uint32_t pos, val, at; + + spin_lock_bh(&xt_u32_lock); + + head = skb_header_pointer(skb, 0, min(skb->len, + sizeof(xt_u32_buffer)), xt_u32_buffer); + if (head == NULL) { + *hotdrop = 1; + return false; + } + + base = head; + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + + at = 0; + pos = ct->location[0].number; + if (at + pos + 3 > skb->len || at + pos < 0) { + spin_unlock_bh(&xt_u32_lock); + return false; + } + + val = (base[pos] << 24) | (base[pos+1] << 16) | + (base[pos+2] << 8) | base[pos+3]; + nnums = ct->nnums; + + for (i = 1; i < nnums; ++i) { + uint32_t number = ct->location[i].number; + switch (ct->location[i].nextop) { + case XT_U32_AND: + val &= number; + break; + case XT_U32_LEFTSH: + val <<= number; + break; + case XT_U32_RIGHTSH: + val >>= number; + break; + case XT_U32_AT: + at += val; + pos = number; + if (at + pos + 3 > skb->len || at + pos < 0) { + spin_unlock_bh(&xt_u32_lock); + return 0; + } + + val = (base[at+pos] << 24) | + (base[at+pos+1] << 16) | + (base[at+pos+2] << 8) | base[at+pos+3]; + break; + } + } + + nvals = ct->nvalues; + for (i = 0; i < nvals; ++i) + if (ct->value[i].min <= val && val <= ct->value[i].max) + break; + + if (i >= ct->nvalues) { + spin_unlock_bh(&xt_u32_lock); + return false; + } + } + + spin_unlock_bh(&xt_u32_lock); + return 1; +} + +static struct xt_match xt_u32_reg[] = { + { + .name = "u32", + .family = AF_INET, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, + { + .name = "u32", + 
.family = AF_INET6, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, +}; + +static int __init xt_u32_init(void) +{ + return xt_register_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); +} + +static void __exit xt_u32_exit(void) +{ + xt_unregister_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); + return; +} + +module_init(xt_u32_init); +module_exit(xt_u32_exit); +MODULE_AUTHOR("Don Cohen "); +MODULE_DESCRIPTION("netfilter u32 match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_u32"); From jengelh at linux01.gwdg.de Sat Jun 2 23:51:20 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 00:55:57 2007 Subject: [PATCH 2/2] xt_u32 (iptables) - match arbitrary bits and bytes of a packet In-Reply-To: References: Message-ID: Signed-off-by: Jan Engelhardt --- extensions/.u32-test | 2 extensions/libipt_u32.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_u32.man | 8 + 3 files changed, 300 insertions(+) Index: iptables/extensions/.u32-test =================================================================== --- /dev/null +++ iptables/extensions/.u32-test @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_u32.h" ] && echo u32 Index: iptables/extensions/libipt_u32.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_u32.c 
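Review bot: xt_u32_match() in xt_u32.c returns on the `head == NULL` path with `xt_u32_lock` still held: `spin_lock_bh(&xt_u32_lock)` is taken before `skb_header_pointer()`, and the early `*hotdrop = 1; return false;` has no matching `spin_unlock_bh`, so the next u32 evaluation spins forever. Either add the unlock there or take the lock only once the copy has succeeded. Second, every bounds check is `at + pos + 3 > skb->len`, but when the copy path is taken only `min(skb->len, sizeof(xt_u32_buffer))` bytes were copied, so a packet longer than 17 KB lets `base[at+pos+3]` read past the end of `xt_u32_buffer`; check against the copied length instead. Third, `at + pos < 0` can never be true for `uint32_t` operands, and `at += val` with a packet-controlled `val` lets `at + pos + 3` wrap around to something below `skb->len`, so the `@` case needs an overflow-safe test such as `if (at > len || pos > len - at || len - at - pos < 4)`. Finally the function mixes `return false`, `return 0` and `return 1`; pick one.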
@@ -0,0 +1,290 @@ +/* Shared library add-on to iptables to add u32 matching, + * generalized matching on values found at packet offsets + * + * Detailed doc is in the kernel module source + * net/netfilter/xt_u32.c + * + * (C) 2002 by Don Cohen + * Released under the terms of GNU GPL v2 + */ +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +/* Function which prints out usage message. */ +static void help(void) +{ + printf( "u32 v%s options:\n" + " --u32 tests\n" + " tests := location = value | tests && location = value\n" + " value := range | value , range\n" + " range := number | number : number\n" + " location := number | location operator number\n" + " operator := & | << | >> | @\n", + IPTABLES_VERSION); +} + +/* defined in /usr/include/getopt.h maybe in man getopt */ +static struct option opts[] = { + {"u32", 1, NULL, '1'}, + {NULL}, +}; + +/* shared printing code */ +static void print_u32(const struct xt_u32 *data) +{ + const struct xt_u32_test *ct; + unsigned int testind, i; + + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + + if (testind > 0) + printf("&&"); + + printf("0x%x", ct->location[0].number); + for (i = 1; i < ct->nnums; ++i) { + switch (ct->location[i].nextop) { + case XT_U32_AND: + printf("&"); + break; + case XT_U32_LEFTSH: + printf("<<"); + break; + case XT_U32_RIGHTSH: + printf(">>"); + break; + case XT_U32_AT: + printf("@"); + break; + } + printf("0x%x", ct->location[i].number); + } + + printf("="); + for (i = 0; i < ct->nvalues; ++i) { + if (i > 0) + printf(","); + if (ct->value[i].min == ct->value[i].max) + printf("0x%x", ct->value[i].min); + else + printf("0x%x:0x%x", ct->value[i].min, + ct->value[i].max); + } + } + printf(" "); +} + +/* string_to_number is not quite what we need here ... 
*/ +uint32_t parse_number(char **s, int pos) +{ + uint32_t number; + char *end; + errno = 0; + + number = strtoul(*s, &end, 0); + if (end == *s) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected number", pos); + if (errno) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: error reading number", pos); + *s = end; + return number; +} + +/* Function which parses command options; returns true if it ate an option */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_u32 *data = (void *)(*match)->data; + char *arg = argv[optind-1]; /* the argument string */ + char *start = arg; + int state = 0, testind = 0, locind = 0, valind = 0; + + if (c != '1') + return 0; + + /* + * states: + * 0 = looking for numbers and operations, + * 1 = looking for ranges + */ + while (1) { + /* read next operand/number or range */ + while (isspace(*arg)) + ++arg; + + if (*arg == '\0') { + /* end of argument found */ + if (state == 0) + exit_error(PARAMETER_PROBLEM, + "u32: input ended in location spec"); + if (valind == 0) + exit_error(PARAMETER_PROBLEM, + "u32: test ended with no value spec"); + + data->tests[testind].nnums = locind; + data->tests[testind].nvalues = valind; + testind++; + data->ntests = testind; + + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", + arg - start); + return 1; + } + + if (state == 0) { + /* + * reading location: read a number if nothing read yet, + * otherwise either op number or = to end location spec + */ + if (*arg == '=') { + if (locind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: " + "location spec missing", + arg - start); + } else { + arg++; + state = 1; + } + } else { + if (locind != 0) { + /* need op before number */ + if (*arg == '&') { + data->tests[testind].location[locind].nextop = XT_U32_AND; + } else if (*arg == '<') { + arg++; + if (*arg != 
'<') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second < expected", arg - start); + data->tests[testind].location[locind].nextop = XT_U32_LEFTSH; + } else if (*arg == '>') { + arg++; + if (*arg != '>') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second > expected", arg - start); + data->tests[testind].location[locind].nextop = XT_U32_RIGHTSH; + } else if (*arg == '@') { + data->tests[testind].location[locind].nextop = XT_U32_AT; + } else { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: operator expected", arg - start); + } + ++arg; + } + /* now a number; string_to_number skips white space? */ + data->tests[testind].location[locind].number = + parse_number(&arg, arg - start); + locind++; + if (locind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many operators", arg - start); + } + } else { + /* + * state 1 - reading values: read a range if nothing + * read yet, otherwise either ,range or && to end + * test spec + */ + if (*arg == '&') { + arg++; + if (*arg != '&') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second & was expected", arg - start); + if (valind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: value spec missing", arg - start); + } else { + data->tests[testind].nnums = locind; + data->tests[testind].nvalues = valind; + ++testind; + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", arg - start); + ++arg; + state = 0; + locind = 0; + valind = 0; + } + } + else { /* read value range */ + if (valind) { /* need , before number */ + if (*arg != ',') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected , or &&", arg - start); + arg++; + } + data->tests[testind].value[valind].min = parse_number(&arg, arg - start); + + while (isspace(*arg)) + ++arg; + + if (*arg==':') { + arg++; + data->tests[testind].value[valind].max = + parse_number(&arg, arg-start); + } else { + data->tests[testind].value[valind].max = + 
data->tests[testind].value[valind].min; + } + + valind++; + if (valind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many ,'s", arg-start); + } + } + } +} + +/* Final check; must specify something. */ +static void final_check(unsigned int flags) +{ +} + +/* Prints out the matchinfo. */ +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, + int numeric) +{ + printf("u32 "); + print_u32((const void *)match->data); +} + +/* Saves the union ipt_matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + printf("--u32 "); + print_u32((const void *)match->data); +} + +struct iptables_match u32 = { + .next = NULL, + .name = "u32", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_u32)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_u32)), + .help = &help, + .parse = &parse, + .final_check = &final_check, + .print = &print, + .save = &save, + .extra_opts = opts, +}; + +static __attribute__((constructor)) void libipt_u32_init(void) +{ + register_match(&u32); +} Index: iptables/extensions/libipt_u32.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_u32.man @@ -0,0 +1,8 @@ +U32 allows you to extract quantities of up to 4 bytes from a packet, +AND them with specified masks, shift them by specified amounts and +test whether the results are in any of a set of specified ranges. +The specification of what to extract is general enough to skip over +headers with lengths stored in the packet, as in IP or TCP header +lengths. + +Details and examples are in the kernel module source. From dim at openvz.org Sun Jun 3 08:47:44 2007 
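Review bot: parse() in libipt_u32.c never sets `*flags` and final_check() is empty, so `-m u32` with no `--u32` argument is accepted and produces a matchinfo with `ntests == 0`, which the kernel loop treats as "match everything"; set `*flags = 1` in parse() and have final_check() call exit_error() when `!flags`. The `invert` parameter is ignored as well, so `! --u32 ...` is silently accepted as a positive match; since `struct xt_u32` has no invert flag, reject inversion with exit_error() for now. Minor: `parse_number()` and `struct iptables_match u32` are exported from the shared object and should be `static`, and the `arg - start` values passed to the `%d` formats are `ptrdiff_t` and want an `(int)` cast.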
From: dim at openvz.org (Dmitry Mishin) Date: Sun Jun 3 10:33:49 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <4661687F.6040302@trash.net> References: <465CA950.403@trash.net> <4661687F.6040302@trash.net> Message-ID: <200706031047.44848.dim@openvz.org> On Saturday 02 June 2007 16:54, Patrick McHardy wrote: > Patrick McHardy wrote: > > Jan Engelhardt wrote: > >>This is fixed in 2.6.21, thanks. > > > > Yes, the hashlimit compat issue is. But the underlying problem still > > persists, I'll send you a patch for testing soon. > > Here it is, could you please test whether it fixes the crash by > backing out the hashlimit compat patch and triggering the size > error again? Thanks. Patrick, it looks like translate_compat_table() should be fixed also. -- Thanks, Dmitry. From jengelh at linux01.gwdg.de Sun Jun 3 10:20:13 2007 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 11:25:20 2007 Subject: [PATCH 0/2] xt_u32 - match arbitrary bits and bytes of a packet In-Reply-To: <18087.1180847247@turing-police.cc.vt.edu> References: <18087.1180847247@turing-police.cc.vt.edu> Message-ID: On Jun 3 2007 01:07, Valdis.Kletnieks@vt.edu wrote: >On Sat, 02 Jun 2007 23:46:46 +0200, Jan Engelhardt said: > >> along comes xt_u32, a revamped ipt_u32, > >+1 for doing this - I've been dragging along a local ipt_u32 patch for a while, >and been wishing it had ipv6 support. > >> * Reduced the buffer size to 17 KB. I think that is quite ok since >> I added an overflow check, SHOULD THERE BE ANY device with an >> MTU larger than our loopback masterpiece (16436 bytes). >> >> Are there such devices that support Megasuperjumboframes? > >IP over Infiniband? I think those have some outrageous MTU? Personally, >I wouldn't need it for anything bigger than 9K ethernet jumbograms, but >that one's a decision for others. Can you find out? For such supersize packets, I'd like to switch to kmalloc/vmalloc rather than keeping a big buffer in the .bss. Jan -- From jengelh at linux01.gwdg.de Sun Jun 3 13:12:41 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 14:17:02 2007 Subject: [PATCH 0/2] xt_connlimit - connection limiting Message-ID: Hello! as with xt_u32, I would like to get xt_connlimit merged. Find patches as a reply to this mail. Runtime tested. Jan -- From jengelh at linux01.gwdg.de Sun Jun 3 13:12:55 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 14:17:15 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: Message-ID: Adds the connlimit match that has been in POM-NG for a long time. * works with 2.6.22, xtables'ified and all that * will request nf_conntrack_ipv4 upon load (otherwise it hotdrops every packet - a glitch that goes back to at least 2.6.20.2) 
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/nf_conntrack_common.h | 1 include/linux/netfilter/xt_connlimit.h | 14 + net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 5 net/netfilter/Kconfig | 7 net/netfilter/Makefile | 1 net/netfilter/xt_connlimit.c | 250 +++++++++++++++++++++++++ 6 files changed, 278 insertions(+) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/nf_conntrack_common.h =================================================================== --- linux-2.6.22-rc3-git6.orig/include/linux/netfilter/nf_conntrack_common.h +++ linux-2.6.22-rc3-git6/include/linux/netfilter/nf_conntrack_common.h @@ -164,6 +164,7 @@ struct ip_conntrack_stat /* call to create an explicit dependency on nf_conntrack. */ extern void need_conntrack(void); +extern void need_conntrack_ipv4(void); #endif /* __KERNEL__ */ Index: linux-2.6.22-rc3-git6/include/linux/netfilter/xt_connlimit.h =================================================================== --- /dev/null +++ linux-2.6.22-rc3-git6/include/linux/netfilter/xt_connlimit.h @@ -0,0 +1,14 @@ +#ifndef _XT_CONNLIMIT_H +#define _XT_CONNLIMIT_H + +struct xt_connlimit_data; + +struct xt_connlimit_info { + uint32_t mask; + unsigned int limit, inverse; + + /* this needs to be at the end */ + struct xt_connlimit_data *data; +}; + +#endif /* _XT_CONNLIMIT_H */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
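Review bot: xt_connlimit.h is shared with userspace, so `uint32_t mask` should be the kernel's exported `__u32` rather than a <stdint.h> type, and the comment on `struct xt_connlimit_data *data` should say why it has to be last: it is kernel-private state that must lie beyond the bytes userspace copies in, which is exactly what the iptables side's `.userspacesize = offsetof(struct xt_connlimit_info, data)` relies on. "this needs to be at the end" without that reason invites someone to reorder the fields.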
@@ -519,3 +519,8 @@ static void __exit nf_conntrack_l3proto_ module_init(nf_conntrack_l3proto_ipv4_init); module_exit(nf_conntrack_l3proto_ipv4_fini); + +void need_conntrack_ipv4(void) +{ +} +EXPORT_SYMBOL(need_conntrack_ipv4); Index: linux-2.6.22-rc3-git6/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc3-git6/net/netfilter/Kconfig @@ -411,6 +411,13 @@ config NETFILTER_XT_MATCH_CONNBYTES If you want to compile it as a module, say M here and read . If unsure, say `N'. +config NETFILTER_XT_MATCH_CONNLIMIT + tristate '"connlimit" match support"' + depends on NETFILTER_XTABLES && NF_CONNTRACK_IPV4 + ---help--- + This match allows you to match against the number of parallel TCP + connections to a server per client IP address (or address block). + config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc3-git6/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/Makefile +++ linux-2.6.22-rc3-git6/net/netfilter/Makefile @@ -51,6 +51,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSEC # matches obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o +obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connlimit.c =================================================================== --- /dev/null +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connlimit.c 
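Review bot: need_conntrack_ipv4() in nf_conntrack_l3proto_ipv4.c is an empty function exported only so that xt_connlimit gains a symbol dependency on nf_conntrack_ipv4. That gives a load-time module dependency rather than the runtime reference the match actually needs, and it costs a new extern in nf_conntrack_common.h; nf_ct_l3proto_try_module_get(AF_INET) in checkentry paired with nf_ct_l3proto_module_put(AF_INET) in destroy, as xt_state.c and xt_conntrack.c do (the reply further down makes the same suggestion), achieves the effect with existing infrastructure and no new export. The empty helper is also placed after module_init()/module_exit(), which is an odd spot for an exported function.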
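Review bot: the Kconfig prompt `tristate '"connlimit" match support"'` has an unbalanced double quote before the closing single quote; it should read `tristate '"connlimit" match support'`, matching the neighbouring CONNMARK entry. The help text also says the match limits connections "to a server", but count_them() compares source addresses only and never looks at the destination, so the limit is per source block across all destinations unless the rule is scoped with `--dport`; the help text should say so.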
@@ -0,0 +1,250 @@ +/* + * netfilter module to limit the number of parallel tcp + * connections per IP address. + * (c) 2000 Gerd Knorr + * Nov 2002: Martin Bene : + * only ignore TIME_WAIT or gone connections + * ? Jan Engelhardt , 2007 + * + * based on ... + * + * Kernel module to match connection tracking information. + * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG 0 + +/* we will save the tuples of all connections we care about */ +struct xt_connlimit_conn { + struct list_head list; + struct nf_conntrack_tuple tuple; +}; + +struct xt_connlimit_data { + struct list_head iphash[256]; + spinlock_t lock; +}; + +static inline unsigned int connlimit_iphash(uint32_t addr) +{ + return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff; +} + +static int count_them(struct xt_connlimit_data *data, uint32_t addr, + uint32_t mask, struct nf_conn *ct) +{ +#if DEBUG + static const char const *tcp_state[] = { + "none", "established", "syn_sent", "syn_recv", "fin_wait", + "time_wait", "close", "close_wait", "last_ack", "listen" + }; +#endif + struct nf_conntrack_tuple_hash *found; + struct nf_conntrack_tuple tuple; + struct xt_connlimit_conn *conn; + struct list_head *hash, *lh; + int addit = 1, matches = 0; + struct nf_conn *found_ct; + + spin_lock_bh(&data->lock); + tuple = ct->tuplehash[0].tuple; + hash = &data->iphash[connlimit_iphash(addr & mask)]; + + /* check the saved connections */ + for (lh = hash->next; lh != hash; lh = lh->next) { + conn = list_entry(lh, struct xt_connlimit_conn, list); + found = nf_conntrack_find_get(&conn->tuple, ct); + found_ct = NULL; + + if (found != NULL && + (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL && + memcmp(&conn->tuple, &tuple, sizeof(tuple)) == 0 && + found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) + /* + * Just to be sure we have it only once in the list. 
+ * We should not see tuples twice unless someone hooks + * this into a table without "-p tcp --syn". + */ + addit = 0; + +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%d %s\n", + connlimit_iphash(addr & mask), + NIPQUAD(conn->tuple.src.u3.ip), + ntohs(conn->tuple.src.u.tcp.port), + NIPQUAD(conn->tuple.dst.u3.ip), + ntohs(conn->tuple.dst.u.tcp.port), + (found == NULL) ? "gone" : + tcp_state[found_ct->proto.tcp.state]); +#endif + + if (found == NULL) { + /* this one is gone */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + continue; + } + + if (found_ct->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) { + /* + * we do not care about connections which are + * closed already -> ditch it + */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + nf_conntrack_put(&found_ct->ct_general); + continue; + } + + if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) + /* same source IP address -> be counted! */ + ++matches; + + nf_conntrack_put(&found_ct->ct_general); + } + + if (addit) { + /* save the new connection in our list */ +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%u new\n", + connlimit_iphash(addr & mask), + NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port), + NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port)); +#endif + + conn = kzalloc(sizeof(*conn), GFP_ATOMIC); + if (conn == NULL) + return -ENOMEM; + + INIT_LIST_HEAD(&conn->list); + conn->tuple = tuple; + list_add(&conn->list, hash); + ++matches; + } + + spin_unlock_bh(&data->lock); + return matches; +} + +static int xt_connlimit_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, int *hotdrop) +{ + const struct xt_connlimit_info *info = matchinfo; + enum ip_conntrack_info ctinfo; + const struct iphdr *iph; + int connections, rv; + struct nf_conn *ct; + + ct = 
nf_ct_get(skb, &ctinfo); + if (ct == NULL) { + printk(KERN_INFO "xt_connlimit: INVALID connection or " + "nf_conntrack_ipv4 not loaded\n"); + *hotdrop = 1; + return false; + } + + iph = ip_hdr(skb); + connections = count_them(info->data, iph->saddr, info->mask, ct); + if (connections < 0) { + /* kmalloc failed, drop it entirely */ + printk(KERN_DEBUG "xt_connlimit: kmalloc failed\n"); + *hotdrop = 1; + return false; + } + + rv = info->inverse ^ (connections > info->limit); +#if DEBUG + printk(KERN_DEBUG "xt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u " + "connections=%d limit=%u match=%s\n", + NIPQUAD(iph->saddr), NIPQUAD(info->mask), + connections, info->limit, match ? "yes" : "no"); +#endif + + return rv; +} + +static int xt_connlimit_check(const char *tablename, const void *ip, + const struct xt_match *match, void *matchinfo, + unsigned int hook_mask) +{ + struct xt_connlimit_info *info = matchinfo; + unsigned int i; + + /* init private data */ + info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); + spin_lock_init(&info->data->lock); + for (i = 0; i < 256; ++i) + INIT_LIST_HEAD(&info->data->iphash[i]); + + return 1; +} + +static void xt_connlimit_destroy(const struct xt_match *match, void *matchinfo) +{ + struct xt_connlimit_info *info = matchinfo; + struct xt_connlimit_conn *conn; + struct list_head *hash; + unsigned int i; + + for (i = 0; i < 256; ++i) { + hash = &info->data->iphash[i]; + while (hash != hash->next) { + conn = list_entry(hash->next, + struct xt_connlimit_conn, list); + list_del(hash->next); + kfree(conn); + } + } + + kfree(info->data); + return; +} + +static struct xt_match xt_connlimit_reg = { + .name = "connlimit", + .family = AF_INET, + .proto = IPPROTO_TCP, + .checkentry = xt_connlimit_check, + .match = xt_connlimit_match, + .matchsize = sizeof(struct xt_connlimit_info), + .destroy = xt_connlimit_destroy, + .me = THIS_MODULE, +}; + +static int __init xt_connlimit_init(void) +{ + need_conntrack_ipv4(); + return 
xt_register_match(&xt_connlimit_reg); +} + +static void __exit xt_connlimit_exit(void) +{ + xt_unregister_match(&xt_connlimit_reg); + return; +} + +module_init(xt_connlimit_init); +module_exit(xt_connlimit_exit); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_connlimit"); From jengelh at linux01.gwdg.de Sun Jun 3 13:14:03 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 14:18:24 2007 Subject: [PATCH 2/2] xt_connlimit (iptables) - connection limiting In-Reply-To: References: Message-ID: Adds connlimit to iptables. Signed-off-by: Jan Engelhardt --- extensions/.connlimit-test | 2 extensions/libipt_connlimit.c | 129 ++++++++++++++++++++++++++++++++++++++++ extensions/libipt_connlimit.man | 21 ++++++ 3 files changed, 152 insertions(+) Index: iptables/extensions/.connlimit-test =================================================================== --- /dev/null +++ iptables/extensions/.connlimit-test @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_connlimit.h" ] && echo connlimit Index: iptables/extensions/libipt_connlimit.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.c 
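Review bot: in xt_connlimit.c of the kernel patch above, count_them() returns -ENOMEM with data->lock still held: the `if (conn == NULL) return -ENOMEM;` after kzalloc() skips spin_unlock_bh(), so the next packet reaching this rule spins forever in spin_lock_bh(). Unlock before returning, or route every exit through one unlock. Further points in the same file: xt_connlimit_check() uses info->data right after kmalloc() without a NULL test, so an allocation failure at rule insertion oopses instead of returning -ENOMEM; xt_connlimit_match() prints an unrated printk() and hotdrops for every packet that has no conntrack entry, which any sender can provoke with INVALID packets and thereby fill the log, so rate-limit or drop the message; the DEBUG printk prints `match ? "yes" : "no"` where `match` is the struct xt_match pointer rather than `rv`; and `static const char const *tcp_state[]` should be `static const char *const tcp_state[]`.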
@@ -0,0 +1,129 @@ +/* Shared library add-on to iptables to add connection limit support. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Function which prints out usage message. */ +static void help(void) +{ + printf( +"connlimit v%s options:\n" +"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n" +" --connlimit-mask n group hosts using mask\n" +"\n", IPTABLES_VERSION); +} + +static struct option opts[] = { + {"connlimit-above", 1, NULL, '1'}, + {"connlimit-mask", 1, NULL, '2'}, + {NULL}, +}; + +/* Function which parses command options; returns true if it + ate an option */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_connlimit_info *info = (void *)(*match)->data; + int i; + + if (!(*flags & 2)) + /* + * set default mask unless we have already seen a mask option + */ + info->mask = htonl(0xFFFFFFFF); + + switch (c) { + case '1': + check_inverse(optarg, &invert, &optind, 0); + info->limit = strtoul(argv[optind-1], NULL, 0); + info->inverse = invert; + *flags |= 1; + break; + + case '2': + i = strtol(argv[optind-1], NULL, 0); + if (i < 0 || i > 32) + exit_error(PARAMETER_PROBLEM, + "--connlimit-mask must be between 0 and 32"); + + if (i == 0) + info->mask = 0; + else + info->mask = htonl(0xFFFFFFFF << (32 - i)); + + *flags |= 2; + break; + + default: + return 0; + } + + return 1; +} + +/* Final check */ +static void final_check(unsigned int flags) +{ + if (!(flags & 1)) + exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'"); +} + +static int count_bits(u_int32_t mask) +{ + int i, bits; + + for (bits = 0, i = 31; i >= 0; i--) { + if (mask & htonl((u_int32_t)1 << i)) { + bits++; + continue; + } + break; + } + return bits; +} + +/* Prints out the matchinfo. 
*/ +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, + int numeric) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("#conn/%d %s %d ", count_bits(info->mask), + info->inverse ? "<" : ">", info->limit); +} + +/* Saves the matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("%s--connlimit-above %u --connlimit-mask %u ", + info->inverse ? "! " : "", info->limit, + count_bits(info->mask)); +} + +static struct iptables_match connlimit = { + .name = "connlimit", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = help, + .parse = parse, + .final_check = final_check, + .print = print, + .save = save, + .extra_opts = opts, +}; + +static __attribute__((constructor)) void libipt_connlimit_init(void) +{ + register_match(&connlimit); +} Index: iptables/extensions/libipt_connlimit.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.man 
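Review bot: parse() in libipt_connlimit.c converts its arguments with strtoul()/strtol() and never checks that anything was parsed, so `--connlimit-above foo` silently becomes a limit of 0 and rejects every connection; use string_to_number() (the helper the u32 extension above refers to) with an explicit range and exit_error() on failure, and reject a repeated `--connlimit-above` by testing `*flags & 1` before setting it. print() renders the inverted rule as `#conn/32 < n`, but `! --connlimit-above n` means "not above", i.e. `<=`; print that so `iptables -L` is not read off by one. The help text calls the mask argument `n` while the man page calls it `bits`; align them. `.userspacesize = offsetof(struct xt_connlimit_info, data)` is right, and the kernel header's comment should point at it.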
@@ -0,0 +1,21 @@ +Allows you to restrict the number of parallel TCP connections to a +server per client IP address (or address block). +.TP +[\fB!\fR] \fB--connlimit-above \fIn\fR +match if the number of existing tcp connections is (not) above n +.TP +.BI "--connlimit-mask " "bits" +group hosts using mask +.P +Examples: +.TP +# allow 2 telnet connections per client host +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT +.TP +# you can also match the other way around: +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT +.TP +# limit the nr of parallel http requests to 16 per class C sized \ +network (24 bit netmask) +iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 +--connlimit-mask 24 -j REJECT From jengelh at linux01.gwdg.de Sun Jun 3 13:23:54 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 14:28:13 2007 Subject: [PATCH 2/2] xt_connlimit (iptables) - connection limiting In-Reply-To: References: Message-ID: Previous patch had a wrong #include line, this one seems better :) ================ Adds connlimit to iptables. Signed-off-by: Jan Engelhardt --- extensions/.connlimit-test | 2 extensions/libipt_connlimit.c | 129 ++++++++++++++++++++++++++++++++++++++++ extensions/libipt_connlimit.man | 21 ++++++ 3 files changed, 152 insertions(+) Index: iptables/extensions/.connlimit-test =================================================================== --- /dev/null +++ iptables/extensions/.connlimit-test @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_connlimit.h" ] && echo connlimit Index: iptables/extensions/libipt_connlimit.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.c 
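Review bot: in the libipt_connlimit.man hunk above, the third example, `iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT`, has no `-A INPUT` and so does not run as written. The page should also state the default mask (32, a single host, which is what parse() installs when `--connlimit-mask` is absent) and that the count is per source block regardless of destination, which is why every example scopes the rule with `--dport`.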
@@ -0,0 +1,129 @@ +/* Shared library add-on to iptables to add connection limit support. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Function which prints out usage message. */ +static void help(void) +{ + printf( +"connlimit v%s options:\n" +"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n" +" --connlimit-mask n group hosts using mask\n" +"\n", IPTABLES_VERSION); +} + +static struct option opts[] = { + {"connlimit-above", 1, NULL, '1'}, + {"connlimit-mask", 1, NULL, '2'}, + {NULL}, +}; + +/* Function which parses command options; returns true if it + ate an option */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_connlimit_info *info = (void *)(*match)->data; + int i; + + if (!(*flags & 2)) + /* + * set default mask unless we have already seen a mask option + */ + info->mask = htonl(0xFFFFFFFF); + + switch (c) { + case '1': + check_inverse(optarg, &invert, &optind, 0); + info->limit = strtoul(argv[optind-1], NULL, 0); + info->inverse = invert; + *flags |= 1; + break; + + case '2': + i = strtol(argv[optind-1], NULL, 0); + if (i < 0 || i > 32) + exit_error(PARAMETER_PROBLEM, + "--connlimit-mask must be between 0 and 32"); + + if (i == 0) + info->mask = 0; + else + info->mask = htonl(0xFFFFFFFF << (32 - i)); + + *flags |= 2; + break; + + default: + return 0; + } + + return 1; +} + +/* Final check */ +static void final_check(unsigned int flags) +{ + if (!(flags & 1)) + exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'"); +} + +static int count_bits(u_int32_t mask) +{ + int i, bits; + + for (bits = 0, i = 31; i >= 0; i--) { + if (mask & htonl((u_int32_t)1 << i)) { + bits++; + continue; + } + break; + } + return bits; +} + +/* Prints out the matchinfo. 
*/ +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, + int numeric) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("#conn/%d %s %d ", count_bits(info->mask), + info->inverse ? "<" : ">", info->limit); +} + +/* Saves the matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("%s--connlimit-above %u --connlimit-mask %u ", + info->inverse ? "! " : "", info->limit, + count_bits(info->mask)); +} + +static struct iptables_match connlimit = { + .name = "connlimit", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = help, + .parse = parse, + .final_check = final_check, + .print = print, + .save = save, + .extra_opts = opts, +}; + +static __attribute__((constructor)) void libipt_connlimit_init(void) +{ + register_match(&connlimit); +} Index: iptables/extensions/libipt_connlimit.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.man 
@@ -0,0 +1,21 @@ +Allows you to restrict the number of parallel TCP connections to a +server per client IP address (or address block). +.TP +[\fB!\fR] \fB--connlimit-above \fIn\fR +match if the number of existing tcp connections is (not) above n +.TP +.BI "--connlimit-mask " "bits" +group hosts using mask +.P +Examples: +.TP +# allow 2 telnet connections per client host +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT +.TP +# you can also match the other way around: +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT +.TP +# limit the nr of parallel http requests to 16 per class C sized \ +network (24 bit netmask) +iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 +--connlimit-mask 24 -j REJECT From yasuyuki.kozakai at toshiba.co.jp Sun Jun 3 13:46:56 2007 From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI) Date: Sun Jun 3 14:50:47 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: Message-ID: <200706031146.l53BkuqU000974@toshiba.co.jp> Hi, From: Jan Engelhardt Date: Sun, 3 Jun 2007 13:12:55 +0200 (MEST) > +static int __init xt_connlimit_init(void) > +{ > + need_conntrack_ipv4(); > + return xt_register_match(&xt_connlimit_reg); > +} You can use nf_ct_l3proto_try_module_get() instead of introducing need_conntrack_ipv4(). Please refer xt_state.c and xt_conntrack.c as example. -- Yasuyuki Kozakai From jengelh at linux01.gwdg.de Sun Jun 3 14:34:41 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 15:38:30 2007 Subject: [PATCH] libipt_hashlimit doc update Message-ID: Add srcip,srcport to hashlimit manpage. 
Signed-off-by: Jan Engelhardt --- extensions/libipt_hashlimit.man | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: iptables/extensions/libipt_hashlimit.man =================================================================== --- iptables.orig/extensions/libipt_hashlimit.man +++ iptables/extensions/libipt_hashlimit.man @@ -16,8 +16,8 @@ A rate just like the limit match .BI "--hashlimit-burst " "num" Burst value, just like limit match .TP -.BI "--hashlimit-mode " "destip | destip-destport" -Limit per IP or per port +.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport" +A comma-separated list of objects to take into consideration .TP .BI "--hashlimit-name " "foo" The name for the /proc/net/ipt_hashlimit/foo entry From jengelh at linux01.gwdg.de Sun Jun 3 14:35:46 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 15:40:53 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: <200706031146.l53BkuaZ011945@toshiba.co.jp> References: <200706031146.l53BkuaZ011945@toshiba.co.jp> Message-ID: Hello, >From: Jan Engelhardt >Date: Sun, 3 Jun 2007 13:12:55 +0200 (MEST) > >> +static int __init xt_connlimit_init(void) >> +{ >> + need_conntrack_ipv4(); >> + return xt_register_match(&xt_connlimit_reg); >> +} > >You can use nf_ct_l3proto_try_module_get() instead of introducing >need_conntrack_ipv4(). Please refer xt_state.c and xt_conntrack.c as >example. Thank you for this hint. I will add it and post updated versions of the patch(es) when I am done with all. Thanks, Jan -- From kaber at trash.net Sun Jun 3 18:57:13 2007
From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:03:46 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <200706031047.44848.dim@openvz.org> References: <465CA950.403@trash.net> <4661687F.6040302@trash.net> <200706031047.44848.dim@openvz.org> Message-ID: <4662F2E9.1090903@trash.net> Dmitry Mishin wrote: > On Saturday 02 June 2007 16:54, Patrick McHardy wrote: > >>Here it is, could you please test whether it fixes the crash by >>backing out the hashlimit compat patch and triggering the size >>error again? Thanks. > > Patrick, > it looks like translate_compat_table() should be fixed also. You're right, thanks for catching this. This patch should be better. -------------- next part -------------- [NETFILTER]: ip_tables: fix compat related crash check_compat_entry_size_and_hooks iterates over the matches and calls compat_check_calc_match, which loads the match and calculates the compat offsets, but unlike the non-compat version, doesn't call ->checkentry yet. On error however it calls cleanup_matches, which in turn calls ->destroy, which can result in crashes if the destroy function (validly) expects to only get called after the checkentry function. Add a compat_release_match function that only drops the module reference on error and rename compat_check_calc_match to compat_find_calc_match to reflect the fact that it doesn't call the checkentry function. Reported by Jan Engelhardt Signed-off-by: Patrick McHardy --- commit b2b15a77343e2baadee22a5e64f691732874b10b tree 7d82cf0a9fd3cf77933205a7a1834e958293e293 parent e7d815ef75f70dcdf55001f1f88ae7ae8827a7ba author Patrick McHardy Sun, 03 Jun 2007 18:57:04 +0200 committer Patrick McHardy Sun, 03 Jun 2007 18:57:04 +0200 net/ipv4/netfilter/ip_tables.c | 41 ++++++++++++++++++++++++++++++++-------- 1 files changed, 33 insertions(+), 8 deletions(-) diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index e3f83bf..0a35639 100644 
--- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1425,7 +1425,7 @@ out: } static inline int -compat_check_calc_match(struct ipt_entry_match *m, +compat_find_calc_match(struct ipt_entry_match *m, const char *name, const struct ipt_ip *ip, unsigned int hookmask, @@ -1449,6 +1449,31 @@ compat_check_calc_match(struct ipt_entry_match *m, } static inline int +compat_release_match(struct ipt_entry_match *m, unsigned int *i) +{ + if (i && (*i)-- == 0) + return 1; + + module_put(m->u.kernel.match->me); + return 0; +} + +static inline int +compat_release_entry(struct ipt_entry *e, unsigned int *i) +{ + struct ipt_entry_target *t; + + if (i && (*i)-- == 0) + return 1; + + /* Cleanup all matches */ + IPT_MATCH_ITERATE(e, compat_release_match, NULL); + t = ipt_get_target(e); + module_put(t->u.kernel.target->me); + return 0; +} + +static inline int check_compat_entry_size_and_hooks(struct ipt_entry *e, struct xt_table_info *newinfo, unsigned int *size, @@ -1485,10 +1510,10 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, off = 0; entry_offset = (void *)e - (void *)base; j = 0; - ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip, + ret = IPT_MATCH_ITERATE(e, compat_find_calc_match, name, &e->ip, e->comefrom, &off, &j); if (ret != 0) - goto cleanup_matches; + goto release_matches; t = ipt_get_target(e); target = try_then_request_module(xt_find_target(AF_INET, @@ -1499,7 +1524,7 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", t->u.user.name); ret = target ? PTR_ERR(target) : -ENOENT; - goto cleanup_matches; + goto release_matches; } t->u.kernel.target = target; @@ -1526,8 +1551,8 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, out: module_put(t->u.kernel.target->me); -cleanup_matches: - IPT_MATCH_ITERATE(e, cleanup_match, &j); +release_matches: + IPT_MATCH_ITERATE(e, compat_release_match, &j); return ret; } 
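Review bot: compat_release_entry() in the @@ -1449 hunk passes NULL as the counter to compat_release_match() and so puts every match of the entry; that is only correct for entries that got all the way through check_compat_entry_size_and_hooks(), because an entry that failed there has already put its matches at `release_matches:` and never took the target reference. The contract that the caller's counter covers fully processed entries only is left implicit; a one-line comment above compat_release_entry() stating it would keep the double-put this patch fixes from coming back the next time someone adds an error path.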
@@ -1690,13 +1715,13 @@ translate_compat_table(const char *name, free_newinfo: xt_free_table_info(newinfo); -out: IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j); return ret; out_unlock: compat_flush_offsets(); xt_compat_unlock(AF_INET); - goto out; + IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j); + return ret; } static int From andy at andybev.com Sun Jun 3 19:00:22 2007 From: andy at andybev.com (Andrew Beverley) Date: Sun Jun 3 20:04:11 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: Message-ID: <1180890022.6601.6.camel@andybev> On Sun, 2007-06-03 at 13:12 +0200, Jan Engelhardt wrote: > Adds the connlimit match that has been in POM-NG for a long time. > > * works with 2.6.22, xtables'ified and all that > > * will request nf_conntrack_ipv4 upon load > (otherwise it hotdrops every packet - a glitch that goes back > to at least 2.6.20.2) Excellent! This has been at the back of my mind for a while. Is there any chance of getting UDP flows added as well as TCP connections? I use connlimit for detecting p2p software, but some p2p software now uses UDP instead. Thanks, Andy Beverley From kaber at trash.net Sun Jun 3 19:10:29 2007 
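Review bot: in the translate_compat_table() hunk, removing the `out:` label leaves two unwind paths with different semantics: `free_newinfo:` still runs cleanup_entry() (which calls ->destroy and therefore must only be reached after checkentry ran) while `out_unlock:` now runs compat_release_entry() (module puts only). That split is the fix, but nothing at the labels says which stage may jump to which; a comment on each label, or names that state the condition, would stop a future `goto free_newinfo` from the size-check stage from reintroducing the crash.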
From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:16:57 2007 Subject: [PATCH] iptables gateway match In-Reply-To: <46607546.4050100@ufomechanic.net> References: <46604D8B.7030507@ufomechanic.net> <46604EB0.9080302@trash.net> <46607546.4050100@ufomechanic.net> Message-ID: <4662F605.9040700@trash.net> Amin Azez wrote: > Patrick McHardy wrote: > >> I'm wondering whether we really need a new match for this. It should >> be possible to do the same using routing realms and the realm match. >> > > It's possible that it could be managed using realms, but THAT would be a > hack, and one very hard for rule generating systems to use, especially > if realms were already in use. I don't consider this a hack. It's even more useful since you can do masked matches. I also don't see the problem for generated rules, in fact I used them for exactly this (and other) purpose in a rule generating system. > The match as used here is purely for ip<->ip routing compatibility, easy > auto generation of SNATing rules when the next hop router doesn't have a > reverse route. > > It's also useful for collecting per-gateway statistics (esp. with load > balancing) and debugging complex routing. > > It will also be useful to most people who won't or can't bend realms to > their will. > > I don't know if realms will help in the load balancing routing case anyway. Yes, you can use one realm per nexthop. From kaber at trash.net Sun Jun 3 19:10:42 2007
From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:17:16 2007 Subject: [PATCH] add direction match to conntrack match In-Reply-To: <4660734B.3090203@ufomechanic.net> References: <46604886.4080400@ufomechanic.net> <46604998.3050602@trash.net> <4660734B.3090203@ufomechanic.net> Message-ID: <4662F612.9060801@trash.net> Amin Azez wrote: > Patrick McHardy wrote: > >> But I think you should use a regular flag for this. The >> XT_CONNTRACK_STATE_SNAT are already a not so great idea >> since the same information is in the status bits, which >> can also be matched. >> > > The regular flags are declared as u_int8_t, and all 8 bits are already > used. > > This was the neatest way I could come up with without destroying > user-space compatibility. You're right of course. Extending the flags like Henrik suggested would probably make sense, sooner or later we're going to have more conntrack related things someone wants to match on. Port numbers come to mind .. From jengelh at linux01.gwdg.de Sun Jun 3 19:18:48 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 20:23:59 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: <1180890022.6601.6.camel@andybev> References: <1180890022.6601.6.camel@andybev> Message-ID: On Jun 3 2007 18:00, Andrew Beverley wrote: >On Sun, 2007-06-03 at 13:12 +0200, Jan Engelhardt wrote: >> Adds the connlimit match that has been in POM-NG for a long time. >> >> * works with 2.6.22, xtables'ified and all that >> >> * will request nf_conntrack_ipv4 upon load >> (otherwise it hotdrops every packet - a glitch that goes back >> to at least 2.6.20.2) > >Excellent! This has been at the back of my mind for a while. > >Is there any chance of getting UDP flows added as well as TCP >connections? I dare to say it's easy. The real problem is rather, that UDP is connectionless, so for one, connlimit can, by definition of the word 'connectionless', not apply to UDP, though it is technically possible. Second, because UDP "connections" "fly" (timeout after 30 seconds), just spewing one UDP packet out may kill another connection (e.g. if you use connlimit in conjunction with DROP or REJECT). What's more, UDP packets can be easily forged, much more than TCP, so anyone on the same subtree (not subnet, because that's something different) can send a bogus UDP packet and stop your connections from working. Let's see how to implement UDP counting... Jan -- From kaber at trash.net Sun Jun 3 19:23:20 2007 
From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:29:46 2007 Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet In-Reply-To: References: Message-ID: <4662F908.4090401@trash.net> [Please don't flood unrelated mailinglists with netfilter patches, this includes the netfilter user list] Jan Engelhardt wrote: > * added ipv6 support since that seemed dead simple, given u32's > task. I would have even liked to unlock u32 for _all_ protocols, > but .family = AF_UNSPEC does not do the right thing right now, > but that's not so much a showstopper. > > And arptables seems miles away from using iptables modules. So > AF_INET and AF_INET6 it is for now. arp_tables doesn't support matches at all. > > * Reduced the buffer size to 17 KB. I think that is quite ok since > I added an overflow check, SHOULD THERE BE ANY device with an > MTU larger than our loopback masterpiece (16436 bytes). > > Are there such devices that support Megasuperjumboframes? > The previous buffer size of 64 KB was probably the cutting edge, > as a single IPv4 fragment/packet does not support more than that > anyway. Think of TSO. > > > Signed-off-by: Jan Engelhardt > > --- > include/linux/netfilter/xt_u32.h | 37 ++++++ > net/netfilter/Kconfig | 13 ++ > net/netfilter/Makefile | 1 > net/netfilter/xt_u32.c | 234 +++++++++++++++++++++++++++++++++++++++ > 4 files changed, 285 insertions(+) > > Index: linux-2.6.22-rc3-git6/include/linux/netfilter/xt_u32.h > =================================================================== 
> --- /dev/null > +++ linux-2.6.22-rc3-git6/include/linux/netfilter/xt_u32.h > +struct xt_u32_value_element { > + uint32_t min, max; We use u_int32_t in all netfilter files. Also u_int32_t min; u_int32_t max; please (and everywhere else of course). > +#endif /* _XT_U32_H */ > Index: linux-2.6.22-rc3-git6/net/netfilter/Kconfig > =================================================================== > --- linux-2.6.22-rc3-git6.orig/net/netfilter/Kconfig > +++ linux-2.6.22-rc3-git6/net/netfilter/Kconfig > @@ -644,6 +644,19 @@ config NETFILTER_XT_MATCH_TCPMSS > > To compile it as a module, choose M here. If unsure, say N. > > +config NETFILTER_XT_MATCH_U32 > + tristate '"u32" match support' > + depends on NETFILTER_XTABLES > + ---help--- > + u32 allows you to extract quantities of up to 4 bytes from a packet, > + AND them with specified masks, shift them by specified amounts and > + test whether the results are in any of a set of specified ranges. > + The specification of what to extract is general enough to skip over > + headers with lengths stored in the packet, as in IP or TCP header > + lengths. > + > + Details and examples are in the kernel module source. Details and examples belong in the manpage. > +++ linux-2.6.22-rc3-git6/net/netfilter/xt_u32.c 
> @@ -0,0 +1,234 @@ > +/* > + * xt_u32 - kernel module to match u32 packet content > + * > + * Original author: Don Cohen > + * ? Jan Engelhardt , 2007 > + */ > + > +/* > +U32 tests whether quantities of up to 4 bytes extracted from a packet > +have specified values. The specification of what to extract is general > +enough to find data at given offsets from tcp headers or payloads. > + > + --u32 tests > + The argument amounts to a program in a small language described below. > + tests := location = value | tests && location = value > + value := range | value , range > + range := number | number : number > + a single number, n, is interpreted the same as n:n > + n:m is interpreted as the range of numbers >=n and <=m > + location := number | location operator number > + operator := & | << | >> | @ > + > + The operators &, <<, >>, && mean the same as in c. The = is really a set > + membership operator and the value syntax describes a set. The @ operator > + is what allows moving to the next header and is described further below. > + > + *** Until I can find out how to avoid it, there are some artificial limits > + on the size of the tests: > + - no more than 10 ='s (and 9 &&'s) in the u32 argument > + - no more than 10 ranges (and 9 commas) per value > + - no more than 10 numbers (and 9 operators) per location > + > + To describe the meaning of location, imagine the following machine that > + interprets it. There are three registers: > + A is of type char*, initially the address of the IP header > + B and C are unsigned 32 bit integers, initially zero > + > + The instructions are: > + number B = number; > + C = (*(A+B)<<24)+(*(A+B+1)<<16)+(*(A+B+2)<<8)+*(A+B+3) > + &number C = C&number > + < + >>number C = C>>number > + @number A = A+C; then do the instruction number > + Any access of memory outside [skb->head,skb->end] causes the match to fail. > + Otherwise the result of the computation is the final value of C. 
> + > + Whitespace is allowed but not required in the tests. > + However the characters that do occur there are likely to require > + shell quoting, so it's a good idea to enclose the arguments in quotes. > + > +Example: > + match IP packets with total length >= 256 > + The IP header contains a total length field in bytes 2-3. > + --u32 "0&0xFFFF=0x100:0xFFFF" > + read bytes 0-3 > + AND that with FFFF (giving bytes 2-3), > + and test whether that's in the range [0x100:0xFFFF] > + > +Example: (more realistic, hence more complicated) > + match icmp packets with icmp type 0 > + First test that it's an icmp packet, true iff byte 9 (protocol) = 1 > + --u32 "6&0xFF=1 && ... > + read bytes 6-9, use & to throw away bytes 6-8 and compare the result to 1 > + Next test that it's not a fragment. > + (If so it might be part of such a packet but we can't always tell.) > + n.b. This test is generally needed if you want to match anything > + beyond the IP header. > + The last 6 bits of byte 6 and all of byte 7 are 0 iff this is a complete > + packet (not a fragment). Alternatively, you can allow first fragments > + by only testing the last 5 bits of byte 6. > + ... 4&0x3FFF=0 && ... > + Last test: the first byte past the IP header (the type) is 0 > + This is where we have to use the @syntax. The length of the IP header > + (IHL) in 32 bit words is stored in the right half of byte 0 of the > + IP header itself. > + ... 0>>22&0x3C@0>>24=0" > + The first 0 means read bytes 0-3, > + >>22 means shift that 22 bits to the right. Shifting 24 bits would give > + the first byte, so only 22 bits is four times that plus a few more bits. > + &3C then eliminates the two extra bits on the right and the first four > + bits of the first byte. > + For instance, if IHL=5 then the IP header is 20 (4 x 5) bytes long. > + In this case bytes 0-1 are (in binary) xxxx0101 yyzzzzzz, > + >>22 gives the 10 bit value xxxx0101yy and &3C gives 010100. 
> + @ means to use this number as a new offset into the packet, and read > + four bytes starting from there. This is the first 4 bytes of the icmp > + payload, of which byte 0 is the icmp type. Therefore we simply shift > + the value 24 to the right to throw out all but the first byte and compare > + the result with 0. > + > +Example: > + tcp payload bytes 8-12 is any of 1, 2, 5 or 8 > + First we test that the packet is a tcp packet (similar to icmp). > + --u32 "6&0xFF=6 && ... > + Next, test that it's not a fragment (same as above). > + ... 0>>22&0x3C@12>>26&0x3C@8=1,2,5,8" > + 0>>22&3C as above computes the number of bytes in the IP header. > + @ makes this the new offset into the packet, which is the start of the > + tcp header. The length of the tcp header (again in 32 bit words) is > + the left half of byte 12 of the tcp header. The 12>>26&3C > + computes this length in bytes (similar to the IP header before). > + @ makes this the new offset, which is the start of the tcp payload. > + Finally 8 reads bytes 8-12 of the payload and = checks whether the > + result is any of 1, 2, 5 or 8 > +*/ Remove all the above up to the copyright please. > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +/* This is slow, but it's simple. --RR */ > + > +/* > + * I think 17KB should suffice. The largest MTU I have > + * seen so far is lo's, being 16436. -jengelh > + */ > +static char xt_u32_buffer[17*1024]; 64k and please allocate this. 
> +static DEFINE_SPINLOCK(xt_u32_lock); > + > +static int xt_u32_match(const struct sk_buff *skb, const struct net_device *in, > + const struct net_device *out, > + const struct xt_match *match, const void *matchinfo, > + int offset, unsigned int protoff, int *hotdrop) > +{ > + const struct xt_u32 *data = matchinfo; > + const struct xt_u32_test *ct; > + const unsigned char *base, *head; > + int i, nnums, nvals, testind; > + uint32_t pos, val, at; > + > + spin_lock_bh(&xt_u32_lock); > + > + head = skb_header_pointer(skb, 0, min(skb->len, > + sizeof(xt_u32_buffer)), xt_u32_buffer); min can go with 64k buffer. > + if (head == NULL) { > + *hotdrop = 1; > + return false; > + } might as well BUG_ON since a copy of size <= skb->len cant fail. > + > + base = head; > + for (testind = 0; testind < data->ntests; ++testind) { > + ct = &data->tests[testind]; > + > + at = 0; > + pos = ct->location[0].number; > + if (at + pos + 3 > skb->len || at + pos < 0) { > + spin_unlock_bh(&xt_u32_lock); > + return false; what about inversion? Matches return int, so please use 0/1 (or send me a patch to convert all of them to boolean first). 
> + } > + > + val = (base[pos] << 24) | (base[pos+1] << 16) | > + (base[pos+2] << 8) | base[pos+3]; > + nnums = ct->nnums; > + > + for (i = 1; i < nnums; ++i) { > + uint32_t number = ct->location[i].number; > + switch (ct->location[i].nextop) { > + case XT_U32_AND: > + val &= number; > + break; > + case XT_U32_LEFTSH: > + val <<= number; > + break; > + case XT_U32_RIGHTSH: > + val >>= number; > + break; > + case XT_U32_AT: > + at += val; > + pos = number; > + if (at + pos + 3 > skb->len || at + pos < 0) { > + spin_unlock_bh(&xt_u32_lock); > + return 0; > + } > + > + val = (base[at+pos] << 24) | > + (base[at+pos+1] << 16) | > + (base[at+pos+2] << 8) | base[at+pos+3]; > + break; > + } > + } > + > + nvals = ct->nvalues; > + for (i = 0; i < nvals; ++i) > + if (ct->value[i].min <= val && val <= ct->value[i].max) > + break; > + > + if (i >= ct->nvalues) { > + spin_unlock_bh(&xt_u32_lock); > + return false; > + } > + } > + > + spin_unlock_bh(&xt_u32_lock); > + return 1; > +} > + > +static struct xt_match xt_u32_reg[] = { > + { > + .name = "u32", > + .family = AF_INET, > + .match = xt_u32_match, > + .matchsize = sizeof(struct xt_u32), > + .me = THIS_MODULE, > + }, > + { > + .name = "u32", > + .family = AF_INET6, > + .match = xt_u32_match, > + .matchsize = sizeof(struct xt_u32), > + .me = THIS_MODULE, > + }, > +}; > + > +static int __init xt_u32_init(void) > +{ > + return xt_register_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); > +} > + > +static void __exit xt_u32_exit(void) > +{ > + xt_unregister_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); > + return; > +} > + > +module_init(xt_u32_init); > +module_exit(xt_u32_exit); > +MODULE_AUTHOR("Don Cohen "); > +MODULE_DESCRIPTION("netfilter u32 match module"); > +MODULE_LICENSE("GPL"); > +MODULE_ALIAS("ipt_u32"); > From jengelh at linux01.gwdg.de Sun Jun 3 19:29:25 2007 
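Review bot: the `if (head == NULL) { *hotdrop = 1; return false; }` block in xt_u32_match returns while xt_u32_lock is still held (the `spin_lock_bh(&xt_u32_lock)` taken just before `skb_header_pointer()` is never undone on that path, unlike the other early returns, which call `spin_unlock_bh` first), so the next packet through the match spins forever; unlock before returning, or take the lock only after the NULL check. The bounds check `if (at + pos + 3 > skb->len || at + pos < 0)` also needs work: `at`, `pos` and `val` are all `uint32_t`, so `at + pos < 0` is always false, the sum `at + pos + 3` (and `at += val` in the `XT_U32_AT` case) can wrap to a small value and pass, and the limit is `skb->len` rather than the `min(skb->len, sizeof(xt_u32_buffer))` bytes that were actually copied, so a packet longer than the buffer is read past the end of `xt_u32_buffer`. Keep the copied length in a local, reject when `pos > copied - 4` (after checking `copied >= 4`) and when `at > copied - 4 - pos`, and reuse that check in the `XT_U32_AT` case.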
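The `--u32` mini-language from the module comment quoted above, as an added reference interpreter in Python; this is not the xt_u32 kernel code or anything from the patch author. It parses a `--u32` argument, runs the A/B/C register machine over constructed sample packets (the builders, packet contents and all function names are assumptions of this example), and fails a match on any read past the end of the packet; the three rules are the ones from the quoted documentation.

```python
import re
import struct

# Hypothetical reference interpreter for the --u32 language described above;
# written for this note, it is not the xt_u32 kernel code.
_NUM = r'0[xX][0-9a-fA-F]+|\d+'
_LOC = re.compile(rf'^\s*({_NUM})((?:\s*(?:<<|>>|&|@)\s*(?:{_NUM}))*)\s*$')
_OP = re.compile(rf'\s*(<<|>>|&|@)\s*({_NUM})')
_RANGE = re.compile(rf'^\s*({_NUM})\s*(?::\s*({_NUM}))?\s*$')

def parse_location(text):
    """'number (op number)*' -> [(op, number)]; op is None for the first."""
    m = _LOC.match(text)
    if m is None:
        raise ValueError(f'bad location {text!r}')
    ops = [(None, int(m.group(1), 0))]
    ops += [(op, int(num, 0)) for op, num in _OP.findall(m.group(2))]
    return ops

def parse_value(text):
    """'range(,range)*' -> [(lo, hi)]; a bare n means n:n."""
    ranges = []
    for part in text.split(','):
        m = _RANGE.match(part)
        if m is None:
            raise ValueError(f'bad range {part!r}')
        lo = int(m.group(1), 0)
        ranges.append((lo, int(m.group(2), 0) if m.group(2) else lo))
    return ranges

def parse_u32(expr):
    """'tests' -> [(location_ops, ranges)], one per '&&'-separated test."""
    tests = []
    for test in expr.split('&&'):
        loc, _, val = test.partition('=')
        tests.append((parse_location(loc), parse_value(val)))
    return tests

def _load(packet, off):
    """C = big-endian u32 at A+B; a read outside the packet fails the match."""
    # Python ints never wrap, so off + 4 cannot slip past this check the way
    # an overflowing u32 sum can in C; a C port needs an explicit guard.
    if off < 0 or off + 4 > len(packet):
        raise IndexError(off)
    return struct.unpack_from('!I', packet, off)[0]

def eval_location(packet, ops):
    """Run the A/B/C machine over one location; returns the final C."""
    base = val = 0  # A (kept as an offset into packet) and C
    for op, num in ops:
        if op is None:      # number:   B = number; C = *(A+B)
            val = _load(packet, base + num)
        elif op == '&':     # &number:  C = C & number
            val &= num
        elif op == '<<':    # <<number: C = C << number, kept to 32 bits
            val = (val << num) & 0xFFFFFFFF
        elif op == '>>':    # >>number: C = C >> number
            val >>= num
        else:               # @number:  A = A + C; then do 'number'
            base += val
            val = _load(packet, base + num)
    return val

def u32_match(packet, expr):
    """True when every test's final C lies in one of that test's ranges."""
    for ops, ranges in parse_u32(expr):
        try:
            val = eval_location(packet, ops)
        except IndexError:
            return False
        if not any(lo <= val <= hi for lo, hi in ranges):
            return False
    return True

def build_ipv4(proto, payload, frag=0, options=b''):
    """Constructed sample: minimal IPv4 header (checksum 0) + payload."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack('!BBHHHBBH4s4s', 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0x1234, frag, 64, proto, 0, bytes([10, 0, 0, 1]),
                      bytes([10, 0, 0, 2]))
    return hdr + options + payload

def build_tcp(payload):
    """Constructed sample: minimal TCP header (data offset 5) + payload."""
    return struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, 0x18, 512, 0, 0) + payload

# The three rules from the documentation quoted above, and sample packets.
RULE_TOTAL_LEN_GE_256 = '0&0xFFFF=0x100:0xFFFF'
RULE_ICMP_ECHO_REPLY = '6&0xFF=1 && 4&0x3FFF=0 && 0>>22&0x3C@0>>24=0'
RULE_TCP_PAYLOAD_8 = '6&0xFF=6 && 4&0x3FFF=0 && 0>>22&0x3C@12>>26&0x3C@8=1,2,5,8'
ECHO_REPLY = struct.pack('!BBHHH', 0, 0, 0, 1, 1)  # ICMP type 0, code 0
ICMP_REPLY = build_ipv4(1, ECHO_REPLY)
ICMP_REPLY_OPTS = build_ipv4(1, ECHO_REPLY, options=b'\x01' * 4)  # IHL 6
ICMP_REQUEST = build_ipv4(1, struct.pack('!BBHHH', 8, 0, 0, 1, 1))
ICMP_FRAGMENT = build_ipv4(1, ECHO_REPLY, frag=0x2000)  # MF flag set
TCP_FIVE = build_ipv4(6, build_tcp(b'\0' * 8 + struct.pack('!I', 5)))
UDP_300 = build_ipv4(17, b'\0' * 300)
```

With IHL 6 the `0>>22&0x3C` location evaluates to 24 instead of 20, which is why the `@` step still lands on the ICMP type byte.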
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 20:34:31 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <4662F2E9.1090903@trash.net> References: <465CA950.403@trash.net> <4661687F.6040302@trash.net> <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> Message-ID: On Jun 3 2007 18:57, Patrick McHardy wrote: >Dmitry Mishin wrote: >> On Saturday 02 June 2007 16:54, Patrick McHardy wrote: >> >>>Here it is, could you please test whether it fixes the crash by >>>backing out the hashlimit compat patch and triggering the size >>>error again? Thanks. >> >> Patrick, >> it looks like translate_compat_table() should be fixed also. > >You're right, thanks for catching this. This patch should be >better. I am kind of impartial when it comes to testing patches, but when I look through and want to reply to them, doing them inline is preferred. Tested-By: Jan Engelhardt Jan -- From kaber at trash.net Sun Jun 3 19:31:24 2007 From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:37:49 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: References: <465CA950.403@trash.net> <4661687F.6040302@trash.net> <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> Message-ID: <4662FAEC.4050301@trash.net> Jan Engelhardt wrote: > I am kind of impartial when it comes to testing patches, but when > I look through and want to reply to them, doing them inline is > preferred. Content-Disposition: inline; filename="x" Works fine in any mailer I've tried. From kaber at trash.net Sun Jun 3 19:34:46 2007 
From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:41:11 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: Message-ID: <4662FBB6.9060000@trash.net> Jan Engelhardt wrote: > Adds the connlimit match that has been in POM-NG for a long time. This has about half the points I mentioned last time unfixed, starting with proper use of list.h. From kaber at trash.net Sun Jun 3 19:36:26 2007 From: kaber at trash.net (Patrick McHardy) Date: Sun Jun 3 20:42:52 2007 Subject: [PATCH] libipt_hashlimit doc update In-Reply-To: References: Message-ID: <4662FC1A.2040702@trash.net> Jan Engelhardt wrote: > Add srcip,srcport to hashlimit manpage. Applied, thanks Jan. From jengelh at linux01.gwdg.de Sun Jun 3 20:11:19 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 21:16:27 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <4662FAEC.4050301@trash.net> References: <465CA950.403@trash.net> <4661687F.6040302@trash.net> <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> <4662FAEC.4050301@trash.net> Message-ID: On Jun 3 2007 19:31, Patrick McHardy wrote: >Jan Engelhardt wrote: >> I am kind of impartial when it comes to testing patches, but when >> I look through and want to reply to them, doing them inline is >> preferred. > >Content-Disposition: inline; > filename="x" > >Works fine in any mailer I've tried. Try pine. * Displayed the attachment inline. (I think this needs a config option, which is enabled for me). * On reply, it strips the attachments. * On export, the attachment is retained. Time to figure. Jan -- From andy at andybev.com Sun Jun 3 20:32:06 2007 
From: andy at andybev.com (Andrew Beverley) Date: Sun Jun 3 21:35:43 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: <1180890022.6601.6.camel@andybev> Message-ID: <1180895526.6601.44.camel@andybev> On Sun, 2007-06-03 at 19:18 +0200, Jan Engelhardt wrote: > On Jun 3 2007 18:00, Andrew Beverley wrote: > >On Sun, 2007-06-03 at 13:12 +0200, Jan Engelhardt wrote: > >> Adds the connlimit match that has been in POM-NG for a long time. > >> > >> * works with 2.6.22, xtables'ified and all that > >> > >> * will request nf_conntrack_ipv4 upon load > >> (otherwise it hotdrops every packet - a glitch that goes back > >> to at least 2.6.20.2) > > > >Excellent! This has been at the back of my mind for a while. > > > >Is there any chance of getting UDP flows added as well as TCP > >connections? > > I dare to say it's easy. The real problem is rather, that UDP is > connectionless, so for one, connlimit can, by definition of the word > 'connectionless', not apply to UDP, though it is technically > possible. Understood. > Second, because UDP "connections" "fly" (timeout after 30 > seconds), just spewing one UDP packet out may kill another connection > (e.g. if you use connlimit in conjunction with DROP or REJECT). I see what you mean, although I personally would use this with an IPSET target, and I would argue it is the responsibility of the administrator to ensure it is used correctly. > What's more, UDP packets can be easily forged, much more than TCP, so > anyone on the same subtree (not subnet, because that's something > different) can send a bogus UDP packet and stop your connections from > working. I didn't know that, but I doubt anyone where I would use it would be able to do that :-) > Let's see how to implement UDP counting... The alternative, as I see it, is to adapt hashlimit to have an option to limit by number of different concurrent streams to different port numbers (but same source/destination IP address). 
However, I personally think it would sit better in connlimit, even if UDP is not a connection by strict definition. Is it something you would consider, or shall I look at it myself? With regards to Patrick's comment, IIRC this was one of the points he originally raised. Regards, Andy Beverley From jengelh at linux01.gwdg.de Sun Jun 3 22:09:53 2007 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sun Jun 3 23:13:47 2007 Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet In-Reply-To: <4662F908.4090401@trash.net> References: <4662F908.4090401@trash.net> Message-ID: On Jun 3 2007 19:23, Patrick McHardy wrote: > >Jan Engelhardt wrote: >> * added ipv6 support since that seemed dead simple, given u32's >> task. I would have even liked to unlock u32 for _all_ protocols, >> but .family = AF_UNSPEC does not do the right thing right now, >> but that's not so much a showstopper. >> >> And arptables seems miles away from using iptables modules. So >> AF_INET and AF_INET6 it is for now. > >arp_tables doesn't support matches at all. Oh well, so much for that idea. >> >> * Reduced the buffer size to 17 KB. I think that is quite ok since >> I added an overflow check, SHOULD THERE BE ANY device with an >> MTU larger than our loopback masterpiece (16436 bytes). >> >> Are there such devices that support Megasuperjumboframes? >> The previous buffer size of 64 KB was probably the cutting edge, >> as a single IPv4 fragment/packet does not support more than that >> anyway. > >Think of TSO. Right, next version already uses kmalloc. >> + uint32_t min, max; > >We use u_int32_t in all netfilter files. Also > > u_int32_t min; > u_int32_t max; > >please (and everywhere else of course). Is this a showstopper? After all, uint32_t is close to the same-named C99 type. It's kinda strange to have __u32, u32, u_int32_t and uint32_t for one and the same thing. >> + Details and examples are in the kernel module source. > >Details and examples belong in the manpage. I agree. >> +static char xt_u32_buffer[17*1024]; >64k and please allocate this. Yup. >> + if (head == NULL) { >> + *hotdrop = 1; >> + return false; >> + } > >might as well BUG_ON since a copy of size <= skb->len cant fail. Hmm, scripts/checkpatch.pl barfs on BUG_ONs :-) Use WARN_ON + hotdrop, or still go with BUG_ON? 
>> + base = head; >> + for (testind = 0; testind < data->ntests; ++testind) { >> + ct = &data->tests[testind]; >> + >> + at = 0; >> + pos = ct->location[0].number; >> + if (at + pos + 3 > skb->len || at + pos < 0) { >> + spin_unlock_bh(&xt_u32_lock); >> + return false; > >what about inversion? If it was not supported before, I have not implemented it. >Matches return int, so please use 0/1 >(or send me a patch to convert all of them to boolean first). Alright! Thanks, Jan -- From yasuyuki.kozakai at toshiba.co.jp Mon Jun 4 02:45:48 2007 From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI) Date: Mon Jun 4 03:49:37 2007 Subject: [RFC][PATCH 0/7]: ct_extend In-Reply-To: <46603C67.4070201@trash.net> References: <465E5159.4050604@trash.net> <200705310902.l4V9212d010654@toshiba.co.jp> <46603C67.4070201@trash.net> Message-ID: <200706040045.l540jnFe007950@toshiba.co.jp> 
From: Patrick McHardy Date: Fri, 01 Jun 2007 17:33:59 +0200 > > After all, if we don't want to introduce rwlock for such competition, > > we'd better limit nfctnetlink so that it doesn't assign, change, or > > remove helper of confirmed conntrack. > > > > If people agree to remove ctnetlink_change_helper(), I'll submit the latest > > patchset of ct_extend. > > > I don't think we can do that, it has been part of the ABI since the > beginning I think and we might need it for userspace helpers. OK, I'll try to find another idea. > How about grabbing nf_conntrack_lock and replacing the entire conntrack > structure in this case? It requires very complicated operations. I want to avoid that as far as possible. I'm thinking about exporting nf_nat_lock and locks of helpers, and grabbing all of them just before reallocating extended area. But I'm not sure it is possible because we have to take care about deadlock due to grabbing multiple locks in different order. One more idea is Rusty's comment in the original patch, it replaces array of extended area with linked list. But it results in so many small memory objects. Hmm... -- Yasuyuki Kozakai From laforge at netfilter.org Mon Jun 4 09:15:12 2007 From: laforge at netfilter.org (Harald Welte) Date: Mon Jun 4 10:23:46 2007 Subject: [jasan@x31.com: Netfilter FAQ patch] Message-ID: <20070604071512.GH6552@prithivi.gnumonks.org> Skipped content of type multipart/mixed From dim at openvz.org Mon Jun 4 09:54:10 2007 
From: dim at openvz.org (Dmitry Mishin) Date: Mon Jun 4 10:58:46 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <4662F2E9.1090903@trash.net> References: <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> Message-ID: <200706041154.11187.dim@openvz.org> On Sunday 03 June 2007 20:57, Patrick McHardy wrote: > Dmitry Mishin wrote: > > On Saturday 02 June 2007 16:54, Patrick McHardy wrote: > >>Here it is, could you please test whether it fixes the crash by > >>backing out the hashlimit compat patch and triggering the size > >>error again? Thanks. > > > > Patrick, > > it looks like translate_compat_table() should be fixed also. > > You're right, thanks for catching this. This patch should be > better. It's better, but I see the issue with iterate with compat_check_entry() calls. If it fails, some of target/matches' check_* functions are called, some not. Please, review my version of this patch. Signed-off-by: Dmitry Mishin --- diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 2f46dd7..9c294a5 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -264,6 +264,23 @@ ({ \ __ret; \ }) +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, i, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct ipt_entry *__entry; \ + \ + for (__i = i; __i < (size); __i += __entry->next_offset) { \ + __entry = (void *)(entries) + __i; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + /* * Main firewall chains definitions and global var's definitions. */ diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index e3f83bf..9bacf1a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c 
@@ -499,7 +499,8 @@ check_entry(struct ipt_entry *e, const c } static inline int check_match(struct ipt_entry_match *m, const char *name, - const struct ipt_ip *ip, unsigned int hookmask) + const struct ipt_ip *ip, unsigned int hookmask, + unsigned int *i) { struct xt_match *match; int ret; @@ -515,6 +516,8 @@ static inline int check_match(struct ipt m->u.kernel.match->name); ret = -EINVAL; } + if (!ret) + (*i)++; return ret; } @@ -537,11 +540,10 @@ find_check_match(struct ipt_entry_match } m->u.kernel.match = match; - ret = check_match(m, name, ip, hookmask); + ret = check_match(m, name, ip, hookmask, i); if (ret) goto err; - (*i)++; return 0; err: module_put(m->u.kernel.match->me); @@ -1425,7 +1427,7 @@ out: } static inline int -compat_check_calc_match(struct ipt_entry_match *m, +compat_find_calc_match(struct ipt_entry_match *m, const char *name, const struct ipt_ip *ip, unsigned int hookmask, @@ -1449,6 +1451,31 @@ compat_check_calc_match(struct ipt_entry } static inline int +compat_release_match(struct ipt_entry_match *m, unsigned int *i) +{ + if (i && (*i)-- == 0) + return 1; + + module_put(m->u.kernel.match->me); + return 0; +} + +static inline int +compat_release_entry(struct ipt_entry *e, unsigned int *i) +{ + struct ipt_entry_target *t; + + if (i && (*i)-- == 0) + return 1; + + /* Cleanup all matches */ + IPT_MATCH_ITERATE(e, compat_release_match, NULL); + t = ipt_get_target(e); + module_put(t->u.kernel.target->me); + return 0; +} + +static inline int check_compat_entry_size_and_hooks(struct ipt_entry *e, struct xt_table_info *newinfo, unsigned int *size, 
@@ -1485,10 +1512,10 @@ check_compat_entry_size_and_hooks(struct off = 0; entry_offset = (void *)e - (void *)base; j = 0; - ret = IPT_MATCH_ITERATE(e, compat_check_calc_match, name, &e->ip, + ret = IPT_MATCH_ITERATE(e, compat_find_calc_match, name, &e->ip, e->comefrom, &off, &j); if (ret != 0) - goto cleanup_matches; + goto release_matches; t = ipt_get_target(e); target = try_then_request_module(xt_find_target(AF_INET, @@ -1499,7 +1526,7 @@ check_compat_entry_size_and_hooks(struct duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", t->u.user.name); ret = target ? PTR_ERR(target) : -ENOENT; - goto cleanup_matches; + goto release_matches; } t->u.kernel.target = target; @@ -1526,8 +1553,8 @@ check_compat_entry_size_and_hooks(struct out: module_put(t->u.kernel.target->me); -cleanup_matches: - IPT_MATCH_ITERATE(e, cleanup_match, &j); +release_matches: + IPT_MATCH_ITERATE(e, compat_release_match, &j); return ret; } @@ -1574,15 +1601,26 @@ static int compat_copy_entry_from_user(s return ret; } -static inline int compat_check_entry(struct ipt_entry *e, const char *name) +static inline int compat_check_entry(struct ipt_entry *e, const char *name, + unsigned int *i) { - int ret; + int j, ret; - ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom); + j = 0; + ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j); if (ret) - return ret; + goto cleanup_matches; + + ret = check_target(e, name); + if (ret) + goto cleanup_matches; - return check_target(e, name); + (*i)++; + return 0; + + cleanup_matches: + IPT_MATCH_ITERATE(e, cleanup_match, &j); + return ret; } static int 
@@ -1673,10 +1711,17 @@ translate_compat_table(const char *name, if (!mark_source_chains(newinfo, valid_hooks, entry1)) goto free_newinfo; + i = 0; ret = IPT_ENTRY_ITERATE(entry1, newinfo->size, compat_check_entry, - name); - if (ret) - goto free_newinfo; + name, &i); + if (ret) { + j -= i; + IPT_ENTRY_ITERATE_CONTINUE(entry1, newinfo->size, i, + compat_release_entry, &j); + IPT_ENTRY_ITERATE(entry1, newinfo->size, cleanup_entry, &i); + xt_free_table_info(newinfo); + return ret; + } /* And one copy for every other CPU */ for_each_possible_cpu(i) @@ -1691,7 +1736,7 @@ translate_compat_table(const char *name, free_newinfo: xt_free_table_info(newinfo); out: - IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j); + IPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j); return ret; out_unlock: compat_flush_offsets(); From pablo at netfilter.org Mon Jun 4 11:59:03 2007 
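Review bot: IPT_ENTRY_ITERATE_CONTINUE treats its third argument as a byte offset (`for (__i = i; __i < (size); __i += __entry->next_offset)` with `__entry = (void *)(entries) + __i;`), but the caller in translate_compat_table passes `i`, which compat_check_entry increments once per successfully checked entry (`(*i)++`), so it is an entry count; for any `i > 0` the release walk starts inside the first entry and then follows `next_offset` fields read from misaligned memory. Have the macro skip the first `n` entries by counting them while walking from offset 0 (`continue` while `__n++ < n`), and say in the comment above it that the parameter is a count, not an offset.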
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Jun 4 13:03:56 2007 Subject: Bug in conntrack -U In-Reply-To: <1180707433.4733.7.camel@ghlodit.inl.fr> References: <1180707433.4733.7.camel@ghlodit.inl.fr> Message-ID: <4663E267.1030900@netfilter.org> Eric Leblond wrote: > I've found a problem with conntrack-tools. Running : > conntrack -U -m 20 -s 192.168.50.140 -d 192.168.50.129 -p tcp --orig-port-src 43515 --orig-port-dst 22 > returns > Operation failed: invalid parameters > > Problem has been verified with kernel 2.6.20 and 2.6.17 with subversion > compiled libraries and conntrack-tools on 32bits and 64bits system. I > did not find the time to test it on latest kernel. The problem seems to be in libnetfilter_conntrack. The patch attached should fix the problem. Thanks for the report. -- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris -------------- next part -------------- Index: src/conntrack/build.c =================================================================== --- src/conntrack/build.c (revisi?n: 6840) +++ src/conntrack/build.c (copia de trabajo) @@ -252,8 +252,13 @@ __build_tuple(req, size, &ct->tuple[__DIR_ORIG], CTA_TUPLE_ORIG); __build_tuple(req, size, &ct->tuple[__DIR_REPL], CTA_TUPLE_REPLY); - /* always build IPS_CONFIRMED */ - __build_status(req, size, ct); + if (test_bit(ATTR_STATUS, ct->set)) + __build_status(req, size, ct); + else { + /* build IPS_CONFIRMED if we're creating a new conntrack */ + if (type == IPCTNL_MSG_CT_NEW && flags & NLM_F_CREATE) + __build_status(req, size, ct); + } if (test_bit(ATTR_TIMEOUT, ct->set)) __build_timeout(req, size, ct); From azez at ufomechanic.net Mon Jun 4 12:14:26 2007 
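Review bot: in the new `else` branch, `if (type == IPCTNL_MSG_CT_NEW && flags & NLM_F_CREATE)` relies on `&` binding tighter than `&&`; it parses as intended, but please write `(flags & NLM_F_CREATE)` so the precedence is visible, and the lone nested `if` inside `else { ... }` reads better as a plain `else if`. Neither `type` nor `flags` appears in the hunk's context lines, so confirm both are in scope in the enclosing function with the meaning the comment assumes (message type and netlink flags of the request being built).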
From: azez at ufomechanic.net (Amin Azez) Date: Mon Jun 4 13:16:53 2007 Subject: [PATCH] xt_gateway match Message-ID: <200706041133.l54BXqv07802@server1.secure-linux-server.com> Sorry for the horrible quoting style, pocket outlook is nasty, and the hermes linux port isn't progressed enough for me to switch... Thanks for looking at this, Jan. I'm away from a testing box right now, but I think you got a test wrong. The gateway test is meant to exclude cases where the neighbour table matches AND the daddr matches, because that means the packet wasn't routed to that target AS a gateway. For nexthop we don't want to match daddr regardless, only if it is also matching the neighbor table. Gateway: match neighbourtable and not match daddr Nexthop: match neighbour table. Note: if --gateway is used, a downstream snat'd network can't ping the gateway (no math, no snat) but can ping beyond the gateway. Sam -----Original Message----- 
From: "Jan Engelhardt" To: "Amin Azez" Cc: netfilter-devel@lists.netfilter.org Sent: 02/06/07 17:56 Subject: [PATCH] xt_gateway match ... + info->flags ^= info->flags & IPT_GATEWAY_ROUTE; Stunning line. So, I refreshed this to be xtables-style, xt_gateway. It builds cleanly, but only done limited testing on it yet. Especially, I decoupled that bigass return statement to make it easier to read. I hope I got all the conditions right. How things look: inet 192.168.222.36/24 default gw 192.168.222.1 What I did: iptables -A OUTPUT -m gateway --gateway 192.168.222.1 iptables -A OUTPUT -m gateway --nexthop 192.168.222.1 ping -c1 192.168.222.1 iptables -nvL +1 for the --gateway rule +1 for the --nexthop rule ping -c1 134.76.13.21 +1 for the --gateway rule +0 for the --nexthop rule Route to 134.76.13.21 is: (192.168.222.36) 192.168.222.1 10.10.96.1 134.76.63.254 134.76.13.21 Does xt_gateway still do the right thing? Please check, thanks! (patches as a response to this mail, or svnized for now @ https://dev.computergmbh.de/svn/misc_kernel/xt_gateway/trunk/ ) Jan -- From pablo at netfilter.org Mon Jun 4 12:41:30 2007 
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Jun 4 13:45:03 2007 Subject: [jasan@x31.com: Netfilter FAQ patch] In-Reply-To: <20070604071512.GH6552@prithivi.gnumonks.org> References: <20070604071512.GH6552@prithivi.gnumonks.org> Message-ID: <4663EC5A.8000301@netfilter.org> Jan wrote: > I'd like to submit a patch changing a few IMHO important sections of > the FAQ. I think there are still many old sections which no-one > should be interested in anymore. It could be useful to just keep > the older revision available and cleanse the current one (I would > gladly do it). Indeed, the FAQ is outdated. We're looking for people interested in maintaining documentation. Would you be willing to do it? If so, please make sure you use a recent SVN working copy since your patch didn't apply cleanly, anyhow I have fixed and applied it. If you aren't sure about the status of any question, just drop me a line. Thanks. -- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris From mailinglists at lonecoder.net Mon Jun 4 12:44:55 2007
From: mailinglists at lonecoder.net (Tarek W.) Date: Mon Jun 4 13:48:37 2007 Subject: [jasan@x31.com: Netfilter FAQ patch] In-Reply-To: <4663EC5A.8000301@netfilter.org> References: <20070604071512.GH6552@prithivi.gnumonks.org> <4663EC5A.8000301@netfilter.org> Message-ID: <9103ca1c0706040344u6f64bd39ned7ca067a76b460@mail.gmail.com> Hi guys, I ported the FAQ some time ago to Docbook XML as per Harald's request. You might find it has a cleaner structure and more updated content. Tarek On 6/4/07, Pablo Neira Ayuso wrote: > Jan wrote: > > I'd like to submit a patch changing a few IMHO important sections of > > the FAQ. I think there are still many old sections which no-one > > should be interested in anymore. It could be useful to just keep > > the older revision available and cleanse the current one (I would > > gladly do it). > > Indeed, the FAQ is outdated. We're looking for people interested in > maintaining documentation. Would you be willing to do it? If so, please > make sure you use a recent SVN working copy since your patch didn't > apply cleanly, anyhow I have fixed and applied it. > > If you aren't sure about the status of any question, just drop me a line. > > Thanks. > > -- > The dawn of the fourth age of Linux firewalling is coming; a time of > great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris > > From pablo at netfilter.org Mon Jun 4 12:52:39 2007
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Jun 4 13:56:48 2007 Subject: [jasan@x31.com: Netfilter FAQ patch] In-Reply-To: <9103ca1c0706040344u6f64bd39ned7ca067a76b460@mail.gmail.com> References: <20070604071512.GH6552@prithivi.gnumonks.org> <4663EC5A.8000301@netfilter.org> <9103ca1c0706040344u6f64bd39ned7ca067a76b460@mail.gmail.com> Message-ID: <4663EEF7.50706@netfilter.org> Hi Tarek, Tarek W. wrote: > I ported the FAQ some time ago to Docbook XML as per Harald's request. > > You might find it has a cleaner structure and more updated content. Thanks, I didn't notice. Let's use the XML file instead then. -- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris From kaber at trash.net Mon Jun 4 13:25:55 2007 
From: kaber at trash.net (Patrick McHardy) Date: Mon Jun 4 14:32:42 2007 Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet In-Reply-To: References: <4662F908.4090401@trash.net> Message-ID: <4663F6C3.9070100@trash.net> Jan Engelhardt wrote: > On Jun 3 2007 19:23, Patrick McHardy wrote: > >>>+ uint32_t min, max; >> >>We use u_int32_t in all netfilter files. Also >> > > Is this a showstopper? After all, uint32_t is close to the same-named > C99 type. It's kinda strange to have __u32, u32, u_int32_t and uint32_t > for one and the same thing. We try to keep things consistent at least along subsystems, so yes, I won't apply a patch that adds to the inconsistency. >>>+ if (head == NULL) { >>>+ *hotdrop = 1; >>>+ return false; >>>+ } >> >>might as well BUG_ON since a copy of size <= skb->len can't fail. > > > Hmm, scripts/checkpatch.pl barfs on BUG_ONs :-) > Use WARN_ON + hotdrop, or still go with BUG_ON? BUG_ON please, this is what we use for all other impossible skb_copy_bits failures. >>>+ base = head; >>>+ for (testind = 0; testind < data->ntests; ++testind) { >>>+ ct = &data->tests[testind]; >>>+ >>>+ at = 0; >>>+ pos = ct->location[0].number; >>>+ if (at + pos + 3 > skb->len || at + pos < 0) { >>>+ spin_unlock_bh(&xt_u32_lock); >>>+ return false; >> >>what about inversion? > > > If it was not supported before, I have not implemented it. We don't add new matches without inversion anymore, so please add support for it. From Valdis.Kletnieks at vt.edu Sun Jun 3 07:07:27 2007
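Review bot: the bounds check `if (at + pos + 3 > skb->len || at + pos < 0)` in the quoted test loop only rejects negative offsets if `at` and `pos` are signed, and their declarations are not in the quoted fragment; if `location[0].number` is unsigned the `< 0` half is dead and the first comparison is the sole guard, which can itself wrap for a very large `pos`. Please confirm the types, and once inversion is added decide explicitly whether this early `return false` (which correctly releases `xt_u32_lock` first) is returned as-is or XORed with the invert flag like the normal path, with a comment saying which.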
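Two of the points above, the bounds check before reading four bytes at a rule-supplied offset and inversion of the whole match, are easy to get subtly wrong, so here is a reduced user-space model in C written for this page (it is not xt_u32 and omits the module's operators and lock): a test is an offset, a mask and an inclusive range; the packet is a constructed 20-byte IPv4 header; an offset that would run past the end of the packet is a non-match rather than a read; and inversion is a single flag XORed with the result.

```c
/*
 * Added example (not xt_u32 code): a simplified u32-style match with the
 * bounds check and inversion under review. The packet is a constructed
 * IPv4 header, not captured traffic.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct u32_test {
    unsigned int offset;    /* byte offset into the packet */
    uint32_t mask;          /* applied after loading 4 bytes big-endian */
    uint32_t min, max;      /* inclusive range the masked value must fall in */
};

/* Load 4 bytes big-endian, refusing to read past the end of the packet.
 * Same intent as `at + pos + 3 > skb->len` in the patch, written with
 * unsigned arithmetic so a huge offset cannot wrap back into range. */
static bool load_be32(const uint8_t *pkt, size_t len, unsigned int off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return false;
    *out = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
           ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
    return true;
}

/* All tests must pass for the packet to match; a read that cannot be
 * satisfied is a non-match, never an out-of-bounds access. */
static bool u32_match_it(const uint8_t *pkt, size_t len,
                         const struct u32_test *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t v;

        if (!load_be32(pkt, len, t[i].offset, &v))
            return false;
        v &= t[i].mask;
        if (v < t[i].min || v > t[i].max)
            return false;
    }
    return true;
}

/* The inversion Patrick asks for: one flag in the rule data XORed with
 * the positive result, so "! --u32 ..." is the exact complement. */
static bool u32_match(const uint8_t *pkt, size_t len,
                      const struct u32_test *t, size_t n, bool invert)
{
    return u32_match_it(pkt, len, t, n) ^ invert;
}

/* Constructed 20-byte IPv4 header: version 4, IHL 5, TTL 64, protocol 6
 * (TCP), 192.168.0.1 -> 192.168.0.199. The checksum is not verified here. */
static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
    0xb1, 0xe6, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7,
};

/* "is TCP": bytes 8..11 hold TTL, protocol, checksum; mask out all but protocol. */
static const struct u32_test is_tcp[]    = { { 8, 0x00ff0000u, 0x00060000u, 0x00060000u } };
/* Last fully readable word of a 20-byte packet starts at offset 16. */
static const struct u32_test last_word[] = { { 16, 0xffffffffu, 0, 0xffffffffu } };
/* Offset 18 would need bytes 18..21: two past the end. */
static const struct u32_test past_end[]  = { { 18, 0xffffffffu, 0, 0xffffffffu } };

static bool sample_is_tcp(void)       { return u32_match(sample_pkt, sizeof sample_pkt, is_tcp, 1, false); }
static bool sample_not_tcp(void)      { return u32_match(sample_pkt, sizeof sample_pkt, is_tcp, 1, true); }
static bool sample_last_word(void)    { return u32_match(sample_pkt, sizeof sample_pkt, last_word, 1, false); }
static bool sample_past_end(void)     { return u32_match(sample_pkt, sizeof sample_pkt, past_end, 1, false); }
static bool sample_past_end_inv(void) { return u32_match(sample_pkt, sizeof sample_pkt, past_end, 1, true); }

int main(void)
{
    printf("is_tcp=%d !is_tcp=%d last_word=%d past_end=%d !past_end=%d\n",
           sample_is_tcp(), sample_not_tcp(), sample_last_word(),
           sample_past_end(), sample_past_end_inv());
    return 0;
}
```

Note what the XOR does to the truncated case: a packet too short to be examined fails the positive rule and therefore satisfies the negated one. That may or may not be what a rule author expects, and it is worth deciding deliberately, and documenting, when inversion goes into the kernel match.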
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@vt.edu) Date: Mon Jun 4 14:37:02 2007 Subject: [PATCH 0/2] xt_u32 - match arbitrary bits and bytes of a packet In-Reply-To: Your message of "Sat, 02 Jun 2007 23:46:46 +0200." References: Message-ID: <18087.1180847247@turing-police.cc.vt.edu> On Sat, 02 Jun 2007 23:46:46 +0200, Jan Engelhardt said: > along comes xt_u32, a revamped ipt_u32, +1 for doing this - I've been dragging along a local ipt_u32 patch for a while, and been wishing it had ipv6 support. > * Reduced the buffer size to 17 KB. I think that is quite ok since > I added an overflow check, SHOULD THERE BE ANY device with an > MTU larger than our loopback masterpiece (16436 bytes). > > Are there such devices that support Megasuperjumboframes? IP over Infiniband? I think those have some outrageous MTU? Personally, I wouldn't need it for anything bigger than 9K ethernet jumbograms, but that one's a decision for others. From akinobu.mita at gmail.com Sun Jun 3 14:00:30 2007 From: akinobu.mita at gmail.com (Akinobu Mita) Date: Mon Jun 4 14:37:07 2007 Subject: [PATCH] nf_conntrack_amanda: fix textsearch_prepare() error check Message-ID: <20070603120030.GA876@APFDCB5C> The return value from textsearch_prepare() needs to be checked by IS_ERR(), because it returns the error code as a pointer. Cc: "Brian J. Murrell" Signed-off-by: Akinobu Mita --- net/netfilter/nf_conntrack_amanda.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: 2.6-mm/net/netfilter/nf_conntrack_amanda.c =================================================================== --- 2.6-mm.orig/net/netfilter/nf_conntrack_amanda.c +++ 2.6-mm/net/netfilter/nf_conntrack_amanda.c
@@ -208,13 +208,14 @@ static int __init nf_conntrack_amanda_in { int ret, i; - ret = -ENOMEM; for (i = 0; i < ARRAY_SIZE(search); i++) { search[i].ts = textsearch_prepare(ts_algo, search[i].string, search[i].len, GFP_KERNEL, TS_AUTOLOAD); - if (search[i].ts == NULL) + if (IS_ERR(search[i].ts)) { + ret = PTR_ERR(search[i].ts); goto err1; + } } ret = nf_conntrack_helper_register(&amanda_helper[0]); if (ret < 0) @@ -227,10 +228,9 @@ static int __init nf_conntrack_amanda_in err2: nf_conntrack_helper_unregister(&amanda_helper[0]); err1: - for (; i >= 0; i--) { - if (search[i].ts) - textsearch_destroy(search[i].ts); - } + while (--i >= 0) + textsearch_destroy(search[i].ts); + return ret; } From kaber at trash.net Mon Jun 4 13:41:12 2007 From: kaber at trash.net (Patrick McHardy) Date: Mon Jun 4 14:48:01 2007 Subject: [PATCH] nf_conntrack_amanda: fix textsearch_prepare() error check In-Reply-To: <20070603120030.GA876@APFDCB5C> References: <20070603120030.GA876@APFDCB5C> Message-ID: <4663FA58.4050101@trash.net> Akinobu Mita wrote: > The return value from textsearch_prepare() needs to be checked > by IS_ERR(). Because it returns error code as a pointer. Good catch, applied. Thanks Akinobu. From kaber at trash.net Mon Jun 4 13:58:37 2007 From: kaber at trash.net (Patrick McHardy) Date: Mon Jun 4 15:05:27 2007 Subject: [RFC][PATCH 0/7]: ct_extend In-Reply-To: <200706040045.l540jnhh008964@toshiba.co.jp> References: <465E5159.4050604@trash.net> <200705310902.l4V9212d010654@toshiba.co.jp> <46603C67.4070201@trash.net> <200706040045.l540jnhh008964@toshiba.co.jp> Message-ID: <4663FE6D.20005@trash.net> Yasuyuki KOZAKAI wrote: 
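Review bot: in the `@@ -208,13 +208,14 @@` hunk the removed `ret = -ENOMEM;` was the only value `ret` carried on the `goto err1` from the loop, and the new `ret = PTR_ERR(search[i].ts);` covers exactly that path, so `ret` is still assigned on every route to the label; the changelog should say that the error now propagates whatever textsearch_prepare() returned instead of a blanket -ENOMEM, since that is what modprobe will start reporting. The IS_ERR() test itself is the right fix: textsearch_prepare() returns an ERR_PTR() on failure, so the old `== NULL` comparison let an error pointer through as if it were a valid handle.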
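Review bot: the new unwind `while (--i >= 0) textsearch_destroy(search[i].ts);` in the `@@ -227,10 +228,9 @@` hunk also fixes two problems the old loop had that the changelog does not mention: entered from the loop, `i` indexes the entry that just failed, whose `.ts` now holds an ERR_PTR that `if (search[i].ts)` would have passed to textsearch_destroy(); entered from err2, `i == ARRAY_SIZE(search)`, so `for (; i >= 0; i--)` first touched `search[ARRAY_SIZE(search)]`, one past the array. Pre-decrementing handles both, but it makes the label depend on `i` being exactly the loop index at the point of failure, so a one-line comment on err1 would help the next reader.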
> From: Patrick McHardy > Date: Fri, 01 Jun 2007 17:33:59 +0200 > >>How about grabbing nf_conntrack_lock and replacing the entire conntrack >>structure in this case? > > > It requires very complicated operations. I want to avoid that as much as possible. > > I'm thinking about exporting nf_nat_lock and locks of helpers, and grabbing > all of them just before reallocating extended area. But I'm not sure it is > possible because we have to take care about deadlock due to grabbing > multiple locks in different order. > > One more idea is Rusty's comment in the original patch, it replaces array > of extended area with linked list. But it results in so many small memory > objects. Hmm... If it results in one allocation per extension I don't think it's a good idea, one benefit of the array is that we can allocate the room for multiple extensions at once if we already know it's going to be needed. From jengelh at linux01.gwdg.de Mon Jun 4 17:09:51 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 18:13:50 2007 Subject: [PATCH 0/4] Use bools for xt_match and xt_target Message-ID: Hi, (just an introductory message so that it looks nice in MUAs with thread support) Along comes... a four-patch set that transforms: * xt_match->match(hotdrop) argument * xt_match->match() return type * xt_match->checkentry() return type * xt_target->checkentry() return type to booleans, because that is all they do right now. Jan -- From jengelh at linux01.gwdg.de Mon Jun 4 17:10:21 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 18:14:42 2007 Subject: [PATCH 1/4] Switch hotdrop to bool In-Reply-To: References: Message-ID: Switch the "hotdrop" variables to boolean
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/x_tables.h | 2 +- net/ipv4/netfilter/arp_tables.c | 2 +- net/ipv4/netfilter/ip_tables.c | 8 ++++---- net/ipv4/netfilter/ipt_addrtype.c | 2 +- net/ipv4/netfilter/ipt_ah.c | 4 ++-- net/ipv4/netfilter/ipt_ecn.c | 6 +++--- net/ipv4/netfilter/ipt_iprange.c | 2 +- net/ipv4/netfilter/ipt_owner.c | 2 +- net/ipv4/netfilter/ipt_recent.c | 4 ++-- net/ipv4/netfilter/ipt_tos.c | 2 +- net/ipv4/netfilter/ipt_ttl.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 ++++++------ net/ipv6/netfilter/ip6t_ah.c | 6 +++--- net/ipv6/netfilter/ip6t_eui64.c | 4 ++-- net/ipv6/netfilter/ip6t_frag.c | 6 +++--- net/ipv6/netfilter/ip6t_hbh.c | 6 +++--- net/ipv6/netfilter/ip6t_hl.c | 2 +- net/ipv6/netfilter/ip6t_ipv6header.c | 2 +- net/ipv6/netfilter/ip6t_mh.c | 6 +++--- net/ipv6/netfilter/ip6t_owner.c | 2 +- net/ipv6/netfilter/ip6t_rt.c | 6 +++--- net/netfilter/xt_comment.c | 2 +- net/netfilter/xt_connbytes.c | 2 +- net/netfilter/xt_connmark.c | 2 +- net/netfilter/xt_conntrack.c | 2 +- net/netfilter/xt_dccp.c | 12 ++++++------ net/netfilter/xt_dscp.c | 4 ++-- net/netfilter/xt_esp.c | 4 ++-- net/netfilter/xt_hashlimit.c | 4 ++-- net/netfilter/xt_helper.c | 2 +- net/netfilter/xt_length.c | 4 ++-- net/netfilter/xt_limit.c | 2 +- net/netfilter/xt_mac.c | 2 +- net/netfilter/xt_mark.c | 2 +- net/netfilter/xt_multiport.c | 8 ++++---- net/netfilter/xt_physdev.c | 2 +- net/netfilter/xt_pkttype.c | 2 +- net/netfilter/xt_policy.c | 2 +- net/netfilter/xt_quota.c | 2 +- net/netfilter/xt_realm.c | 2 +- net/netfilter/xt_sctp.c | 8 ++++---- net/netfilter/xt_state.c | 2 +- net/netfilter/xt_statistic.c | 2 +- net/netfilter/xt_string.c | 2 +- net/netfilter/xt_tcpmss.c | 4 ++-- net/netfilter/xt_tcpudp.c | 16 ++++++++-------- 46 files changed, 92 insertions(+), 92 deletions(-) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h =================================================================== --- 
linux-2.6.22-rc3-git6.orig/include/linux/netfilter/x_tables.h +++ linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h @@ -148,7 +148,7 @@ struct xt_match const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop); + bool *hotdrop); /* Called when user tries to insert an entry of this type. */ /* Should return true or false. */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/arp_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/arp_tables.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/arp_tables.c @@ -224,7 +224,7 @@ unsigned int arpt_do_table(struct sk_buf static const char nulldevname[IFNAMSIZ]; unsigned int verdict = NF_DROP; struct arphdr *arp; - int hotdrop = 0; + bool hotdrop = false; struct arpt_entry *e, *back; const char *indev, *outdev; void *table_base; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ip_tables.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c @@ -188,7 +188,7 @@ int do_match(struct ipt_entry_match *m, const struct net_device *in, const struct net_device *out, int offset, - int *hotdrop) + bool *hotdrop) { /* Stop iteration if it doesn't match */ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, @@ -216,7 +216,7 @@ ipt_do_table(struct sk_buff **pskb, u_int16_t offset; struct iphdr *ip; u_int16_t datalen; - int hotdrop = 0; + bool hotdrop = false; /* Initializing verdict to NF_DROP keeps gcc happy. */ unsigned int verdict = NF_DROP; const char *indev, *outdev; @@ -2077,7 +2077,7 @@ icmp_match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct icmphdr _icmph, *ic; const struct ipt_icmp *icmpinfo = matchinfo; 
@@ -2092,7 +2092,7 @@ icmp_match(const struct sk_buff *skb, * can't. Hence, no choice but to drop. */ duprintf("Dropping evil ICMP tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_addrtype.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_addrtype.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_addrtype.c @@ -30,7 +30,7 @@ static inline int match_type(__be32 addr static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_addrtype_info *info = matchinfo; const struct iphdr *iph = ip_hdr(skb); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ah.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c @@ -44,7 +44,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ip_auth_hdr _ahdr, *ah; const struct ipt_ah *ahinfo = matchinfo; @@ -60,7 +60,7 @@ match(const struct sk_buff *skb, * can't. Hence, no choice but to drop. */ duprintf("Dropping evil AH tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ecn.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c @@ -30,7 +30,7 @@ static inline int match_ip(const struct static inline int match_tcp(const struct sk_buff *skb, const struct ipt_ecn_info *einfo, - int *hotdrop) + bool *hotdrop) { struct tcphdr _tcph, *th; 
@@ -39,7 +39,7 @@ static inline int match_tcp(const struct */ th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph); if (th == NULL) { - *hotdrop = 0; + *hotdrop = false; return 0; } @@ -69,7 +69,7 @@ static inline int match_tcp(const struct static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_ecn_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_iprange.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c @@ -29,7 +29,7 @@ match(const struct sk_buff *skb, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_iprange_info *info = matchinfo; const struct iphdr *iph = ip_hdr(skb); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_owner.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c @@ -29,7 +29,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct ipt_owner_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_recent.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c 
@@ -173,7 +173,7 @@ static int ipt_recent_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_recent_info *info = matchinfo; struct recent_table *t; @@ -201,7 +201,7 @@ ipt_recent_match(const struct sk_buff *s goto out; e = recent_entry_init(t, addr, ttl); if (e == NULL) - *hotdrop = 1; + *hotdrop = true; ret ^= 1; goto out; } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_tos.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_tos.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_tos.c @@ -26,7 +26,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct ipt_tos_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ttl.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c @@ -21,7 +21,7 @@ MODULE_LICENSE("GPL"); static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_ttl_info *info = matchinfo; const u8 ttl = ip_hdr(skb)->ttl; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6_tables.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c 
@@ -102,7 +102,7 @@ ip6_packet_match(const struct sk_buff *s const char *outdev, const struct ip6t_ip6 *ip6info, unsigned int *protoff, - int *fragoff, int *hotdrop) + int *fragoff, bool *hotdrop) { size_t i; unsigned long ret; @@ -162,7 +162,7 @@ ip6_packet_match(const struct sk_buff *s protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off); if (protohdr < 0) { if (_frag_off == 0) - *hotdrop = 1; + *hotdrop = true; return 0; } *fragoff = _frag_off; @@ -225,7 +225,7 @@ int do_match(struct ip6t_entry_match *m, const struct net_device *out, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { /* Stop iteration if it doesn't match */ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, @@ -252,7 +252,7 @@ ip6t_do_table(struct sk_buff **pskb, static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); int offset = 0; unsigned int protoff = 0; - int hotdrop = 0; + bool hotdrop = false; /* Initializing verdict to NF_DROP keeps gcc happy. */ unsigned int verdict = NF_DROP; const char *indev, *outdev; @@ -1299,7 +1299,7 @@ icmp6_match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct icmp6hdr _icmp, *ic; const struct ip6t_icmp *icmpinfo = matchinfo; @@ -1313,7 +1313,7 @@ icmp6_match(const struct sk_buff *skb, /* We've been asked to examine this packet, and we can't. Hence, no choice but to drop. */ duprintf("Dropping evil ICMP tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ah.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c @@ -49,7 +49,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ip_auth_hdr *ah, _ah; const struct ip6t_ah *ahinfo = matchinfo; 
@@ -60,13 +60,13 @@ match(const struct sk_buff *skb, err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL); if (err < 0) { if (err != -ENOENT) - *hotdrop = 1; + *hotdrop = true; return 0; } ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); if (ah == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_eui64.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c @@ -27,7 +27,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { unsigned char eui64[8]; int i = 0; @@ -35,7 +35,7 @@ match(const struct sk_buff *skb, if (!(skb_mac_header(skb) >= skb->head && (skb_mac_header(skb) + ETH_HLEN) <= skb->data) && offset != 0) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_frag.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c @@ -48,7 +48,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct frag_hdr _frag, *fh; const struct ip6t_frag *fraginfo = matchinfo; @@ -58,13 +58,13 @@ match(const struct sk_buff *skb, err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL); if (err < 0) { if (err != -ENOENT) - *hotdrop = 1; + *hotdrop = true; return 0; } fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); if (fh == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hbh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c 
@@ -55,7 +55,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ipv6_opt_hdr _optsh, *oh; const struct ip6t_opts *optinfo = matchinfo; @@ -71,13 +71,13 @@ match(const struct sk_buff *skb, err = ipv6_find_hdr(skb, &ptr, match->data, NULL); if (err < 0) { if (err != -ENOENT) - *hotdrop = 1; + *hotdrop = true; return 0; } oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); if (oh == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hl.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c @@ -22,7 +22,7 @@ MODULE_LICENSE("GPL"); static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { const struct ip6t_hl_info *info = matchinfo; const struct ipv6hdr *ip6h = ipv6_hdr(skb); Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ipv6header.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c @@ -34,7 +34,7 @@ ipv6header_match(const struct sk_buff *s const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct ip6t_ipv6header_info *info = matchinfo; unsigned int temp; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_mh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c 
@@ -48,7 +48,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ip6_mh _mh, *mh; const struct ip6t_mh *mhinfo = matchinfo; @@ -62,14 +62,14 @@ match(const struct sk_buff *skb, /* We've been asked to examine this packet, and we can't. Hence, no choice but to drop. */ duprintf("Dropping evil MH tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } if (mh->ip6mh_proto != IPPROTO_NONE) { duprintf("Dropping invalid MH Payload Proto: %u\n", mh->ip6mh_proto); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_owner.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c @@ -31,7 +31,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct ip6t_owner_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_rt.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c @@ -50,7 +50,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ipv6_rt_hdr _route, *rh; const struct ip6t_rt *rtinfo = matchinfo; 
@@ -64,13 +64,13 @@ match(const struct sk_buff *skb, err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); if (err < 0) { if (err != -ENOENT) - *hotdrop = 1; + *hotdrop = true; return 0; } rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); if (rh == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_comment.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_comment.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_comment.c @@ -23,7 +23,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protooff, - int *hotdrop) + bool *hotdrop) { /* We always match */ return 1; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connbytes.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c @@ -23,7 +23,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_connbytes_info *sinfo = matchinfo; struct nf_conn *ct; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connmark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c @@ -38,7 +38,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_connmark_info *info = matchinfo; struct nf_conn *ct; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_conntrack.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c 
@@ -27,7 +27,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_conntrack_info *sinfo = matchinfo; struct nf_conn *ct; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dccp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c @@ -36,7 +36,7 @@ dccp_find_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff, const struct dccp_hdr *dh, - int *hotdrop) + bool *hotdrop) { /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ unsigned char *op; @@ -45,7 +45,7 @@ dccp_find_option(u_int8_t option, unsigned int i; if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) { - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -57,7 +57,7 @@ dccp_find_option(u_int8_t option, if (op == NULL) { /* If we don't have the whole header, drop packet. */ spin_unlock_bh(&dccp_buflock); - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -86,7 +86,7 @@ match_types(const struct dccp_hdr *dh, u static inline int match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff, - const struct dccp_hdr *dh, int *hotdrop) + const struct dccp_hdr *dh, bool *hotdrop) { return dccp_find_option(option, skb, protoff, dh, hotdrop); } @@ -99,7 +99,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_dccp_info *info = matchinfo; struct dccp_hdr _dh, *dh; @@ -109,7 +109,7 @@ match(const struct sk_buff *skb, dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); if (dh == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dscp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c 
@@ -29,7 +29,7 @@ static int match(const struct sk_buff *s const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_dscp_info *info = matchinfo; u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; @@ -44,7 +44,7 @@ static int match6(const struct sk_buff * const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_dscp_info *info = matchinfo; u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_esp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c @@ -50,7 +50,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct ip_esp_hdr _esp, *eh; const struct xt_esp *espinfo = matchinfo; @@ -65,7 +65,7 @@ match(const struct sk_buff *skb, * can't. Hence, no choice but to drop. */ duprintf("Dropping evil ESP tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_hashlimit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c @@ -440,7 +440,7 @@ hashlimit_match(const struct sk_buff *sk const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct xt_hashlimit_info *r = ((struct xt_hashlimit_info *)matchinfo)->u.master; @@ -487,7 +487,7 @@ hashlimit_match(const struct sk_buff *sk return 0; hotdrop: - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_helper.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c 
@@ -36,7 +36,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_helper_info *info = matchinfo; struct nf_conn *ct; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_length.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_length.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_length.c @@ -28,7 +28,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_length_info *info = matchinfo; u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); @@ -44,7 +44,7 @@ match6(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_length_info *info = matchinfo; const u_int16_t pktlen = (ntohs(ipv6_hdr(skb)->payload_len) + Index: linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_limit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c @@ -65,7 +65,7 @@ ipt_limit_match(const struct sk_buff *sk const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master; unsigned long now = jiffies; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mac.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c 
@@ -32,7 +32,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_mac_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c @@ -27,7 +27,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_mark_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_multiport.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c @@ -102,7 +102,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { __be16 _ports[2], *pptr; const struct xt_multiport *multiinfo = matchinfo; @@ -116,7 +116,7 @@ match(const struct sk_buff *skb, * can't. Hence, no choice but to drop. */ duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -133,7 +133,7 @@ match_v1(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { __be16 _ports[2], *pptr; const struct xt_multiport_v1 *multiinfo = matchinfo; @@ -147,7 +147,7 @@ match_v1(const struct sk_buff *skb, * can't. Hence, no choice but to drop. */ duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_physdev.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c 
@@ -31,7 +31,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { int i; static const char nulldevname[IFNAMSIZ]; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_pkttype.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c @@ -28,7 +28,7 @@ static int match(const struct sk_buff *s const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { u_int8_t type; const struct xt_pkttype_info *info = matchinfo; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_policy.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c @@ -115,7 +115,7 @@ static int match(const struct sk_buff *s const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_policy_info *info = matchinfo; int ret; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_quota.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c @@ -20,7 +20,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master; int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_realm.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c 
@@ -29,7 +29,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_realm_info *info = matchinfo; struct dst_entry *dst = skb->dst; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_sctp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c @@ -47,7 +47,7 @@ match_packet(const struct sk_buff *skb, int chunk_match_type, const struct xt_sctp_flag_info *flag_info, const int flag_count, - int *hotdrop) + bool *hotdrop) { u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)]; sctp_chunkhdr_t _sch, *sch; @@ -64,7 +64,7 @@ match_packet(const struct sk_buff *skb, sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -127,7 +127,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_sctp_info *info = matchinfo; sctp_sctphdr_t _sh, *sh; @@ -140,7 +140,7 @@ match(const struct sk_buff *skb, sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh); if (sh == NULL) { duprintf("Dropping evil TCP offset=0 tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_state.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_state.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_state.c 
@@ -28,7 +28,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_state_info *sinfo = matchinfo; enum ip_conntrack_info ctinfo; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_statistic.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c @@ -28,7 +28,7 @@ static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, int *hotdrop) + int offset, unsigned int protoff, bool *hotdrop) { struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo; int ret = info->flags & XT_STATISTIC_INVERT ? 1 : 0; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_string.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_string.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_string.c @@ -28,7 +28,7 @@ static int match(const struct sk_buff *s const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_string_info *conf = matchinfo; struct ts_state state; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_tcpmss.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_tcpmss.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_tcpmss.c @@ -31,7 +31,7 @@ match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct xt_tcpmss_match_info *info = matchinfo; struct tcphdr _tcph, *th; 
@@ -77,7 +77,7 @@ out: return info->invert; dropit: - *hotdrop = 1; + *hotdrop = true; return 0; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_tcpudp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c @@ -42,7 +42,7 @@ tcp_find_option(u_int8_t option, unsigned int protoff, unsigned int optlen, int invert, - int *hotdrop) + bool *hotdrop) { /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ u_int8_t _opt[60 - sizeof(struct tcphdr)], *op; @@ -57,7 +57,7 @@ tcp_find_option(u_int8_t option, op = skb_header_pointer(skb, protoff + sizeof(struct tcphdr), optlen, _opt); if (op == NULL) { - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -78,7 +78,7 @@ tcp_match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct tcphdr _tcph, *th; const struct xt_tcp *tcpinfo = matchinfo; @@ -92,7 +92,7 @@ tcp_match(const struct sk_buff *skb, */ if (offset == 1) { duprintf("Dropping evil TCP offset=1 frag.\n"); - *hotdrop = 1; + *hotdrop = true; } /* Must not be a fragment. */ return 0; @@ -105,7 +105,7 @@ tcp_match(const struct sk_buff *skb, /* We've been asked to examine this packet, and we can't. Hence, no choice but to drop. */ duprintf("Dropping evil TCP offset=0 tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } @@ -123,7 +123,7 @@ tcp_match(const struct sk_buff *skb, return 0; if (tcpinfo->option) { if (th->doff * 4 < sizeof(_tcph)) { - *hotdrop = 1; + *hotdrop = true; return 0; } if (!tcp_find_option(tcpinfo->option, skb, protoff, @@ -157,7 +157,7 @@ udp_match(const struct sk_buff *skb, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { struct udphdr _udph, *uh; const struct xt_udp *udpinfo = matchinfo; 
@@ -171,7 +171,7 @@ udp_match(const struct sk_buff *skb, /* We've been asked to examine this packet, and we can't. Hence, no choice but to drop. */ duprintf("Dropping evil UDP tinygram.\n"); - *hotdrop = 1; + *hotdrop = true; return 0; } From jengelh at linux01.gwdg.de Mon Jun 4 17:10:45 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 18:15:11 2007 Subject: [PATCH 2/4] Switch xt_match->match to bool In-Reply-To: References: Message-ID: Switch the return type of match functions to boolean 
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/x_tables.h | 16 ++++++------- net/ipv4/netfilter/ip_tables.c | 26 ++++++++++----------- net/ipv4/netfilter/ipt_addrtype.c | 12 +++++----- net/ipv4/netfilter/ipt_ah.c | 10 ++++---- net/ipv4/netfilter/ipt_ecn.c | 38 +++++++++++++++---------------- net/ipv4/netfilter/ipt_iprange.c | 8 +++--- net/ipv4/netfilter/ipt_owner.c | 10 ++++---- net/ipv4/netfilter/ipt_recent.c | 12 +++++----- net/ipv4/netfilter/ipt_tos.c | 2 - net/ipv4/netfilter/ipt_ttl.c | 12 +++++----- net/ipv6/netfilter/ip6_tables.c | 42 +++++++++++++++++------------------ net/ipv6/netfilter/ip6t_ah.c | 12 +++++----- net/ipv6/netfilter/ip6t_eui64.c | 8 +++--- net/ipv6/netfilter/ip6t_frag.c | 12 +++++----- net/ipv6/netfilter/ip6t_hbh.c | 18 +++++++-------- net/ipv6/netfilter/ip6t_hl.c | 12 +++++----- net/ipv6/netfilter/ip6t_ipv6header.c | 6 ++--- net/ipv6/netfilter/ip6t_mh.c | 17 +++++--------- net/ipv6/netfilter/ip6t_owner.c | 10 ++++---- net/ipv6/netfilter/ip6t_rt.c | 26 ++++++++++----------- net/netfilter/xt_comment.c | 4 +-- net/netfilter/xt_connbytes.c | 4 +-- net/netfilter/xt_connmark.c | 4 +-- net/netfilter/xt_conntrack.c | 24 ++++++++++---------- net/netfilter/xt_dccp.c | 22 +++++++++--------- net/netfilter/xt_dscp.c | 32 +++++++++++++------------- net/netfilter/xt_esp.c | 12 +++++----- net/netfilter/xt_hashlimit.c | 17 +++++++------- net/netfilter/xt_helper.c | 6 ++--- net/netfilter/xt_length.c | 4 +-- net/netfilter/xt_limit.c | 6 ++--- net/netfilter/xt_mac.c | 2 - net/netfilter/xt_mark.c | 2 - net/netfilter/xt_multiport.c | 34 ++++++++++++++-------------- net/netfilter/xt_physdev.c | 28 ++++++++++------------- net/netfilter/xt_pkttype.c | 2 - net/netfilter/xt_policy.c | 26 ++++++++++----------- net/netfilter/xt_quota.c | 6 ++--- net/netfilter/xt_realm.c | 2 - net/netfilter/xt_sctp.c | 26 ++++++++++----------- net/netfilter/xt_state.c | 2 - net/netfilter/xt_statistic.c | 8 +++--- net/netfilter/xt_string.c | 16 ++++++------- 
net/netfilter/xt_tcpmss.c | 4 +-- net/netfilter/xt_tcpudp.c | 39 +++++++++++++++----------------- 45 files changed, 317 insertions(+), 324 deletions(-) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h =================================================================== --- linux-2.6.22-rc3-git6.orig/include/linux/netfilter/x_tables.h +++ linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h @@ -141,14 +141,14 @@ struct xt_match /* Arguments changed since 2.6.9, as this must now handle non-linear skb, using skb_header_pointer and skb_ip_make_writable. */ - int (*match)(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - bool *hotdrop); + bool (*match)(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + bool *hotdrop); /* Called when user tries to insert an entry of this type. */ /* Should return true or false. */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ip_tables.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c 
@@ -183,19 +183,19 @@ ipt_error(struct sk_buff **pskb, } static inline -int do_match(struct ipt_entry_match *m, - const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int offset, - bool *hotdrop) +bool do_match(struct ipt_entry_match *m, + const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + int offset, + bool *hotdrop) { /* Stop iteration if it doesn't match */ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, offset, ip_hdrlen(skb), hotdrop)) - return 1; + return true; else - return 0; + return false; } static inline struct ipt_entry * @@ -2060,16 +2060,16 @@ void ipt_unregister_table(struct xt_tabl } /* Returns 1 if the type and code is matched by the range, 0 otherwise */ -static inline int +static inline bool icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code, u_int8_t type, u_int8_t code, - int invert) + bool invert) { return ((test_type == 0xFF) || (type == test_type && code >= min_code && code <= max_code)) ^ invert; } -static int +static bool icmp_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -2084,7 +2084,7 @@ icmp_match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph); if (ic == NULL) { @@ -2093,7 +2093,7 @@ icmp_match(const struct sk_buff *skb, */ duprintf("Dropping evil ICMP tinygram.\n"); *hotdrop = true; - return 0; + return false; } return icmp_type_code_match(icmpinfo->type, Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_addrtype.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_addrtype.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_addrtype.c 
@@ -22,19 +22,19 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Patrick McHardy "); MODULE_DESCRIPTION("iptables addrtype match"); -static inline int match_type(__be32 addr, u_int16_t mask) +static inline bool match_type(__be32 addr, u_int16_t mask) { return !!(mask & (1 << inet_addr_type(addr))); } -static int match(const struct sk_buff *skb, - const struct net_device *in, const struct net_device *out, - const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, bool *hotdrop) +static bool match(const struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_addrtype_info *info = matchinfo; const struct iphdr *iph = ip_hdr(skb); - int ret = 1; + bool ret = true; if (info->source) ret &= match_type(iph->saddr, info->source)^info->invert_source; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ah.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c @@ -25,10 +25,10 @@ MODULE_DESCRIPTION("iptables AH SPI matc #endif /* Returns 1 if the spi is matched by the range, 0 otherwise */ -static inline int -spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert) +static inline bool +spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) { - int r=0; + bool r; duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', min,spi,max); r=(spi >= min && spi <= max) ^ invert; @@ -36,7 +36,7 @@ spi_match(u_int32_t min, u_int32_t max, return r; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -51,7 +51,7 @@ match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; ah = skb_header_pointer(skb, protoff, sizeof(_ahdr), &_ahdr); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ecn.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c @@ -22,15 +22,15 @@ MODULE_AUTHOR("Harald Welte tos & IPT_ECN_IP_MASK) == einfo->ip_ect; } -static inline int match_tcp(const struct sk_buff *skb, - const struct ipt_ecn_info *einfo, - bool *hotdrop) +static inline bool match_tcp(const struct sk_buff *skb, + const struct ipt_ecn_info *einfo, + bool *hotdrop) { struct tcphdr _tcph, *th; 
@@ -40,51 +40,51 @@ static inline int match_tcp(const struct th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph); if (th == NULL) { *hotdrop = false; - return 0; + return false; } if (einfo->operation & IPT_ECN_OP_MATCH_ECE) { if (einfo->invert & IPT_ECN_OP_MATCH_ECE) { if (th->ece == 1) - return 0; + return false; } else { if (th->ece == 0) - return 0; + return false; } } if (einfo->operation & IPT_ECN_OP_MATCH_CWR) { if (einfo->invert & IPT_ECN_OP_MATCH_CWR) { if (th->cwr == 1) - return 0; + return false; } else { if (th->cwr == 0) - return 0; + return false; } } - return 1; + return true; } -static int match(const struct sk_buff *skb, - const struct net_device *in, const struct net_device *out, - const struct xt_match *match, const void *matchinfo, - int offset, unsigned int protoff, bool *hotdrop) +static bool match(const struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) { const struct ipt_ecn_info *info = matchinfo; if (info->operation & IPT_ECN_OP_MATCH_IP) if (!match_ip(skb, info)) - return 0; + return false; if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { if (ip_hdr(skb)->protocol != IPPROTO_TCP) - return 0; + return false; if (!match_tcp(skb, info, hotdrop)) - return 0; + return false; } - return 1; + return true; } static int checkentry(const char *tablename, const void *ip_void, Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_iprange.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c @@ -23,7 +23,7 @@ MODULE_DESCRIPTION("iptables arbitrary I #define DEBUGP(format, args...) #endif -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -44,7 +44,7 @@ match(const struct sk_buff *skb, info->flags & IPRANGE_SRC_INV ? "(INV) " : "", NIPQUAD(info->src.min_ip), NIPQUAD(info->src.max_ip)); - return 0; + return false; } } if (info->flags & IPRANGE_DST) { @@ -57,10 +57,10 @@ match(const struct sk_buff *skb, info->flags & IPRANGE_DST_INV ? "(INV) " : "", NIPQUAD(info->dst.min_ip), NIPQUAD(info->dst.max_ip)); - return 0; + return false; } } - return 1; + return true; } static struct xt_match iprange_match = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_owner.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c @@ -21,7 +21,7 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Marc Boucher "); MODULE_DESCRIPTION("iptables owner match"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -34,21 +34,21 @@ match(const struct sk_buff *skb, const struct ipt_owner_info *info = matchinfo; if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) - return 0; + return false; if(info->match & IPT_OWNER_UID) { if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ !!(info->invert & IPT_OWNER_UID)) - return 0; + return false; } if(info->match & IPT_OWNER_GID) { if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ !!(info->invert & IPT_OWNER_GID)) - return 0; + return false; } - return 1; + return true; } static int Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_recent.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c @@ -169,7 +169,7 @@ static void recent_table_flush(struct re } } -static int +static bool ipt_recent_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, 
@@ -180,7 +180,7 @@ ipt_recent_match(const struct sk_buff *s struct recent_entry *e; __be32 addr; u_int8_t ttl; - int ret = info->invert; + bool ret = info->invert; if (info->side == IPT_RECENT_DEST) addr = ip_hdr(skb)->daddr; @@ -202,15 +202,15 @@ ipt_recent_match(const struct sk_buff *s e = recent_entry_init(t, addr, ttl); if (e == NULL) *hotdrop = true; - ret ^= 1; + ret = !ret; goto out; } if (info->check_set & IPT_RECENT_SET) - ret ^= 1; + ret = !ret; else if (info->check_set & IPT_RECENT_REMOVE) { recent_entry_remove(t, e); - ret ^= 1; + ret = !ret; } else if (info->check_set & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) { unsigned long t = jiffies - info->seconds * HZ; unsigned int i, hits = 0; @@ -219,7 +219,7 @@ ipt_recent_match(const struct sk_buff *s if (info->seconds && time_after(t, e->stamps[i])) continue; if (++hits >= info->hit_count) { - ret ^= 1; + ret = !ret; break; } } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_tos.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_tos.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_tos.c @@ -18,7 +18,7 @@ MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("iptables TOS match module"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ttl.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c @@ -18,10 +18,10 @@ MODULE_AUTHOR("Harald Welte ttl; 
@@ -42,10 +42,10 @@ static int match(const struct sk_buff *s default: printk(KERN_WARNING "ipt_ttl: unknown mode %d\n", info->mode); - return 0; + return false; } - return 0; + return false; } static struct xt_match ttl_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6_tables.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c @@ -96,7 +96,7 @@ ip6t_ext_hdr(u8 nexthdr) } /* Returns whether matches rule or not. */ -static inline int +static inline bool ip6_packet_match(const struct sk_buff *skb, const char *indev, const char *outdev, @@ -122,7 +122,7 @@ ip6_packet_match(const struct sk_buff *s dprintf("DST: %u. Mask: %u. Target: %u.%s\n", ip->daddr, ipinfo->dmsk.s_addr, ipinfo->dst.s_addr, ipinfo->invflags & IP6T_INV_DSTIP ? " (INV)" : "");*/ - return 0; + return false; } /* Look for ifname matches; this should unroll nicely. */ @@ -136,7 +136,7 @@ ip6_packet_match(const struct sk_buff *s dprintf("VIA in mismatch (%s vs %s).%s\n", indev, ip6info->iniface, ip6info->invflags&IP6T_INV_VIA_IN ?" (INV)":""); - return 0; + return false; } for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { @@ -149,7 +149,7 @@ ip6_packet_match(const struct sk_buff *s dprintf("VIA out mismatch (%s vs %s).%s\n", outdev, ip6info->outiface, ip6info->invflags&IP6T_INV_VIA_OUT ?" (INV)":""); - return 0; + return false; } /* ... might want to do something with class and flowlabel here ... */ @@ -163,7 +163,7 @@ ip6_packet_match(const struct sk_buff *s if (protohdr < 0) { if (_frag_off == 0) *hotdrop = true; - return 0; + return false; } *fragoff = _frag_off; 
@@ -174,17 +174,17 @@ ip6_packet_match(const struct sk_buff *s if (ip6info->proto == protohdr) { if(ip6info->invflags & IP6T_INV_PROTO) { - return 0; + return false; } - return 1; + return true; } /* We need match for the '-p all', too! */ if ((ip6info->proto != 0) && !(ip6info->invflags & IP6T_INV_PROTO)) - return 0; + return false; } - return 1; + return true; } /* should be ip6 safe */ @@ -219,20 +219,20 @@ ip6t_error(struct sk_buff **pskb, } static inline -int do_match(struct ip6t_entry_match *m, - const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int offset, - unsigned int protoff, - bool *hotdrop) +bool do_match(struct ip6t_entry_match *m, + const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + int offset, + unsigned int protoff, + bool *hotdrop) { /* Stop iteration if it doesn't match */ if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data, offset, protoff, hotdrop)) - return 1; + return true; else - return 0; + return false; } static inline struct ip6t_entry * @@ -1291,7 +1291,7 @@ icmp6_type_code_match(u_int8_t test_type ^ invert; } -static int +static bool icmp6_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -1306,7 +1306,7 @@ icmp6_match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; ic = skb_header_pointer(skb, protoff, sizeof(_icmp), &_icmp); if (ic == NULL) { @@ -1314,7 +1314,7 @@ icmp6_match(const struct sk_buff *skb, can't. Hence, no choice but to drop. */ duprintf("Dropping evil ICMP tinygram.\n"); *hotdrop = true; - return 0; + return false; } return icmp6_type_code_match(icmpinfo->type, Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ah.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c 
@@ -30,10 +30,10 @@ MODULE_AUTHOR("Andras Kis-Szabo = min && spi <= max) ^ invert; @@ -41,7 +41,7 @@ spi_match(u_int32_t min, u_int32_t max, return r; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -61,13 +61,13 @@ match(const struct sk_buff *skb, if (err < 0) { if (err != -ENOENT) *hotdrop = true; - return 0; + return false; } ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah); if (ah == NULL) { *hotdrop = true; - return 0; + return false; } hdrlen = (ah->hdrlen + 2) << 2; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_eui64.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c @@ -19,7 +19,7 @@ MODULE_DESCRIPTION("IPv6 EUI64 address c MODULE_LICENSE("GPL"); MODULE_AUTHOR("Andras Kis-Szabo "); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -36,7 +36,7 @@ match(const struct sk_buff *skb, (skb_mac_header(skb) + ETH_HLEN) <= skb->data) && offset != 0) { *hotdrop = true; - return 0; + return false; } memset(eui64, 0, sizeof(eui64)); @@ -55,11 +55,11 @@ match(const struct sk_buff *skb, i++; if (i == 8) - return 1; + return true; } } - return 0; + return false; } static struct xt_match eui64_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_frag.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c @@ -29,10 +29,10 @@ MODULE_AUTHOR("Andras Kis-Szabo = min && id <= max) ^ invert; @@ -40,7 +40,7 @@ id_match(u_int32_t min, u_int32_t max, u return r; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -59,13 +59,13 @@ match(const struct sk_buff *skb, if (err < 0) { if (err != -ENOENT) *hotdrop = true; - return 0; + return false; } fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag); if (fh == NULL) { *hotdrop = true; - return 0; + return false; } DEBUGP("INFO %04X ", fh->frag_off); Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hbh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c @@ -47,7 +47,7 @@ MODULE_ALIAS("ip6t_dst"); * 5 -> RTALERT 2 x x */ -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -62,7 +62,7 @@ match(const struct sk_buff *skb, unsigned int temp; unsigned int ptr; unsigned int hdrlen = 0; - unsigned int ret = 0; + bool ret = false; u8 _opttype, *tp = NULL; u8 _optlen, *lp = NULL; unsigned int optlen; @@ -72,19 +72,19 @@ match(const struct sk_buff *skb, if (err < 0) { if (err != -ENOENT) *hotdrop = true; - return 0; + return false; } oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh); if (oh == NULL) { *hotdrop = true; - return 0; + return false; } hdrlen = ipv6_optlen(oh); if (skb->len - ptr < hdrlen) { /* Packet smaller than it's length field */ - return 0; + return false; } DEBUGP("IPv6 OPTS LEN %u %u ", hdrlen, oh->hdrlen); @@ -123,7 +123,7 @@ match(const struct sk_buff *skb, DEBUGP("Tbad %02X %02X\n", *tp, (optinfo->opts[temp] & 0xFF00) >> 8); - return 0; + return false; } else { DEBUGP("Tok "); } @@ -144,7 +144,7 @@ match(const struct sk_buff *skb, if (spec_len != 0x00FF && spec_len != *lp) { DEBUGP("Lbad %02X %04X\n", *lp, spec_len); - return 0; + return false; } DEBUGP("Lok "); optlen = *lp + 2; 
@@ -167,10 +167,10 @@ match(const struct sk_buff *skb, if (temp == optinfo->optsnr) return ret; else - return 0; + return false; } - return 0; + return false; } /* Called when user tries to insert an entry of this type. */ Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hl.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c @@ -19,10 +19,10 @@ MODULE_AUTHOR("Maciej Soltysiak mode); - return 0; + return false; } - return 0; + return false; } static struct xt_match hl_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ipv6header.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c @@ -26,7 +26,7 @@ MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("IPv6 headers match"); MODULE_AUTHOR("Andras Kis-Szabo "); -static int +static bool ipv6header_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -58,7 +58,7 @@ ipv6header_match(const struct sk_buff *s /* Is there enough space for the next ext header? */ if (len < (int)sizeof(struct ipv6_opt_hdr)) - return 0; + return false; /* No more exthdr -> evaluate */ if (nexthdr == NEXTHDR_NONE) { temp |= MASK_NONE; @@ -99,7 +99,7 @@ ipv6header_match(const struct sk_buff *s temp |= MASK_DSTOPTS; break; default: - return 0; + return false; break; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_mh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c 
@@ -31,16 +31,13 @@ MODULE_LICENSE("GPL"); #endif /* Returns 1 if the type is matched by the range, 0 otherwise */ -static inline int -type_match(u_int8_t min, u_int8_t max, u_int8_t type, int invert) +static inline bool +type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert) { - int ret; - - ret = (type >= min && type <= max) ^ invert; - return ret; + return (type >= min && type <= max) ^ invert; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -55,7 +52,7 @@ match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; mh = skb_header_pointer(skb, protoff, sizeof(_mh), &_mh); if (mh == NULL) { @@ -63,14 +60,14 @@ match(const struct sk_buff *skb, can't. Hence, no choice but to drop. */ duprintf("Dropping evil MH tinygram.\n"); *hotdrop = true; - return 0; + return false; } if (mh->ip6mh_proto != IPPROTO_NONE) { duprintf("Dropping invalid MH Payload Proto: %u\n", mh->ip6mh_proto); *hotdrop = true; - return 0; + return false; } return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type, Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_owner.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c @@ -23,7 +23,7 @@ MODULE_DESCRIPTION("IP6 tables owner mat MODULE_LICENSE("GPL"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -36,21 +36,21 @@ match(const struct sk_buff *skb, const struct ip6t_owner_info *info = matchinfo; if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) - return 0; + return false; if (info->match & IP6T_OWNER_UID) { if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ !!(info->invert & IP6T_OWNER_UID)) - return 0; + return false; } if (info->match & IP6T_OWNER_GID) { if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ !!(info->invert & IP6T_OWNER_GID)) - return 0; + return false; } - return 1; + return true; } static int Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_rt.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c @@ -31,10 +31,10 @@ MODULE_AUTHOR("Andras Kis-Szabo = min && id <= max) ^ invert; @@ -42,7 +42,7 @@ segsleft_match(u_int32_t min, u_int32_t return r; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -57,7 +57,7 @@ match(const struct sk_buff *skb, unsigned int temp; unsigned int ptr; unsigned int hdrlen = 0; - unsigned int ret = 0; + bool ret = false; struct in6_addr *ap, _addr; int err; @@ -65,19 +65,19 @@ match(const struct sk_buff *skb, if (err < 0) { if (err != -ENOENT) *hotdrop = true; - return 0; + return false; } rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route); if (rh == NULL) { *hotdrop = true; - return 0; + return false; } hdrlen = ipv6_optlen(rh); if (skb->len - ptr < hdrlen) { /* Pcket smaller than its length field */ - return 0; + return false; } DEBUGP("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen); @@ -136,7 +136,7 @@ match(const struct sk_buff *skb, DEBUGP("Not strict "); if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) { DEBUGP("There isn't enough space\n"); - return 0; + return false; } else { unsigned int i = 0; 
@@ -164,13 +164,13 @@ match(const struct sk_buff *skb, if (i == rtinfo->addrnr) return ret; else - return 0; + return false; } } else { DEBUGP("Strict "); if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) { DEBUGP("There isn't enough space\n"); - return 0; + return false; } else { DEBUGP("#%d ", rtinfo->addrnr); for (temp = 0; temp < rtinfo->addrnr; temp++) { @@ -190,11 +190,11 @@ match(const struct sk_buff *skb, (temp == (unsigned int)((hdrlen - 8) / 16))) return ret; else - return 0; + return false; } } - return 0; + return false; } /* Called when user tries to insert an entry of this type. */ Index: linux-2.6.22-rc3-git6/net/netfilter/xt_comment.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_comment.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_comment.c @@ -15,7 +15,7 @@ MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_comment"); MODULE_ALIAS("ip6t_comment"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -26,7 +26,7 @@ match(const struct sk_buff *skb, bool *hotdrop) { /* We always match */ - return 1; + return true; } static struct xt_match xt_comment_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connbytes.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c @@ -15,7 +15,7 @@ MODULE_AUTHOR("Harald Welte counters; switch (sinfo->what) { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connmark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c 
@@ -30,7 +30,7 @@ MODULE_DESCRIPTION("IP tables connmark m MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_connmark"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -46,7 +46,7 @@ match(const struct sk_buff *skb, ct = nf_ct_get(skb, &ctinfo); if (!ct) - return 0; + return false; return (((ct->mark) & info->mask) == info->mark) ^ info->invert; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_conntrack.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c 
@@ -19,7 +19,7 @@ MODULE_AUTHOR("Marc Boucher statemask) == 0, XT_CONNTRACK_STATE)) - return 0; + return false; } if (ct == NULL) { if (sinfo->flags & ~XT_CONNTRACK_STATE) - return 0; - return 1; + return false; + return true; } if (sinfo->flags & XT_CONNTRACK_PROTO && FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO)) - return 0; + return false; if (sinfo->flags & XT_CONNTRACK_ORIGSRC && FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip & sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC)) - return 0; + return false; if (sinfo->flags & XT_CONNTRACK_ORIGDST && FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip & sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST)) - return 0; + return false; if (sinfo->flags & XT_CONNTRACK_REPLSRC && FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip & sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC)) - return 0; + return false; if (sinfo->flags & XT_CONNTRACK_REPLDST && FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip & sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST)) - return 0; + return false; if (sinfo->flags & XT_CONNTRACK_STATUS && FWINV((ct->status & sinfo->statusmask) == 0, XT_CONNTRACK_STATUS)) - return 0; + return false; if(sinfo->flags & XT_CONNTRACK_EXPIRES) { unsigned long expires = timer_pending(&ct->timeout) ? 
@@ -109,9 +109,9 @@ match(const struct sk_buff *skb, if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), XT_CONNTRACK_EXPIRES)) - return 0; + return false; } - return 1; + return true; } static int Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dccp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c @@ -31,7 +31,7 @@ MODULE_ALIAS("ipt_dccp"); static unsigned char *dccp_optbuf; static DEFINE_SPINLOCK(dccp_buflock); -static inline int +static inline bool dccp_find_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff, @@ -46,11 +46,11 @@ dccp_find_option(u_int8_t option, if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) { *hotdrop = true; - return 0; + return false; } if (!optlen) - return 0; + return false; spin_lock_bh(&dccp_buflock); op = skb_header_pointer(skb, protoff + optoff, optlen, dccp_optbuf); @@ -58,13 +58,13 @@ dccp_find_option(u_int8_t option, /* If we don't have the whole header, drop packet. */ spin_unlock_bh(&dccp_buflock); *hotdrop = true; - return 0; + return false; } for (i = 0; i < optlen; ) { if (op[i] == option) { spin_unlock_bh(&dccp_buflock); - return 1; + return true; } if (op[i] < 2) @@ -74,24 +74,24 @@ dccp_find_option(u_int8_t option, } spin_unlock_bh(&dccp_buflock); - return 0; + return false; } -static inline int +static inline bool match_types(const struct dccp_hdr *dh, u_int16_t typemask) { return (typemask & (1 << dh->dccph_type)); } -static inline int +static inline bool match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff, const struct dccp_hdr *dh, bool *hotdrop) { return dccp_find_option(option, skb, protoff, dh, hotdrop); } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -105,12 +105,12 @@ match(const struct sk_buff *skb, struct dccp_hdr _dh, *dh; if (offset) - return 0; + return false; dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); if (dh == NULL) { *hotdrop = true; - return 0; + return false; } return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dscp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c @@ -22,22 +22,7 @@ MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_dscp"); MODULE_ALIAS("ip6t_dscp"); -static int match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - bool *hotdrop) -{ - const struct xt_dscp_info *info = matchinfo; - u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; - - return (dscp == info->dscp) ^ !!info->invert; -} - -static int match6(const struct sk_buff *skb, +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, 
@@ -47,6 +32,21 @@ static int match6(const struct sk_buff * bool *hotdrop) { const struct xt_dscp_info *info = matchinfo; + u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; + + return (dscp == info->dscp) ^ !!info->invert; +} + +static bool match6(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + bool *hotdrop) +{ + const struct xt_dscp_info *info = matchinfo; u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; return (dscp == info->dscp) ^ !!info->invert; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_esp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c @@ -31,10 +31,10 @@ MODULE_ALIAS("ip6t_esp"); #endif /* Returns 1 if the spi is matched by the range, 0 otherwise */ -static inline int -spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, int invert) +static inline bool +spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) { - int r = 0; + bool r; duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', min, spi, max); r = (spi >= min && spi <= max) ^ invert; @@ -42,7 +42,7 @@ spi_match(u_int32_t min, u_int32_t max, return r; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -57,7 +57,7 @@ match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; eh = skb_header_pointer(skb, protoff, sizeof(_esp), &_esp); if (eh == NULL) { 
@@ -66,7 +66,7 @@ match(const struct sk_buff *skb, */ duprintf("Dropping evil ESP tinygram.\n"); *hotdrop = true; - return 0; + return false; } return spi_match(espinfo->spis[0], espinfo->spis[1], ntohl(eh->spi), Index: linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_hashlimit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c @@ -94,7 +94,8 @@ static DEFINE_MUTEX(hlimit_mutex); /* ad static HLIST_HEAD(hashlimit_htables); static struct kmem_cache *hashlimit_cachep __read_mostly; -static inline int dst_cmp(const struct dsthash_ent *ent, struct dsthash_dst *b) +static inline bool dst_cmp(const struct dsthash_ent *ent, + struct dsthash_dst *b) { return !memcmp(&ent->dst, b, sizeof(ent->dst)); } @@ -227,18 +228,18 @@ static int htable_create(struct xt_hashl return 0; } -static int select_all(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) +static bool select_all(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) { return 1; } -static int select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) +static bool select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) { return (jiffies >= he->expires); } static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, - int (*select)(struct xt_hashlimit_htable *ht, + bool (*select)(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)) { unsigned int i; @@ -432,7 +433,7 @@ hashlimit_init_dst(struct xt_hashlimit_h return 0; } -static int +static bool hashlimit_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -478,17 +479,17 @@ hashlimit_match(const struct sk_buff *sk /* We're underlimit. */ dh->rateinfo.credit -= dh->rateinfo.cost; spin_unlock_bh(&hinfo->lock); - return 1; + return true; } spin_unlock_bh(&hinfo->lock); /* default case: we're overlimit, thus don't match */ - return 0; + return false; hotdrop: *hotdrop = true; - return 0; + return false; } static int Index: linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_helper.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c @@ -28,7 +28,7 @@ MODULE_ALIAS("ip6t_helper"); #define DEBUGP(format, args...) #endif -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -42,7 +42,7 @@ match(const struct sk_buff *skb, struct nf_conn *ct; struct nf_conn_help *master_help; enum ip_conntrack_info ctinfo; - int ret = info->invert; + bool ret = info->invert; ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); if (!ct) { @@ -67,7 +67,7 @@ match(const struct sk_buff *skb, ct->master->helper->name, info->name); if (info->name[0] == '\0') - ret ^= 1; + ret = !ret; else ret ^= !strncmp(master_help->helper->name, info->name, strlen(master_help->helper->name)); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_length.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_length.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_length.c @@ -20,7 +20,7 @@ MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_length"); MODULE_ALIAS("ip6t_length"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -36,7 +36,7 @@ match(const struct sk_buff *skb, return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; } -static int +static bool match6(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_limit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c @@ -57,7 +57,7 @@ static DEFINE_SPINLOCK(limit_lock); #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) -static int +static bool ipt_limit_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -79,11 +79,11 @@ ipt_limit_match(const struct sk_buff *sk /* We're not limited. */ r->credit -= r->cost; spin_unlock_bh(&limit_lock); - return 1; + return true; } spin_unlock_bh(&limit_lock); - return 0; + return false; } /* Precision saver. */ Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mac.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c @@ -24,7 +24,7 @@ MODULE_DESCRIPTION("iptables mac matchin MODULE_ALIAS("ipt_mac"); MODULE_ALIAS("ip6t_mac"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c 
@@ -19,7 +19,7 @@ MODULE_DESCRIPTION("iptables mark matchi MODULE_ALIAS("ipt_mark"); MODULE_ALIAS("ip6t_mark"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_multiport.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c @@ -33,24 +33,24 @@ MODULE_ALIAS("ip6t_multiport"); #endif /* Returns 1 if the port is matched by the test, 0 otherwise. */ -static inline int +static inline bool ports_match(const u_int16_t *portlist, enum xt_multiport_flags flags, u_int8_t count, u_int16_t src, u_int16_t dst) { unsigned int i; for (i = 0; i < count; i++) { if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src) - return 1; + return true; if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst) - return 1; + return true; } - return 0; + return false; } /* Returns 1 if the port is matched by the test, 0 otherwise. */ -static inline int +static inline bool ports_match_v1(const struct xt_multiport_v1 *minfo, u_int16_t src, u_int16_t dst) { 
@@ -67,34 +67,34 @@ ports_match_v1(const struct xt_multiport if (minfo->flags == XT_MULTIPORT_SOURCE && src >= s && src <= e) - return 1 ^ minfo->invert; + return true ^ minfo->invert; if (minfo->flags == XT_MULTIPORT_DESTINATION && dst >= s && dst <= e) - return 1 ^ minfo->invert; + return true ^ minfo->invert; if (minfo->flags == XT_MULTIPORT_EITHER && ((dst >= s && dst <= e) || (src >= s && src <= e))) - return 1 ^ minfo->invert; + return true ^ minfo->invert; } else { /* exact port matching */ duprintf("src or dst matches with %d?\n", s); if (minfo->flags == XT_MULTIPORT_SOURCE && src == s) - return 1 ^ minfo->invert; + return true ^ minfo->invert; if (minfo->flags == XT_MULTIPORT_DESTINATION && dst == s) - return 1 ^ minfo->invert; + return true ^ minfo->invert; if (minfo->flags == XT_MULTIPORT_EITHER && (src == s || dst == s)) - return 1 ^ minfo->invert; + return true ^ minfo->invert; } } return minfo->invert; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -108,7 +108,7 @@ match(const struct sk_buff *skb, const struct xt_multiport *multiinfo = matchinfo; if (offset) - return 0; + return false; pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports); if (pptr == NULL) { @@ -117,7 +117,7 @@ match(const struct sk_buff *skb, */ duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); *hotdrop = true; - return 0; + return false; } return ports_match(multiinfo->ports, @@ -125,7 +125,7 @@ match(const struct sk_buff *skb, ntohs(pptr[0]), ntohs(pptr[1])); } -static int +static bool match_v1(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -139,7 +139,7 @@ match_v1(const struct sk_buff *skb, const struct xt_multiport_v1 *multiinfo = matchinfo; if (offset) - return 0; + return false; pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports); if (pptr == NULL) { 
@@ -148,7 +148,7 @@ match_v1(const struct sk_buff *skb, */ duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); *hotdrop = true; - return 0; + return false; } return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_physdev.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c @@ -14,8 +14,6 @@ #include #include #include -#define MATCH 1 -#define NOMATCH 0 MODULE_LICENSE("GPL"); MODULE_AUTHOR("Bart De Schuymer "); @@ -23,7 +21,7 @@ MODULE_DESCRIPTION("iptables bridge phys MODULE_ALIAS("ipt_physdev"); MODULE_ALIAS("ip6t_physdev"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -36,7 +34,7 @@ match(const struct sk_buff *skb, int i; static const char nulldevname[IFNAMSIZ]; const struct xt_physdev_info *info = matchinfo; - unsigned int ret; + bool ret; const char *indev, *outdev; struct nf_bridge_info *nf_bridge; 
@@ -47,33 +45,33 @@ match(const struct sk_buff *skb, /* Return MATCH if the invert flags of the used options are on */ if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) && !(info->invert & XT_PHYSDEV_OP_BRIDGED)) - return NOMATCH; + return false; if ((info->bitmask & XT_PHYSDEV_OP_ISIN) && !(info->invert & XT_PHYSDEV_OP_ISIN)) - return NOMATCH; + return false; if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) && !(info->invert & XT_PHYSDEV_OP_ISOUT)) - return NOMATCH; + return false; if ((info->bitmask & XT_PHYSDEV_OP_IN) && !(info->invert & XT_PHYSDEV_OP_IN)) - return NOMATCH; + return false; if ((info->bitmask & XT_PHYSDEV_OP_OUT) && !(info->invert & XT_PHYSDEV_OP_OUT)) - return NOMATCH; - return MATCH; + return false; + return true; } /* This only makes sense in the FORWARD and POSTROUTING chains */ if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) && (!!(nf_bridge->mask & BRNF_BRIDGED) ^ !(info->invert & XT_PHYSDEV_OP_BRIDGED))) - return NOMATCH; + return false; if ((info->bitmask & XT_PHYSDEV_OP_ISIN && (!nf_bridge->physindev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) || (info->bitmask & XT_PHYSDEV_OP_ISOUT && (!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT)))) - return NOMATCH; + return false; if (!(info->bitmask & XT_PHYSDEV_OP_IN)) goto match_outdev; @@ -85,11 +83,11 @@ match(const struct sk_buff *skb, } if ((ret == 0) ^ !(info->invert & XT_PHYSDEV_OP_IN)) - return NOMATCH; + return false; match_outdev: if (!(info->bitmask & XT_PHYSDEV_OP_OUT)) - return MATCH; + return true; outdev = nf_bridge->physoutdev ? nf_bridge->physoutdev->name : nulldevname; for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) { 
@@ -98,7 +96,7 @@ match_outdev: & ((const unsigned int *)info->out_mask)[i]; } - return (ret != 0) ^ !(info->invert & XT_PHYSDEV_OP_OUT); + return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT); } static int Index: linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_pkttype.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c @@ -21,7 +21,7 @@ MODULE_DESCRIPTION("IP tables match to m MODULE_ALIAS("ipt_pkttype"); MODULE_ALIAS("ip6t_pkttype"); -static int match(const struct sk_buff *skb, +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_policy.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c @@ -20,7 +20,7 @@ MODULE_AUTHOR("Patrick McHardy a6, &m->a6, &a2->a6); } - return 0; + return false; } -static inline int +static inline bool match_xfrm_state(struct xfrm_state *x, const struct xt_policy_elem *e, unsigned short family) { @@ -108,14 +108,14 @@ match_policy_out(const struct sk_buff *s return strict ? i == info->len : 0; } -static int match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - bool *hotdrop) +static bool match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + bool *hotdrop) { const struct xt_policy_info *info = matchinfo; int ret; 
@@ -126,9 +126,9 @@ static int match(const struct sk_buff *s ret = match_policy_out(skb, info, match->family); if (ret < 0) - ret = info->flags & XT_POLICY_MATCH_NONE ? 1 : 0; + ret = info->flags & XT_POLICY_MATCH_NONE ? true : false; else if (info->flags & XT_POLICY_MATCH_NONE) - ret = 0; + ret = false; return ret; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_quota.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c @@ -16,19 +16,19 @@ MODULE_ALIAS("ip6t_quota"); static DEFINE_SPINLOCK(quota_lock); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) { struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master; - int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0; + bool ret = q->flags & XT_QUOTA_INVERT; spin_lock_bh("a_lock); if (q->quota >= skb->len) { q->quota -= skb->len; - ret ^= 1; + ret = !ret; } else { /* we do not allow even small packets from now on */ q->quota = 0; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_realm.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c @@ -21,7 +21,7 @@ MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("X_tables realm match"); MODULE_ALIAS("ipt_realm"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_sctp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c 
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_sctp"); #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ || (!!((invflag) & (option)) ^ (cond))) -static int +static bool match_flags(const struct xt_sctp_flag_info *flag_info, const int flag_count, u_int8_t chunktype, @@ -37,10 +37,10 @@ match_flags(const struct xt_sctp_flag_in } } - return 1; + return true; } -static inline int +static inline bool match_packet(const struct sk_buff *skb, unsigned int offset, const u_int32_t *chunkmap, @@ -65,7 +65,7 @@ match_packet(const struct sk_buff *skb, if (sch == NULL || sch->length == 0) { duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = true; - return 0; + return false; } duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", @@ -80,7 +80,7 @@ match_packet(const struct sk_buff *skb, case SCTP_CHUNK_MATCH_ANY: if (match_flags(flag_info, flag_count, sch->type, sch->flags)) { - return 1; + return true; } break; @@ -94,14 +94,14 @@ match_packet(const struct sk_buff *skb, case SCTP_CHUNK_MATCH_ONLY: if (!match_flags(flag_info, flag_count, sch->type, sch->flags)) { - return 0; + return false; } break; } } else { switch (chunk_match_type) { case SCTP_CHUNK_MATCH_ONLY: - return 0; + return false; } } } while (offset < skb->len); @@ -110,16 +110,16 @@ match_packet(const struct sk_buff *skb, case SCTP_CHUNK_MATCH_ALL: return SCTP_CHUNKMAP_IS_CLEAR(chunkmap); case SCTP_CHUNK_MATCH_ANY: - return 0; + return false; case SCTP_CHUNK_MATCH_ONLY: - return 1; + return true; } /* This will never be reached, but required to stop compiler whine */ - return 0; + return false; } -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, 
@@ -134,14 +134,14 @@ match(const struct sk_buff *skb, if (offset) { duprintf("Dropping non-first fragment.. FIXME\n"); - return 0; + return false; } sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh); if (sh == NULL) { duprintf("Dropping evil TCP offset=0 tinygram.\n"); *hotdrop = true; - return 0; + return false; } duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_state.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_state.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_state.c @@ -20,7 +20,7 @@ MODULE_DESCRIPTION("ip[6]_tables connect MODULE_ALIAS("ipt_state"); MODULE_ALIAS("ip6t_state"); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_statistic.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c 
@@ -24,26 +24,26 @@ MODULE_ALIAS("ip6t_statistic"); static DEFINE_SPINLOCK(nth_lock); -static int +static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) { struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo; - int ret = info->flags & XT_STATISTIC_INVERT ? 1 : 0; + bool ret = info->flags & XT_STATISTIC_INVERT; switch (info->mode) { case XT_STATISTIC_MODE_RANDOM: if ((net_random() & 0x7FFFFFFF) < info->u.random.probability) - ret ^= 1; + ret = !ret; break; case XT_STATISTIC_MODE_NTH: info = info->master; spin_lock_bh(&nth_lock); if (info->u.nth.count++ == info->u.nth.every) { info->u.nth.count = 0; - ret ^= 1; + ret = !ret; } spin_unlock_bh(&nth_lock); break; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_string.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_string.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_string.c @@ -21,14 +21,14 @@ MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_string"); MODULE_ALIAS("ip6t_string"); -static int match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - bool *hotdrop) +static bool match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + bool *hotdrop) { const struct xt_string_info *conf = matchinfo; struct ts_state state; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_tcpmss.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_tcpmss.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_tcpmss.c 
@@ -23,7 +23,7 @@ MODULE_AUTHOR("Marc Boucher = min && port <= max) ^ invert; - return ret; + return (port >= min && port <= max) ^ invert; } -static int +static bool tcp_find_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff, unsigned int optlen, - int invert, + bool invert, bool *hotdrop) { /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ @@ -58,7 +55,7 @@ tcp_find_option(u_int8_t option, optlen, _opt); if (op == NULL) { *hotdrop = true; - return 0; + return false; } for (i = 0; i < optlen; ) { @@ -70,7 +67,7 @@ tcp_find_option(u_int8_t option, return invert; } -static int +static bool tcp_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -95,7 +92,7 @@ tcp_match(const struct sk_buff *skb, *hotdrop = true; } /* Must not be a fragment. */ - return 0; + return false; } #define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg)) @@ -106,33 +103,33 @@ tcp_match(const struct sk_buff *skb, can't. Hence, no choice but to drop. */ duprintf("Dropping evil TCP offset=0 tinygram.\n"); *hotdrop = true; - return 0; + return false; } if (!port_match(tcpinfo->spts[0], tcpinfo->spts[1], ntohs(th->source), !!(tcpinfo->invflags & XT_TCP_INV_SRCPT))) - return 0; + return false; if (!port_match(tcpinfo->dpts[0], tcpinfo->dpts[1], ntohs(th->dest), !!(tcpinfo->invflags & XT_TCP_INV_DSTPT))) - return 0; + return false; if (!FWINVTCP((((unsigned char *)th)[13] & tcpinfo->flg_mask) == tcpinfo->flg_cmp, XT_TCP_INV_FLAGS)) - return 0; + return false; if (tcpinfo->option) { if (th->doff * 4 < sizeof(_tcph)) { *hotdrop = true; - return 0; + return false; } if (!tcp_find_option(tcpinfo->option, skb, protoff, th->doff*4 - sizeof(_tcph), tcpinfo->invflags & XT_TCP_INV_OPTION, hotdrop)) - return 0; + return false; } - return 1; + return true; } /* Called when user tries to insert an entry of this type. */ 
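Review bot: the FWINVTCP macro carried as context in the tcp_match hunk, `#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))`, now has a parameter literally named `bool` in a file whose functions return `bool`; the preprocessor still handles it, since a macro parameter is only a token, but it shadows the type name inside the macro body and reads like a cast. Rename the parameter (for example `FWINVTCP(val, invflg)`) while this file is being touched. One related nit in the same hunk: `tcp_find_option` gains a `bool invert` parameter but is still passed the raw mask `tcpinfo->invflags & XT_TCP_INV_OPTION`, whereas the two `port_match` calls next to it pass `!!(tcpinfo->invflags & ...)`; C99 `_Bool` conversion normalises the non-zero mask to true, so behaviour is unchanged, but using `!!` here too would keep the call sites consistent.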
@@ -149,7 +146,7 @@ tcp_checkentry(const char *tablename, return !(tcpinfo->invflags & ~XT_TCP_INV_MASK); } -static int +static bool udp_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, @@ -164,7 +161,7 @@ udp_match(const struct sk_buff *skb, /* Must not be a fragment. */ if (offset) - return 0; + return false; uh = skb_header_pointer(skb, protoff, sizeof(_udph), &_udph); if (uh == NULL) { @@ -172,7 +169,7 @@ udp_match(const struct sk_buff *skb, can't. Hence, no choice but to drop. */ duprintf("Dropping evil UDP tinygram.\n"); *hotdrop = true; - return 0; + return false; } return port_match(udpinfo->spts[0], udpinfo->spts[1], From jengelh at linux01.gwdg.de Mon Jun 4 17:11:00 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 18:15:54 2007 Subject: [PATCH 3/4] Switch xt_match->checkentry to bool In-Reply-To: References: Message-ID: Switch the return type of match functions to boolean 
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/x_tables.h | 10 +++++----- net/ipv4/netfilter/ip_tables.c | 10 +++++----- net/ipv4/netfilter/ipt_ah.c | 6 +++--- net/ipv4/netfilter/ipt_ecn.c | 14 +++++++------- net/ipv4/netfilter/ipt_owner.c | 6 +++--- net/ipv4/netfilter/ipt_recent.c | 14 +++++++------- net/ipv6/netfilter/ip6_tables.c | 14 +++++++------- net/ipv6/netfilter/ip6t_ah.c | 6 +++--- net/ipv6/netfilter/ip6t_frag.c | 6 +++--- net/ipv6/netfilter/ip6t_hbh.c | 6 +++--- net/ipv6/netfilter/ip6t_ipv6header.c | 6 +++--- net/ipv6/netfilter/ip6t_mh.c | 2 +- net/ipv6/netfilter/ip6t_owner.c | 6 +++--- net/ipv6/netfilter/ip6t_rt.c | 8 ++++---- net/netfilter/xt_connbytes.c | 18 +++++++++--------- net/netfilter/xt_connmark.c | 8 ++++---- net/netfilter/xt_conntrack.c | 6 +++--- net/netfilter/xt_dccp.c | 2 +- net/netfilter/xt_dscp.c | 14 +++++++------- net/netfilter/xt_esp.c | 6 +++--- net/netfilter/xt_hashlimit.c | 16 ++++++++-------- net/netfilter/xt_helper.c | 14 +++++++------- net/netfilter/xt_limit.c | 6 +++--- net/netfilter/xt_mark.c | 6 +++--- net/netfilter/xt_multiport.c | 10 +++++----- net/netfilter/xt_physdev.c | 8 ++++---- net/netfilter/xt_policy.c | 16 ++++++++-------- net/netfilter/xt_quota.c | 6 +++--- net/netfilter/xt_sctp.c | 2 +- net/netfilter/xt_state.c | 14 +++++++------- net/netfilter/xt_statistic.c | 6 +++--- net/netfilter/xt_string.c | 20 ++++++++++---------- net/netfilter/xt_tcpudp.c | 4 ++-- 33 files changed, 148 insertions(+), 148 deletions(-) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h =================================================================== --- linux-2.6.22-rc3-git6.orig/include/linux/netfilter/x_tables.h +++ linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h 
@@ -152,11 +152,11 @@ struct xt_match /* Called when user tries to insert an entry of this type. */ /* Should return true or false. */ - int (*checkentry)(const char *tablename, - const void *ip, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask); + bool (*checkentry)(const char *tablename, + const void *ip, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask); /* Called when entry of this type deleted. */ void (*destroy)(const struct xt_match *match, void *matchinfo); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ip_tables.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ip_tables.c @@ -152,20 +152,20 @@ ip_packet_match(const struct iphdr *ip, return 1; } -static inline int +static inline bool ip_checkentry(const struct ipt_ip *ip) { if (ip->flags & ~IPT_F_MASK) { duprintf("Unknown flag bits set: %08X\n", ip->flags & ~IPT_F_MASK); - return 0; + return false; } if (ip->invflags & ~IPT_INV_MASK) { duprintf("Unknown invflag bits set: %08X\n", ip->invflags & ~IPT_INV_MASK); - return 0; + return false; } - return 1; + return true; } static unsigned int @@ -2104,7 +2104,7 @@ icmp_match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool icmp_checkentry(const char *tablename, const void *info, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ah.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c @@ -70,7 +70,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *ip_void, const struct xt_match *match, 
@@ -82,9 +82,9 @@ checkentry(const char *tablename, /* Must specify no unknown invflags */ if (ahinfo->invflags & ~IPT_AH_INV_MASK) { duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags); - return 0; + return false; } - return 1; + return true; } static struct xt_match ah_match = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ecn.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c @@ -87,27 +87,27 @@ static bool match(const struct sk_buff * return true; } -static int checkentry(const char *tablename, const void *ip_void, - const struct xt_match *match, - void *matchinfo, unsigned int hook_mask) +static bool checkentry(const char *tablename, const void *ip_void, + const struct xt_match *match, + void *matchinfo, unsigned int hook_mask) { const struct ipt_ecn_info *info = matchinfo; const struct ipt_ip *ip = ip_void; if (info->operation & IPT_ECN_OP_MATCH_MASK) - return 0; + return false; if (info->invert & IPT_ECN_OP_MATCH_MASK) - return 0; + return false; if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && ip->proto != IPPROTO_TCP) { printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" " non-tcp packets\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_match ecn_match = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_owner.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_owner.c @@ -51,7 +51,7 @@ match(const struct sk_buff *skb, return true; } -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, 
@@ -63,9 +63,9 @@ checkentry(const char *tablename, if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) { printk("ipt_owner: pid, sid and command matching " "not supported anymore\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_match owner_match = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_recent.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c @@ -235,7 +235,7 @@ out: return ret; } -static int +static bool ipt_recent_checkentry(const char *tablename, const void *ip, const struct xt_match *match, void *matchinfo, unsigned int hook_mask) @@ -243,24 +243,24 @@ ipt_recent_checkentry(const char *tablen const struct ipt_recent_info *info = matchinfo; struct recent_table *t; unsigned i; - int ret = 0; + bool ret = false; if (hweight8(info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) != 1) - return 0; + return false; if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) && (info->seconds || info->hit_count)) - return 0; + return false; if (info->name[0] == '\0' || strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN) - return 0; + return false; mutex_lock(&recent_mutex); t = recent_table_lookup(info->name); if (t != NULL) { t->refcnt++; - ret = 1; + ret = true; goto out; } @@ -287,7 +287,7 @@ ipt_recent_checkentry(const char *tablen spin_lock_bh(&recent_lock); list_add_tail(&t->list, &tables); spin_unlock_bh(&recent_lock); - ret = 1; + ret = true; out: mutex_unlock(&recent_mutex); return ret; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6_tables.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6_tables.c 
@@ -188,20 +188,20 @@ ip6_packet_match(const struct sk_buff *s } /* should be ip6 safe */ -static inline int +static inline bool ip6_checkentry(const struct ip6t_ip6 *ipv6) { if (ipv6->flags & ~IP6T_F_MASK) { duprintf("Unknown flag bits set: %08X\n", ipv6->flags & ~IP6T_F_MASK); - return 0; + return false; } if (ipv6->invflags & ~IP6T_INV_MASK) { duprintf("Unknown invflag bits set: %08X\n", ipv6->invflags & ~IP6T_INV_MASK); - return 0; + return false; } - return 1; + return true; } static unsigned int @@ -1282,10 +1282,10 @@ void ip6t_unregister_table(struct xt_tab } /* Returns 1 if the type and code is matched by the range, 0 otherwise */ -static inline int +static inline bool icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code, u_int8_t type, u_int8_t code, - int invert) + bool invert) { return (type == test_type && code >= min_code && code <= max_code) ^ invert; @@ -1325,7 +1325,7 @@ icmp6_match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool icmp6_checkentry(const char *tablename, const void *entry, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ah.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c @@ -103,7 +103,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, 
@@ -114,9 +114,9 @@ checkentry(const char *tablename, if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags); - return 0; + return false; } - return 1; + return true; } static struct xt_match ah_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_frag.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c @@ -120,7 +120,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, @@ -131,9 +131,9 @@ checkentry(const char *tablename, if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags); - return 0; + return false; } - return 1; + return true; } static struct xt_match frag_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hbh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c @@ -174,7 +174,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, @@ -185,9 +185,9 @@ checkentry(const char *tablename, if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); - return 0; + return false; } - return 1; + return true; } static struct xt_match opts_match[] = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ipv6header.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c 
@@ -124,7 +124,7 @@ ipv6header_match(const struct sk_buff *s } } -static int +static bool ipv6header_checkentry(const char *tablename, const void *ip, const struct xt_match *match, @@ -136,9 +136,9 @@ ipv6header_checkentry(const char *tablen /* invflags is 0 or 0xff in hard mode */ if ((!info->modeflag) && info->invflags != 0x00 && info->invflags != 0xFF) - return 0; + return false; - return 1; + return true; } static struct xt_match ip6t_ipv6header_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_mh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c @@ -75,7 +75,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool mh_checkentry(const char *tablename, const void *entry, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_owner.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c @@ -53,7 +53,7 @@ match(const struct sk_buff *skb, return true; } -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, @@ -65,9 +65,9 @@ checkentry(const char *tablename, if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) { printk("ipt_owner: pid and sid matching " "not supported anymore\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_match owner_match = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_rt.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c 
@@ -198,7 +198,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, @@ -209,17 +209,17 @@ checkentry(const char *tablename, if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags); - return 0; + return false; } if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && (!(rtinfo->flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP))) { DEBUGP("`--rt-type 0' required before `--rt-0-*'"); - return 0; + return false; } - return 1; + return true; } static struct xt_match rt_match = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connbytes.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c 
@@ -95,31 +95,31 @@ match(const struct sk_buff *skb, return (what >= sinfo->count.from); } -static int check(const char *tablename, - const void *ip, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) +static bool check(const char *tablename, + const void *ip, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) { const struct xt_connbytes_info *sinfo = matchinfo; if (sinfo->what != XT_CONNBYTES_PKTS && sinfo->what != XT_CONNBYTES_BYTES && sinfo->what != XT_CONNBYTES_AVGPKT) - return 0; + return false; if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL && sinfo->direction != XT_CONNBYTES_DIR_REPLY && sinfo->direction != XT_CONNBYTES_DIR_BOTH) - return 0; + return false; if (nf_ct_l3proto_try_module_get(match->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", match->family); - return 0; + return false; } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connmark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c @@ -51,7 +51,7 @@ match(const struct sk_buff *skb, return (((ct->mark) & info->mask) == info->mark) ^ info->invert; } -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, 
@@ -62,14 +62,14 @@ checkentry(const char *tablename, if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { printk(KERN_WARNING "connmark: only support 32bit mark\n"); - return 0; + return false; } if (nf_ct_l3proto_try_module_get(match->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", match->family); - return 0; + return false; } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_conntrack.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c @@ -114,7 +114,7 @@ match(const struct sk_buff *skb, return true; } -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, @@ -124,9 +124,9 @@ checkentry(const char *tablename, if (nf_ct_l3proto_try_module_get(match->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", match->family); - return 0; + return false; } - return 1; + return true; } static void destroy(const struct xt_match *match, void *matchinfo) Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dccp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c @@ -126,7 +126,7 @@ match(const struct sk_buff *skb, XT_DCCP_OPTION, info->flags, info->invflags); } -static int +static bool checkentry(const char *tablename, const void *inf, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dscp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dscp.c 
@@ -52,20 +52,20 @@ static bool match6(const struct sk_buff return (dscp == info->dscp) ^ !!info->invert; } -static int checkentry(const char *tablename, - const void *info, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) +static bool checkentry(const char *tablename, + const void *info, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) { const u_int8_t dscp = ((struct xt_dscp_info *)matchinfo)->dscp; if (dscp > XT_DSCP_MAX) { printk(KERN_ERR "xt_dscp: dscp %x out of range\n", dscp); - return 0; + return false; } - return 1; + return true; } static struct xt_match xt_dscp_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_esp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_esp.c @@ -74,7 +74,7 @@ match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *ip_void, const struct xt_match *match, @@ -85,10 +85,10 @@ checkentry(const char *tablename, if (espinfo->invflags & ~XT_ESP_INV_MASK) { duprintf("xt_esp: unknown flags %X\n", espinfo->invflags); - return 0; + return false; } - return 1; + return true; } static struct xt_match xt_esp_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_hashlimit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c @@ -492,7 +492,7 @@ hotdrop: return false; } -static int +static bool hashlimit_checkentry(const char *tablename, const void *inf, const struct xt_match *match, 
@@ -506,20 +506,20 @@ hashlimit_checkentry(const char *tablena user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) { printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n", r->cfg.avg, r->cfg.burst); - return 0; + return false; } if (r->cfg.mode == 0 || r->cfg.mode > (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT)) - return 0; + return false; if (!r->cfg.gc_interval) - return 0; + return false; if (!r->cfg.expire) - return 0; + return false; if (r->name[sizeof(r->name) - 1] != '\0') - return 0; + return false; /* This is the best we've got: We cannot release and re-grab lock, * since checkentry() is called before x_tables.c grabs xt_mutex. @@ -531,13 +531,13 @@ hashlimit_checkentry(const char *tablena r->hinfo = htable_find_get(r->name, match->family); if (!r->hinfo && htable_create(r, match->family) != 0) { mutex_unlock(&hlimit_mutex); - return 0; + return false; } mutex_unlock(&hlimit_mutex); /* Ugly hack: For SMP, we only want to use one set */ r->u.master = r; - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_helper.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c 
@@ -76,21 +76,21 @@ out_unlock: return ret; } -static int check(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) +static bool check(const char *tablename, + const void *inf, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) { struct xt_helper_info *info = matchinfo; if (nf_ct_l3proto_try_module_get(match->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", match->family); - return 0; + return false; } info->name[29] = '\0'; - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_limit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c @@ -98,7 +98,7 @@ user2credits(u_int32_t user) return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE; } -static int +static bool ipt_limit_checkentry(const char *tablename, const void *inf, const struct xt_match *match, @@ -112,7 +112,7 @@ ipt_limit_checkentry(const char *tablena || user2credits(r->avg * r->burst) < user2credits(r->avg)) { printk("Overflow in xt_limit, try lower: %u/%u\n", r->avg, r->burst); - return 0; + return false; } /* For SMP, we only want to use one set of counters. */ @@ -125,7 +125,7 @@ ipt_limit_checkentry(const char *tablena r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ r->cost = user2credits(r->avg); } - return 1; + return true; } #ifdef CONFIG_COMPAT Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c @@ -34,7 +34,7 @@ match(const struct sk_buff *skb, return ((skb->mark & info->mask) == info->mark) ^ info->invert; } -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, 
@@ -45,9 +45,9 @@ checkentry(const char *tablename, if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) { printk(KERN_WARNING "mark: only supports 32bit mark\n"); - return 0; + return false; } - return 1; + return true; } #ifdef CONFIG_COMPAT Index: linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_multiport.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_multiport.c @@ -154,7 +154,7 @@ match_v1(const struct sk_buff *skb, return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); } -static inline int +static inline bool check(u_int16_t proto, u_int8_t ip_invflags, u_int8_t match_flags, @@ -172,7 +172,7 @@ check(u_int16_t proto, } /* Called when user tries to insert an entry of this type. */ -static int +static bool checkentry(const char *tablename, const void *info, const struct xt_match *match, @@ -186,7 +186,7 @@ checkentry(const char *tablename, multiinfo->count); } -static int +static bool checkentry_v1(const char *tablename, const void *info, const struct xt_match *match, @@ -200,7 +200,7 @@ checkentry_v1(const char *tablename, multiinfo->count); } -static int +static bool checkentry6(const char *tablename, const void *info, const struct xt_match *match, @@ -214,7 +214,7 @@ checkentry6(const char *tablename, multiinfo->count); } -static int +static bool checkentry6_v1(const char *tablename, const void *info, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_physdev.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c @@ -99,7 +99,7 @@ match_outdev: return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT); } -static int +static bool checkentry(const char *tablename, const void *ip, const struct xt_match *match, 
@@ -110,7 +110,7 @@ checkentry(const char *tablename, if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || info->bitmask & ~XT_PHYSDEV_OP_MASK) - return 0; + return false; if (info->bitmask & XT_PHYSDEV_OP_OUT && (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || info->invert & XT_PHYSDEV_OP_BRIDGED) && @@ -120,9 +120,9 @@ checkentry(const char *tablename, "OUTPUT, FORWARD and POSTROUTING chains for non-bridged " "traffic is not supported anymore.\n"); if (hook_mask & (1 << NF_IP_LOCAL_OUT)) - return 0; + return false; } - return 1; + return true; } static struct xt_match xt_physdev_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_policy.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c 
@@ -133,35 +133,35 @@ static bool match(const struct sk_buff * return ret; } -static int checkentry(const char *tablename, const void *ip_void, - const struct xt_match *match, - void *matchinfo, unsigned int hook_mask) +static bool checkentry(const char *tablename, const void *ip_void, + const struct xt_match *match, + void *matchinfo, unsigned int hook_mask) { struct xt_policy_info *info = matchinfo; if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { printk(KERN_ERR "xt_policy: neither incoming nor " "outgoing policy selected\n"); - return 0; + return false; } /* hook values are equal for IPv4 and IPv6 */ if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) && info->flags & XT_POLICY_MATCH_OUT) { printk(KERN_ERR "xt_policy: output policy not valid in " "PRE_ROUTING and INPUT\n"); - return 0; + return false; } if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) && info->flags & XT_POLICY_MATCH_IN) { printk(KERN_ERR "xt_policy: input policy not valid in " "POST_ROUTING and OUTPUT\n"); - return 0; + return false; } if (info->len > XT_POLICY_MAX_ELEM) { printk(KERN_ERR "xt_policy: too many policy elements\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_match xt_policy_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_quota.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c @@ -38,7 +38,7 @@ match(const struct sk_buff *skb, return ret; } -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, void *matchinfo, unsigned int hook_mask) 
@@ -46,10 +46,10 @@ checkentry(const char *tablename, const struct xt_quota_info *q = (struct xt_quota_info *)matchinfo; if (q->flags & ~XT_QUOTA_MASK) - return 0; + return false; /* For SMP, we only want to use one set of counters. */ q->master = q; - return 1; + return true; } static struct xt_match xt_quota_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_sctp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c @@ -158,7 +158,7 @@ match(const struct sk_buff *skb, XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); } -static int +static bool checkentry(const char *tablename, const void *inf, const struct xt_match *match, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_state.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_state.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_state.c @@ -44,18 +44,18 @@ match(const struct sk_buff *skb, return (sinfo->statemask & statebit); } -static int check(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) +static bool check(const char *tablename, + const void *inf, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) { if (nf_ct_l3proto_try_module_get(match->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", match->family); - return 0; + return false; } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_statistic.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c 
@@ -52,7 +52,7 @@ match(const struct sk_buff *skb, return ret; } -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_match *match, void *matchinfo, unsigned int hook_mask) @@ -61,9 +61,9 @@ checkentry(const char *tablename, const if (info->mode > XT_STATISTIC_MODE_MAX || info->flags & ~XT_STATISTIC_MASK) - return 0; + return false; info->master = info; - return 1; + return true; } static struct xt_match xt_statistic_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_string.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_string.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_string.c @@ -42,30 +42,30 @@ static bool match(const struct sk_buff * #define STRING_TEXT_PRIV(m) ((struct xt_string_info *) m) -static int checkentry(const char *tablename, - const void *ip, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) +static bool checkentry(const char *tablename, + const void *ip, + const struct xt_match *match, + void *matchinfo, + unsigned int hook_mask) { struct xt_string_info *conf = matchinfo; struct ts_config *ts_conf; /* Damn, can't handle this case properly with iptables... */ if (conf->from_offset > conf->to_offset) - return 0; + return false; if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') - return 0; + return false; if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) - return 0; + return false; ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, GFP_KERNEL, TS_AUTOLOAD); if (IS_ERR(ts_conf)) - return 0; + return false; conf->config = ts_conf; - return 1; + return true; } static void destroy(const struct xt_match *match, void *matchinfo) Index: linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_tcpudp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c 
@@ -133,7 +133,7 @@ tcp_match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool tcp_checkentry(const char *tablename, const void *info, const struct xt_match *match, @@ -181,7 +181,7 @@ udp_match(const struct sk_buff *skb, } /* Called when user tries to insert an entry of this type. */ -static int +static bool udp_checkentry(const char *tablename, const void *info, const struct xt_match *match, From jengelh at linux01.gwdg.de Mon Jun 4 17:11:19 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 18:19:15 2007 Subject: [PATCH 4/4] Switch xt_target->checkentry to bool In-Reply-To: References: Message-ID: Switch the return type of target functions to boolean. 
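Review bot: in the xt_sctp.c and xt_tcpudp.c hunks of 3/4 just above, only the `static int` line becomes `static bool`; the return statements of checkentry, tcp_checkentry and udp_checkentry are outside the hunks, so whatever those bodies return is now implicitly converted to bool. That is fine for a 0/1 or `!(flags & ~MASK)` body, but a body that ever returned a negative errno would silently become a successful true, so please confirm those bodies return only 0/1 and say so in the changelog.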
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/x_tables.h | 10 +++++----- net/ipv4/netfilter/arpt_mangle.c | 8 ++++---- net/ipv4/netfilter/ipt_CLUSTERIP.c | 28 ++++++++++++++-------------- net/ipv4/netfilter/ipt_ECN.c | 30 +++++++++++++++--------------- net/ipv4/netfilter/ipt_LOG.c | 16 ++++++++-------- net/ipv4/netfilter/ipt_MASQUERADE.c | 8 ++++---- net/ipv4/netfilter/ipt_NETMAP.c | 8 ++++---- net/ipv4/netfilter/ipt_REDIRECT.c | 8 ++++---- net/ipv4/netfilter/ipt_REJECT.c | 16 ++++++++-------- net/ipv4/netfilter/ipt_SAME.c | 14 +++++++------- net/ipv4/netfilter/ipt_TOS.c | 6 +++--- net/ipv4/netfilter/ipt_TTL.c | 8 ++++---- net/ipv4/netfilter/ipt_ULOG.c | 16 ++++++++-------- net/ipv4/netfilter/nf_nat_rule.c | 28 ++++++++++++++-------------- net/ipv6/netfilter/ip6t_HL.c | 8 ++++---- net/ipv6/netfilter/ip6t_LOG.c | 16 ++++++++-------- net/ipv6/netfilter/ip6t_REJECT.c | 16 ++++++++-------- net/netfilter/xt_CONNMARK.c | 10 +++++----- net/netfilter/xt_CONNSECMARK.c | 12 ++++++------ net/netfilter/xt_DSCP.c | 14 +++++++------- net/netfilter/xt_MARK.c | 14 +++++++------- net/netfilter/xt_NFLOG.c | 8 ++++---- net/netfilter/xt_SECMARK.c | 24 ++++++++++++------------ net/netfilter/xt_TCPMSS.c | 22 +++++++++++----------- 24 files changed, 174 insertions(+), 174 deletions(-) Index: linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h =================================================================== --- linux-2.6.22-rc3-git6.orig/include/linux/netfilter/x_tables.h +++ linux-2.6.22-rc3-git6/include/linux/netfilter/x_tables.h 
@@ -202,11 +202,11 @@ struct xt_target hook_mask is a bitmask of hooks from which it can be called. */ /* Should return true or false. */ - int (*checkentry)(const char *tablename, - const void *entry, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask); + bool (*checkentry)(const char *tablename, + const void *entry, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask); /* Called when entry of this type deleted. */ void (*destroy)(const struct xt_target *target, void *targinfo); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/arpt_mangle.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/arpt_mangle.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/arpt_mangle.c @@ -65,7 +65,7 @@ target(struct sk_buff **pskb, return mangle->target; } -static int +static bool checkentry(const char *tablename, const void *e, const struct xt_target *target, void *targinfo, unsigned int hook_mask) { @@ -73,12 +73,12 @@ checkentry(const char *tablename, const if (mangle->flags & ~ARPT_MANGLE_MASK || !(mangle->flags & ARPT_MANGLE_MASK)) - return 0; + return false; if (mangle->target != NF_DROP && mangle->target != NF_ACCEPT && mangle->target != ARPT_CONTINUE) - return 0; - return 1; + return false; + return true; } static struct arpt_target arpt_mangle_reg = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -220,17 +220,17 @@ clusterip_add_node(struct clusterip_conf return 0; } -static int +static bool clusterip_del_node(struct clusterip_config *c, u_int16_t nodenum) { if (nodenum == 0 || nodenum > c->num_total_nodes) - return 1; + return true; if (test_and_clear_bit(nodenum - 1, &c->local_nodes)) - return 0; + return false; - return 1; + return true; } #endif 
@@ -370,7 +370,7 @@ target(struct sk_buff **pskb, return XT_CONTINUE; } -static int +static bool checkentry(const char *tablename, const void *e_void, const struct xt_target *target, @@ -387,13 +387,13 @@ checkentry(const char *tablename, cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n", cipinfo->hash_mode); - return 0; + return false; } if (e->ip.dmsk.s_addr != htonl(0xffffffff) || e->ip.dst.s_addr == 0) { printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); - return 0; + return false; } /* FIXME: further sanity checks */ @@ -407,7 +407,7 @@ checkentry(const char *tablename, if (cipinfo->config != config) { printk(KERN_ERR "CLUSTERIP: Reloaded entry " "has invalid config pointer!\n"); - return 0; + return false; } } else { /* Case B: This is a new rule referring to an existing @@ -418,19 +418,19 @@ checkentry(const char *tablename, /* Case C: This is a completely new clusterip config */ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { printk(KERN_WARNING "CLUSTERIP: no config found for %u.%u.%u.%u, need 'new'\n", NIPQUAD(e->ip.dst.s_addr)); - return 0; + return false; } else { struct net_device *dev; if (e->ip.iniface[0] == '\0') { printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n"); - return 0; + return false; } dev = dev_get_by_name(e->ip.iniface); if (!dev) { printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface); - return 0; + return false; } config = clusterip_config_init(cipinfo, @@ -438,7 +438,7 @@ checkentry(const char *tablename, if (!config) { printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n"); dev_put(dev); - return 0; + return false; } dev_mc_add(config->dev,config->clustermac, ETH_ALEN, 0); } 
@@ -448,10 +448,10 @@ checkentry(const char *tablename, if (nf_ct_l3proto_try_module_get(target->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", target->family); - return 0; + return false; } - return 1; + return true; } /* drop reference count of cluster config when rule is deleted */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ECN.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ECN.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ECN.c @@ -24,8 +24,8 @@ MODULE_AUTHOR("Harald Welte tos & IPT_ECN_IP_MASK) != (einfo->ip_ect & IPT_ECN_IP_MASK)) { __u8 oldtos; if (!skb_make_writable(pskb, sizeof(struct iphdr))) - return 0; + return false; iph = ip_hdr(*pskb); oldtos = iph->tos; iph->tos &= ~IPT_ECN_IP_MASK; iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK); nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos)); } - return 1; + return true; } -/* Return 0 if there was an error. */ -static inline int +/* Return false if there was an error. */ +static inline bool set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo) { struct tcphdr _tcph, *tcph; @@ -54,16 +54,16 @@ set_ect_tcp(struct sk_buff **pskb, const tcph = skb_header_pointer(*pskb, ip_hdrlen(*pskb), sizeof(_tcph), &_tcph); if (!tcph) - return 0; + return false; if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) || tcph->ece == einfo->proto.tcp.ece) && ((!(einfo->operation & IPT_ECN_OP_SET_CWR) || tcph->cwr == einfo->proto.tcp.cwr))) - return 1; + return true; if (!skb_make_writable(pskb, ip_hdrlen(*pskb) + sizeof(*tcph))) - return 0; + return false; tcph = (void *)ip_hdr(*pskb) + ip_hdrlen(*pskb); oldval = ((__be16 *)tcph)[6]; @@ -74,7 +74,7 @@ set_ect_tcp(struct sk_buff **pskb, const nf_proto_csum_replace2(&tcph->check, *pskb, oldval, ((__be16 *)tcph)[6], 0); - return 1; + return true; } static unsigned int 
@@ -99,7 +99,7 @@ target(struct sk_buff **pskb, return XT_CONTINUE; } -static int +static bool checkentry(const char *tablename, const void *e_void, const struct xt_target *target, @@ -112,20 +112,20 @@ checkentry(const char *tablename, if (einfo->operation & IPT_ECN_OP_MASK) { printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", einfo->operation); - return 0; + return false; } if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n", einfo->ip_ect); - return 0; + return false; } if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { printk(KERN_WARNING "ECN: cannot use TCP operations on a " "non-tcp rule\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_target ipt_ecn_reg = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_LOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_LOG.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_LOG.c 
@@ -435,24 +435,24 @@ ipt_log_target(struct sk_buff **pskb, return XT_CONTINUE; } -static int ipt_log_checkentry(const char *tablename, - const void *e, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool ipt_log_checkentry(const char *tablename, + const void *e, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { const struct ipt_log_info *loginfo = targinfo; if (loginfo->level >= 8) { DEBUGP("LOG: level %u >= 8\n", loginfo->level); - return 0; + return false; } if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { DEBUGP("LOG: prefix term %i\n", loginfo->prefix[sizeof(loginfo->prefix)-1]); - return 0; + return false; } - return 1; + return true; } static struct xt_target ipt_log_reg = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_MASQUERADE.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c @@ -37,7 +37,7 @@ MODULE_DESCRIPTION("iptables MASQUERADE static DEFINE_RWLOCK(masq_lock); /* FIXME: Multiple targets. --RR */ -static int +static bool masquerade_check(const char *tablename, const void *e, const struct xt_target *target, @@ -48,13 +48,13 @@ masquerade_check(const char *tablename, if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { DEBUGP("masquerade_check: bad MAP_IPS.\n"); - return 0; + return false; } if (mr->rangesize != 1) { DEBUGP("masquerade_check: bad rangesize %u.\n", mr->rangesize); - return 0; + return false; } - return 1; + return true; } static unsigned int Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_NETMAP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_NETMAP.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_NETMAP.c 
@@ -29,7 +29,7 @@ MODULE_DESCRIPTION("iptables 1:1 NAT map #define DEBUGP(format, args...) #endif -static int +static bool check(const char *tablename, const void *e, const struct xt_target *target, @@ -40,13 +40,13 @@ check(const char *tablename, if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { DEBUGP(MODULENAME":check: bad MAP_IPS.\n"); - return 0; + return false; } if (mr->rangesize != 1) { DEBUGP(MODULENAME":check: bad rangesize %u.\n", mr->rangesize); - return 0; + return false; } - return 1; + return true; } static unsigned int Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REDIRECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_REDIRECT.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REDIRECT.c @@ -32,7 +32,7 @@ MODULE_DESCRIPTION("iptables REDIRECT ta #endif /* FIXME: Take multiple ranges --RR */ -static int +static bool redirect_check(const char *tablename, const void *e, const struct xt_target *target, @@ -43,13 +43,13 @@ redirect_check(const char *tablename, if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { DEBUGP("redirect_check: bad MAP_IPS.\n"); - return 0; + return false; } if (mr->rangesize != 1) { DEBUGP("redirect_check: bad rangesize %u.\n", mr->rangesize); - return 0; + return false; } - return 1; + return true; } static unsigned int Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REJECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_REJECT.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REJECT.c 
@@ -217,27 +217,27 @@ static unsigned int reject(struct sk_buf return NF_DROP; } -static int check(const char *tablename, - const void *e_void, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool check(const char *tablename, + const void *e_void, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { const struct ipt_reject_info *rejinfo = targinfo; const struct ipt_entry *e = e_void; if (rejinfo->with == IPT_ICMP_ECHOREPLY) { printk("REJECT: ECHOREPLY no longer supported.\n"); - return 0; + return false; } else if (rejinfo->with == IPT_TCP_RESET) { /* Must specify that it's a TCP packet */ if (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO)) { DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n"); - return 0; + return false; } } - return 1; + return true; } static struct xt_target ipt_reject_reg = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_SAME.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_SAME.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_SAME.c @@ -33,7 +33,7 @@ MODULE_DESCRIPTION("iptables special SNA #define DEBUGP(format, args...) #endif -static int +static bool same_check(const char *tablename, const void *e, const struct xt_target *target, @@ -47,13 +47,13 @@ same_check(const char *tablename, if (mr->rangesize < 1) { DEBUGP("same_check: need at least one dest range.\n"); - return 0; + return false; } if (mr->rangesize > IPT_SAME_MAX_RANGE) { DEBUGP("same_check: too many ranges specified, maximum " "is %u ranges\n", IPT_SAME_MAX_RANGE); - return 0; + return false; } for (count = 0; count < mr->rangesize; count++) { if (ntohl(mr->range[count].min_ip) 
> @@ -62,11 +62,11 @@ same_check(const char *tablename, "range `%u.%u.%u.%u-%u.%u.%u.%u'.\n", NIPQUAD(mr->range[count].min_ip), NIPQUAD(mr->range[count].max_ip)); - return 0; + return false; } if (!(mr->range[count].flags & IP_NAT_RANGE_MAP_IPS)) { DEBUGP("same_check: bad MAP_IPS.\n"); - return 0; + return false; } rangeip = (ntohl(mr->range[count].max_ip) - ntohl(mr->range[count].min_ip) + 1); @@ -81,7 +81,7 @@ same_check(const char *tablename, DEBUGP("same_check: Couldn't allocate %u bytes " "for %u ipaddresses!\n", (sizeof(u_int32_t) * mr->ipnum), mr->ipnum); - return 0; + return false; } DEBUGP("same_check: Allocated %u bytes for %u ipaddresses.\n", (sizeof(u_int32_t) * mr->ipnum), mr->ipnum); @@ -97,7 +97,7 @@ same_check(const char *tablename, index++; } } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TOS.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_TOS.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TOS.c @@ -43,7 +43,7 @@ target(struct sk_buff **pskb, return XT_CONTINUE; } -static int +static bool checkentry(const char *tablename, const void *e_void, const struct xt_target *target, @@ -58,9 +58,9 @@ checkentry(const char *tablename, && tos != IPTOS_MINCOST && tos != IPTOS_NORMALSVC) { printk(KERN_WARNING "TOS: bad tos value %#x\n", tos); - return 0; + return false; } - return 1; + return true; } static struct xt_target ipt_tos_reg = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_TTL.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c @@ -62,7 +62,7 @@ ipt_ttl_target(struct sk_buff **pskb, return XT_CONTINUE; } -static int ipt_ttl_checkentry(const char *tablename, +static bool ipt_ttl_checkentry(const char *tablename, const void *e, const struct xt_target *target, void *targinfo, 
@@ -73,11 +73,11 @@ static int ipt_ttl_checkentry(const char if (info->mode > IPT_TTL_MAXMODE) { printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", info->mode); - return 0; + return false; } if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) - return 0; - return 1; + return false; + return true; } static struct xt_target ipt_TTL = { Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ULOG.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c @@ -328,25 +328,25 @@ static void ipt_logfn(unsigned int pf, ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); } -static int ipt_ulog_checkentry(const char *tablename, - const void *e, - const struct xt_target *target, - void *targinfo, - unsigned int hookmask) +static bool ipt_ulog_checkentry(const char *tablename, + const void *e, + const struct xt_target *target, + void *targinfo, + unsigned int hookmask) { struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { DEBUGP("ipt_ULOG: prefix term %i\n", loginfo->prefix[sizeof(loginfo->prefix) - 1]); - return 0; + return false; } if (loginfo->qthreshold > ULOG_MAX_QLEN) { DEBUGP("ipt_ULOG: queue threshold %i > MAX_QLEN\n", loginfo->qthreshold); - return 0; + return false; } - return 1; + return true; } #ifdef CONFIG_COMPAT Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_rule.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/nf_nat_rule.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_rule.c 
@@ -140,36 +140,36 @@ static unsigned int ipt_dnat_target(stru return nf_nat_setup_info(ct, &mr->range[0], hooknum); } -static int ipt_snat_checkentry(const char *tablename, - const void *entry, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool ipt_snat_checkentry(const char *tablename, + const void *entry, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { struct nf_nat_multi_range_compat *mr = targinfo; /* Must be a valid range */ if (mr->rangesize != 1) { printk("SNAT: multiple ranges no longer supported\n"); - return 0; + return false; } - return 1; + return true; } -static int ipt_dnat_checkentry(const char *tablename, - const void *entry, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool ipt_dnat_checkentry(const char *tablename, + const void *entry, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { struct nf_nat_multi_range_compat *mr = targinfo; /* Must be a valid range */ if (mr->rangesize != 1) { printk("DNAT: multiple ranges no longer supported\n"); - return 0; + return false; } - return 1; + return true; } inline unsigned int Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_HL.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c @@ -58,7 +58,7 @@ static unsigned int ip6t_hl_target(struc return XT_CONTINUE; } -static int ip6t_hl_checkentry(const char *tablename, +static bool ip6t_hl_checkentry(const char *tablename, const void *entry, const struct xt_target *target, void *targinfo, 
@@ -69,14 +69,14 @@ static int ip6t_hl_checkentry(const char if (info->mode > IP6T_HL_MAXMODE) { printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", info->mode); - return 0; + return false; } if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) { printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " "make sense with value 0\n"); - return 0; + return false; } - return 1; + return true; } static struct xt_target ip6t_HL = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_LOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_LOG.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_LOG.c @@ -448,24 +448,24 @@ ip6t_log_target(struct sk_buff **pskb, } -static int ip6t_log_checkentry(const char *tablename, - const void *entry, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool ip6t_log_checkentry(const char *tablename, + const void *entry, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { const struct ip6t_log_info *loginfo = targinfo; if (loginfo->level >= 8) { DEBUGP("LOG: level %u >= 8\n", loginfo->level); - return 0; + return false; } if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { DEBUGP("LOG: prefix term %i\n", loginfo->prefix[sizeof(loginfo->prefix)-1]); - return 0; + return false; } - return 1; + return true; } static struct xt_target ip6t_log_reg = { Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_REJECT.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c 
@@ -221,27 +221,27 @@ static unsigned int reject6_target(struc return NF_DROP; } -static int check(const char *tablename, - const void *entry, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool check(const char *tablename, + const void *entry, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { const struct ip6t_reject_info *rejinfo = targinfo; const struct ip6t_entry *e = entry; if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); - return 0; + return false; } else if (rejinfo->with == IP6T_TCP_RESET) { /* Must specify that it's a TCP packet */ if (e->ipv6.proto != IPPROTO_TCP || (e->ipv6.invflags & XT_INV_PROTO)) { DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n"); - return 0; + return false; } } - return 1; + return true; } static struct xt_target ip6t_reject_reg = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_CONNMARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_CONNMARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_CONNMARK.c @@ -76,7 +76,7 @@ target(struct sk_buff **pskb, return XT_CONTINUE; } -static int +static bool checkentry(const char *tablename, const void *entry, const struct xt_target *target, 
@@ -88,21 +88,21 @@ checkentry(const char *tablename, if (nf_ct_l3proto_try_module_get(target->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", target->family); - return 0; + return false; } if (matchinfo->mode == XT_CONNMARK_RESTORE) { if (strcmp(tablename, "mangle") != 0) { printk(KERN_WARNING "CONNMARK: restore can only be " "called from \"mangle\" table, not \"%s\"\n", tablename); - return 0; + return false; } } if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) { printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n"); - return 0; + return false; } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_CONNSECMARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_CONNSECMARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_CONNSECMARK.c @@ -85,16 +85,16 @@ static unsigned int target(struct sk_buf return XT_CONTINUE; } -static int checkentry(const char *tablename, const void *entry, - const struct xt_target *target, void *targinfo, - unsigned int hook_mask) +static bool checkentry(const char *tablename, const void *entry, + const struct xt_target *target, void *targinfo, + unsigned int hook_mask) { struct xt_connsecmark_target_info *info = targinfo; if (nf_ct_l3proto_try_module_get(target->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " "proto=%d\n", target->family); - return 0; + return false; } switch (info->mode) { case CONNSECMARK_SAVE: @@ -103,10 +103,10 @@ static int checkentry(const char *tablen default: printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); - return 0; + return false; } - return 1; + return true; } static void Index: linux-2.6.22-rc3-git6/net/netfilter/xt_DSCP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_DSCP.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_DSCP.c 
@@ -66,19 +66,19 @@ static unsigned int target6(struct sk_bu return XT_CONTINUE; } -static int checkentry(const char *tablename, - const void *e_void, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) +static bool checkentry(const char *tablename, + const void *e_void, + const struct xt_target *target, + void *targinfo, + unsigned int hook_mask) { const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp; if ((dscp > XT_DSCP_MAX)) { printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); - return 0; + return false; } - return 1; + return true; } static struct xt_target xt_dscp_target[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_MARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_MARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_MARK.c @@ -65,7 +65,7 @@ target_v1(struct sk_buff **pskb, } -static int +static bool checkentry_v0(const char *tablename, const void *entry, const struct xt_target *target, @@ -76,12 +76,12 @@ checkentry_v0(const char *tablename, if (markinfo->mark > 0xffffffff) { printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); - return 0; + return false; } - return 1; + return true; } -static int +static bool checkentry_v1(const char *tablename, const void *entry, const struct xt_target *target, @@ -95,13 +95,13 @@ checkentry_v1(const char *tablename, && markinfo->mode != XT_MARK_OR) { printk(KERN_WARNING "MARK: unknown mode %u\n", markinfo->mode); - return 0; + return false; } if (markinfo->mark > 0xffffffff) { printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); - return 0; + return false; } - return 1; + return true; } #ifdef CONFIG_COMPAT Index: linux-2.6.22-rc3-git6/net/netfilter/xt_NFLOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_NFLOG.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_NFLOG.c 
@@ -38,7 +38,7 @@ nflog_target(struct sk_buff **pskb, return XT_CONTINUE; } -static int +static bool nflog_checkentry(const char *tablename, const void *entry, const struct xt_target *target, void *targetinfo, unsigned int hookmask) @@ -46,10 +46,10 @@ nflog_checkentry(const char *tablename, struct xt_nflog_info *info = targetinfo; if (info->flags & ~XT_NFLOG_MASK) - return 0; + return false; if (info->prefix[sizeof(info->prefix) - 1] != '\0') - return 0; - return 1; + return false; + return true; } static struct xt_target xt_nflog_target[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_SECMARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_SECMARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_SECMARK.c @@ -51,7 +51,7 @@ static unsigned int target(struct sk_buf return XT_CONTINUE; } -static int checkentry_selinux(struct xt_secmark_target_info *info) +static bool checkentry_selinux(struct xt_secmark_target_info *info) { int err; struct xt_secmark_target_selinux_info *sel = &info->u.sel; 
@@ -63,50 +63,50 @@ static int checkentry_selinux(struct xt_ if (err == -EINVAL) printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n", sel->selctx); - return 0; + return false; } if (!sel->selsid) { printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n", sel->selctx); - return 0; + return false; } err = selinux_relabel_packet_permission(sel->selsid); if (err) { printk(KERN_INFO PFX "unable to obtain relabeling permission\n"); - return 0; + return false; } - return 1; + return true; } -static int checkentry(const char *tablename, const void *entry, - const struct xt_target *target, void *targinfo, - unsigned int hook_mask) +static bool checkentry(const char *tablename, const void *entry, + const struct xt_target *target, void *targinfo, + unsigned int hook_mask) { struct xt_secmark_target_info *info = targinfo; if (mode && mode != info->mode) { printk(KERN_INFO PFX "mode already set to %hu cannot mix with " "rules for mode %hu\n", mode, info->mode); - return 0; + return false; } switch (info->mode) { case SECMARK_MODE_SEL: if (!checkentry_selinux(info)) - return 0; + return false; break; default: printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); - return 0; + return false; } if (!mode) mode = info->mode; - return 1; + return true; } static struct xt_target xt_secmark_target[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_TCPMSS.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_TCPMSS.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_TCPMSS.c 
@@ -197,19 +197,19 @@ xt_tcpmss_target6(struct sk_buff **pskb, #define TH_SYN 0x02 /* Must specify -p tcp --syn */ -static inline int find_syn_match(const struct xt_entry_match *m) +static inline bool find_syn_match(const struct xt_entry_match *m) { const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data; if (strcmp(m->u.kernel.match->name, "tcp") == 0 && tcpinfo->flg_cmp & TH_SYN && !(tcpinfo->invflags & XT_TCP_INV_FLAGS)) - return 1; + return true; - return 0; + return false; } -static int +static bool xt_tcpmss_checkentry4(const char *tablename, const void *entry, const struct xt_target *target, @@ -225,16 +225,16 @@ xt_tcpmss_checkentry4(const char *tablen (1 << NF_IP_POST_ROUTING))) != 0) { printk("xt_TCPMSS: path-MTU clamping only supported in " "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return 0; + return false; } if (IPT_MATCH_ITERATE(e, find_syn_match)) - return 1; + return true; printk("xt_TCPMSS: Only works on TCP SYN packets\n"); - return 0; + return false; } #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) -static int +static bool xt_tcpmss_checkentry6(const char *tablename, const void *entry, const struct xt_target *target, @@ -250,12 +250,12 @@ xt_tcpmss_checkentry6(const char *tablen (1 << NF_IP6_POST_ROUTING))) != 0) { printk("xt_TCPMSS: path-MTU clamping only supported in " "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return 0; + return false; } if (IP6T_MATCH_ITERATE(e, find_syn_match)) - return 1; + return true; printk("xt_TCPMSS: Only works on TCP SYN packets\n"); - return 0; + return false; } #endif From kaber at trash.net Mon Jun 4 17:19:43 2007 From: kaber at trash.net (Patrick McHardy) Date: Mon Jun 4 18:26:36 2007 Subject: [PATCH 1/4] Switch hotdrop to bool In-Reply-To: References: Message-ID: <46642D8F.6040806@trash.net> Jan Engelhardt wrote: > Switch the "hotdrop" variables to boolean Applied, thanks. From kaber at trash.net Mon Jun 4 17:20:51 2007 
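Review bot: the ipt_CLUSTERIP.c hunk at @@ -220 converts clusterip_del_node to bool while keeping its old sense, so it now returns true when nodenum is 0 or above num_total_nodes, or when the bit was already clear, and false only when the node was actually removed; that is the opposite of the true-on-success reading every checkentry in this series gets, and the neighbouring clusterip_add_node still ends in `return 0;`. Since it is a status code rather than a predicate, keep it int (or flip it to true-on-success and fix the caller) rather than leaving a true-means-failure bool in the file.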
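Review bot: style nit in the ipt_TTL.c hunk at @@ -62 and the ip6t_HL.c hunk at @@ -58: only the first prototype line changes, so the continuation parameters (`const void *e,` / `const void *entry,` through `void *targinfo,`) stay at the column that lined up with `static int` and are now one character off; the ipt_LOG.c, ipt_ULOG.c, nf_nat_rule.c and ip6t_LOG.c hunks re-indent those lines, so do the same here.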
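Review bot: not introduced by this patch, but the @@ -418 and @@ -448 hunks of ipt_CLUSTERIP.c show the problem side by side: on the Case C path checkentry calls clusterip_config_init and dev_mc_add, and the later `return false;` at the nf_ct_l3proto_try_module_get check undoes neither in the visible context, so a failed conntrack module load leaves the freshly created config and its multicast entry behind. As the patch rewrites that return anyway, routing both error exits through a label that tears that setup down would be a cheap follow-up.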
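Review bot: in the xt_TCPMSS.c hunk at @@ -197, find_syn_match is not called directly but handed to IPT_MATCH_ITERATE / IP6T_MATCH_ITERATE, whose callback is expected to return an int (nonzero stops the walk and becomes the macro's value), and the callers test that with `if (IPT_MATCH_ITERATE(e, find_syn_match)) return true;`. Promoting bool to int keeps this working, but a short comment at find_syn_match saying it is an iterator callback would stop a later cleanup from treating it as an ordinary predicate.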
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:27:48 2007
Subject: [PATCH 2/4] Switch xt_match->match to bool
In-Reply-To:
References:
Message-ID: <46642DD3.4080903@trash.net>

Jan Engelhardt wrote:
> Switch the return type of match functions to boolean

Also applied (for 2.6.23 of course).

From kaber at trash.net Mon Jun 4 17:21:57 2007
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:29:00 2007
Subject: [PATCH 3/4] Switch xt_match->checkentry to bool
In-Reply-To:
References:
Message-ID: <46642E15.5050203@trash.net>

Jan Engelhardt wrote:
> Switch the return type of match functions to boolean

Applied.

From kaber at trash.net Mon Jun 4 17:25:02 2007
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:31:55 2007
Subject: [PATCH 4/4] Switch xt_target->checkentry to bool
In-Reply-To:
References:
Message-ID: <46642ECE.1090402@trash.net>

Jan Engelhardt wrote:
> Switch the return type of target functions to boolean.

It's actually a shame that we don't return proper errno codes, but I think that would seriously confuse iptables error messages, so applied. Thanks Jan.

From jengelh at linux01.gwdg.de Mon Jun 4 17:29:00 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 18:32:55 2007
Subject: [PATCH 4/4] Switch xt_target->checkentry to bool
In-Reply-To: <46642ECE.1090402@trash.net>
References: <46642ECE.1090402@trash.net>
Message-ID:

On Jun 4 2007 17:25, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Switch the return type of target functions to boolean.

Log correction: return type of xt_target's checkentry().

Jan
--

From jengelh at linux01.gwdg.de Mon Jun 4 17:29:57 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 18:33:52 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To:
References:
Message-ID:

Hi, this one slipped by (I am just going through some more cleanups), hence, an extra 5th patch on the bools stuff.
Signed-off-by: Jan Engelhardt --- net/netfilter/xt_physdev.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Index: linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_physdev.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c @@ -76,13 +76,13 @@ match(const struct sk_buff *skb, if (!(info->bitmask & XT_PHYSDEV_OP_IN)) goto match_outdev; indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname; - for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) { + for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) { ret |= (((const unsigned int *)indev)[i] ^ ((const unsigned int *)info->physindev)[i]) & ((const unsigned int *)info->in_mask)[i]; } - if ((ret == 0) ^ !(info->invert & XT_PHYSDEV_OP_IN)) + if (!ret ^ !(info->invert & XT_PHYSDEV_OP_IN)) return false; match_outdev: @@ -90,7 +90,7 @@ match_outdev: return true; outdev = nf_bridge->physoutdev ? nf_bridge->physoutdev->name : nulldevname; - for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned int); i++) { + for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) { ret |= (((const unsigned int *)outdev)[i] ^ ((const unsigned int *)info->physoutdev)[i]) & ((const unsigned int *)info->out_mask)[i]; From kaber at trash.net Mon Jun 4 17:28:04 2007 From: kaber at trash.net (Patrick McHardy) Date: Mon Jun 4 18:34:58 2007 Subject: [PATCH 4/4] Switch xt_target->checkentry to bool In-Reply-To: References: <46642ECE.1090402@trash.net> Message-ID: <46642F84.3010701@trash.net> Jan Engelhardt wrote: > On Jun 4 2007 17:25, Patrick McHardy wrote: > >>Jan Engelhardt wrote: >> >>>Switch the return type of target functions to boolean. > > > Log correction: return type of xt_target's checkentry(). I already fixed that :) From kaber at trash.net Mon Jun 4 17:30:15 2007 
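Review bot: the declaration of `ret` lies outside both xt_physdev.c hunks, so `ret = false` and `!ret` only read naturally if `ret` was already turned into a `bool` by the 2/4 patch this is meant to be folded into; if it is still an `unsigned int` (it accumulates `ret |= (a ^ b) & mask` over the four words of the interface name), initialising it with `false` is misleading and the log should say which declaration the change relies on. The rewritten tests themselves are safe either way, since `!ret` and `ret == 0` agree for both integer and bool operands, and the `^ !(info->invert & ...)` inversion is unchanged.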
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:37:08 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To:
References:
Message-ID: <46643007.7040902@trash.net>

Jan Engelhardt wrote:
> Hi, this one slipped by (I am just going through some more cleanups),
> hence, an extra 5th patch on the bools stuff.

Folded into 2/4, thanks. If you have more corrections please include which patch they belong to.

From jengelh at linux01.gwdg.de Mon Jun 4 17:34:27 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 18:38:23 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To: <46643007.7040902@trash.net>
References: <46643007.7040902@trash.net>
Message-ID:

On Jun 4 2007 17:30, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Hi, this one slipped by (I am just going through some more cleanups),
>> hence, an extra 5th patch on the bools stuff.
>
>Folded into 2/4, thanks. If you have more corrections please include
>which patch they belong to.

If you use an SCM (rather than floating patches), then folding is impossible, is it not? (Unless you use extra SCM trickery like "git reset".)

Jan
--

From kaber at trash.net Mon Jun 4 17:33:45 2007
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:40:39 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To:
References: <46643007.7040902@trash.net>
Message-ID: <466430D9.70006@trash.net>

Jan Engelhardt wrote:
> On Jun 4 2007 17:30, Patrick McHardy wrote:
>
>>Jan Engelhardt wrote:
>>
>>>Hi, this one slipped by (I am just going through some more cleanups),
>>>hence, an extra 5th patch on the bools stuff.
>>
>>Folded into 2/4, thanks. If you have more corrections please include
>>which patch they belong to.
>
>
> If you use an SCM (rather than floating patches), then folding is impossible,
> is it not? (Unless you use extra SCM trickery like "git reset".)

stgit. Saves huge amounts of time when trying to keep a clean history.

From jengelh at linux01.gwdg.de Mon Jun 4 17:43:42 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 18:47:37 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To: <466430D9.70006@trash.net>
References: <46643007.7040902@trash.net> <466430D9.70006@trash.net>
Message-ID:

On Jun 4 2007 17:33, Patrick McHardy wrote:
>>>
>>>Folded into 2/4, thanks. If you have more corrections please include
>>>which patch they belong to.
>>
>> If you use an SCM (rather than floating patches), then folding is impossible,
>> is it not? (Unless you use extra SCM trickery like "git reset".)
>
>stgit. Saves huge amounts of time when trying to keep a clean history.

But that only works until merge, does it not? (I for my part use quilt on top of git (tracking only), I tell ya, that's fun ;-)

Jan
--

From kaber at trash.net Mon Jun 4 17:43:19 2007
From: kaber at trash.net (Patrick McHardy)
Date: Mon Jun 4 18:50:13 2007
Subject: [PATCH 5/4] Use bools for xt_match
In-Reply-To:
References: <46643007.7040902@trash.net> <466430D9.70006@trash.net>
Message-ID: <46643317.1070204@trash.net>

Jan Engelhardt wrote:
> On Jun 4 2007 17:33, Patrick McHardy wrote:
>
>>>>Folded into 2/4, thanks. If you have more corrections please include
>>>>which patch they belong to.
>>>
>>>If you use an SCM (rather than floating patches), then folding is impossible,
>>>is it not? (Unless you use extra SCM trickery like "git reset".)
>>
>>stgit. Saves huge amounts of time when trying to keep a clean history.
>
>
> But that only works until merge, does it not? (I for my part use
> quilt on top of git (tracking only), I tell ya, that's fun ;-)

Of course. But once I've merged a tree I throw it away. (Actually you can uncommit patches that don't originate in your tree, but it of course can't change patches in Linus' tree :))

From eric at inl.fr Mon Jun 4 18:05:18 2007
From: eric at inl.fr (Eric Leblond)
Date: Mon Jun 4 19:09:00 2007
Subject: Bug in conntrack -U
In-Reply-To: <4663E267.1030900@netfilter.org>
References: <1180707433.4733.7.camel@ghlodit.inl.fr> <4663E267.1030900@netfilter.org>
Message-ID: <36058.193.251.55.235.1180973118.squirrel@mail.inl.fr>

Hi,

> Eric Leblond wrote:
>> I've found a problem with conntrack-tools. Running:
>> conntrack -U -m 20 -s 192.168.50.140 -d 192.168.50.129 -p tcp
>> --orig-port-src 43515 --orig-port-dst 22
>> returns
>
> The problem seems to be in libnetfilter_conntrack. The patch attached
> should fix the problem. Thanks for the report.

It works great! Good work from you as usual!

BR,
--
Eric

From jengelh at linux01.gwdg.de Mon Jun 4 21:09:36 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 22:13:34 2007
Subject: [PATCH 0/3] Misc cleanups
Message-ID:

Hi,

along comes... another bunch of patches. Cleanups this time.

[1/3] netfilter-have-some-const-tags.diff
[2/3] netfilter-remove-inline.diff
[3/3] netfilter-remove-redundant-braces.diff

Jan
--

From jengelh at linux01.gwdg.de Mon Jun 4 21:11:38 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jun 4 22:15:41 2007
Subject: [PATCH 1/3] Misc cleanups
In-Reply-To:
References:
Message-ID:

Make a number of variables const and/or remove unneeded casts.
Signed-off-by: Jan Engelhardt --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 10 +++++----- net/ipv4/netfilter/ipt_LOG.c | 24 +++++++++++++++--------- net/ipv4/netfilter/ipt_MASQUERADE.c | 11 ++++++----- net/ipv4/netfilter/ipt_REJECT.c | 2 +- net/ipv4/netfilter/ipt_TOS.c | 3 ++- net/ipv4/netfilter/ipt_TTL.c | 2 +- net/ipv4/netfilter/ipt_ULOG.c | 6 +++--- net/ipv4/netfilter/ipt_ah.c | 3 ++- net/ipv4/netfilter/ipt_ecn.c | 3 ++- net/ipv4/netfilter/ipt_recent.c | 2 +- net/ipv4/netfilter/nf_nat_helper.c | 4 ++-- net/ipv6/netfilter/ip6t_HL.c | 2 +- net/ipv6/netfilter/ip6t_LOG.c | 29 +++++++++++++++++++---------- net/ipv6/netfilter/ip6t_REJECT.c | 2 +- net/ipv6/netfilter/ip6t_ah.c | 3 ++- net/ipv6/netfilter/ip6t_frag.c | 3 ++- net/ipv6/netfilter/ip6t_hbh.c | 9 ++++++--- net/ipv6/netfilter/ip6t_mh.c | 3 ++- net/ipv6/netfilter/ip6t_rt.c | 10 ++++++---- net/netfilter/core.c | 6 +++--- net/netfilter/xt_CONNMARK.c | 6 +++--- net/netfilter/xt_CONNSECMARK.c | 4 ++-- net/netfilter/xt_MARK.c | 8 ++++---- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_connbytes.c | 2 +- net/netfilter/xt_connmark.c | 8 ++++---- net/netfilter/xt_conntrack.c | 8 ++++---- net/netfilter/xt_dccp.c | 2 +- net/netfilter/xt_hashlimit.c | 30 ++++++++++++++++++------------ net/netfilter/xt_helper.c | 6 +++--- net/netfilter/xt_limit.c | 7 ++++--- net/netfilter/xt_mark.c | 4 ++-- net/netfilter/xt_physdev.c | 2 +- net/netfilter/xt_policy.c | 6 +++--- net/netfilter/xt_quota.c | 5 +++-- net/netfilter/xt_realm.c | 2 +- net/netfilter/xt_statistic.c | 2 +- 37 files changed, 138 insertions(+), 103 deletions(-) Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c 
@@ -235,12 +235,12 @@ clusterip_del_node(struct clusterip_conf #endif static inline u_int32_t -clusterip_hashfn(struct sk_buff *skb, struct clusterip_config *config) +clusterip_hashfn(const struct sk_buff *skb, const struct clusterip_config *config) { - struct iphdr *iph = ip_hdr(skb); + const struct iphdr *iph = ip_hdr(skb); unsigned long hashval; u_int16_t sport, dport; - u_int16_t *ports; + const u_int16_t *ports; switch (iph->protocol) { case IPPROTO_TCP: @@ -249,7 +249,7 @@ clusterip_hashfn(struct sk_buff *skb, st case IPPROTO_SCTP: case IPPROTO_DCCP: case IPPROTO_ICMP: - ports = (void *)iph+iph->ihl*4; + ports = (const void *)iph+iph->ihl*4; sport = ports[0]; dport = ports[1]; break; @@ -289,7 +289,7 @@ clusterip_hashfn(struct sk_buff *skb, st } static inline int -clusterip_responsible(struct clusterip_config *config, u_int32_t hash) +clusterip_responsible(const struct clusterip_config *config, u_int32_t hash) { return test_bit(hash - 1, &config->local_nodes); } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_LOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_LOG.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_LOG.c @@ -41,7 +41,8 @@ static void dump_packet(const struct nf_ const struct sk_buff *skb, unsigned int iphoff) { - struct iphdr _iph, *ih; + struct iphdr _iph; + const struct iphdr *ih; unsigned int logflags; if (info->type == NF_LOG_TYPE_LOG) @@ -100,7 +101,8 @@ static void dump_packet(const struct nf_ switch (ih->protocol) { case IPPROTO_TCP: { - struct tcphdr _tcph, *th; + struct tcphdr _tcph; + const struct tcphdr *th; /* Max length: 10 "PROTO=TCP " */ printk("PROTO=TCP "); 
@@ -151,7 +153,7 @@ static void dump_packet(const struct nf_ if ((logflags & IPT_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; - unsigned char *op; + const unsigned char *op; unsigned int i, optsize; optsize = th->doff * 4 - sizeof(struct tcphdr); @@ -173,7 +175,8 @@ static void dump_packet(const struct nf_ } case IPPROTO_UDP: case IPPROTO_UDPLITE: { - struct udphdr _udph, *uh; + struct udphdr _udph; + const struct udphdr *uh; if (ih->protocol == IPPROTO_UDP) /* Max length: 10 "PROTO=UDP " */ @@ -200,7 +203,8 @@ static void dump_packet(const struct nf_ break; } case IPPROTO_ICMP: { - struct icmphdr _icmph, *ich; + struct icmphdr _icmph; + const struct icmphdr *ich; static const size_t required_len[NR_ICMP_TYPES+1] = { [ICMP_ECHOREPLY] = 4, [ICMP_DEST_UNREACH] @@ -285,7 +289,8 @@ static void dump_packet(const struct nf_ } /* Max Length */ case IPPROTO_AH: { - struct ip_auth_hdr _ahdr, *ah; + struct ip_auth_hdr _ahdr; + const struct ip_auth_hdr *ah; if (ntohs(ih->frag_off) & IP_OFFSET) break; @@ -307,7 +312,8 @@ static void dump_packet(const struct nf_ break; } case IPPROTO_ESP: { - struct ip_esp_hdr _esph, *eh; + struct ip_esp_hdr _esph; + const struct ip_esp_hdr *eh; /* Max length: 10 "PROTO=ESP " */ printk("PROTO=ESP "); 
@@ -385,8 +391,8 @@ ipt_log_packet(unsigned int pf, out ? out->name : ""); #ifdef CONFIG_BRIDGE_NETFILTER if (skb->nf_bridge) { - struct net_device *physindev = skb->nf_bridge->physindev; - struct net_device *physoutdev = skb->nf_bridge->physoutdev; + const struct net_device *physindev = skb->nf_bridge->physindev; + const struct net_device *physoutdev = skb->nf_bridge->physoutdev; if (physindev && in != physindev) printk("PHYSIN=%s ", physindev->name); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_MASQUERADE.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c @@ -70,7 +70,7 @@ masquerade_target(struct sk_buff **pskb, enum ip_conntrack_info ctinfo; struct nf_nat_range newrange; const struct nf_nat_multi_range_compat *mr; - struct rtable *rt; + const struct rtable *rt; __be32 newsrc; NF_CT_ASSERT(hooknum == NF_IP_POST_ROUTING); @@ -88,7 +88,7 @@ masquerade_target(struct sk_buff **pskb, return NF_ACCEPT; mr = targinfo; - rt = (struct rtable *)(*pskb)->dst; + rt = (const struct rtable *)(*pskb)->dst; newsrc = inet_select_addr(out, rt->rt_gateway, RT_SCOPE_UNIVERSE); if (!newsrc) { printk("MASQUERADE: %s ate my IP address\n", out->name); @@ -112,7 +112,7 @@ masquerade_target(struct sk_buff **pskb, static inline int device_cmp(struct nf_conn *i, void *ifindex) { - struct nf_conn_nat *nat = nfct_nat(i); + const struct nf_conn_nat *nat = nfct_nat(i); int ret; if (!nat) @@ -129,7 +129,7 @@ static int masq_device_event(struct noti unsigned long event, void *ptr) { - struct net_device *dev = ptr; + const struct net_device *dev = ptr; if (event == NETDEV_DOWN) { /* Device was downed. Search entire table for 
@@ -147,7 +147,8 @@ static int masq_inet_event(struct notifi unsigned long event, void *ptr) { - struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev; + const struct net_device *dev = + ((const struct in_ifaddr *)ptr)->ifa_dev->dev; if (event == NETDEV_DOWN) { /* IP address was deleted. Search entire table for Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REJECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_REJECT.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_REJECT.c @@ -122,7 +122,7 @@ static void send_reset(struct sk_buff *o tcph->check = 0; tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, niph->daddr, - csum_partial((char *)tcph, + csum_partial(tcph, sizeof(struct tcphdr), 0)); /* Set DF, id = 0 */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TOS.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_TOS.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TOS.c @@ -50,7 +50,8 @@ checkentry(const char *tablename, void *targinfo, unsigned int hook_mask) { - const u_int8_t tos = ((struct ipt_tos_target_info *)targinfo)->tos; + const u_int8_t tos = + ((const struct ipt_tos_target_info *)targinfo)->tos; if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_TTL.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c 
@@ -68,7 +68,7 @@ static bool ipt_ttl_checkentry(const cha void *targinfo, unsigned int hook_mask) { - struct ipt_TTL_info *info = targinfo; + const struct ipt_TTL_info *info = targinfo; if (info->mode > IPT_TTL_MAXMODE) { printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ULOG.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c @@ -334,7 +334,7 @@ static bool ipt_ulog_checkentry(const ch void *targinfo, unsigned int hookmask) { - struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; + const struct ipt_ulog_info *loginfo = targinfo; if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { DEBUGP("ipt_ULOG: prefix term %i\n", @@ -359,7 +359,7 @@ struct compat_ipt_ulog_info { static void compat_from_user(void *dst, void *src) { - struct compat_ipt_ulog_info *cl = src; + const struct compat_ipt_ulog_info *cl = src; struct ipt_ulog_info l = { .nl_group = cl->nl_group, .copy_range = cl->copy_range, @@ -372,7 +372,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct ipt_ulog_info *l = src; + const struct ipt_ulog_info *l = src; struct compat_ipt_ulog_info cl = { .nl_group = l->nl_group, .copy_range = l->copy_range, Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ah.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ah.c 
@@ -46,7 +46,8 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct ip_auth_hdr _ahdr, *ah; + struct ip_auth_hdr _ahdr; + const struct ip_auth_hdr *ah; const struct ipt_ah *ahinfo = matchinfo; /* Must not be a fragment. */ Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ecn.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ecn.c @@ -32,7 +32,8 @@ static inline bool match_tcp(const struc const struct ipt_ecn_info *einfo, bool *hotdrop) { - struct tcphdr _tcph, *th; + struct tcphdr _tcph; + const struct tcphdr *th; /* In practice, TCP match does this, so can't fail. But let's * be good citizens. Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_recent.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c @@ -323,7 +323,7 @@ struct recent_iter_state { static void *recent_seq_start(struct seq_file *seq, loff_t *pos) { struct recent_iter_state *st = seq->private; - struct recent_table *t = st->table; + const struct recent_table *t = st->table; struct recent_entry *e; loff_t p = *pos; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_helper.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/nf_nat_helper.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_helper.c @@ -190,7 +190,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff tcph->check = 0; tcph->check = tcp_v4_check(datalen, iph->saddr, iph->daddr, - csum_partial((char *)tcph, + csum_partial(tcph, datalen, 0)); } } else 
@@ -278,7 +278,7 @@ nf_nat_mangle_udp_packet(struct sk_buff udph->check = 0; udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr, datalen, IPPROTO_UDP, - csum_partial((char *)udph, + csum_partial(udph, datalen, 0)); if (!udph->check) udph->check = CSUM_MANGLED_0; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_HL.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c @@ -64,7 +64,7 @@ static bool ip6t_hl_checkentry(const cha void *targinfo, unsigned int hook_mask) { - struct ip6t_HL_info *info = targinfo; + const struct ip6t_HL_info *info = targinfo; if (info->mode > IP6T_HL_MAXMODE) { printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_LOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_LOG.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_LOG.c @@ -48,7 +48,8 @@ static void dump_packet(const struct nf_ { u_int8_t currenthdr; int fragment; - struct ipv6hdr _ip6h, *ih; + struct ipv6hdr _ip6h; + const struct ipv6hdr *ih; unsigned int ptr; unsigned int hdrlen = 0; unsigned int logflags; @@ -78,7 +79,8 @@ static void dump_packet(const struct nf_ ptr = ip6hoff + sizeof(struct ipv6hdr); currenthdr = ih->nexthdr; while (currenthdr != NEXTHDR_NONE && ip6t_ext_hdr(currenthdr)) { - struct ipv6_opt_hdr _hdr, *hp; + struct ipv6_opt_hdr _hdr; + const struct ipv6_opt_hdr *hp; hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr); if (hp == NULL) { @@ -92,7 +94,8 @@ static void dump_packet(const struct nf_ switch (currenthdr) { case IPPROTO_FRAGMENT: { - struct frag_hdr _fhdr, *fh; + struct frag_hdr _fhdr; + const struct frag_hdr *fh; printk("FRAG:"); fh = skb_header_pointer(skb, ptr, sizeof(_fhdr), 
@@ -131,7 +134,8 @@ static void dump_packet(const struct nf_ /* Max Length */ case IPPROTO_AH: if (logflags & IP6T_LOG_IPOPT) { - struct ip_auth_hdr _ahdr, *ah; + struct ip_auth_hdr _ahdr; + const struct ip_auth_hdr *ah; /* Max length: 3 "AH " */ printk("AH "); @@ -162,7 +166,8 @@ static void dump_packet(const struct nf_ break; case IPPROTO_ESP: if (logflags & IP6T_LOG_IPOPT) { - struct ip_esp_hdr _esph, *eh; + struct ip_esp_hdr _esph; + const struct ip_esp_hdr *eh; /* Max length: 4 "ESP " */ printk("ESP "); @@ -202,7 +207,8 @@ static void dump_packet(const struct nf_ switch (currenthdr) { case IPPROTO_TCP: { - struct tcphdr _tcph, *th; + struct tcphdr _tcph; + const struct tcphdr *th; /* Max length: 10 "PROTO=TCP " */ printk("PROTO=TCP "); @@ -250,7 +256,8 @@ static void dump_packet(const struct nf_ if ((logflags & IP6T_LOG_TCPOPT) && th->doff * 4 > sizeof(struct tcphdr)) { - u_int8_t _opt[60 - sizeof(struct tcphdr)], *op; + u_int8_t _opt[60 - sizeof(struct tcphdr)]; + const u_int8_t *op; unsigned int i; unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr); @@ -273,7 +280,8 @@ static void dump_packet(const struct nf_ } case IPPROTO_UDP: case IPPROTO_UDPLITE: { - struct udphdr _udph, *uh; + struct udphdr _udph; + const struct udphdr *uh; if (currenthdr == IPPROTO_UDP) /* Max length: 10 "PROTO=UDP " */ @@ -298,7 +306,8 @@ static void dump_packet(const struct nf_ break; } case IPPROTO_ICMPV6: { - struct icmp6hdr _icmp6h, *ic; + struct icmp6hdr _icmp6h; + const struct icmp6hdr *ic; /* Max length: 13 "PROTO=ICMPv6 " */ printk("PROTO=ICMPv6 "); 
@@ -413,7 +422,7 @@ ip6t_log_packet(unsigned int pf, if (skb->dev->type == ARPHRD_SIT) { const struct iphdr *iph = - (struct iphdr *)skb_mac_header(skb); + (const struct iphdr *)skb_mac_header(skb); printk("TUNNEL=%u.%u.%u.%u->%u.%u.%u.%u ", NIPQUAD(iph->saddr), NIPQUAD(iph->daddr)); Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_REJECT.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c @@ -159,7 +159,7 @@ static void send_reset(struct sk_buff *o tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr, &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr), IPPROTO_TCP, - csum_partial((char *)tcph, + csum_partial(tcph, sizeof(struct tcphdr), 0)); nf_ct_attach(nskb, oldskb); Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ah.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c @@ -51,7 +51,8 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct ip_auth_hdr *ah, _ah; + struct ip_auth_hdr _ah; + const struct ip_auth_hdr *ah; const struct ip6t_ah *ahinfo = matchinfo; unsigned int ptr; unsigned int hdrlen = 0; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_frag.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c 
@@ -50,7 +50,8 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct frag_hdr _frag, *fh; + struct frag_hdr _frag; + const struct frag_hdr *fh; const struct ip6t_frag *fraginfo = matchinfo; unsigned int ptr; int err; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hbh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c @@ -57,14 +57,17 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct ipv6_opt_hdr _optsh, *oh; + struct ipv6_opt_hdr _optsh; + const struct ipv6_opt_hdr *oh; const struct ip6t_opts *optinfo = matchinfo; unsigned int temp; unsigned int ptr; unsigned int hdrlen = 0; bool ret = false; - u8 _opttype, *tp = NULL; - u8 _optlen, *lp = NULL; + u8 _opttype; + u8 _optlen; + const u_int8_t *tp = NULL; + const u_int8_t *lp = NULL; unsigned int optlen; int err; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_mh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_mh.c @@ -47,7 +47,8 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct ip6_mh _mh, *mh; + struct ip6_mh _mh; + const struct ip6_mh *mh; const struct ip6t_mh *mhinfo = matchinfo; /* Must not be a fragment. */ Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_rt.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c 
@@ -52,13 +52,15 @@ match(const struct sk_buff *skb, unsigned int protoff, bool *hotdrop) { - struct ipv6_rt_hdr _route, *rh; + struct ipv6_rt_hdr _route; + const struct ipv6_rt_hdr *rh; const struct ip6t_rt *rtinfo = matchinfo; unsigned int temp; unsigned int ptr; unsigned int hdrlen = 0; bool ret = false; - struct in6_addr *ap, _addr; + struct in6_addr _addr; + const struct in6_addr *ap; int err; err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL); @@ -100,9 +102,9 @@ match(const struct sk_buff *skb, !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); DEBUGP("res %02X %02X %02X ", (rtinfo->flags & IP6T_RT_RES), - ((struct rt0_hdr *)rh)->reserved, + ((const struct rt0_hdr *)rh)->reserved, !((rtinfo->flags & IP6T_RT_RES) && - (((struct rt0_hdr *)rh)->reserved))); + (((const struct rt0_hdr *)rh)->reserved))); ret = (rh != NULL) && Index: linux-2.6.22-rc3-git6/net/netfilter/core.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/core.c +++ linux-2.6.22-rc3-git6/net/netfilter/core.c @@ -229,13 +229,13 @@ void nf_proto_csum_replace4(__sum16 *sum { __be32 diff[] = { ~from, to }; if (skb->ip_summed != CHECKSUM_PARTIAL) { - *sum = csum_fold(csum_partial((char *)diff, sizeof(diff), + *sum = csum_fold(csum_partial(diff, sizeof(diff), ~csum_unfold(*sum))); if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr) - skb->csum = ~csum_partial((char *)diff, sizeof(diff), + skb->csum = ~csum_partial(diff, sizeof(diff), ~skb->csum); } else if (pseudohdr) - *sum = ~csum_fold(csum_partial((char *)diff, sizeof(diff), + *sum = ~csum_fold(csum_partial(diff, sizeof(diff), csum_unfold(*sum))); } EXPORT_SYMBOL(nf_proto_csum_replace4); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_CONNMARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_CONNMARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_CONNMARK.c 
@@ -83,7 +83,7 @@ checkentry(const char *tablename, void *targinfo, unsigned int hook_mask) { - struct xt_connmark_target_info *matchinfo = targinfo; + const struct xt_connmark_target_info *matchinfo = targinfo; if (nf_ct_l3proto_try_module_get(target->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " @@ -121,7 +121,7 @@ struct compat_xt_connmark_target_info { static void compat_from_user(void *dst, void *src) { - struct compat_xt_connmark_target_info *cm = src; + const struct compat_xt_connmark_target_info *cm = src; struct xt_connmark_target_info m = { .mark = cm->mark, .mask = cm->mask, @@ -132,7 +132,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct xt_connmark_target_info *m = src; + const struct xt_connmark_target_info *m = src; struct compat_xt_connmark_target_info cm = { .mark = m->mark, .mask = m->mask, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_CONNSECMARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_CONNSECMARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_CONNSECMARK.c @@ -33,7 +33,7 @@ MODULE_ALIAS("ip6t_CONNSECMARK"); * If the packet has a security mark and the connection does not, copy * the security mark from the packet to the connection. */ -static void secmark_save(struct sk_buff *skb) +static void secmark_save(const struct sk_buff *skb) { if (skb->secmark) { struct nf_conn *ct; 
@@ -89,7 +89,7 @@ static bool checkentry(const char *table const struct xt_target *target, void *targinfo, unsigned int hook_mask) { - struct xt_connsecmark_target_info *info = targinfo; + const struct xt_connsecmark_target_info *info = targinfo; if (nf_ct_l3proto_try_module_get(target->family) < 0) { printk(KERN_WARNING "can't load conntrack support for " Index: linux-2.6.22-rc3-git6/net/netfilter/xt_MARK.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_MARK.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_MARK.c @@ -72,7 +72,7 @@ checkentry_v0(const char *tablename, void *targinfo, unsigned int hook_mask) { - struct xt_mark_target_info *markinfo = targinfo; + const struct xt_mark_target_info *markinfo = targinfo; if (markinfo->mark > 0xffffffff) { printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); @@ -88,7 +88,7 @@ checkentry_v1(const char *tablename, void *targinfo, unsigned int hook_mask) { - struct xt_mark_target_info_v1 *markinfo = targinfo; + const struct xt_mark_target_info_v1 *markinfo = targinfo; if (markinfo->mode != XT_MARK_SET && markinfo->mode != XT_MARK_AND @@ -114,7 +114,7 @@ struct compat_xt_mark_target_info_v1 { static void compat_from_user_v1(void *dst, void *src) { - struct compat_xt_mark_target_info_v1 *cm = src; + const struct compat_xt_mark_target_info_v1 *cm = src; struct xt_mark_target_info_v1 m = { .mark = cm->mark, .mode = cm->mode, @@ -124,7 +124,7 @@ static void compat_from_user_v1(void *ds static int compat_to_user_v1(void __user *dst, void *src) { - struct xt_mark_target_info_v1 *m = src; + const struct xt_mark_target_info_v1 *m = src; struct compat_xt_mark_target_info_v1 cm = { .mark = m->mark, .mode = m->mode, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_NFLOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_NFLOG.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_NFLOG.c 
@@ -43,7 +43,7 @@ nflog_checkentry(const char *tablename, const struct xt_target *target, void *targetinfo, unsigned int hookmask) { - struct xt_nflog_info *info = targetinfo; + const struct xt_nflog_info *info = targetinfo; if (info->flags & ~XT_NFLOG_MASK) return false; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connbytes.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c @@ -26,7 +26,7 @@ match(const struct sk_buff *skb, bool *hotdrop) { const struct xt_connbytes_info *sinfo = matchinfo; - struct nf_conn *ct; + const struct nf_conn *ct; enum ip_conntrack_info ctinfo; u_int64_t what = 0; /* initialize to make gcc happy */ u_int64_t bytes = 0; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connmark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c @@ -41,7 +41,7 @@ match(const struct sk_buff *skb, bool *hotdrop) { const struct xt_connmark_info *info = matchinfo; - struct nf_conn *ct; + const struct nf_conn *ct; enum ip_conntrack_info ctinfo; ct = nf_ct_get(skb, &ctinfo); @@ -58,7 +58,7 @@ checkentry(const char *tablename, void *matchinfo, unsigned int hook_mask) { - struct xt_connmark_info *cm = matchinfo; + const struct xt_connmark_info *cm = matchinfo; if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) { printk(KERN_WARNING "connmark: only support 32bit mark\n"); @@ -88,7 +88,7 @@ struct compat_xt_connmark_info { static void compat_from_user(void *dst, void *src) { - struct compat_xt_connmark_info *cm = src; + const struct compat_xt_connmark_info *cm = src; struct xt_connmark_info m = { .mark = cm->mark, .mask = cm->mask, 
@@ -99,7 +99,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct xt_connmark_info *m = src; + const struct xt_connmark_info *m = src; struct compat_xt_connmark_info cm = { .mark = m->mark, .mask = m->mask, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_conntrack.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_conntrack.c @@ -30,11 +30,11 @@ match(const struct sk_buff *skb, bool *hotdrop) { const struct xt_conntrack_info *sinfo = matchinfo; - struct nf_conn *ct; + const struct nf_conn *ct; enum ip_conntrack_info ctinfo; unsigned int statebit; - ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); + ct = nf_ct_get(skb, &ctinfo); #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg)) @@ -150,7 +150,7 @@ struct compat_xt_conntrack_info static void compat_from_user(void *dst, void *src) { - struct compat_xt_conntrack_info *cm = src; + const struct compat_xt_conntrack_info *cm = src; struct xt_conntrack_info m = { .statemask = cm->statemask, .statusmask = cm->statusmask, @@ -167,7 +167,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct xt_conntrack_info *m = src; + const struct xt_conntrack_info *m = src; struct compat_xt_conntrack_info cm = { .statemask = m->statemask, .statusmask = m->statusmask, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dccp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c 
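Review bot: the cast removal in the xt_conntrack.c match() hunk, `ct = nf_ct_get(skb, &ctinfo);`, only compiles without a discarded-qualifier warning if nf_ct_get() already takes a `const struct sk_buff *`; that prototype change is not part of this diff, so please confirm the header already has it or that it lands earlier in the series. The same applies to the identical cast removal in the xt_helper.c hunk further down.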
@@ -39,7 +39,7 @@ dccp_find_option(u_int8_t option, bool *hotdrop) { /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ - unsigned char *op; + const unsigned char *op; unsigned int optoff = __dccp_hdr_len(dh); unsigned int optlen = dh->dccph_doff*4 - __dccp_hdr_len(dh); unsigned int i; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_hashlimit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c @@ -95,7 +95,7 @@ static HLIST_HEAD(hashlimit_htables); static struct kmem_cache *hashlimit_cachep __read_mostly; static inline bool dst_cmp(const struct dsthash_ent *ent, - struct dsthash_dst *b) + const struct dsthash_dst *b) { return !memcmp(&ent->dst, b, sizeof(ent->dst)); } @@ -107,7 +107,8 @@ hash_dst(const struct xt_hashlimit_htabl } static struct dsthash_ent * -dsthash_find(const struct xt_hashlimit_htable *ht, struct dsthash_dst *dst) +dsthash_find(const struct xt_hashlimit_htable *ht, + const struct dsthash_dst *dst) { struct dsthash_ent *ent; struct hlist_node *pos; @@ -123,7 +124,8 @@ dsthash_find(const struct xt_hashlimit_h /* allocate dsthash_ent, initialize dst, put in htable and lock it */ static struct dsthash_ent * -dsthash_alloc_init(struct xt_hashlimit_htable *ht, struct dsthash_dst *dst) +dsthash_alloc_init(struct xt_hashlimit_htable *ht, + const struct dsthash_dst *dst) { struct dsthash_ent *ent; 
@@ -228,19 +230,21 @@ static int htable_create(struct xt_hashl return 0; } -static bool select_all(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) +static bool select_all(const struct xt_hashlimit_htable *ht, + const struct dsthash_ent *he) { return 1; } -static bool select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) +static bool select_gc(const struct xt_hashlimit_htable *ht, + const struct dsthash_ent *he) { return (jiffies >= he->expires); } static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, - bool (*select)(struct xt_hashlimit_htable *ht, - struct dsthash_ent *he)) + bool (*select)(const struct xt_hashlimit_htable *ht, + const struct dsthash_ent *he)) { unsigned int i; @@ -283,7 +287,8 @@ static void htable_destroy(struct xt_has vfree(hinfo); } -static struct xt_hashlimit_htable *htable_find_get(char *name, int family) +static struct xt_hashlimit_htable *htable_find_get(const char *name, + int family) { struct xt_hashlimit_htable *hinfo; struct hlist_node *pos; @@ -368,7 +373,8 @@ static inline void rateinfo_recalc(struc } static int -hashlimit_init_dst(struct xt_hashlimit_htable *hinfo, struct dsthash_dst *dst, +hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo, + struct dsthash_dst *dst, const struct sk_buff *skb, unsigned int protoff) { __be16 _ports[2], *ports; @@ -443,8 +449,8 @@ hashlimit_match(const struct sk_buff *sk unsigned int protoff, bool *hotdrop) { - struct xt_hashlimit_info *r = - ((struct xt_hashlimit_info *)matchinfo)->u.master; + const struct xt_hashlimit_info *r = + ((const struct xt_hashlimit_info *)matchinfo)->u.master; struct xt_hashlimit_htable *hinfo = r->hinfo; unsigned long now = jiffies; struct dsthash_ent *dh; 
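Review bot: in the xt_hashlimit.c select_all()/select_gc() hunk, `return 1;` in a function declared `bool` should read `return true;` to match select_gc(), which returns a comparison. And since select_gc() is being rewritten here anyway, `return (jiffies >= he->expires);` is a raw comparison on jiffies that goes wrong across a jiffies wrap; `time_after_eq(jiffies, he->expires)` is the idiomatic form for an expiry check.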
@@ -543,7 +549,7 @@ hashlimit_checkentry(const char *tablena static void hashlimit_destroy(const struct xt_match *match, void *matchinfo) { - struct xt_hashlimit_info *r = matchinfo; + const struct xt_hashlimit_info *r = matchinfo; htable_put(r->hinfo); } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_helper.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_helper.c @@ -39,12 +39,12 @@ match(const struct sk_buff *skb, bool *hotdrop) { const struct xt_helper_info *info = matchinfo; - struct nf_conn *ct; - struct nf_conn_help *master_help; + const struct nf_conn *ct; + const struct nf_conn_help *master_help; enum ip_conntrack_info ctinfo; bool ret = info->invert; - ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); + ct = nf_ct_get(skb, &ctinfo); if (!ct) { DEBUGP("xt_helper: Eek! invalid conntrack?\n"); return ret; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_limit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_limit.c @@ -67,7 +67,8 @@ ipt_limit_match(const struct sk_buff *sk unsigned int protoff, bool *hotdrop) { - struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master; + struct xt_rateinfo *r = + ((const struct xt_rateinfo *)matchinfo)->master; unsigned long now = jiffies; spin_lock_bh(&limit_lock); @@ -144,7 +145,7 @@ struct compat_xt_rateinfo { * master pointer, which does not need to be preserved. */ static void compat_from_user(void *dst, void *src) { - struct compat_xt_rateinfo *cm = src; + const struct compat_xt_rateinfo *cm = src; struct xt_rateinfo m = { .avg = cm->avg, .burst = cm->burst, 
@@ -158,7 +159,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct xt_rateinfo *m = src; + const struct xt_rateinfo *m = src; struct compat_xt_rateinfo cm = { .avg = m->avg, .burst = m->burst, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mark.c @@ -60,7 +60,7 @@ struct compat_xt_mark_info { static void compat_from_user(void *dst, void *src) { - struct compat_xt_mark_info *cm = src; + const struct compat_xt_mark_info *cm = src; struct xt_mark_info m = { .mark = cm->mark, .mask = cm->mask, @@ -71,7 +71,7 @@ static void compat_from_user(void *dst, static int compat_to_user(void __user *dst, void *src) { - struct xt_mark_info *m = src; + const struct xt_mark_info *m = src; struct compat_xt_mark_info cm = { .mark = m->mark, .mask = m->mask, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_physdev.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_physdev.c @@ -36,7 +36,7 @@ match(const struct sk_buff *skb, const struct xt_physdev_info *info = matchinfo; bool ret; const char *indev, *outdev; - struct nf_bridge_info *nf_bridge; + const struct nf_bridge_info *nf_bridge; /* Not a bridged IP packet or no info available yet: * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if Index: linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_policy.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_policy.c 
@@ -34,7 +34,7 @@ xt_addr_cmp(const union xt_policy_addr * } static inline bool -match_xfrm_state(struct xfrm_state *x, const struct xt_policy_elem *e, +match_xfrm_state(const struct xfrm_state *x, const struct xt_policy_elem *e, unsigned short family) { #define MATCH_ADDR(x,y,z) (!e->match.x || \ @@ -55,7 +55,7 @@ match_policy_in(const struct sk_buff *sk unsigned short family) { const struct xt_policy_elem *e; - struct sec_path *sp = skb->sp; + const struct sec_path *sp = skb->sp; int strict = info->flags & XT_POLICY_MATCH_STRICT; int i, pos; @@ -85,7 +85,7 @@ match_policy_out(const struct sk_buff *s unsigned short family) { const struct xt_policy_elem *e; - struct dst_entry *dst = skb->dst; + const struct dst_entry *dst = skb->dst; int strict = info->flags & XT_POLICY_MATCH_STRICT; int i, pos; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_quota.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_quota.c @@ -22,7 +22,8 @@ match(const struct sk_buff *skb, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) { - struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master; + struct xt_quota_info *q = + ((const struct xt_quota_info *)matchinfo)->master; bool ret = q->flags & XT_QUOTA_INVERT; spin_lock_bh("a_lock); @@ -43,7 +44,7 @@ checkentry(const char *tablename, const const struct xt_match *match, void *matchinfo, unsigned int hook_mask) { - struct xt_quota_info *q = (struct xt_quota_info *)matchinfo; + struct xt_quota_info *q = matchinfo; if (q->flags & ~XT_QUOTA_MASK) return false; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_realm.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_realm.c 
@@ -32,7 +32,7 @@ match(const struct sk_buff *skb, bool *hotdrop) { const struct xt_realm_info *info = matchinfo; - struct dst_entry *dst = skb->dst; + const struct dst_entry *dst = skb->dst; return (info->id == (dst->tclassid & info->mask)) ^ info->invert; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_statistic.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_statistic.c @@ -57,7 +57,7 @@ checkentry(const char *tablename, const const struct xt_match *match, void *matchinfo, unsigned int hook_mask) { - struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo; + struct xt_statistic_info *info = matchinfo; if (info->mode > XT_STATISTIC_MODE_MAX || info->flags & ~XT_STATISTIC_MASK) From jengelh at linux01.gwdg.de Mon Jun 4 21:13:00 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 22:17:42 2007 Subject: [PATCH 2/3] Misc cleanups In-Reply-To: References: Message-ID: Removes inline. device_cmp: the function's address is taken (call to nf_ct_iterate_cleanup) alloc_null_binding: referenced externally Signed-off-by: Jan Engelhardt --- net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +- net/ipv4/netfilter/nf_nat_rule.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_MASQUERADE.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_MASQUERADE.c 
@@ -109,7 +109,7 @@ masquerade_target(struct sk_buff **pskb, return nf_nat_setup_info(ct, &newrange, hooknum); } -static inline int +static int device_cmp(struct nf_conn *i, void *ifindex) { const struct nf_conn_nat *nat = nfct_nat(i); Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_rule.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/nf_nat_rule.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/nf_nat_rule.c @@ -172,7 +172,7 @@ static bool ipt_dnat_checkentry(const ch return true; } -inline unsigned int +unsigned int alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) { /* Force range to this IP; let proto decide mapping for From jengelh at linux01.gwdg.de Mon Jun 4 21:14:29 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jun 4 22:18:47 2007 Subject: [PATCH 3/3] Misc cleanups In-Reply-To: References: Message-ID: Removes redundant parentheses and braces. (And add one pair in a xt_tcpudp.c macro.) 
Signed-off-by: Jan Engelhardt --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 11 ++++------- net/ipv4/netfilter/ipt_ECN.c | 4 ++-- net/ipv4/netfilter/ipt_TTL.c | 2 +- net/ipv4/netfilter/ipt_ULOG.c | 8 +++----- net/ipv4/netfilter/ipt_iprange.c | 8 ++++---- net/ipv4/netfilter/ipt_recent.c | 9 +++------ net/ipv4/netfilter/ipt_ttl.c | 12 ++++-------- net/ipv6/netfilter/ip6t_HL.c | 2 +- net/ipv6/netfilter/ip6t_REJECT.c | 2 +- net/ipv6/netfilter/ip6t_ah.c | 12 ++++++------ net/ipv6/netfilter/ip6t_eui64.c | 6 +++--- net/ipv6/netfilter/ip6t_frag.c | 18 +++++++++--------- net/ipv6/netfilter/ip6t_hbh.c | 2 +- net/ipv6/netfilter/ip6t_hl.c | 8 ++++---- net/ipv6/netfilter/ip6t_ipv6header.c | 6 +++--- net/ipv6/netfilter/ip6t_owner.c | 6 ++---- net/ipv6/netfilter/ip6t_rt.c | 16 ++++++++-------- net/netfilter/xt_DSCP.c | 2 +- net/netfilter/xt_TCPMSS.c | 4 ++-- net/netfilter/xt_connbytes.c | 4 ++-- net/netfilter/xt_connmark.c | 2 +- net/netfilter/xt_dccp.c | 10 +++++----- net/netfilter/xt_hashlimit.c | 2 +- net/netfilter/xt_length.c | 4 ++-- net/netfilter/xt_mac.c | 10 +++++----- net/netfilter/xt_pkttype.c | 4 ++-- net/netfilter/xt_sctp.c | 23 +++++++++-------------- net/netfilter/xt_tcpudp.c | 2 +- 28 files changed, 90 insertions(+), 109 deletions(-) Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -122,9 +122,8 @@ __clusterip_config_find(__be32 clusterip list_for_each(pos, &clusterip_configs) { struct clusterip_config *c = list_entry(pos, struct clusterip_config, list); - if (c->clusterip == clusterip) { + if (c->clusterip == clusterip) return c; - } } return NULL; 
@@ -155,9 +154,8 @@ clusterip_config_init_nodelist(struct cl { int n; - for (n = 0; n < i->num_local_nodes; n++) { + for (n = 0; n < i->num_local_nodes; n++) set_bit(i->local_nodes[n] - 1, &c->local_nodes); - } } static struct clusterip_config * @@ -254,10 +252,9 @@ clusterip_hashfn(const struct sk_buff *s dport = ports[1]; break; default: - if (net_ratelimit()) { + if (net_ratelimit()) printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n", iph->protocol); - } sport = dport = 0; } @@ -285,7 +282,7 @@ clusterip_hashfn(const struct sk_buff *s } /* node numbers are 1..n, not 0..n */ - return ((hashval % config->num_total_nodes)+1); + return (hashval % config->num_total_nodes) + 1; } static inline int Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ECN.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ECN.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ECN.c @@ -58,8 +58,8 @@ set_ect_tcp(struct sk_buff **pskb, const if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) || tcph->ece == einfo->proto.tcp.ece) && - ((!(einfo->operation & IPT_ECN_OP_SET_CWR) || - tcph->cwr == einfo->proto.tcp.cwr))) + (!(einfo->operation & IPT_ECN_OP_SET_CWR) || + tcph->cwr == einfo->proto.tcp.cwr)) return true; if (!skb_make_writable(pskb, ip_hdrlen(*pskb) + sizeof(*tcph))) Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_TTL.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_TTL.c 
@@ -75,7 +75,7 @@ static bool ipt_ttl_checkentry(const cha info->mode); return false; } - if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) + if (info->mode != IPT_TTL_SET && info->ttl == 0) return false; return true; } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ULOG.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ULOG.c @@ -180,11 +180,10 @@ static void ipt_ulog_packet(unsigned int /* calculate the size of the skb needed */ if ((loginfo->copy_range == 0) || - (loginfo->copy_range > skb->len)) { + (loginfo->copy_range > skb->len)) copy_len = skb->len; - } else { + else copy_len = loginfo->copy_range; - } size = NLMSG_SPACE(sizeof(*pm) + copy_len); @@ -257,9 +256,8 @@ static void ipt_ulog_packet(unsigned int BUG(); /* check if we are building multi-part messages */ - if (ub->qlen > 1) { + if (ub->qlen > 1) ub->lastnlh->nlmsg_flags |= NLM_F_MULTI; - } ub->lastnlh = nlh; Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_iprange.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_iprange.c @@ -35,8 +35,8 @@ match(const struct sk_buff *skb, const struct iphdr *iph = ip_hdr(skb); if (info->flags & IPRANGE_SRC) { - if (((ntohl(iph->saddr) < ntohl(info->src.min_ip)) - || (ntohl(iph->saddr) > ntohl(info->src.max_ip))) + if ((ntohl(iph->saddr) < ntohl(info->src.min_ip) + || ntohl(iph->saddr) > ntohl(info->src.max_ip)) ^ !!(info->flags & IPRANGE_SRC_INV)) { DEBUGP("src IP %u.%u.%u.%u NOT in range %s" "%u.%u.%u.%u-%u.%u.%u.%u\n", 
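Review bot: the ipt_ULOG.c copy_range hunk drops the braces but keeps the redundant inner parentheses in `if ((loginfo->copy_range == 0) || (loginfo->copy_range > skb->len))`, which is exactly what this patch strips in the ipt_TTL.c and ipt_iprange.c hunks; for consistency write it as `if (loginfo->copy_range == 0 || loginfo->copy_range > skb->len)`.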
@@ -48,8 +48,8 @@ match(const struct sk_buff *skb, } } if (info->flags & IPRANGE_DST) { - if (((ntohl(iph->daddr) < ntohl(info->dst.min_ip)) - || (ntohl(iph->daddr) > ntohl(info->dst.max_ip))) + if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip) + || ntohl(iph->daddr) > ntohl(info->dst.max_ip)) ^ !!(info->flags & IPRANGE_DST_INV)) { DEBUGP("dst IP %u.%u.%u.%u NOT in range %s" "%u.%u.%u.%u-%u.%u.%u.%u\n", Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_recent.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_recent.c @@ -163,10 +163,9 @@ static void recent_table_flush(struct re struct recent_entry *e, *next; unsigned int i; - for (i = 0; i < ip_list_hash_size; i++) { + for (i = 0; i < ip_list_hash_size; i++) list_for_each_entry_safe(e, next, &t->iphash[i], list) recent_entry_remove(t, e); - } } static bool @@ -329,12 +328,10 @@ static void *recent_seq_start(struct seq spin_lock_bh(&recent_lock); - for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++) { - list_for_each_entry(e, &t->iphash[st->bucket], list) { + for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++) + list_for_each_entry(e, &t->iphash[st->bucket], list) if (p-- == 0) return e; - } - } return NULL; } Index: linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv4/netfilter/ipt_ttl.c +++ linux-2.6.22-rc3-git6/net/ipv4/netfilter/ipt_ttl.c 
@@ -28,17 +28,13 @@ static bool match(const struct sk_buff * switch (info->mode) { case IPT_TTL_EQ: - return (ttl == info->ttl); - break; + return ttl == info->ttl; case IPT_TTL_NE: - return (!(ttl == info->ttl)); - break; + return ttl != info->ttl; case IPT_TTL_LT: - return (ttl < info->ttl); - break; + return ttl < info->ttl; case IPT_TTL_GT: - return (ttl > info->ttl); - break; + return ttl > info->ttl; default: printk(KERN_WARNING "ipt_ttl: unknown mode %d\n", info->mode); Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_HL.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_HL.c @@ -71,7 +71,7 @@ static bool ip6t_hl_checkentry(const cha info->mode); return false; } - if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) { + if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " "make sense with value 0\n"); return false; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_REJECT.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_REJECT.c @@ -69,7 +69,7 @@ static void send_reset(struct sk_buff *o otcplen = oldskb->len - tcphoff; /* IP header checks: fragment, too short. */ - if ((proto != IPPROTO_TCP) || (otcplen < sizeof(struct tcphdr))) { + if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { DEBUGP("ip6t_REJECT: proto(%d) != IPPROTO_TCP, or too short. otcplen = %d\n", proto, otcplen); return; Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ah.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ah.c 
@@ -78,9 +78,9 @@ match(const struct sk_buff *skb, DEBUGP("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi)); DEBUGP("IPv6 AH spi %02X ", - (spi_match(ahinfo->spis[0], ahinfo->spis[1], - ntohl(ah->spi), - !!(ahinfo->invflags & IP6T_AH_INV_SPI)))); + spi_match(ahinfo->spis[0], ahinfo->spis[1], + ntohl(ah->spi), + !!(ahinfo->invflags & IP6T_AH_INV_SPI))); DEBUGP("len %02X %04X %02X ", ahinfo->hdrlen, hdrlen, (!ahinfo->hdrlen || @@ -92,9 +92,9 @@ match(const struct sk_buff *skb, return (ah != NULL) && - (spi_match(ahinfo->spis[0], ahinfo->spis[1], - ntohl(ah->spi), - !!(ahinfo->invflags & IP6T_AH_INV_SPI))) + spi_match(ahinfo->spis[0], ahinfo->spis[1], + ntohl(ah->spi), + !!(ahinfo->invflags & IP6T_AH_INV_SPI)) && (!ahinfo->hdrlen || (ahinfo->hdrlen == hdrlen) ^ Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_eui64.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_eui64.c @@ -33,7 +33,7 @@ match(const struct sk_buff *skb, int i = 0; if (!(skb_mac_header(skb) >= skb->head && - (skb_mac_header(skb) + ETH_HLEN) <= skb->data) && + skb_mac_header(skb) + ETH_HLEN <= skb->data) && offset != 0) { *hotdrop = true; return false; @@ -50,8 +50,8 @@ match(const struct sk_buff *skb, eui64[0] |= 0x02; i = 0; - while ((ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]) - && (i < 8)) + while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i] + && i < 8) i++; if (i == 8) Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_frag.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_frag.c 
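Review bot: the ip6t_eui64.c while-loop hunk keeps the bound check after the array access: `while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i] && i < 8)` still evaluates `s6_addr[16]` and `eui64[8]` on the iteration where all eight bytes have matched (i == 8, the success case tested right below), and only then does `i < 8` end the loop. s6_addr is 16 bytes, so that is a read past the end of saddr. As the line is being rewritten anyway, put the bound first: `while (i < 8 && ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i])`.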
@@ -77,35 +77,35 @@ match(const struct sk_buff *skb, ntohl(fh->identification)); DEBUGP("IPv6 FRAG id %02X ", - (id_match(fraginfo->ids[0], fraginfo->ids[1], + id_match(fraginfo->ids[0], fraginfo->ids[1], ntohl(fh->identification), - !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))); + !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))); DEBUGP("res %02X %02X%04X %02X ", - (fraginfo->flags & IP6T_FRAG_RES), fh->reserved, + fraginfo->flags & IP6T_FRAG_RES, fh->reserved, ntohs(fh->frag_off) & 0x6, !((fraginfo->flags & IP6T_FRAG_RES) && (fh->reserved || (ntohs(fh->frag_off) & 0x06)))); DEBUGP("first %02X %02X %02X ", - (fraginfo->flags & IP6T_FRAG_FST), + fraginfo->flags & IP6T_FRAG_FST, ntohs(fh->frag_off) & ~0x7, !((fraginfo->flags & IP6T_FRAG_FST) && (ntohs(fh->frag_off) & ~0x7))); DEBUGP("mf %02X %02X %02X ", - (fraginfo->flags & IP6T_FRAG_MF), + fraginfo->flags & IP6T_FRAG_MF, ntohs(fh->frag_off) & IP6_MF, !((fraginfo->flags & IP6T_FRAG_MF) && !((ntohs(fh->frag_off) & IP6_MF)))); DEBUGP("last %02X %02X %02X\n", - (fraginfo->flags & IP6T_FRAG_NMF), + fraginfo->flags & IP6T_FRAG_NMF, ntohs(fh->frag_off) & IP6_MF, !((fraginfo->flags & IP6T_FRAG_NMF) && (ntohs(fh->frag_off) & IP6_MF))); return (fh != NULL) && - (id_match(fraginfo->ids[0], fraginfo->ids[1], - ntohl(fh->identification), - !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))) + id_match(fraginfo->ids[0], fraginfo->ids[1], + ntohl(fh->identification), + !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) && !((fraginfo->flags & IP6T_FRAG_RES) && (fh->reserved || (ntohs(fh->frag_off) & 0x6))) Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hbh.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hbh.c 
@@ -160,7 +160,7 @@ match(const struct sk_buff *skb, DEBUGP("len%04X \n", optlen); if ((ptr > skb->len - optlen || hdrlen < optlen) && - (temp < optinfo->optsnr - 1)) { + temp < optinfo->optsnr - 1) { DEBUGP("new pointer is too large! \n"); break; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_hl.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_hl.c @@ -29,16 +29,16 @@ static bool match(const struct sk_buff * switch (info->mode) { case IP6T_HL_EQ: - return (ip6h->hop_limit == info->hop_limit); + return ip6h->hop_limit == info->hop_limit; break; case IP6T_HL_NE: - return (!(ip6h->hop_limit == info->hop_limit)); + return ip6h->hop_limit != info->hop_limit; break; case IP6T_HL_LT: - return (ip6h->hop_limit < info->hop_limit); + return ip6h->hop_limit < info->hop_limit; break; case IP6T_HL_GT: - return (ip6h->hop_limit > info->hop_limit); + return ip6h->hop_limit > info->hop_limit; break; default: printk(KERN_WARNING "ip6t_hl: unknown mode %d\n", Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_ipv6header.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_ipv6header.c @@ -74,9 +74,9 @@ ipv6header_match(const struct sk_buff *s BUG_ON(hp == NULL); /* Calculate the header length */ - if (nexthdr == NEXTHDR_FRAGMENT) { + if (nexthdr == NEXTHDR_FRAGMENT) hdrlen = 8; - } else if (nexthdr == NEXTHDR_AUTH) + else if (nexthdr == NEXTHDR_AUTH) hdrlen = (hp->hdrlen + 2) << 2; else hdrlen = ipv6_optlen(hp); 
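Review bot: the ip6t_hl.c switch hunk leaves an unreachable `break;` after each `return`, while the equivalent ipt_ttl.c hunk earlier in this same patch removes them; drop them here as well so the IPv4 and IPv6 variants stay identical.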
@@ -110,7 +110,7 @@ ipv6header_match(const struct sk_buff *s break; } - if ((nexthdr != NEXTHDR_NONE) && (nexthdr != NEXTHDR_ESP)) + if (nexthdr != NEXTHDR_NONE && nexthdr != NEXTHDR_ESP) temp |= MASK_PROTO; if (info->modeflag) Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_owner.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_owner.c @@ -38,17 +38,15 @@ match(const struct sk_buff *skb, if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file) return false; - if (info->match & IP6T_OWNER_UID) { + if (info->match & IP6T_OWNER_UID) if ((skb->sk->sk_socket->file->f_uid != info->uid) ^ !!(info->invert & IP6T_OWNER_UID)) return false; - } - if (info->match & IP6T_OWNER_GID) { + if (info->match & IP6T_OWNER_GID) if ((skb->sk->sk_socket->file->f_gid != info->gid) ^ !!(info->invert & IP6T_OWNER_GID)) return false; - } return true; } Index: linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/ipv6/netfilter/ip6t_rt.c +++ linux-2.6.22-rc3-git6/net/ipv6/netfilter/ip6t_rt.c @@ -87,9 +87,9 @@ match(const struct sk_buff *skb, DEBUGP("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left); DEBUGP("IPv6 RT segsleft %02X ", - (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], - rh->segments_left, - !!(rtinfo->invflags & IP6T_RT_INV_SGS)))); + segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], + rh->segments_left, + !!(rtinfo->invflags & IP6T_RT_INV_SGS))); DEBUGP("type %02X %02X %02X ", rtinfo->rt_type, rh->type, (!(rtinfo->flags & IP6T_RT_TYP) || 
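Review bot: the ip6t_owner.c hunk removes the braces from two outer `if` statements whose bodies are themselves multi-line `if (...) return false;` statements; an unbraced `if` nested inside an unbraced `if` is fragile (an `else` added later binds to the inner `if`), so the outer braces are worth keeping even though they are syntactically redundant. The same readability point applies to the triple-nested `for` / `list_for_each_entry` / `if` in the ipt_recent.c recent_seq_start() hunk above.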
@@ -97,11 +97,11 @@ match(const struct sk_buff *skb, !!(rtinfo->invflags & IP6T_RT_INV_TYP)))); DEBUGP("len %02X %04X %02X ", rtinfo->hdrlen, hdrlen, - (!(rtinfo->flags & IP6T_RT_LEN) || + !(rtinfo->flags & IP6T_RT_LEN) || ((rtinfo->hdrlen == hdrlen) ^ - !!(rtinfo->invflags & IP6T_RT_INV_LEN)))); + !!(rtinfo->invflags & IP6T_RT_INV_LEN))); DEBUGP("res %02X %02X %02X ", - (rtinfo->flags & IP6T_RT_RES), + rtinfo->flags & IP6T_RT_RES, ((const struct rt0_hdr *)rh)->reserved, !((rtinfo->flags & IP6T_RT_RES) && (((const struct rt0_hdr *)rh)->reserved))); @@ -188,8 +188,8 @@ match(const struct sk_buff *skb, break; } DEBUGP("temp=%d #%d\n", temp, rtinfo->addrnr); - if ((temp == rtinfo->addrnr) && - (temp == (unsigned int)((hdrlen - 8) / 16))) + if (temp == rtinfo->addrnr && + temp == (unsigned int)((hdrlen - 8) / 16)) return ret; else return false; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_DSCP.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_DSCP.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_DSCP.c @@ -74,7 +74,7 @@ static bool checkentry(const char *table { const u_int8_t dscp = ((struct xt_DSCP_info *)targinfo)->dscp; - if ((dscp > XT_DSCP_MAX)) { + if (dscp > XT_DSCP_MAX) { printk(KERN_WARNING "DSCP: dscp %x out of range\n", dscp); return false; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_TCPMSS.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_TCPMSS.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_TCPMSS.c @@ -93,7 +93,7 @@ tcpmss_mangle_packet(struct sk_buff **ps return 0; opt[i+2] = (newmss & 0xff00) >> 8; - opt[i+3] = (newmss & 0x00ff); + opt[i+3] = newmss & 0x00ff; nf_proto_csum_replace2(&tcph->check, *pskb, htons(oldmss), htons(newmss), 0); 
@@ -126,7 +126,7 @@ tcpmss_mangle_packet(struct sk_buff **ps opt[0] = TCPOPT_MSS; opt[1] = TCPOLEN_MSS; opt[2] = (newmss & 0xff00) >> 8; - opt[3] = (newmss & 0x00ff); + opt[3] = newmss & 0x00ff; nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0); Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connbytes.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connbytes.c @@ -90,9 +90,9 @@ match(const struct sk_buff *skb, } if (sinfo->count.to) - return (what <= sinfo->count.to && what >= sinfo->count.from); + return what <= sinfo->count.to && what >= sinfo->count.from; else - return (what >= sinfo->count.from); + return what >= sinfo->count.from; } static bool check(const char *tablename, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_connmark.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_connmark.c @@ -48,7 +48,7 @@ match(const struct sk_buff *skb, if (!ct) return false; - return (((ct->mark) & info->mask) == info->mark) ^ info->invert; + return ((ct->mark & info->mask) == info->mark) ^ info->invert; } static bool Index: linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_dccp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_dccp.c @@ -81,7 +81,7 @@ dccp_find_option(u_int8_t option, static inline bool match_types(const struct dccp_hdr *dh, u_int16_t typemask) { - return (typemask & (1 << dh->dccph_type)); + return typemask & (1 << dh->dccph_type); } static inline bool 
@@ -113,11 +113,11 @@ match(const struct sk_buff *skb, return false; } - return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) - && (ntohs(dh->dccph_sport) <= info->spts[1])), + return DCCHECK(ntohs(dh->dccph_sport) >= info->spts[0] + && ntohs(dh->dccph_sport) <= info->spts[1], XT_DCCP_SRC_PORTS, info->flags, info->invflags) - && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) - && (ntohs(dh->dccph_dport) <= info->dpts[1])), + && DCCHECK(ntohs(dh->dccph_dport) >= info->dpts[0] + && ntohs(dh->dccph_dport) <= info->dpts[1], XT_DCCP_DEST_PORTS, info->flags, info->invflags) && DCCHECK(match_types(dh, info->typemask), XT_DCCP_TYPE, info->flags, info->invflags) Index: linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_hashlimit.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_hashlimit.c @@ -239,7 +239,7 @@ static bool select_all(const struct xt_h static bool select_gc(const struct xt_hashlimit_htable *ht, const struct dsthash_ent *he) { - return (jiffies >= he->expires); + return jiffies >= he->expires; } static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_length.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_length.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_length.c 
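Review bot: in the xt_dccp.c port-range hunk the DCCHECK() condition arguments lose their own parentheses (`return DCCHECK(ntohs(dh->dccph_sport) >= info->spts[0] && ntohs(dh->dccph_sport) <= info->spts[1], XT_DCCP_SRC_PORTS, ...)`), which is only correct if the macro wraps its `cond` parameter in parentheses in its expansion, because `^` binds tighter than `&&`; the macro body is not part of this diff, so please confirm that or keep the parentheses. In the xt_hashlimit.c select_gc hunk, `return jiffies >= he->expires;` is a raw comparison that misbehaves when jiffies wraps; since the line is being rewritten anyway, `time_after_eq(jiffies, he->expires)` is the wrap-safe form.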
@@ -47,8 +47,8 @@ match6(const struct sk_buff *skb, bool *hotdrop) { const struct xt_length_info *info = matchinfo; - const u_int16_t pktlen = (ntohs(ipv6_hdr(skb)->payload_len) + - sizeof(struct ipv6hdr)); + const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + + sizeof(struct ipv6hdr); return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; } Index: linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_mac.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_mac.c @@ -37,11 +37,11 @@ match(const struct sk_buff *skb, const struct xt_mac_info *info = matchinfo; /* Is mac pointer valid? */ - return (skb_mac_header(skb) >= skb->head && - (skb_mac_header(skb) + ETH_HLEN) <= skb->data - /* If so, compare... */ - && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) - ^ info->invert)); + return skb_mac_header(skb) >= skb->head && + skb_mac_header(skb) + ETH_HLEN <= skb->data + /* If so, compare... */ + && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) + ^ info->invert); } static struct xt_match xt_mac_match[] = { Index: linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_pkttype.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_pkttype.c @@ -34,9 +34,9 @@ static bool match(const struct sk_buff * const struct xt_pkttype_info *info = matchinfo; if (skb->pkt_type == PACKET_LOOPBACK) - type = (MULTICAST(ip_hdr(skb)->daddr) + type = MULTICAST(ip_hdr(skb)->daddr) ? PACKET_MULTICAST - : PACKET_BROADCAST); + : PACKET_BROADCAST; else type = skb->pkt_type; Index: linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_sctp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_sctp.c 
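Review bot: in the xt_length.c match6 hunk, `pktlen` stays a `u_int16_t` while `ntohs(ipv6_hdr(skb)->payload_len) + sizeof(struct ipv6hdr)` can reach 65535 + 40 and wrap to a small value, so a packet with payload_len above 65495 is compared against a truncated length; this predates the patch, but since the declaration is being rewritten, `unsigned int pktlen` fixes it in the same hunk. In the xt_mac.c hunk, `((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) ^ info->invert)` keeps a redundant pair of parentheses around the `!compare_ether_addr(...)` term (unary `!` already binds tighter than `^`), which runs against the purpose of this cleanup.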
@@ -31,11 +31,9 @@ match_flags(const struct xt_sctp_flag_in { int i; - for (i = 0; i < flag_count; i++) { - if (flag_info[i].chunktype == chunktype) { + for (i = 0; i < flag_count; i++) + if (flag_info[i].chunktype == chunktype) return (chunkflags & flag_info[i].flag_mask) == flag_info[i].flag; - } - } return true; } @@ -56,9 +54,8 @@ match_packet(const struct sk_buff *skb, int i = 0; #endif - if (chunk_match_type == SCTP_CHUNK_MATCH_ALL) { + if (chunk_match_type == SCTP_CHUNK_MATCH_ALL) SCTP_CHUNKMAP_COPY(chunkmapcopy, chunkmap); - } do { sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); @@ -86,16 +83,14 @@ match_packet(const struct sk_buff *skb, case SCTP_CHUNK_MATCH_ALL: if (match_flags(flag_info, flag_count, - sch->type, sch->flags)) { + sch->type, sch->flags)) SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type); - } break; case SCTP_CHUNK_MATCH_ONLY: if (!match_flags(flag_info, flag_count, - sch->type, sch->flags)) { + sch->type, sch->flags)) return false; - } break; } } else { @@ -145,11 +140,11 @@ match(const struct sk_buff *skb, } duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); - return SCCHECK(((ntohs(sh->source) >= info->spts[0]) - && (ntohs(sh->source) <= info->spts[1])), + return SCCHECK(ntohs(sh->source) >= info->spts[0] + && ntohs(sh->source) <= info->spts[1], XT_SCTP_SRC_PORTS, info->flags, info->invflags) - && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) - && (ntohs(sh->dest) <= info->dpts[1])), + && SCCHECK(ntohs(sh->dest) >= info->dpts[0] + && ntohs(sh->dest) <= info->dpts[1], XT_SCTP_DEST_PORTS, info->flags, info->invflags) && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t), info->chunkmap, info->chunk_match_type, Index: linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c =================================================================== --- linux-2.6.22-rc3-git6.orig/net/netfilter/xt_tcpudp.c +++ linux-2.6.22-rc3-git6/net/netfilter/xt_tcpudp.c 
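Review bot: the xt_sctp.c match hunk drops the parentheses around the SCCHECK() condition arguments (`SCCHECK(ntohs(sh->source) >= info->spts[0] && ntohs(sh->source) <= info->spts[1], XT_SCTP_SRC_PORTS, info->flags, info->invflags)`); that is only safe if SCCHECK parenthesizes its first parameter in its expansion, since `^` binds tighter than `&&`, and the macro definition is not in this diff. In match_flags the braces are removed from a nested `for`/`if` whose only statement is a two-line `return`; CodingStyle permits that, but a brace-less nested loop with an early return is the shape most easily broken by a later one-line addition, so keeping the outer braces would be the safer choice.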
@@ -95,7 +95,7 @@ tcp_match(const struct sk_buff *skb, return false; } -#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg)) +#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg))) th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph); if (th == NULL) {
From jengelh at linux01.gwdg.de Tue Jun 5 09:07:23 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jun 5 10:11:39 2007
Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet
In-Reply-To: <4662F908.4090401@trash.net>
References: <4662F908.4090401@trash.net>
Message-ID:

Hi,

On Jun 3 2007 19:23, Patrick McHardy wrote:
>Also
>
> u_int32_t min;
> u_int32_t max;
>
>please (and everywhere else of course).

Might get a bit verbose.

Question: ipt_u32/xt_u32 uses a spinlock_bh to protect the buffer to which a packet is copied before analyzing.

>> + spin_lock_bh(&xt_u32_lock); >> + >> + head = skb_header_pointer(skb, 0, min(skb->len, >> + sizeof(xt_u32_buffer)), xt_u32_buffer);

I'd like to hear opinions about:

* open coding skb_header_pointer
In the "hlen - offset >= len" case in skb_header_pointer(), it just returns a pointer to the existing skb without copying, in which case we would not need to take a lock at all.

* use percpu buffers, with or without opencoding skb_header_pointer so that cpus/threads do not have to wait for another -m u32 to finish.

Jan
--
From jengelh at linux01.gwdg.de Tue Jun 5 10:33:15 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jun 5 11:37:25 2007
Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting
In-Reply-To: <4662FBB6.9060000@trash.net>
References: <4662FBB6.9060000@trash.net>
Message-ID:

Hi,

On Jun 3 2007 19:34, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Adds the connlimit match that has been in POM-NG for a long time.
>
>This has about half the points I mentioned last time unfixed,
>starting with proper use of list.h.

#include ...

struct xt_connlimit_conn {
	struct list_head list;
	struct nf_conntrack_tuple tuple;
};

struct xt_connlimit_data {
	struct list_head iphash[256];
	spinlock_t lock;
};

That looks like lists to me. Please enlighten me where you think lists were missing.

I remember "last time" as
http://lists.netfilter.org/pipermail/netfilter-devel/2006-December/026341.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-January/026577.html
where you did not think negatively about connlimit. Please let me know of the post you were referring to.

Thanks!

Jan
--
From noalevy at gmail.com Tue Jun 5 00:43:59 2007
From: noalevy at gmail.com (noa levy)
Date: Tue Jun 5 12:02:08 2007
Subject: SNAT before IPSec
Message-ID: <8bd3dfad0706041543s1a6863ddpc1fd4fb1fd05f6a2@mail.gmail.com>

Hi All,

I have a setup where I need to SNAT traffic that will be going out via an IPSec tunnel. The NAT must take place before the IPSec encryption+encapsulation, so I need the packet to first go through SNAT and then match an IPSec policy. After being IPSec-ified, I need the packets to go through routing again.

My question: SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I have read that after IPSec the packet gets injected to LOCAL_OUT again, but when does the actual IPSec policy decision take place? Won't it happen *before* SNAT? Can I control it?

Thanks,
Noa
From jengelh at linux01.gwdg.de Tue Jun 5 12:16:12 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jun 5 13:20:15 2007
Subject: [PATCH] xt_gateway match
In-Reply-To: <200706041133.l54BXqv07802@server1.secure-linux-server.com>
References: <200706041133.l54BXqv07802@server1.secure-linux-server.com>
Message-ID:

On Jun 4 2007 11:14, Amin Azez wrote:
>
>Thanks for looking at this, Jan. I'm away from a testing box right now,
>but I think you got a test wrong. The gateway test is meant to exclude
>cases where the neighbour table matches AND the daddr matches, because
>that means the packet wasn't routed to that target AS a gateway.
>
>For nexthop we don't want to match daddr regardless, only if it is also
>matching the neighbor table.
>
>Gateway: match neighbourtable and not match daddr
>Nexthop: match neighbour table.

Ok I am a bit narrow on this, anyway, I checked again and it looks like, yes, there was something wrong. I fixed it to:

	if (memcmp(&info->gateway, &neigh->primary_key, tbl->key_len) != 0)
		return false;
	if (!(info->flags & XT_GATEWAY_ROUTE))
		return true;
	iph = ip_hdr(skb);
	if (iph->daddr != info->gateway)
		return true;
	return false;

which should be matching

	memcmp(&info->gateway, &skb->dst->neighbour->primary_key,
	       skb->dst->neighbour->tbl->key_len) == 0 &&
	((info->flags & IPT_GATEWAY_ROUTE) == 0 || iph->daddr != info->gateway)

Will resend with that.

Jan
--
From jengelh at linux01.gwdg.de Tue Jun 5 13:12:29 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jun 5 14:16:31 2007
Subject: xt_u32 20070605
Message-ID:

Hi!

cleanups as you requested. I hope I did not miss any.

* 2007-06-05: uses kmalloc for the big buffer
* 2007-06-05: added inversion

Jan
--
From jengelh at linux01.gwdg.de Tue Jun 5 13:12:51 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:17:01 2007 Subject: xt_u32 20070605 (kernel) In-Reply-To: References: Message-ID: Subject: Add the U32 match from POM-NG Along comes... xt_u32, a revamped ipt_u32 from POM-NG, Plus: * 2007-06-02: added ipv6 support * 2007-06-05: uses kmalloc for the big buffer * 2007-06-05: added inversion Signed-off-by: Jan Engelhardt --- include/linux/netfilter/xt_u32.h | 37 +++++++++ net/netfilter/Kconfig | 13 +++ net/netfilter/Makefile | 1 net/netfilter/xt_u32.c | 151 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 202 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_u32.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_u32.h @@ -0,0 +1,37 @@ +#ifndef _XT_U32_H +#define _XT_U32_H 1 + +enum xt_u32_ops { + XT_U32_AND, + XT_U32_LEFTSH, + XT_U32_RIGHTSH, + XT_U32_AT, +}; + +struct xt_u32_location_element { + uint32_t number; + uint8_t nextop; +}; + +struct xt_u32_value_element { + uint32_t min, max; +}; + +/* + * Any way to allow for an arbitrary number of elements? + * For now, I settle with a limit of 10 each. + */ +#define XT_U32_MAXSIZE 10 + +struct xt_u32_test { + struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; + struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; + uint8_t nnums, nvalues; +}; + +struct xt_u32 { + struct xt_u32_test tests[XT_U32_MAXSIZE+1]; + uint8_t ntests, invert; +}; + +#endif /* _XT_U32_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig 
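Review bot: the new include/linux/netfilter/xt_u32.h declares the userspace-visible structures with `uint32_t`/`uint8_t`; the review quoted earlier in this thread asked for `u_int32_t`, which is what the other xt_*.h headers use, and `uint32_t` also forces any userspace consumer to include <stdint.h> before this header. The arrays `tests[XT_U32_MAXSIZE+1]`, `location[XT_U32_MAXSIZE+1]` and `value[XT_U32_MAXSIZE+1]` are one larger than the limit of 10 the comment describes, apparently so the userspace parser can store an element before its overflow check fires, while `ntests`, `nnums` and `nvalues` are `uint8_t` and can carry values up to 255; a comment stating the intended invariant (each count at most XT_U32_MAXSIZE+1) would tell the kernel side exactly what it has to validate. `invert` is likewise a `uint8_t` that the match XORs into a `bool`, so a value other than 0 or 1 gives a result that depends on bit position; documenting it as 0/1 or normalizing it with `!!` in the kernel would avoid surprises.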
@@ -635,6 +635,19 @@ config NETFILTER_XT_MATCH_TCPMSS To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_U32 + tristate '"u32" match support' + depends on NETFILTER_XTABLES + ---help--- + u32 allows you to extract quantities of up to 4 bytes from a packet, + AND them with specified masks, shift them by specified amounts and + test whether the results are in any of a set of specified ranges. + The specification of what to extract is general enough to skip over + headers with lengths stored in the packet, as in IP or TCP header + lengths. + + Details and examples are in the kernel module source. + config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile @@ -72,4 +72,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTI obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o +obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o Index: linux-2.6.22-rc4/net/netfilter/xt_u32.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_u32.c 
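Review bot: the Kconfig help text says "Details and examples are in the kernel module source", but the net/netfilter/xt_u32.c in this series carries only a single one-line example in a comment; the description of the location/value language lives in libipt_u32.man from the companion iptables patch, so the help text should point readers at the iptables u32 manual page instead.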
@@ -0,0 +1,151 @@ +/* + * xt_u32 - kernel module to match u32 packet content + * + * Original author: Don Cohen + * ? Jan Engelhardt , 2007 + */ + +#include +#include +#include +#include +#include +#include +#include + +/* This is slow, but it's simple. --RR */ + +static DEFINE_SPINLOCK(xt_u32_lock); +static unsigned int xt_u32_buffer_size = 64 * 1024; +static char *xt_u32_buffer; + +static bool xt_u32_match_it(const struct xt_u32 *data, + const struct sk_buff *skb) +{ + const struct xt_u32_test *ct; + const unsigned char *base; + const unsigned char *head; + unsigned int testind; + unsigned int nnums; + unsigned int nvals; + unsigned int i; + u_int32_t pos; + u_int32_t val; + u_int32_t at; + + base = head = skb_header_pointer(skb, 0, skb->len, xt_u32_buffer); + BUG_ON(head == NULL); + + /* + * Small example: "0 >> 28 == 4 && 8 & 0xFF0000 >> 16 = 6, 17" + * (=IPv4 and (TCP or UDP)). Outer loop runs over the "&&" operands. + */ + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + at = 0; + pos = ct->location[0].number; + + if (at + pos + 3 > skb->len || at + pos < 0) + return false; + + val = (base[pos] << 24) | (base[pos+1] << 16) | + (base[pos+2] << 8) | base[pos+3]; + nnums = ct->nnums; + + /* Inner loop runs over "&", "<<", ">>" and "@" operands */ + for (i = 1; i < nnums; ++i) { + u_int32_t number = ct->location[i].number; + switch (ct->location[i].nextop) { + case XT_U32_AND: + val &= number; + break; + case XT_U32_LEFTSH: + val <<= number; + break; + case XT_U32_RIGHTSH: + val >>= number; + break; + case XT_U32_AT: + at += val; + pos = number; + if (at + pos + 3 > skb->len || at + pos < 0) + return false; + + val = (base[at+pos] << 24) | + (base[at+pos+1] << 16) | + (base[at+pos+2] << 8) | base[at+pos+3]; + break; + } + } + + /* Run over the "," and ":" operands */ + nvals = ct->nvalues; + for (i = 0; i < nvals; ++i) + if (ct->value[i].min <= val && val <= ct->value[i].max) + break; + + if (i >= ct->nvalues) + return false; 
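Review bot: xt_u32_match_it() has an unbounded copy and wrap-prone bounds checks. `base = head = skb_header_pointer(skb, 0, skb->len, xt_u32_buffer);` copies `skb->len` bytes into a buffer of `xt_u32_buffer_size` (64 KiB by default and a module parameter) without clamping the length, so any skb longer than the buffer overruns it; the earlier version quoted in this thread used `min(skb->len, sizeof(xt_u32_buffer))`, and with a kmalloc'd buffer the bound has to be `xt_u32_buffer_size`. `BUG_ON(head == NULL)` then takes the machine down in the packet path where returning false would do. Both occurrences of `if (at + pos + 3 > skb->len || at + pos < 0)` are evaluated in 32-bit unsigned arithmetic: `at + pos < 0` can never be true, and `at + pos + 3` wraps for large `pos` (from the rule) or large `at` (accumulated from packet data via `@`), after which `base[at+pos+3]` reads past the buffer; use `skb->len < 4 || pos > skb->len - 4` for the first read, and for `@` check `at + val < at` before `at += val` and `at + 4 < at || skb->len < at + 4 || pos > skb->len - at - 4` afterwards. The loop bounds `data->ntests`, `ct->nnums` and `ct->nvalues` come straight from the rule without validation while the arrays hold XT_U32_MAXSIZE+1 entries, so a checkentry that rejects larger counts is needed. Finally, reading four bytes at a time with `skb_copy_bits(skb, at + pos, &n, sizeof(n))` and `ntohl()` would remove the whole-packet copy, the global buffer and the spinlock that serializes every CPU on this match, which is the concern raised earlier in the thread.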
+ } + + return true; +} + +static bool xt_u32_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) +{ + const struct xt_u32 *data = matchinfo; + bool ret; + + spin_lock_bh(&xt_u32_lock); + ret = xt_u32_match_it(data, skb); + spin_unlock_bh(&xt_u32_lock); + + return ret ^ data->invert; +} + +static struct xt_match xt_u32_reg[] = { + { + .name = "u32", + .family = AF_INET, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, + { + .name = "u32", + .family = AF_INET6, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, +}; + +static int __init xt_u32_init(void) +{ + xt_u32_buffer = kmalloc(xt_u32_buffer_size, GFP_KERNEL); + if (xt_u32_buffer == NULL) + return -ENOMEM; + return xt_register_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); +} + +static void __exit xt_u32_exit(void) +{ + xt_unregister_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); + kfree(xt_u32_buffer); + return; +} + +module_init(xt_u32_init); +module_exit(xt_u32_exit); +module_param_named(buffer_size, xt_u32_buffer_size, uint, S_IRUGO); +MODULE_PARM_DESC(buffer_size, "Buffer size to hold a packet " + "(default: 65536 bytes)"); +MODULE_AUTHOR("Don Cohen "); +MODULE_DESCRIPTION("netfilter u32 match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_u32"); +MODULE_ALIAS("ip6t_u32"); From jengelh at linux01.gwdg.de Tue Jun 5 13:13:41 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:18:05 2007 Subject: xt_u32 20070605 (iptables) In-Reply-To: References: Message-ID: Refreshed u32 patch for iptables. This time: Added libip6t_u32. 
Signed-off-by: Jan Engelhardt --- symlink extensions/.u32-test6 -> extensions/.u32-test symlink extensions/libip6t_u32.man -> extensions/libipt_u32.man extensions/.u32-test | 2 extensions/libip6t_u32.c | 291 ++++++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_u32.c | 291 ++++++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_u32.man | 129 ++++++++++++++++++++ 4 files changed, 713 insertions(+) Index: iptables/extensions/.u32-test =================================================================== --- /dev/null +++ iptables/extensions/.u32-test @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_u32.h" ] && echo u32 Index: iptables/extensions/libip6t_u32.c =================================================================== --- /dev/null +++ iptables/extensions/libip6t_u32.c 
@@ -0,0 +1,291 @@ +/* Shared library add-on to iptables to add u32 matching, + * generalized matching on values found at packet offsets + * + * Detailed doc is in the kernel module source + * net/netfilter/xt_u32.c + * + * (C) 2002 by Don Cohen + * ? Jan Engelhardt , 2007 + * Released under the terms of GNU GPL v2 + */ +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +static const struct option u32_opts[] = { + {"u32", 1, NULL, '1'}, + {NULL}, +}; + +/* Function which prints out usage message. */ +static void u32_help(void) +{ + printf( + "u32 v%s options:\n" + "[!] --u32 tests\n" + "\t\t\t""tests := location \"=\" value | tests \"&&\" location \"=\" value\n" + "\t\t\t""value := range | value \",\" range\n" + "\t\t\t""range := number | number \":\" number\n" + "\t\t\t""location := number | location operator number\n" + "\t\t\t""operator := \"&\" | \"<<\" | \">>\" | \"@\"\n", + IPTABLES_VERSION); + return; +} + +/* shared printing code */ +static void u32_dump(const struct xt_u32 *data) +{ + const struct xt_u32_test *ct; + unsigned int testind, i; + + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + + if (testind > 0) + printf("&&"); + + printf("0x%x", ct->location[0].number); + for (i = 1; i < ct->nnums; ++i) { + switch (ct->location[i].nextop) { + case XT_U32_AND: + printf("&"); + break; + case XT_U32_LEFTSH: + printf("<<"); + break; + case XT_U32_RIGHTSH: + printf(">>"); + break; + case XT_U32_AT: + printf("@"); + break; + } + printf("0x%x", ct->location[i].number); + } + + printf("="); + for (i = 0; i < ct->nvalues; ++i) { + if (i > 0) + printf(","); + if (ct->value[i].min == ct->value[i].max) + printf("0x%x", ct->value[i].min); + else + printf("0x%x:0x%x", ct->value[i].min, + ct->value[i].max); + } + } + printf(" "); +} + +/* string_to_number is not quite what we need here ... 
*/ +static uint32_t parse_number(char **s, int pos) +{ + uint32_t number; + char *end; + errno = 0; + + number = strtoul(*s, &end, 0); + if (end == *s) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected number", pos); + if (errno) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: error reading number", pos); + *s = end; + return number; +} + +/* Function which parses command options; returns true if it ate an option */ +static int u32_parse(int c, char **argv, int invert, unsigned int *flags, + const struct ip6t_entry *entry, unsigned int *nfcache, + struct ip6t_entry_match **match) +{ + struct xt_u32 *data = (void *)(*match)->data; + unsigned int testind = 0, locind = 0, valind = 0; + struct xt_u32_test *ct = &data->tests[testind]; /* current test */ + char *arg = argv[optind-1]; /* the argument string */ + char *start = arg; + int state = 0; + + if (c != '1') + return 0; + + data->invert = invert; + + /* + * states: + * 0 = looking for numbers and operations, + * 1 = looking for ranges + */ + while (1) { + /* read next operand/number or range */ + while (isspace(*arg)) + ++arg; + + if (*arg == '\0') { + /* end of argument found */ + if (state == 0) + exit_error(PARAMETER_PROBLEM, + "u32: input ended in location spec"); + if (valind == 0) + exit_error(PARAMETER_PROBLEM, + "u32: test ended with no value spec"); + + ct->nnums = locind; + ct->nvalues = valind; + data->ntests = ++testind; + + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", + arg - start); + return 1; + } + + if (state == 0) { + /* + * reading location: read a number if nothing read yet, + * otherwise either op number or = to end location spec + */ + if (*arg == '=') { + if (locind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: " + "location spec missing", + arg - start); + } else { + ++arg; + state = 1; + } + } else { + if (locind != 0) { + /* need op before number */ + if (*arg == '&') { + ct->location[locind].nextop = 
XT_U32_AND; + } else if (*arg == '<') { + if (*++arg != '<') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second < expected", arg - start); + ct->location[locind].nextop = XT_U32_LEFTSH; + } else if (*arg == '>') { + if (*++arg != '>') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second > expected", arg - start); + ct->location[locind].nextop = XT_U32_RIGHTSH; + } else if (*arg == '@') { + ct->location[locind].nextop = XT_U32_AT; + } else { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: operator expected", arg - start); + } + ++arg; + } + /* now a number; string_to_number skips white space? */ + ct->location[locind].number = + parse_number(&arg, arg - start); + if (++locind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many operators", arg - start); + } + } else { + /* + * state 1 - reading values: read a range if nothing + * read yet, otherwise either ,range or && to end + * test spec + */ + if (*arg == '&') { + if (*++arg != '&') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second & was expected", arg - start); + if (valind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: value spec missing", arg - start); + } else { + ct->nnums = locind; + ct->nvalues = valind; + ct = &data->tests[++testind]; + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", arg - start); + ++arg; + state = 0; + locind = 0; + valind = 0; + } + } else { /* read value range */ + if (valind > 0) { /* need , before number */ + if (*arg != ',') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected , or &&", arg - start); + ++arg; + } + ct->value[valind].min = + parse_number(&arg, arg - start); + + while (isspace(*arg)) + ++arg; + + if (*arg == ':') { + ++arg; + ct->value[valind].max = + parse_number(&arg, arg-start); + } else { + ct->value[valind].max = + ct->value[valind].min; + } + + if (++valind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too 
many \",\"s", arg - start); + } + } + } +} + +/* Final check; must specify something. */ +static void u32_final_check(unsigned int flags) +{ +} + +/* Prints out the matchinfo. */ +static void u32_print(const struct ip6t_ip6 *ip, + const struct ip6t_entry_match *match, int numeric) +{ + printf("u32 "); + u32_dump((const void *)match->data); +} + +/* Saves the union ipt_matchinfo in parsable form to stdout. */ +static void u32_save(const struct ip6t_ip6 *ip, + const struct ip6t_entry_match *match) +{ + printf("--u32 "); + u32_dump((const void *)match->data); +} + +static struct ip6tables_match u32_reg = { + .name = "u32", + .version = IPTABLES_VERSION, + .size = IP6T_ALIGN(sizeof(struct xt_u32)), + .userspacesize = IP6T_ALIGN(sizeof(struct xt_u32)), + .help = u32_help, + .parse = u32_parse, + .final_check = u32_final_check, + .print = u32_print, + .save = u32_save, + .extra_opts = u32_opts, +}; + +static __attribute__((constructor)) void libip6t_u32_init(void) +{ + register_match6(&u32_reg); + return; +} Index: iptables/extensions/libipt_u32.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_u32.c 
@@ -0,0 +1,291 @@ +/* Shared library add-on to iptables to add u32 matching, + * generalized matching on values found at packet offsets + * + * Detailed doc is in the kernel module source + * net/netfilter/xt_u32.c + * + * (C) 2002 by Don Cohen + * ? Jan Engelhardt , 2007 + * Released under the terms of GNU GPL v2 + */ +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +static const struct option u32_opts[] = { + {"u32", 1, NULL, '1'}, + {NULL}, +}; + +/* Function which prints out usage message. */ +static void u32_help(void) +{ + printf( + "u32 v%s options:\n" + "[!] --u32 tests\n" + "\t\t\t""tests := location \"=\" value | tests \"&&\" location \"=\" value\n" + "\t\t\t""value := range | value \",\" range\n" + "\t\t\t""range := number | number \":\" number\n" + "\t\t\t""location := number | location operator number\n" + "\t\t\t""operator := \"&\" | \"<<\" | \">>\" | \"@\"\n", + IPTABLES_VERSION); + return; +} + +/* shared printing code */ +static void u32_dump(const struct xt_u32 *data) +{ + const struct xt_u32_test *ct; + unsigned int testind, i; + + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + + if (testind > 0) + printf("&&"); + + printf("0x%x", ct->location[0].number); + for (i = 1; i < ct->nnums; ++i) { + switch (ct->location[i].nextop) { + case XT_U32_AND: + printf("&"); + break; + case XT_U32_LEFTSH: + printf("<<"); + break; + case XT_U32_RIGHTSH: + printf(">>"); + break; + case XT_U32_AT: + printf("@"); + break; + } + printf("0x%x", ct->location[i].number); + } + + printf("="); + for (i = 0; i < ct->nvalues; ++i) { + if (i > 0) + printf(","); + if (ct->value[i].min == ct->value[i].max) + printf("0x%x", ct->value[i].min); + else + printf("0x%x:0x%x", ct->value[i].min, + ct->value[i].max); + } + } + printf(" "); +} + +/* string_to_number is not quite what we need here ... 
*/ +static uint32_t parse_number(char **s, int pos) +{ + uint32_t number; + char *end; + errno = 0; + + number = strtoul(*s, &end, 0); + if (end == *s) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected number", pos); + if (errno) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: error reading number", pos); + *s = end; + return number; +} + +/* Function which parses command options; returns true if it ate an option */ +static int u32_parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_u32 *data = (void *)(*match)->data; + unsigned int testind = 0, locind = 0, valind = 0; + struct xt_u32_test *ct = &data->tests[testind]; /* current test */ + char *arg = argv[optind-1]; /* the argument string */ + char *start = arg; + int state = 0; + + if (c != '1') + return 0; + + data->invert = invert; + + /* + * states: + * 0 = looking for numbers and operations, + * 1 = looking for ranges + */ + while (1) { + /* read next operand/number or range */ + while (isspace(*arg)) + ++arg; + + if (*arg == '\0') { + /* end of argument found */ + if (state == 0) + exit_error(PARAMETER_PROBLEM, + "u32: input ended in location spec"); + if (valind == 0) + exit_error(PARAMETER_PROBLEM, + "u32: test ended with no value spec"); + + ct->nnums = locind; + ct->nvalues = valind; + data->ntests = ++testind; + + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", + arg - start); + return 1; + } + + if (state == 0) { + /* + * reading location: read a number if nothing read yet, + * otherwise either op number or = to end location spec + */ + if (*arg == '=') { + if (locind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: " + "location spec missing", + arg - start); + } else { + ++arg; + state = 1; + } + } else { + if (locind != 0) { + /* need op before number */ + if (*arg == '&') { + ct->location[locind].nextop = 
XT_U32_AND; + } else if (*arg == '<') { + if (*++arg != '<') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second < expected", arg - start); + ct->location[locind].nextop = XT_U32_LEFTSH; + } else if (*arg == '>') { + if (*++arg != '>') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second > expected", arg - start); + ct->location[locind].nextop = XT_U32_RIGHTSH; + } else if (*arg == '@') { + ct->location[locind].nextop = XT_U32_AT; + } else { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: operator expected", arg - start); + } + ++arg; + } + /* now a number; string_to_number skips white space? */ + ct->location[locind].number = + parse_number(&arg, arg - start); + if (++locind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many operators", arg - start); + } + } else { + /* + * state 1 - reading values: read a range if nothing + * read yet, otherwise either ,range or && to end + * test spec + */ + if (*arg == '&') { + if (*++arg != '&') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: a second & was expected", arg - start); + if (valind == 0) { + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: value spec missing", arg - start); + } else { + ct->nnums = locind; + ct->nvalues = valind; + ct = &data->tests[++testind]; + if (testind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too many \"&&\"s", arg - start); + ++arg; + state = 0; + locind = 0; + valind = 0; + } + } else { /* read value range */ + if (valind > 0) { /* need , before number */ + if (*arg != ',') + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: expected , or &&", arg - start); + ++arg; + } + ct->value[valind].min = + parse_number(&arg, arg - start); + + while (isspace(*arg)) + ++arg; + + if (*arg == ':') { + ++arg; + ct->value[valind].max = + parse_number(&arg, arg-start); + } else { + ct->value[valind].max = + ct->value[valind].min; + } + + if (++valind > XT_U32_MAXSIZE) + exit_error(PARAMETER_PROBLEM, + "u32: at char %d: too 
many \",\"s", arg - start); + } + } + } +} + +/* Final check; must specify something. */ +static void u32_final_check(unsigned int flags) +{ +} + +/* Prints out the matchinfo. */ +static void u32_print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, int numeric) +{ + printf("u32 "); + u32_dump((const void *)match->data); +} + +/* Saves the union ipt_matchinfo in parsable form to stdout. */ +static void u32_save(const struct ipt_ip *ip, + const struct ipt_entry_match *match) +{ + printf("--u32 "); + u32_dump((const void *)match->data); +} + +static struct iptables_match u32_reg = { + .name = "u32", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_u32)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_u32)), + .help = u32_help, + .parse = u32_parse, + .final_check = u32_final_check, + .print = u32_print, + .save = u32_save, + .extra_opts = u32_opts, +}; + +static __attribute__((constructor)) void libipt_u32_init(void) +{ + register_match(&u32_reg); + return; +} Index: iptables/extensions/libipt_u32.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_u32.man 
@@ -0,0 +1,129 @@ +U32 tests whether quantities of up to 4 bytes extracted from a packet have +specified values. The specification of what to extract is general enough to +find data at given offsets from tcp headers or payloads. +.TP +[\fB!\fR]\fB --u32 \fItests\fR +The argument amounts to a program in a small language described below. +.IP +tests := location "=" value | tests "&&" location "=" value +.IP +value := range | value "," range +.IP +range := number | number ":" number +.PP +a single number, \fIn\fR, is interpreted the same as \fIn:n\fR. \fIn:m\fR is +interpreted as the range of numbers \fB>=n\fR and \fB<=m\fR. +.IP "" 4 +location := number | location operator number +.IP "" 4 +operator := "&" | "<<" | ">>" | "@" +.PP +The operators \fB&\fR, \fB<<\fR, \fB>>\fR and \fB&&\fR mean the same as in C. +The \fB=\fR is really a set membership operator and the value syntax describes +a set. The \fB@\fR operator is what allows moving to the next header and is +described further below. +.PP +There are currently some artificial implementation limits on the size of the +tests: +.IP " *" +no more than 10 of "\fB=\fR" (and 9 "\fB&&\fR"s) in the u32 argument +.IP " *" +no more than 10 ranges (and 9 commas) per value +.IP " *" +no more than 10 numbers (and 9 operators) per location +.PP +To describe the meaning of location, imagine the following machine that +interprets it. There are three registers: +.IP +A is of type \fBchar *\fR, initially the address of the IP header +.IP +B and C are unsigned 32 bit integers, initially zero +.PP +The instructions are: +.IP +number B = number; +.IP +C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3) +.IP +&number C = C & number +.IP +<< number C = C << number +.IP +>> number C = C >> number +.IP +@number A = A + C; then do the instruction number +.PP +Any access of memory outside [skb->head,skb->end] causes the match to fail. +Otherwise the result of the computation is the final value of C. 
+.PP +Whitespace is allowed but not required in the tests. However, the characters +that do occur there are likely to require shell quoting, so it is a good idea +to enclose the arguments in quotes. +.PP +Example: +.IP +match IP packets with total length >= 256 +.IP +The IP header contains a total length field in bytes 2-3. +.IP +--u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fR" +.IP +read bytes 0-3 +.IP +AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range +[0x100:0xFFFF] +.PP +Example: (more realistic, hence more complicated) +.IP +match ICMP packets with icmp type 0 +.IP +First test that it is an ICMP packet, true iff byte 9 (protocol) = 1 +.IP +--u32 "\fB6 & 0xFF = 1 &&\fR ... +.IP +read bytes 6-9, use \fB&\fR to throw away bytes 6-8 and compare the result to +1. Next test that it is not a fragment. (If so, it might be part of such a +packet but we cannot always tell.) N.B.: This test is generally needed if you +want to match anything beyond the IP header. The last 6 bits of byte 6 and all +of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, +you can allow first fragments by only testing the last 5 bits of byte 6. +.IP + ... \fB4 & 0x3FFF = 0 &&\fR ... +.IP +Last test: the first byte past the IP header (the type) is 0. This is where we +have to use the @syntax. The length of the IP header (IHL) in 32 bit words is +stored in the right half of byte 0 of the IP header itself. +.IP + ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fR" +.IP +The first 0 means read bytes 0-3, \fB>>22\fR means shift that 22 bits to the +right. Shifting 24 bits would give the first byte, so only 22 bits is four +times that plus a few more bits. \fB&3C\fR then eliminates the two extra bits +on the right and the first four bits of the first byte. For instance, if IHL=5, +then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in +binary) xxxx0101 yyzzzzzz, \fB>>22\fR gives the 10 bit value xxxx0101yy and +\fB&3C\fR gives 010100. 
\fB@\fR means to use this number as a new offset into +the packet, and read four bytes starting from there. This is the first 4 bytes +of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply +shift the value 24 to the right to throw out all but the first byte and compare +the result with 0. +.PP +Example: +.IP +TCP payload bytes 8-12 is any of 1, 2, 5 or 8 +.IP +First we test that the packet is a tcp packet (similar to ICMP). +.IP +--u32 "\fB6 & 0xFF = 6 &&\fR ... +.IP +Next, test that it is not a fragment (same as above). +.IP + ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fR" +.IP +\fB0>>22&3C\fR as above computes the number of bytes in the IP header. \fB@\fR +makes this the new offset into the packet, which is the start of the TCP +header. The length of the TCP header (again in 32 bit words) is the left half +of byte 12 of the TCP header. The \fB12>>26&3C\fR computes this length in bytes +(similar to the IP header before). "@" makes this the new offset, which is the +start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and +\fB=\fR checks whether the result is any of 1, 2, 5 or 8. From jengelh at linux01.gwdg.de Tue Jun 5 13:15:50 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:20:01 2007 Subject: xt_connlimit 20070605 Message-ID: Hi! xt_connlimit cleanups as you requested. I hope I did not miss any either. * 2007-06-05: fixed: deadlock after OOM * 2007-06-05: UDP support Thanks, Jan -- From jengelh at linux01.gwdg.de Tue Jun 5 13:17:02 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:21:05 2007 Subject: xt_connlimit 20070605 (iptables) In-Reply-To: References: Message-ID: Subject: Add connlimit to iptables. 
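Review bot: In the libipt_u32.c hunk, u32_final_check() has an empty body although its comment says "must specify something", so `-m u32` given without `--u32` is accepted and a match carrying zero tests is handed to the kernel; have u32_parse() record a bit in *flags and exit_error(PARAMETER_PROBLEM, ...) here when it is unset. The comment `/* now a number; string_to_number skips white space? */` is an open question that should be resolved rather than shipped.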
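Review bot: In the libipt_u32.man hunk, the last example says "TCP payload bytes 8-12 is any of 1, 2, 5 or 8" and "8 reads bytes 8-12 of the payload", but a location always reads exactly four bytes, so this is bytes 8-11 (the earlier examples correctly say "read bytes 0-3" and "read bytes 6-9"). The explanations also drop the 0x prefix (`\fB&3C\fR`, `\fB0>>22&3C\fR`) that the test strings themselves carry (`0x3C`); keeping it avoids suggesting a decimal constant.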
Signed-off-by: Jan Engelhardt --- extensions/.connlimit-test | 2 extensions/libipt_connlimit.c | 129 ++++++++++++++++++++++++++++++++++++++++ extensions/libipt_connlimit.man | 21 ++++++ 3 files changed, 152 insertions(+) Index: iptables/extensions/.connlimit-test =================================================================== --- /dev/null +++ iptables/extensions/.connlimit-test @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_connlimit.h" ] && echo connlimit Index: iptables/extensions/libipt_connlimit.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.c 
@@ -0,0 +1,129 @@ +/* Shared library add-on to iptables to add connection limit support. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Function which prints out usage message. */ +static void help(void) +{ + printf( +"connlimit v%s options:\n" +"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n" +" --connlimit-mask n group hosts using mask\n" +"\n", IPTABLES_VERSION); +} + +static struct option opts[] = { + {"connlimit-above", 1, NULL, '1'}, + {"connlimit-mask", 1, NULL, '2'}, + {NULL}, +}; + +/* Function which parses command options; returns true if it + ate an option */ +static int parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_connlimit_info *info = (void *)(*match)->data; + int i; + + if (!(*flags & 2)) + /* + * set default mask unless we have already seen a mask option + */ + info->mask = htonl(0xFFFFFFFF); + + switch (c) { + case '1': + check_inverse(optarg, &invert, &optind, 0); + info->limit = strtoul(argv[optind-1], NULL, 0); + info->inverse = invert; + *flags |= 1; + break; + + case '2': + i = strtol(argv[optind-1], NULL, 0); + if (i < 0 || i > 32) + exit_error(PARAMETER_PROBLEM, + "--connlimit-mask must be between 0 and 32"); + + if (i == 0) + info->mask = 0; + else + info->mask = htonl(0xFFFFFFFF << (32 - i)); + + *flags |= 2; + break; + + default: + return 0; + } + + return 1; +} + +/* Final check */ +static void final_check(unsigned int flags) +{ + if (!(flags & 1)) + exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'"); +} + +static int count_bits(u_int32_t mask) +{ + int i, bits; + + for (bits = 0, i = 31; i >= 0; i--) { + if (mask & htonl((u_int32_t)1 << i)) { + bits++; + continue; + } + break; + } + return bits; +} + +/* Prints out the matchinfo. 
*/ +static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, + int numeric) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("#conn/%d %s %d ", count_bits(info->mask), + info->inverse ? "<" : ">", info->limit); +} + +/* Saves the matchinfo in parsable form to stdout. */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + const struct xt_connlimit_info *info = (const void *)match->data; + + printf("%s--connlimit-above %u --connlimit-mask %u ", + info->inverse ? "! " : "", info->limit, + count_bits(info->mask)); +} + +static struct iptables_match connlimit = { + .name = "connlimit", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = help, + .parse = parse, + .final_check = final_check, + .print = print, + .save = save, + .extra_opts = opts, +}; + +static __attribute__((constructor)) void libipt_connlimit_init(void) +{ + register_match(&connlimit); +} Index: iptables/extensions/libipt_connlimit.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_connlimit.man 
@@ -0,0 +1,21 @@ +Allows you to restrict the number of parallel TCP connections to a +server per client IP address (or address block). +.TP +[\fB!\fR] \fB--connlimit-above \fIn\fR +match if the number of existing tcp connections is (not) above n +.TP +.BI "--connlimit-mask " "bits" +group hosts using mask +.P +Examples: +.TP +# allow 2 telnet connections per client host +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT +.TP +# you can also match the other way around: +iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT +.TP +# limit the nr of parallel http requests to 16 per class C sized \ +network (24 bit netmask) +iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 +--connlimit-mask 24 -j REJECT From jengelh at linux01.gwdg.de Tue Jun 5 13:17:40 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:21:48 2007 Subject: xt_gateway 20070605 Message-ID: Hi! xt_gateway, with the (hopefully) fixed condition logic. Thanks, Jan -- From jengelh at linux01.gwdg.de Tue Jun 5 13:17:57 2007 
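Review bot: In the libipt_connlimit.c hunk, parse() converts both option values with `strtoul(argv[optind-1], NULL, 0)` / `strtol(argv[optind-1], NULL, 0)` and never checks where conversion stopped, so `--connlimit-above 2x` is taken as 2 and `--connlimit-above foo` as 0 without any error; use string_to_number() with an explicit range as the other extensions do. Case '2' neither calls check_inverse() nor looks at `invert`, so `! --connlimit-mask 24` is silently stored as a plain mask; reject inversion there. In print(), `info->inverse` is rendered as "<" although `! --connlimit-above n` means "not above n", i.e. `<= n`, and `info->limit` is unsigned yet printed with %d where save() correctly uses %u.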
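Review bot: In the libipt_connlimit.man hunk, the third example `iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT` names no chain (the first two use `-A INPUT`), so it does not run as written. The man page ("parallel TCP connections") and the help text in libipt_connlimit.c ("existing tcp connections") still describe the match as TCP-only although the accompanying changelog lists "2007-06-05: UDP support"; either document UDP here or drop the claim.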
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:22:04 2007 Subject: xt_gateway 20070605 (kernel) In-Reply-To: References: Message-ID: Originally from Amin Azez , http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/027954.html This adds a gateway match to iptables that lets you match against the routed ipv4 gateway, it's very useful for SNAT if you want to avoid replicating your routing in your SNAT table. e.g. iptables -t nat -A POSTROUTING -m gateway --nexthop 172.16.1.1 \ -j SNAT --to-address 172.16.1.5 iptables -t nat -A POSTROUTING -m gateway --nexthop 192.168.1.1 \ -j SNAT --to-address 192.168.1.25 to help you choose the right SNAT address. It works by comparing the to-be-matched gateway IP with the key in the neighbor table of the next-hop (the key is the layer 3 address). --gateway 1.2.3.4 only matches if the packet is destined to 1.2.3.4 as a ROUTE, i.e. 1.2.3.4 is not also the target address. --nexthop 1.2.3.4 matches if the next hop is specified as 1.2.3.4 either as a gateway or as a final destination. It cannot do magic, and match on non-routed aliases of routers, it only matches the targeted IP address from which the layer 2 address has been (or will be) actually derived. Signed-off-by: Jan Engelhardt [Posted to LKML/NF-DEV on 2007-06-02, 2007-06-05] --- include/linux/netfilter/xt_gateway.h | 13 +++++ net/netfilter/Kconfig | 9 +++ net/netfilter/Makefile | 1 net/netfilter/xt_gateway.c | 86 +++++++++++++++++++++++++++++++++++ 4 files changed, 109 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_gateway.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_gateway.h 
@@ -0,0 +1,13 @@ +#ifndef _XT_GATEWAY_H +#define _XT_GATEWAY_H + +#define XT_GATEWAY_INV 0x1 /* Negate the condition */ +#define XT_GATEWAY_ROUTE 0x2 /* ...and the gateway is not the final hop */ + +struct xt_gateway_info { + /* Inclusive: network order. */ + uint32_t gateway; + uint8_t flags; +}; + +#endif /* _XT_GATEWAY_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig @@ -475,6 +475,15 @@ config NETFILTER_XT_MATCH_ESP To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_GATEWAY + tristate '"gateway" match support' + depends on NETFILTER_XTABLES + ---help--- + This option makes possible to match the IP address of the + routed gateway for routed packets. + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_MATCH_HELPER tristate '"helper" match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile @@ -57,6 +57,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o +obj-$(CONFIG_NETFILTER_XT_MATCH_GATEWAY) += xt_gateway.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o Index: linux-2.6.22-rc4/net/netfilter/xt_gateway.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_gateway.c 
@@ -0,0 +1,86 @@ +/* + * netfilter module to match nexthop router by IP address + * (C) 2007 UFO Mechanic + * ? Jan Engelhardt , 2007 + * to save time and bugs, based on ip_range by + * (C) 2003 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#include +#include +#include +#include +#include +#include +#include +#include + +static bool xt_gateway_match_it(const struct sk_buff *skb, + const struct xt_gateway_info *info) +{ + const struct iphdr *iph; + const struct dst_entry *dst; + const struct neighbour *neigh; + const struct neigh_table *tbl; + + if (skb == NULL) /* necessary? */ + return false; + if ((dst = skb->dst) == NULL) + return false; + if ((neigh = dst->neighbour) == NULL) + return false; + if ((tbl = neigh->tbl) == NULL) + return false; + if (tbl->family != AF_INET) + return false; + if (memcmp(&info->gateway, &neigh->primary_key, tbl->key_len) != 0) + return false; + if (!(info->flags & XT_GATEWAY_ROUTE)) + return true; + iph = ip_hdr(skb); + if (iph->daddr != info->gateway) + return true; + + return false; +} + +static bool xt_gateway_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, bool *hotdrop) +{ + const struct xt_gateway_info *info = matchinfo; + return !!(info->flags & XT_GATEWAY_INV) ^ + xt_gateway_match_it(skb, info); +} + +static struct xt_match xt_gateway_reg = { + .name = "gateway", + .family = AF_INET, + .match = xt_gateway_match, + .matchsize = sizeof(struct xt_gateway_info), + .me = THIS_MODULE, +}; + +static int __init xt_gateway_init(void) +{ + return xt_register_match(&xt_gateway_reg); +} + +static void __exit xt_gateway_exit(void) +{ + xt_unregister_match(&xt_gateway_reg); + return; +} + +module_init(xt_gateway_init); 
+module_exit(xt_gateway_exit); +MODULE_AUTHOR("Sam Liddicott "); +MODULE_DESCRIPTION("netfilter nexthop/gateway match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_gateway"); From jengelh at linux01.gwdg.de Tue Jun 5 13:16:46 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:22:11 2007 Subject: xt_connlimit 20070605 (kernel) In-Reply-To: References: Message-ID: Subject: Add the connlimit match from POM-NG Along comes... the connlimit match that has been in POM-NG for a long time. Plus: * 2007-06-02: works with 2.6.22, xtables'ified and all that * 2007-06-02: will request nf_conntrack_ipv4 upon load (otherwise it hotdrops every packet - a glitch that goes back to at least 2.6.20.2) * 2007-06-05: fixed: deadlock after OOM * 2007-06-05: UDP support Signed-off-by: Jan Engelhardt --- include/linux/netfilter/xt_connlimit.h | 14 + net/netfilter/Kconfig | 7 net/netfilter/Makefile | 1 net/netfilter/xt_connlimit.c | 257 +++++++++++++++++++++++++++++++++ 4 files changed, 279 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_connlimit.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_connlimit.h @@ -0,0 +1,14 @@ +#ifndef _XT_CONNLIMIT_H +#define _XT_CONNLIMIT_H + +struct xt_connlimit_data; + +struct xt_connlimit_info { + uint32_t mask; + unsigned int limit, inverse; + + /* this needs to be at the end */ + struct xt_connlimit_data *data; +}; + +#endif /* _XT_CONNLIMIT_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig 
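Review bot: In the xt_gateway.h hunk, the userspace-visible `struct xt_gateway_info` is declared with `uint32_t gateway; uint8_t flags;`; a header under include/linux/ that iptables consumes should use the kernel's exported fixed-width types (`__u32`/`__u8`, or the `u_intXX_t` spelling asked for on xt_u32 later in this thread) rather than C99 `uintXX_t`.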
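Review bot: In the Kconfig hunk, the help text "This option makes possible to match the IP address of the routed gateway" is missing a word; it should read "makes it possible to match".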
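Review bot: In the xt_gateway.c hunk, xt_gateway_match_it() returns false whenever `skb->dst` or `dst->neighbour` is NULL, which is the normal state for packets that have not been routed yet (PREROUTING) or are delivered locally, so in those hooks `--gateway` can never match and `! --gateway` always matches, with no diagnostic; restrict the match with a `.hooks` mask to the forward/output/postrouting hooks or document the limitation. The `if (skb == NULL) /* necessary? */` guard is not needed, xtables never invokes a match with a NULL skb, and the question mark should not ship in the comment. MODULE_AUTHOR names "Sam Liddicott" while the file header credits "UFO Mechanic" and the changelog says "Originally from Amin Azez"; the attribution should be made consistent.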
@@ -411,6 +411,13 @@ config NETFILTER_XT_MATCH_CONNBYTES If you want to compile it as a module, say M here and read . If unsure, say `N'. +config NETFILTER_XT_MATCH_CONNLIMIT + tristate '"connlimit" match support"' + depends on NETFILTER_XTABLES && NF_CONNTRACK_IPV4 + ---help--- + This match allows you to match against the number of parallel TCP + connections to a server per client IP address (or address block). + config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile @@ -51,6 +51,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSEC # matches obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o +obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o Index: linux-2.6.22-rc4/net/netfilter/xt_connlimit.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_connlimit.c 
@@ -0,0 +1,257 @@ +/* + * netfilter module to limit the number of parallel tcp + * connections per IP address. + * (c) 2000 Gerd Knorr + * Nov 2002: Martin Bene : + * only ignore TIME_WAIT or gone connections + * ? Jan Engelhardt , 2007 + * + * based on ... + * + * Kernel module to match connection tracking information. + * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG 0 + +/* we will save the tuples of all connections we care about */ +struct xt_connlimit_conn { + struct list_head list; + struct nf_conntrack_tuple tuple; +}; + +struct xt_connlimit_data { + struct list_head iphash[256]; + spinlock_t lock; +}; + +static inline unsigned int connlimit_iphash(u_int32_t addr) +{ + return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff; +} + +static int count_them(struct xt_connlimit_data *data, u_int32_t addr, + u_int32_t mask, struct nf_conn *ct) +{ +#if DEBUG + static const char const *tcp_state[] = { + "none", "established", "syn_sent", "syn_recv", "fin_wait", + "time_wait", "close", "close_wait", "last_ack", "listen" + }; +#endif + struct nf_conntrack_tuple_hash *found; + struct nf_conntrack_tuple tuple; + struct xt_connlimit_conn *conn; + const struct list_head *lh; + struct nf_conn *found_ct; + struct list_head *hash; + bool addit = true; + int matches = 0; + + tuple = ct->tuplehash[0].tuple; + hash = &data->iphash[connlimit_iphash(addr & mask)]; + + /* check the saved connections */ + for (lh = hash->next; lh != hash; lh = lh->next) { + conn = list_entry(lh, struct xt_connlimit_conn, list); + found = nf_conntrack_find_get(&conn->tuple, ct); + found_ct = NULL; + + if (found != NULL && + (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL && + memcmp(&conn->tuple, &tuple, sizeof(tuple)) == 0 && + found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) + /* + * Just to be sure we have it only once in the list. 
+ * We should not see tuples twice unless someone hooks + * this into a table without "-p tcp --syn". + */ + addit = false; + +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%d %s\n", + connlimit_iphash(addr & mask), + NIPQUAD(conn->tuple.src.u3.ip), + ntohs(conn->tuple.src.u.tcp.port), + NIPQUAD(conn->tuple.dst.u3.ip), + ntohs(conn->tuple.dst.u.tcp.port), + (found == NULL) ? "gone" : + tcp_state[found_ct->proto.tcp.state]); +#endif + + if (found == NULL) { + /* this one is gone */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + continue; + } + + if (found_ct->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) { + /* + * we do not care about connections which are + * closed already -> ditch it + */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + nf_conntrack_put(&found_ct->ct_general); + continue; + } + + if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) + /* same source network -> be counted! */ + ++matches; + + nf_conntrack_put(&found_ct->ct_general); + } + + if (addit) { + /* save the new connection in our list */ +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%u new\n", + connlimit_iphash(addr & mask), + NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port), + NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port)); +#endif + + conn = kzalloc(sizeof(*conn), GFP_ATOMIC); + if (conn == NULL) + return -ENOMEM; + + INIT_LIST_HEAD(&conn->list); + conn->tuple = tuple; + list_add(&conn->list, hash); + ++matches; + } + + return matches; +} + +static bool xt_connlimit_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, bool *hotdrop) +{ + const struct xt_connlimit_info *info = matchinfo; + enum ip_conntrack_info ctinfo; + const struct iphdr *iph; + int connections, rv; + struct nf_conn *ct; + + ct = nf_ct_get(skb, &ctinfo); + if (ct == 
NULL) { + printk(KERN_INFO "xt_connlimit: INVALID connection\n"); + *hotdrop = 1; + return false; + } + + iph = ip_hdr(skb); + spin_lock_bh(&info->data->lock); + connections = count_them(info->data, iph->saddr, info->mask, ct); + spin_unlock_bh(&info->data->lock); + + if (connections < 0) { + /* kmalloc failed, drop it entirely */ + printk(KERN_DEBUG "xt_connlimit: kmalloc failed\n"); + *hotdrop = 1; + return false; + } + + rv = info->inverse ^ (connections > info->limit); +#if DEBUG + printk(KERN_DEBUG "xt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u " + "connections=%d limit=%u match=%s\n", + NIPQUAD(iph->saddr), NIPQUAD(info->mask), + connections, info->limit, match ? "yes" : "no"); +#endif + + return rv; +} + +static bool xt_connlimit_check(const char *tablename, const void *ip, + const struct xt_match *match, void *matchinfo, + unsigned int hook_mask) +{ + struct xt_connlimit_info *info = matchinfo; + unsigned int i; + + if (nf_ct_l3proto_try_module_get(match->family) < 0) { + printk(KERN_WARNING "cannot load conntrack support for " + "address family %u\n", match->family); + return false; + } + + /* init private data */ + info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); + spin_lock_init(&info->data->lock); + for (i = 0; i < 256; ++i) + INIT_LIST_HEAD(&info->data->iphash[i]); + + return true; +} + +static void xt_connlimit_destroy(const struct xt_match *match, void *matchinfo) +{ + struct xt_connlimit_info *info = matchinfo; + struct xt_connlimit_conn *conn; + struct list_head *hash; + unsigned int i; + + nf_ct_l3proto_module_put(match->family); + + for (i = 0; i < 256; ++i) { + hash = &info->data->iphash[i]; + while (hash != hash->next) { + conn = list_entry(hash->next, + struct xt_connlimit_conn, list); + list_del(hash->next); + kfree(conn); + } + } + + kfree(info->data); + return; +} + +static struct xt_match xt_connlimit_reg = { + .name = "connlimit", + .family = AF_INET, + .checkentry = xt_connlimit_check, + .match = xt_connlimit_match, + 
.matchsize = sizeof(struct xt_connlimit_info), + .destroy = xt_connlimit_destroy, + .me = THIS_MODULE, +}; + +static int __init xt_connlimit_init(void) +{ + return xt_register_match(&xt_connlimit_reg); +} + +static void __exit xt_connlimit_exit(void) +{ + xt_unregister_match(&xt_connlimit_reg); + return; +} + +module_init(xt_connlimit_init); +module_exit(xt_connlimit_exit); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_connlimit"); From jengelh at linux01.gwdg.de Tue Jun 5 13:18:50 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 14:22:56 2007 Subject: xt_gateway 20070605 (iptables) In-Reply-To: References: Message-ID: Subject: Add ipt_gateway to iptables Signed-off-by: Jan Engelhardt --- extensions/.gateway-test | 3 extensions/libipt_gateway.c | 160 ++++++++++++++++++++++++++++++++++++++++++ extensions/libipt_gateway.man | 9 ++ 3 files changed, 172 insertions(+) Index: iptables/extensions/.gateway-test =================================================================== --- /dev/null +++ iptables/extensions/.gateway-test @@ -0,0 +1,3 @@ +#!/bin/sh +# True if gateway match patch is applied. +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_gateway.h" ] && echo gateway Index: iptables/extensions/libipt_gateway.c =================================================================== --- /dev/null +++ iptables/extensions/libipt_gateway.c 
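Review bot: In the xt_connlimit.h hunk, the `struct xt_connlimit_data *data` member inside a struct that iptables copies in makes sizeof(struct xt_connlimit_info) differ between 32-bit and 64-bit userland (4 vs 8 byte pointer), so 32-bit iptables on a 64-bit kernel fails the matchsize check unless the match also supplies the xt_match compat hooks (.compatsize/.compat_from_user/.compat_to_user); `uint32_t mask` has the same exported-type issue as xt_gateway.h.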
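Review bot: In the Kconfig hunk, the prompt `tristate '"connlimit" match support"'` has a stray double quote before the closing single quote (compare the gateway entry, `'"gateway" match support'`), and the help text still says "parallel TCP connections" although the changelog for this revision adds UDP support.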
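Review bot: In the xt_connlimit.c hunk, xt_connlimit_check() never tests the result of `info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);`, so on allocation failure the following `spin_lock_init(&info->data->lock)` dereferences NULL; return false on NULL and release the nf_ct_l3proto_try_module_get() reference on that path. count_them() reads `found_ct->proto.tcp.state` for every conntrack it finds without checking the L4 protocol, so with the advertised UDP support the TIME_WAIT comparison interprets a UDP conntrack's protocol union as TCP state; test `tuple.dst.protonum == IPPROTO_TCP` before consulting tcp.state. Smaller points: `static const char const *tcp_state[]` duplicates const (`*const` was meant); the DEBUG printk in xt_connlimit_match() prints `match ? "yes" : "no"` using the `struct xt_match *match` argument instead of `rv`; the unconditional `printk(KERN_INFO "xt_connlimit: INVALID connection\n")` fires once per untracked packet and should be rate limited or dropped; and the hand-rolled `lh = lh->prev; list_del(lh->next);` walk is what list_for_each_entry_safe() is for.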
@@ -0,0 +1,160 @@ +/* + * Shared library add-on to iptables to add gateway IP address matching support. + * Based on iprange + * (C) UFO Mechanic + * ? Jan Engelhardt , 2007 + */ +#include +#include +#include +#include +#include +#include + +#include +#include + +static const struct option gateway_opts[] = { + {"gateway", 1, NULL, '1'}, + {"nexthop", 1, NULL, '2'}, + {NULL}, +}; + +/* Function which prints out usage message. */ +static void gateway_help(void) +{ + printf( + "gateway match v%s options:\n" + "[!] --gateway ip Match IP address of routed gateway\n" + "[!] --nexthop ip Match IP address of next hop\n" + "\n", + IPTABLES_VERSION); +} + +/* + * Function which parses command options; + * returns true if it ate an option. + */ +static int gateway_parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct xt_gateway_info *info = (void *)(*match)->data; + struct in_addr *ip; + + switch (c) { + case '1': + if (*flags) + exit_error(PARAMETER_PROBLEM, "gateway match: You " + "cannot specify both \"--gateway\" and " + "\"--nexthop\""); + + check_inverse(optarg, &invert, &optind, 0); + if (invert) + info->flags |= XT_GATEWAY_INV; + + ip = dotted_to_addr(optarg); + if (ip == NULL) + exit_error(PARAMETER_PROBLEM, "gateway match: Bad IP " + "address \"%s\"\n", optarg); + + info->gateway = ip->s_addr; + info->flags |= XT_GATEWAY_ROUTE; + *flags = 1; + break; + + case '2': + if (*flags) + exit_error(PARAMETER_PROBLEM, "gateway match: You " + "cannot specify both \"--gateway\" and " + "\"--nexthop\""); + + check_inverse(optarg, &invert, &optind, 0); + if (invert) + info->flags |= XT_GATEWAY_INV; + + ip = dotted_to_addr(optarg); + if (ip == NULL) + exit_error(PARAMETER_PROBLEM, + "gateway match: Bad IP address `%s'\n", optarg); + + info->gateway = ip->s_addr; + info->flags &= XT_GATEWAY_ROUTE; + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +/* 
Final check; must have specified --gateway */ +static void gateway_final_check(unsigned int flags) +{ + if (!flags) + exit_error(PARAMETER_PROBLEM, + "gateway match: You must specify `--gateway' " + "or `--nexthop'"); +} + +/* Prints out the info. */ +static void gateway_print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, int numeric) +{ + const struct xt_gateway_info *info = (const void *)match->data; + struct in_addr a; + + a.s_addr = info->gateway; + + if (info->flags & XT_GATEWAY_ROUTE) + printf("gateway "); + else + printf("nexthop "); + + if (info->flags & XT_GATEWAY_INV) + printf("! "); + + printf("%s", addr_to_dotted(&a)); +} + +/* Saves the union ipt_info in parsable form to stdout. */ +static void gateway_save(const struct ipt_ip *ip, + const struct ipt_entry_match *match) +{ + const struct xt_gateway_info *info = (const void *)match->data; + struct in_addr a; + + a.s_addr = info->gateway; + + if (info->flags & XT_GATEWAY_INV) + printf("! "); + + if (info->flags & XT_GATEWAY_ROUTE) + printf("--gateway "); + else + printf("--nexthop "); + + printf("%s ", addr_to_dotted(&a)); +} + +static struct iptables_match gateway_reg = { + .next = NULL, + .name = "gateway", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_gateway_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_gateway_info)), + .help = gateway_help, + .parse = gateway_parse, + .final_check = gateway_final_check, + .print = gateway_print, + .save = gateway_save, + .extra_opts = gateway_opts, +}; + +static __attribute__((constructor)) void libipt_gateway_init(void) +{ + register_match(&gateway_reg); + return; +} Index: iptables/extensions/libipt_gateway.man =================================================================== --- /dev/null +++ iptables/extensions/libipt_gateway.man 
@@ -0,0 +1,9 @@ +This matches the gateway by IP address on routed packets. +It does not mach packets that are not routed, or which +are directly addresses to the gateway. +.TP +.BI "[!]" "--gateway " "ip" +Check that the packet is routed to a gateway with the specified ip address. +.BI "[!]" "--nexthop " "ip" +Check if the packet is being directed to the specified ip address +either directly or as a route. From kaber at trash.net Tue Jun 5 13:34:08 2007 From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 14:38:41 2007 Subject: [PATCH 1/2] xt_u32 (kernel) - match arbitrary bits and bytes of a packet In-Reply-To: References: <4662F908.4090401@trash.net> Message-ID: <46654A30.4080309@trash.net> Jan Engelhardt wrote: >>>+ spin_lock_bh(&xt_u32_lock); >>>+ >>>+ head = skb_header_pointer(skb, 0, min(skb->len, >>>+ sizeof(xt_u32_buffer)), xt_u32_buffer); > > > I'd like to hear opinions about: > > * open coding skb_header_pointer > > In the "hlen - offset >= len" case in skb_header_pointer(), it just > returns a pointer to the existing skb without copying, in which > case we would not need to take a lock at all. No special-case solutions please, this affects many netfilter modules and we want this for all or none. > * use percpu buffers, with or without opencoding skb_header_pointer > so that cpus/threads do not have to wait for another -m u32 to finish. Not worth the (potentially enormous) memory waste I guess. From kaber at trash.net Tue Jun 5 13:36:47 2007 
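Review bot: In the libipt_gateway.c hunk, case '2' (--nexthop) ends with `info->flags &= XT_GATEWAY_ROUTE;`, which clears the XT_GATEWAY_INV bit that check_inverse() set a few lines earlier, so `! --nexthop ip` is stored, matched, and saved as a plain `--nexthop ip`; `&= ~XT_GATEWAY_ROUTE` was meant, and since the match data starts zeroed the line can simply go. The two cases otherwise duplicate the mutual-exclusion check, check_inverse() and the dotted_to_addr() parsing and differ only in the ROUTE bit; one block with a flag argument would avoid the divergence (note the two error messages already quote the address differently).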
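Review bot: In the libipt_gateway.man hunk, the `.BI "[!]" "--nexthop " "ip"` line lacks the `.TP` that precedes `--gateway`, so it renders as a continuation of the previous option's text rather than a second tagged paragraph; also "does not mach packets" should be "match" and "directly addresses to the gateway" should be "directly addressed".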
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 14:41:17 2007 Subject: [PATCH 1/2] xt_connlimit (kernel) - connection limiting In-Reply-To: References: <4662FBB6.9060000@trash.net> Message-ID: <46654ACF.2040200@trash.net> Jan Engelhardt wrote: > Hi, > > > On Jun 3 2007 19:34, Patrick McHardy wrote: > >>Jan Engelhardt wrote: >> >>>Adds the connlimit match that has been in POM-NG for a long time. >> >>This has about half the points I mentioned last time unfixed, >>starting with proper use of list.h. > > > #include > ... > struct xt_connlimit_conn { > struct list_head list; > struct nf_conntrack_tuple tuple; > }; > struct xt_connlimit_data { > struct list_head iphash[256]; > spinlock_t lock; > }; > > That looks like lists to me. Please enlighten me where you think > lists were missing. + for (lh = hash->next; lh != hash; lh = lh->next) { + for (i = 0; i < 256; ++i) { + hash = &info->data->iphash[i]; + while (hash != hash->next) { + conn = list_entry(hash->next, + struct xt_connlimit_conn, list); > > I remember "last time" as > http://lists.netfilter.org/pipermail/netfilter-devel/2006-December/026341.html > http://lists.netfilter.org/pipermail/netfilter-devel/2007-January/026577.html > where you did not think negatively about connlimit. Please let me know of the > post you were referring to. Thanks! This one: http://lists.netfilter.org/pipermail/netfilter/2007-April/068411.html From kaber at trash.net Tue Jun 5 13:40:32 2007
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 14:45:02 2007 Subject: xt_u32 20070605 (kernel) In-Reply-To: References: Message-ID: <46654BB0.4060201@trash.net> Jan Engelhardt wrote: > Subject: Add the U32 match from POM-NG > > Along comes... xt_u32, a revamped ipt_u32 from POM-NG, > Plus: > > * 2007-06-02: added ipv6 support > > * 2007-06-05: uses kmalloc for the big buffer > > * 2007-06-05: added inversion Mostly fine, but: > +struct xt_u32_location_element { > + uint32_t number; > + uint8_t nextop; > +}; u_intXX_t > + > +struct xt_u32_value_element { > + uint32_t min, max; u_int32_t min u_int32_t max > +}; > + > +/* > + * Any way to allow for an arbitrary number of elements? > + * For now, I settle with a limit of 10 each. > + */ > +#define XT_U32_MAXSIZE 10 > + > +struct xt_u32_test { > + struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; > + struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; > + uint8_t nnums, nvalues; same here .. and everywhere else > +}; > + > +struct xt_u32 { > + struct xt_u32_test tests[XT_U32_MAXSIZE+1]; > + uint8_t ntests, invert; > +}; > + > +#endif /* _XT_U32_H */ > +++ linux-2.6.22-rc4/net/netfilter/xt_u32.c
> @@ -0,0 +1,151 @@ > +/* > + * xt_u32 - kernel module to match u32 packet content > + * > + * Original author: Don Cohen > + * ? Jan Engelhardt , 2007 > + */ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/* This is slow, but it's simple. --RR */ > + > +static DEFINE_SPINLOCK(xt_u32_lock); > +static unsigned int xt_u32_buffer_size = 64 * 1024; #define maybe > +static char *xt_u32_buffer; > + > +static bool xt_u32_match_it(const struct xt_u32 *data, > + const struct sk_buff *skb) > +{ > + const struct xt_u32_test *ct; > + const unsigned char *base; > + const unsigned char *head; > + unsigned int testind; > + unsigned int nnums; > + unsigned int nvals; > + unsigned int i; > + u_int32_t pos; > + u_int32_t val; > + u_int32_t at; > + > + base = head = skb_header_pointer(skb, 0, skb->len, xt_u32_buffer); > + BUG_ON(head == NULL); > + > + /* > + * Small example: "0 >> 28 == 4 && 8 & 0xFF0000 >> 16 = 6, 17" > + * (=IPv4 and (TCP or UDP)). Outer loop runs over the "&&" operands. > + */ > + for (testind = 0; testind < data->ntests; ++testind) { > + ct = &data->tests[testind]; > + at = 0; > + pos = ct->location[0].number; > + > + if (at + pos + 3 > skb->len || at + pos < 0) > + return false; inversion? 
> + > + val = (base[pos] << 24) | (base[pos+1] << 16) | > + (base[pos+2] << 8) | base[pos+3]; > + nnums = ct->nnums; > + > + /* Inner loop runs over "&", "<<", ">>" and "@" operands */ > + for (i = 1; i < nnums; ++i) { > + u_int32_t number = ct->location[i].number; > + switch (ct->location[i].nextop) { > + case XT_U32_AND: > + val &= number; > + break; > + case XT_U32_LEFTSH: > + val <<= number; > + break; > + case XT_U32_RIGHTSH: > + val >>= number; > + break; > + case XT_U32_AT: > + at += val; > + pos = number; > + if (at + pos + 3 > skb->len || at + pos < 0) > + return false; > + > + val = (base[at+pos] << 24) | > + (base[at+pos+1] << 16) | > + (base[at+pos+2] << 8) | base[at+pos+3]; > + break; > + } > + } > + > + /* Run over the "," and ":" operands */ > + nvals = ct->nvalues; > + for (i = 0; i < nvals; ++i) > + if (ct->value[i].min <= val && val <= ct->value[i].max) > + break; inversion? > + > + if (i >= ct->nvalues) > + return false; > + } > + > + return true; > +} > + > +static bool xt_u32_match(const struct sk_buff *skb, > + const struct net_device *in, > + const struct net_device *out, > + const struct xt_match *match, const void *matchinfo, > + int offset, unsigned int protoff, bool *hotdrop) > +{ > + const struct xt_u32 *data = matchinfo; > + bool ret; > + > + spin_lock_bh(&xt_u32_lock); > + ret = xt_u32_match_it(data, skb); Do we really need this wrapper? 
> + spin_unlock_bh(&xt_u32_lock); > + > + return ret ^ data->invert; > +} > + > +static struct xt_match xt_u32_reg[] = { > + { > + .name = "u32", > + .family = AF_INET, > + .match = xt_u32_match, > + .matchsize = sizeof(struct xt_u32), > + .me = THIS_MODULE, > + }, > + { > + .name = "u32", > + .family = AF_INET6, > + .match = xt_u32_match, > + .matchsize = sizeof(struct xt_u32), > + .me = THIS_MODULE, > + }, > +}; > + > +static int __init xt_u32_init(void) > +{ > + xt_u32_buffer = kmalloc(xt_u32_buffer_size, GFP_KERNEL); > + if (xt_u32_buffer == NULL) > + return -ENOMEM; > + return xt_register_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); > +} > + > +static void __exit xt_u32_exit(void) > +{ > + xt_unregister_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); > + kfree(xt_u32_buffer); > + return; return not needed > +} > + > +module_init(xt_u32_init); > +module_exit(xt_u32_exit); > +module_param_named(buffer_size, xt_u32_buffer_size, uint, S_IRUGO); > +MODULE_PARM_DESC(buffer_size, "Buffer size to hold a packet " > + "(default: 65536 bytes)"); No parameter for this. We need 64k. > +MODULE_AUTHOR("Don Cohen "); > +MODULE_DESCRIPTION("netfilter u32 match module"); > +MODULE_LICENSE("GPL"); > +MODULE_ALIAS("ipt_u32"); > +MODULE_ALIAS("ip6t_u32"); > From kaber at trash.net Tue Jun 5 13:41:44 2007 From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 14:46:15 2007 Subject: xt_connlimit 20070605 In-Reply-To: References: Message-ID: <46654BF8.30406@trash.net> Jan Engelhardt wrote: > Hi! > > > xt_connlimit cleanups as you requested. I hope I did not miss any > either. > > * 2007-06-05: fixed: deadlock after OOM > > * 2007-06-05: UDP support Seem my previous mail please. From jengelh at linux01.gwdg.de Tue Jun 5 13:56:53 2007 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 15:00:54 2007 Subject: xt_u32 20070605 (kernel) In-Reply-To: <46654BB0.4060201@trash.net> References: <46654BB0.4060201@trash.net> Message-ID: Hi, On Jun 5 2007 13:40, Patrick McHardy wrote: >Mostly fine, but: > >> +struct xt_u32_location_element { >> + uint32_t number; >> + uint8_t nextop; >> +}; > >u_intXX_t Ick, forgot to go through the .h file. >> +static DEFINE_SPINLOCK(xt_u32_lock); >> +static unsigned int xt_u32_buffer_size = 64 * 1024; > >#define maybe Hm, I don't know... I'd leave it so that memory constrained systems can specify their own MTU without recompiling. >> +static bool xt_u32_match_it(const struct xt_u32 *data, >> + const struct sk_buff *skb) >> +{ >> + if (at + pos + 3 > skb->len || at + pos < 0) >> + return false; > >inversion? Done in xt_u32_match() [below] >> +static bool xt_u32_match(const struct sk_buff *skb, >> + const struct net_device *in, >> + const struct net_device *out, >> + const struct xt_match *match, const void *matchinfo, >> + int offset, unsigned int protoff, bool *hotdrop) >> +{ >> + const struct xt_u32 *data = matchinfo; >> + bool ret; >> + >> + spin_lock_bh(&xt_u32_lock); >> + ret = xt_u32_match_it(data, skb); > >Do we really need this wrapper? I thought "yes". Otherwise, I'd need a spin_unlock_bh at every return in xt_u32_match_it(), and also would need to fiddle data->invert too. With two functions (_match and _match_it), this is done nicely IMHO. >> +module_init(xt_u32_init); >> +module_exit(xt_u32_exit); >> +module_param_named(buffer_size, xt_u32_buffer_size, uint, S_IRUGO); >> +MODULE_PARM_DESC(buffer_size, "Buffer size to hold a packet " >> + "(default: 65536 bytes)"); > >No parameter for this. We need 64k. If no interface in a system has an MTU >17k (to be determined by the system's owner), why need 64? Thanks, Jan -- From kaber at trash.net Tue Jun 5 13:59:26 2007
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 15:03:56 2007 Subject: xt_u32 20070605 (kernel) In-Reply-To: References: <46654BB0.4060201@trash.net> Message-ID: <4665501E.3080203@trash.net> Jan Engelhardt wrote: >>>+static bool xt_u32_match(const struct sk_buff *skb, >>>+ const struct net_device *in, >>>+ const struct net_device *out, >>>+ const struct xt_match *match, const void *matchinfo, >>>+ int offset, unsigned int protoff, bool *hotdrop) >>>+{ >>>+ const struct xt_u32 *data = matchinfo; >>>+ bool ret; >>>+ >>>+ spin_lock_bh(&xt_u32_lock); >>>+ ret = xt_u32_match_it(data, skb); >> >>Do we really need this wrapper? > > > I thought "yes". Otherwise, I'd need a spin_unlock_bh at every return in > xt_u32_match_it(), and also would need to fiddle data->invert too. > With two functions (_match and _match_it), this is done nicely IMHO. OK. >>>+MODULE_PARM_DESC(buffer_size, "Buffer size to hold a packet " >>>+ "(default: 65536 bytes)"); >> >>No parameter for this. We need 64k. > > > If no interface in a system has an MTU >17k (to be determined by > the system's owner), why need 64? Again, TSO. Long-term we want to move away from packet copying, so I don't want to add any module parameters for this. From jengelh at linux01.gwdg.de Tue Jun 5 14:05:39 2007 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 15:09:42 2007 Subject: xt_u32 20070605 (kernel) In-Reply-To: <4665501E.3080203@trash.net> References: <46654BB0.4060201@trash.net> <4665501E.3080203@trash.net> Message-ID: Hi, On Jun 5 2007 13:59, Patrick McHardy wrote: >>>>+MODULE_PARM_DESC(buffer_size, "Buffer size to hold a packet " >>>>+ "(default: 65536 bytes)"); >>> >>>No parameter for this. We need 64k. >> >> If no interface in a system has an MTU >17k (to be determined by >> the system's owner), why need 64? > >Again, TSO. _This_ is a good explanation (for me): >Long-term we want to move away from packet copying, so >I don't want to add any module parameters for this. Refreshed patch below. Thanks, Jan === Subject: Add the U32 match from POM-NG Along comes... xt_u32, a revamped ipt_u32 from POM-NG, Plus: * 2007-06-02: added ipv6 support * 2007-06-05: uses kmalloc for the big buffer * 2007-06-05: added inversion Signed-off-by: Jan Engelhardt --- include/linux/netfilter/xt_u32.h | 40 ++++++++++ net/netfilter/Kconfig | 13 +++ net/netfilter/Makefile | 1 net/netfilter/xt_u32.c | 148 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 202 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_u32.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_u32.h 
@@ -0,0 +1,40 @@ +#ifndef _XT_U32_H +#define _XT_U32_H 1 + +enum xt_u32_ops { + XT_U32_AND, + XT_U32_LEFTSH, + XT_U32_RIGHTSH, + XT_U32_AT, +}; + +struct xt_u32_location_element { + u_int32_t number; + u_int8_t nextop; +}; + +struct xt_u32_value_element { + u_int32_t min; + u_int32_t max; +}; + +/* + * Any way to allow for an arbitrary number of elements? + * For now, I settle with a limit of 10 each. + */ +#define XT_U32_MAXSIZE 10 + +struct xt_u32_test { + struct xt_u32_location_element location[XT_U32_MAXSIZE+1]; + struct xt_u32_value_element value[XT_U32_MAXSIZE+1]; + u_int8_t nnums; + u_int8_t nvalues; +}; + +struct xt_u32 { + struct xt_u32_test tests[XT_U32_MAXSIZE+1]; + u_int8_t ntests; + u_int8_t invert; +}; + +#endif /* _XT_U32_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig @@ -635,6 +635,19 @@ config NETFILTER_XT_MATCH_TCPMSS To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_U32 + tristate '"u32" match support' + depends on NETFILTER_XTABLES + ---help--- + u32 allows you to extract quantities of up to 4 bytes from a packet, + AND them with specified masks, shift them by specified amounts and + test whether the results are in any of a set of specified ranges. + The specification of what to extract is general enough to skip over + headers with lengths stored in the packet, as in IP or TCP header + lengths. + + Details and examples are in the kernel module source. + config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile 
@@ -72,4 +72,5 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTI obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o +obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o Index: linux-2.6.22-rc4/net/netfilter/xt_u32.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_u32.c 
@@ -0,0 +1,148 @@ +/* + * xt_u32 - kernel module to match u32 packet content + * + * Original author: Don Cohen + * ? Jan Engelhardt , 2007 + */ + +#include +#include +#include +#include +#include +#include +#include + +#define XT_U32_BUFFER_SIZE (64 * 1024) + +/* This is slow, but it's simple. --RR */ + +static DEFINE_SPINLOCK(xt_u32_lock); +static char *xt_u32_buffer; + +static bool xt_u32_match_it(const struct xt_u32 *data, + const struct sk_buff *skb) +{ + const struct xt_u32_test *ct; + const unsigned char *base; + const unsigned char *head; + unsigned int testind; + unsigned int nnums; + unsigned int nvals; + unsigned int i; + u_int32_t pos; + u_int32_t val; + u_int32_t at; + + base = head = skb_header_pointer(skb, 0, skb->len, xt_u32_buffer); + BUG_ON(head == NULL); + + /* + * Small example: "0 >> 28 == 4 && 8 & 0xFF0000 >> 16 = 6, 17" + * (=IPv4 and (TCP or UDP)). Outer loop runs over the "&&" operands. + */ + for (testind = 0; testind < data->ntests; ++testind) { + ct = &data->tests[testind]; + at = 0; + pos = ct->location[0].number; + + if (at + pos + 3 > skb->len || at + pos < 0) + return false; + + val = (base[pos] << 24) | (base[pos+1] << 16) | + (base[pos+2] << 8) | base[pos+3]; + nnums = ct->nnums; + + /* Inner loop runs over "&", "<<", ">>" and "@" operands */ + for (i = 1; i < nnums; ++i) { + u_int32_t number = ct->location[i].number; + switch (ct->location[i].nextop) { + case XT_U32_AND: + val &= number; + break; + case XT_U32_LEFTSH: + val <<= number; + break; + case XT_U32_RIGHTSH: + val >>= number; + break; + case XT_U32_AT: + at += val; + pos = number; + if (at + pos + 3 > skb->len || at + pos < 0) + return false; + + val = (base[at+pos] << 24) | + (base[at+pos+1] << 16) | + (base[at+pos+2] << 8) | base[at+pos+3]; + break; + } + } + + /* Run over the "," and ":" operands */ + nvals = ct->nvalues; + for (i = 0; i < nvals; ++i) + if (ct->value[i].min <= val && val <= ct->value[i].max) + break; + + if (i >= ct->nvalues) + return false; + } + + 
return true; +} + +static bool xt_u32_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, const void *matchinfo, + int offset, unsigned int protoff, bool *hotdrop) +{ + const struct xt_u32 *data = matchinfo; + bool ret; + + spin_lock_bh(&xt_u32_lock); + ret = xt_u32_match_it(data, skb); + spin_unlock_bh(&xt_u32_lock); + + return ret ^ data->invert; +} + +static struct xt_match xt_u32_reg[] = { + { + .name = "u32", + .family = AF_INET, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, + { + .name = "u32", + .family = AF_INET6, + .match = xt_u32_match, + .matchsize = sizeof(struct xt_u32), + .me = THIS_MODULE, + }, +}; + +static int __init xt_u32_init(void) +{ + xt_u32_buffer = kmalloc(XT_U32_BUFFER_SIZE, GFP_KERNEL); + if (xt_u32_buffer == NULL) + return -ENOMEM; + return xt_register_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); +} + +static void __exit xt_u32_exit(void) +{ + xt_unregister_matches(xt_u32_reg, ARRAY_SIZE(xt_u32_reg)); + kfree(xt_u32_buffer); +} + +module_init(xt_u32_init); +module_exit(xt_u32_exit); +MODULE_AUTHOR("Don Cohen "); +MODULE_DESCRIPTION("netfilter u32 match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_u32"); +MODULE_ALIAS("ip6t_u32"); From jengelh at linux01.gwdg.de Tue Jun 5 14:06:50 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 15:11:12 2007 Subject: xt_connlimit 20070605 In-Reply-To: <46654BF8.30406@trash.net> References: <46654BF8.30406@trash.net> Message-ID: On Jun 5 2007 13:41, Patrick McHardy wrote: >> >> xt_connlimit cleanups as you requested. I hope I did not miss any >> either. >> >> * 2007-06-05: fixed: deadlock after OOM >> >> * 2007-06-05: UDP support > >Seem my previous mail please. 
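Review bot: the bounds checks in xt_u32_match_it() (xt_u32.c hunk of the refreshed xt_u32 patch) are not sufficient. `at`, `pos` and `val` are all u_int32_t, so `at + pos < 0` is always false and can be dropped, and the remaining test `at + pos + 3 > skb->len` is off by one (with skb->len == 3 and pos == 0 it passes and `base[pos+3]` is read past the data) and can wrap: `at += val` takes `val` from packet content, so `at + pos + 3` may overflow to a small number and pass the comparison before `base[at+pos]` is dereferenced. Reject the test when `at + val < at`, and check the window as `skb->len < 4 || at + pos > skb->len - 4` (with a wrap check on `at + pos`) instead. Separately, `skb_header_pointer(skb, 0, skb->len, xt_u32_buffer)` copies `skb->len` bytes into a buffer of XT_U32_BUFFER_SIZE with nothing in the hunk guaranteeing `skb->len <= 64 * 1024`; either return false for longer skbs or fetch the 4 bytes per step with skb_copy_bits(), which also removes the need for the global buffer and xt_u32_lock. Finally, `ntests`, `nnums` and `nvalues` are u_int8_t values supplied by userspace and index arrays of only XT_U32_MAXSIZE+1 entries without any validation; add a checkentry that rejects counts above XT_U32_MAXSIZE.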
Signed-off-by: Jan Engelhardt --- include/linux/netfilter/xt_connlimit.h | 14 + net/netfilter/Kconfig | 7 net/netfilter/Makefile | 1 net/netfilter/xt_connlimit.c | 255 +++++++++++++++++++++++++++++++++ 4 files changed, 277 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_connlimit.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_connlimit.h @@ -0,0 +1,14 @@ +#ifndef _XT_CONNLIMIT_H +#define _XT_CONNLIMIT_H + +struct xt_connlimit_data; + +struct xt_connlimit_info { + u_int32_t mask; + unsigned int limit, inverse; + + /* this needs to be at the end */ + struct xt_connlimit_data *data; +}; + +#endif /* _XT_CONNLIMIT_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig @@ -411,6 +411,13 @@ config NETFILTER_XT_MATCH_CONNBYTES If you want to compile it as a module, say M here and read . If unsure, say `N'. +config NETFILTER_XT_MATCH_CONNLIMIT + tristate '"connlimit" match support"' + depends on NETFILTER_XTABLES && NF_CONNTRACK_IPV4 + ---help--- + This match allows you to match against the number of parallel TCP + connections to a server per client IP address (or address block). + config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile 
@@ -51,6 +51,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSEC # matches obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o +obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o Index: linux-2.6.22-rc4/net/netfilter/xt_connlimit.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_connlimit.c 
@@ -0,0 +1,255 @@ +/* + * netfilter module to limit the number of parallel tcp + * connections per IP address. + * (c) 2000 Gerd Knorr + * Nov 2002: Martin Bene : + * only ignore TIME_WAIT or gone connections + * ? Jan Engelhardt , 2007 + * + * based on ... + * + * Kernel module to match connection tracking information. + * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG 0 + +/* we will save the tuples of all connections we care about */ +struct xt_connlimit_conn { + struct list_head list; + struct nf_conntrack_tuple tuple; +}; + +struct xt_connlimit_data { + struct list_head iphash[256]; + spinlock_t lock; +}; + +static inline unsigned int connlimit_iphash(u_int32_t addr) +{ + return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff; +} + +static int count_them(struct xt_connlimit_data *data, u_int32_t addr, + u_int32_t mask, struct nf_conn *ct) +{ +#if DEBUG + static const char const *tcp_state[] = { + "none", "established", "syn_sent", "syn_recv", "fin_wait", + "time_wait", "close", "close_wait", "last_ack", "listen" + }; +#endif + struct nf_conntrack_tuple_hash *found; + struct nf_conntrack_tuple tuple; + struct xt_connlimit_conn *conn; + const struct list_head *lh; + struct nf_conn *found_ct; + struct list_head *hash; + bool addit = true; + int matches = 0; + + tuple = ct->tuplehash[0].tuple; + hash = &data->iphash[connlimit_iphash(addr & mask)]; + + /* check the saved connections */ + for (lh = hash->next; lh != hash; lh = lh->next) { + conn = list_entry(lh, struct xt_connlimit_conn, list); + found = nf_conntrack_find_get(&conn->tuple, ct); + found_ct = NULL; + + if (found != NULL && + (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL && + memcmp(&conn->tuple, &tuple, sizeof(tuple)) == 0 && + found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) + /* + * Just to be sure we have it only once in the list. 
+ * We should not see tuples twice unless someone hooks + * this into a table without "-p tcp --syn". + */ + addit = false; + +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%d %s\n", + connlimit_iphash(addr & mask), + NIPQUAD(conn->tuple.src.u3.ip), + ntohs(conn->tuple.src.u.tcp.port), + NIPQUAD(conn->tuple.dst.u3.ip), + ntohs(conn->tuple.dst.u.tcp.port), + (found == NULL) ? "gone" : + tcp_state[found_ct->proto.tcp.state]); +#endif + + if (found == NULL) { + /* this one is gone */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + continue; + } + + if (found_ct->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) { + /* + * we do not care about connections which are + * closed already -> ditch it + */ + lh = lh->prev; + list_del(lh->next); + kfree(conn); + nf_conntrack_put(&found_ct->ct_general); + continue; + } + + if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) + /* same source network -> be counted! */ + ++matches; + + nf_conntrack_put(&found_ct->ct_general); + } + + if (addit) { + /* save the new connection in our list */ +#if DEBUG + printk(KERN_WARNING "xt_connlimit [%u]: src=%u.%u.%u.%u:%u " + "dst=%u.%u.%u.%u:%u new\n", + connlimit_iphash(addr & mask), + NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port), + NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port)); +#endif + + conn = kzalloc(sizeof(*conn), GFP_ATOMIC); + if (conn == NULL) + return -ENOMEM; + + INIT_LIST_HEAD(&conn->list); + conn->tuple = tuple; + list_add(&conn->list, hash); + ++matches; + } + + return matches; +} + +static bool xt_connlimit_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, bool *hotdrop) +{ + const struct xt_connlimit_info *info = matchinfo; + enum ip_conntrack_info ctinfo; + const struct iphdr *iph; + int connections, rv; + struct nf_conn *ct; + + ct = nf_ct_get(skb, &ctinfo); + if (ct == 
NULL) { + printk(KERN_INFO "xt_connlimit: INVALID connection\n"); + *hotdrop = 1; + return false; + } + + iph = ip_hdr(skb); + spin_lock_bh(&info->data->lock); + connections = count_them(info->data, iph->saddr, info->mask, ct); + spin_unlock_bh(&info->data->lock); + + if (connections < 0) { + /* kmalloc failed, drop it entirely */ + printk(KERN_DEBUG "xt_connlimit: kmalloc failed\n"); + *hotdrop = 1; + return false; + } + + rv = info->inverse ^ (connections > info->limit); +#if DEBUG + printk(KERN_DEBUG "xt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u " + "connections=%d limit=%u match=%s\n", + NIPQUAD(iph->saddr), NIPQUAD(info->mask), + connections, info->limit, match ? "yes" : "no"); +#endif + + return rv; +} + +static bool xt_connlimit_check(const char *tablename, const void *ip, + const struct xt_match *match, void *matchinfo, + unsigned int hook_mask) +{ + struct xt_connlimit_info *info = matchinfo; + unsigned int i; + + if (nf_ct_l3proto_try_module_get(match->family) < 0) { + printk(KERN_WARNING "cannot load conntrack support for " + "address family %u\n", match->family); + return false; + } + + /* init private data */ + info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); + spin_lock_init(&info->data->lock); + for (i = 0; i < 256; ++i) + INIT_LIST_HEAD(&info->data->iphash[i]); + + return true; +} + +static void xt_connlimit_destroy(const struct xt_match *match, void *matchinfo) +{ + struct xt_connlimit_info *info = matchinfo; + struct xt_connlimit_conn *conn; + struct list_head *hash; + unsigned int i; + + nf_ct_l3proto_module_put(match->family); + + for (i = 0; i < 256; ++i) { + hash = &info->data->iphash[i]; + while (hash != hash->next) { + conn = list_entry(hash->next, + struct xt_connlimit_conn, list); + list_del(hash->next); + kfree(conn); + } + } + + kfree(info->data); +} + +static struct xt_match xt_connlimit_reg = { + .name = "connlimit", + .family = AF_INET, + .checkentry = xt_connlimit_check, + .match = xt_connlimit_match, + 
.matchsize = sizeof(struct xt_connlimit_info), + .destroy = xt_connlimit_destroy, + .me = THIS_MODULE, +}; + +static int __init xt_connlimit_init(void) +{ + return xt_register_match(&xt_connlimit_reg); +} + +static void __exit xt_connlimit_exit(void) +{ + xt_unregister_match(&xt_connlimit_reg); +} + +module_init(xt_connlimit_init); +module_exit(xt_connlimit_exit); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_connlimit"); From jengelh at linux01.gwdg.de Tue Jun 5 14:08:11 2007 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jun 5 15:12:14 2007 Subject: xt_gateway 20070605 (kernel) In-Reply-To: References: Message-ID: Hi Sam, (Style changes the way Patrick prefers it.) Signed-off-by: Jan Engelhardt --- include/linux/netfilter/xt_gateway.h | 13 +++++ net/netfilter/Kconfig | 9 +++ net/netfilter/Makefile | 1 net/netfilter/xt_gateway.c | 85 +++++++++++++++++++++++++++++++++++ 4 files changed, 108 insertions(+) Index: linux-2.6.22-rc4/include/linux/netfilter/xt_gateway.h =================================================================== --- /dev/null +++ linux-2.6.22-rc4/include/linux/netfilter/xt_gateway.h @@ -0,0 +1,13 @@ +#ifndef _XT_GATEWAY_H +#define _XT_GATEWAY_H + +#define XT_GATEWAY_INV 0x1 /* Negate the condition */ +#define XT_GATEWAY_ROUTE 0x2 /* ...and the gateway is not the final hop */ + +struct xt_gateway_info { + /* Inclusive: network order. */ + u_int32_t gateway; + u_int8_t flags; +}; + +#endif /* _XT_GATEWAY_H */ Index: linux-2.6.22-rc4/net/netfilter/Kconfig =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Kconfig +++ linux-2.6.22-rc4/net/netfilter/Kconfig 
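Review bot: xt_connlimit_check() in the xt_connlimit.c hunk uses the result of `kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL)` without a NULL check, so an allocation failure while a rule is loaded dereferences NULL in `spin_lock_init(&info->data->lock)`; on failure call nf_ct_l3proto_module_put(match->family) and return false. In the DEBUG printk of xt_connlimit_match(), `match ? "yes" : "no"` tests the `struct xt_match *` argument rather than `rv`, so it always prints "yes". count_them() also reads `found_ct->proto.tcp.state` for every saved entry, which is only meaningful for TCP conntracks; the changelog advertises UDP support, but nothing in the hunk restricts the match to TCP or skips the TIME_WAIT test for other protocols.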
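Review bot: the Kconfig hunk of the xt_connlimit patch has a stray double quote at the end of the prompt, `tristate '"connlimit" match support"'`; it should read `tristate '"connlimit" match support'`, matching the neighbouring entries.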
@@ -475,6 +475,15 @@ config NETFILTER_XT_MATCH_ESP To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_GATEWAY + tristate '"gateway" match support' + depends on NETFILTER_XTABLES + ---help--- + This option makes possible to match the IP address of the + routed gateway for routed packets. + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_MATCH_HELPER tristate '"helper" match support' depends on NETFILTER_XTABLES Index: linux-2.6.22-rc4/net/netfilter/Makefile =================================================================== --- linux-2.6.22-rc4.orig/net/netfilter/Makefile +++ linux-2.6.22-rc4/net/netfilter/Makefile @@ -57,6 +57,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o +obj-$(CONFIG_NETFILTER_XT_MATCH_GATEWAY) += xt_gateway.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o Index: linux-2.6.22-rc4/net/netfilter/xt_gateway.c =================================================================== --- /dev/null +++ linux-2.6.22-rc4/net/netfilter/xt_gateway.c 
@@ -0,0 +1,85 @@ +/* + * netfilter module to match nexthop router by IP address + * (C) 2007 UFO Mechanic + * ? Jan Engelhardt , 2007 + * to save time and bugs, based on ip_range by + * (C) 2003 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#include +#include +#include +#include +#include +#include +#include +#include + +static bool xt_gateway_match_it(const struct sk_buff *skb, + const struct xt_gateway_info *info) +{ + const struct iphdr *iph; + const struct dst_entry *dst; + const struct neighbour *neigh; + const struct neigh_table *tbl; + + if (skb == NULL) /* necessary? */ + return false; + if ((dst = skb->dst) == NULL) + return false; + if ((neigh = dst->neighbour) == NULL) + return false; + if ((tbl = neigh->tbl) == NULL) + return false; + if (tbl->family != AF_INET) + return false; + if (memcmp(&info->gateway, &neigh->primary_key, tbl->key_len) != 0) + return false; + if (!(info->flags & XT_GATEWAY_ROUTE)) + return true; + iph = ip_hdr(skb); + if (iph->daddr != info->gateway) + return true; + + return false; +} + +static bool xt_gateway_match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, int offset, + unsigned int protoff, bool *hotdrop) +{ + const struct xt_gateway_info *info = matchinfo; + return !!(info->flags & XT_GATEWAY_INV) ^ + xt_gateway_match_it(skb, info); +} + +static struct xt_match xt_gateway_reg = { + .name = "gateway", + .family = AF_INET, + .match = xt_gateway_match, + .matchsize = sizeof(struct xt_gateway_info), + .me = THIS_MODULE, +}; + +static int __init xt_gateway_init(void) +{ + return xt_register_match(&xt_gateway_reg); +} + +static void __exit xt_gateway_exit(void) +{ + xt_unregister_match(&xt_gateway_reg); +} + +module_init(xt_gateway_init); 
+module_exit(xt_gateway_exit); +MODULE_AUTHOR("Sam Liddicott "); +MODULE_DESCRIPTION("netfilter nexthop/gateway match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_gateway"); From kaber at trash.net Tue Jun 5 14:16:47 2007 From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 15:21:18 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <200706041154.11187.dim@openvz.org> References: <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> <200706041154.11187.dim@openvz.org> Message-ID: <4665542F.9020607@trash.net> Dmitry Mishin wrote: > It's better, but I see the issue with iterate with compat_check_entry() calls. > If it fails, some of target/matches' check_* functions are called, some not. > Please, review my version of this patch. You're right again, thanks. Patch applied. From dada1 at cosmosbay.com Tue Jun 5 14:37:42 2007 
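Review bot: xt_gateway_match_it() in the xt_gateway.c hunk relies on `skb->dst` and `dst->neighbour` being set, which only holds after routing (FORWARD, LOCAL_OUT and POST_ROUTING); in PRE_ROUTING or LOCAL_IN the match silently returns false, or true when XT_GATEWAY_INV is set, instead of the rule being rejected. Set `.hooks` in xt_gateway_reg to the output-side hooks or add a checkentry that refuses the others, and document the restriction in the Kconfig help. The `if (skb == NULL) /* necessary? */` test can go: the match hook is never called with a NULL skb.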
From: dada1 at cosmosbay.com (Eric Dumazet) Date: Tue Jun 5 15:42:02 2007 Subject: xt_connlimit 20070605 In-Reply-To: References: <46654BF8.30406@trash.net> Message-ID: <20070605143742.7fdd6268.dada1@cosmosbay.com> On Tue, 5 Jun 2007 14:06:50 +0200 (MEST) Jan Engelhardt wrote: > > +static inline unsigned int connlimit_iphash(u_int32_t addr) > +{ > + return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff; > +} > + > +static int count_them(struct xt_connlimit_data *data, u_int32_t addr, > + u_int32_t mask, struct nf_conn *ct) There is some problem with this hash function : An attacker can easily send on your machine SYN packets where addr is carefully chosen so that your hash function returns the same value. Time to scan 1.000 elements in a chain is too long. I suggest you use jhash and a random value (initialized at boot time), so that the attacker has hard work to guess your hash function. See for examples : net/ipv4/route.c , function rt_hash_code() net/netfilter/nf_conntrack_core.c , function __hash_conntrack() net/ipv4/netfilter/ipt_recent.c, function recent_entry_hash() From kaber at trash.net Tue Jun 5 15:32:38 2007 From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 16:36:55 2007 Subject: iptables throws unknown error - suspecting 32/64 compat issue In-Reply-To: <4665542F.9020607@trash.net> References: <200706031047.44848.dim@openvz.org> <4662F2E9.1090903@trash.net> <200706041154.11187.dim@openvz.org> <4665542F.9020607@trash.net> Message-ID: <466565F6.7070902@trash.net> Patrick McHardy wrote: > Dmitry Mishin wrote: > >>It's better, but I see the issue with iterate with compat_check_entry() calls. >>If it fails, some of target/matches' check_* functions are called, some not. >>Please, review my version of this patch. > > > > You're right again, thanks. Patch applied. > With one minor change: -------------- next part -------------- 
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 9c294a5..e992cd6 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -265,14 +265,17 @@ ipt_get_target(struct ipt_entry *e) }) /* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, i, fn, args...) \ +#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \ ({ \ - unsigned int __i; \ + unsigned int __i, __n; \ int __ret = 0; \ struct ipt_entry *__entry; \ \ - for (__i = i; __i < (size); __i += __entry->next_offset) { \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ \ __ret = fn(__entry , ## args); \ if (__ret != 0) \ From kaber at trash.net Tue Jun 5 15:35:08 2007 
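Review bot: in the new skip test `if (__n < n)` the macro argument `n` is not parenthesized, unlike `(size)` in the loop condition, so an argument containing a lower-precedence operator would be misparsed; write `if (__n < (n))`. The rewrite also changes the meaning from "start at byte offset i" to "skip the first n entries by count", which is what a caller holding an entry count needs, but every resumed walk now re-reads `__entry->next_offset` for all the skipped entries, so a comment on the macro saying it is linear in the total number of entries rather than the remaining ones would help the next reader.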
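Eric Dumazet's objection to connlimit_iphash above (the XOR fold of the address bytes gives a fixed, guessable bucket), as an added example that is neither from the list nor from xt_connlimit: the posted hash beside a keyed variant, with the bucket-distribution check a reviewer would run over a set of addresses whose bytes XOR to the same value. The jhash_1word-style mixer is an assumption modelled on the kernel's lookup2-based jhash of the time, and the address set and the secret are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#define NBUCKETS 256   /* the posted hash can only yield an 8-bit index */
#define NADDRS   1000  /* the chain length the review calls too long */

/* The hash as posted in the xt_connlimit patch: XOR-fold of the address bytes. */
static inline unsigned int connlimit_iphash(uint32_t addr)
{
	return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff;
}
#define JHASH_GOLDEN_RATIO 0x9e3779b9u /* assumption: lookup2-style jhash mixer */
#define jhash_mix(a, b, c) {            \
	a -= b; a -= c; a ^= (c >> 13); \
	b -= c; b -= a; b ^= (a << 8);  \
	c -= a; c -= b; c ^= (b >> 13); \
	a -= b; a -= c; a ^= (c >> 12); \
	b -= c; b -= a; b ^= (a << 16); \
	c -= a; c -= b; c ^= (b >> 5);  \
	a -= b; a -= c; a ^= (c >> 3);  \
	b -= c; b -= a; b ^= (a << 10); \
	c -= a; c -= b; c ^= (b >> 15); \
}
/* Keyed replacement (jhash_1word(addr, secret) folded to a bucket): without
 * the secret a sender cannot predict which bucket an address lands in. */
static inline unsigned int keyed_iphash(uint32_t addr, uint32_t secret)
{
	uint32_t a = addr + JHASH_GOLDEN_RATIO, b = JHASH_GOLDEN_RATIO, c = secret;
	jhash_mix(a, b, c);
	return c & (NBUCKETS - 1);
}

/* Constructed input: 10.a.b.(a^b), so the four bytes of every entry XOR to 10. */
static void fill_colliding_addrs(uint32_t *addrs, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		uint32_t a = i & 0xff, b = (i >> 8) & 0xff;
		addrs[i] = (10u << 24) | (a << 16) | (b << 8) | (a ^ b);
	}
}
/* Longest bucket chain over the constructed set; keyed selects the hash. */
static unsigned int longest_chain(int keyed, uint32_t secret)
{
	uint32_t addrs[NADDRS];
	unsigned int count[NBUCKETS] = { 0 }, max = 0, h;
	fill_colliding_addrs(addrs, NADDRS);
	for (size_t i = 0; i < NADDRS; i++) {
		h = keyed ? keyed_iphash(addrs[i], secret) : connlimit_iphash(addrs[i]);
		if (++count[h] > max)
			max = count[h];
	}
	return max;
}

int main(void)
{
	uint32_t secret = 0x5bd1e995u; /* stand-in for a value drawn at boot time */
	printf("xor-fold: longest chain %u of %d\n", longest_chain(0, 0), NADDRS);
	printf("keyed:    longest chain %u of %d\n", longest_chain(1, secret), NADDRS);
	return 0;
}
```

With the posted hash every one of the 1000 constructed addresses lands in the same bucket, so count_them() walks the whole set per lookup; with the keyed hash the same set spreads across the table.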
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 16:39:26 2007 Subject: [NETFILTER 00/03]: Netfilter fixes Message-ID: <20070605133508.10309.36756.sendpatchset@localhost.localdomain> Hi Dave, these patches fix improper textsearch_prepare return value checks in the amanda conntrack helper, the iptables compat crash reported by Jan Engelhardt and some connection tracking helper unload races. Please apply, thanks. include/linux/netfilter_ipv4/ip_tables.h | 17 +++++ net/ipv4/netfilter/ip_tables.c | 81 +++++++++++++++++++------ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 13 ++-- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 9 ++ net/netfilter/nf_conntrack_amanda.c | 12 +-- net/netfilter/nf_conntrack_core.c | 26 +++++--- net/netfilter/nf_conntrack_expect.c | 4 + net/netfilter/nf_conntrack_helper.c | 2 net/netfilter/nf_conntrack_netlink.c | 34 +++++++--- net/netfilter/nf_conntrack_proto_gre.c | 2 10 files changed, 147 insertions(+), 53 deletions(-) Akinobu Mita (1): [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check Dmitry Mishin (1): [NETFILTER]: ip_tables: fix compat related crash Patrick McHardy (1): [NETFILTER]: nf_conntrack: fix helper module unload races From kaber at trash.net Tue Jun 5 15:35:10 2007 
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 16:39:32 2007 Subject: [NETFILTER 01/03]: nf_conntrack: fix helper module unload races In-Reply-To: <20070605133508.10309.36756.sendpatchset@localhost.localdomain> References: <20070605133508.10309.36756.sendpatchset@localhost.localdomain> Message-ID: <20070605133509.10309.45032.sendpatchset@localhost.localdomain> [NETFILTER]: nf_conntrack: fix helper module unload races When a helper module is unloaded all conntracks referring to it have their helper pointer NULLed out, leading to lots of races. In most places this can be fixed by proper use of RCU (they do already check for != NULL, but in a racy way), additionally nf_conntrack_expect_related needs to bail out when no helper is present. Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy and not worth fixing. Signed-off-by: Patrick McHardy --- commit eed17841cda83ffa195b9e5ec4d5ee4b6840ed17 tree 1bca5e37fc461999f2160c3b0673a12649ea2023 parent 5ecd3100e695228ac5e0ce0e325e252c0f11806f author Patrick McHardy Tue, 05 Jun 2007 14:22:34 +0200 committer Patrick McHardy Tue, 05 Jun 2007 14:22:34 +0200 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 13 ++++++--- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 9 +++++- net/netfilter/nf_conntrack_core.c | 26 +++++++++++++----- net/netfilter/nf_conntrack_expect.c | 4 +++ net/netfilter/nf_conntrack_helper.c | 2 + net/netfilter/nf_conntrack_netlink.c | 34 ++++++++++++++++-------- net/netfilter/nf_conntrack_proto_gre.c | 2 - 7 files changed, 61 insertions(+), 29 deletions(-) diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index fd62a41..6dc72a8 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
@@ -133,6 +133,7 @@ static unsigned int ipv4_conntrack_help(unsigned int hooknum, struct nf_conn *ct; enum ip_conntrack_info ctinfo; struct nf_conn_help *help; + struct nf_conntrack_helper *helper; /* This is where we call the helper: as the packet goes out. */ ct = nf_ct_get(*pskb, &ctinfo); @@ -140,12 +141,14 @@ static unsigned int ipv4_conntrack_help(unsigned int hooknum, return NF_ACCEPT; help = nfct_help(ct); - if (!help || !help->helper) + if (!help) return NF_ACCEPT; - - return help->helper->help(pskb, - skb_network_offset(*pskb) + ip_hdrlen(*pskb), - ct, ctinfo); + /* rcu_read_lock()ed by nf_hook_slow */ + helper = rcu_dereference(help->helper); + if (!helper) + return NF_ACCEPT; + return helper->help(pskb, skb_network_offset(*pskb) + ip_hdrlen(*pskb), + ct, ctinfo); } static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index dc442fb..1b1797f 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c @@ -160,6 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum, { struct nf_conn *ct; struct nf_conn_help *help; + struct nf_conntrack_helper *helper; enum ip_conntrack_info ctinfo; unsigned int ret, protoff; unsigned int extoff = (u8 *)(ipv6_hdr(*pskb) + 1) - (*pskb)->data; @@ -172,7 +173,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum, goto out; help = nfct_help(ct); - if (!help || !help->helper) + if (!help) + goto out; + /* rcu_read_lock()ed by nf_hook_slow */ + helper = rcu_dereference(help->helper); + if (!helper) goto out; protoff = nf_ct_ipv6_skip_exthdr(*pskb, extoff, &pnum, @@ -182,7 +187,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum, return NF_ACCEPT; } - ret = help->helper->help(pskb, protoff, ct, ctinfo); + ret = helper->help(pskb, protoff, ct, ctinfo); if (ret != NF_ACCEPT) return ret; out: 
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 483e927..7a15e30 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -350,9 +350,15 @@ static void death_by_timeout(unsigned long ul_conntrack) { struct nf_conn *ct = (void *)ul_conntrack; struct nf_conn_help *help = nfct_help(ct); + struct nf_conntrack_helper *helper; - if (help && help->helper && help->helper->destroy) - help->helper->destroy(ct); + if (help) { + rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (helper && helper->destroy) + helper->destroy(ct); + rcu_read_unlock(); + } write_lock_bh(&nf_conntrack_lock); /* Inside lock so preempt is disabled on module removal path. @@ -661,6 +667,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, unsigned int dataoff) { struct nf_conn *conntrack; + struct nf_conn_help *help; struct nf_conntrack_tuple repl_tuple; struct nf_conntrack_expect *exp; u_int32_t features = 0; @@ -691,6 +698,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, write_lock_bh(&nf_conntrack_lock); exp = find_expectation(tuple); + help = nfct_help(conntrack); if (exp) { DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n", conntrack, exp); @@ -698,7 +706,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, __set_bit(IPS_EXPECTED_BIT, &conntrack->status); conntrack->master = exp->master; if (exp->helper) - nfct_help(conntrack)->helper = exp->helper; + rcu_assign_pointer(help->helper, exp->helper); #ifdef CONFIG_NF_CONNTRACK_MARK conntrack->mark = exp->master->mark; #endif 
@@ -708,10 +716,11 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, nf_conntrack_get(&conntrack->master->ct_general); NF_CT_STAT_INC(expect_new); } else { - struct nf_conn_help *help = nfct_help(conntrack); - - if (help) - help->helper = __nf_ct_helper_find(&repl_tuple); + if (help) { + /* not in hash table yet, so not strictly necessary */ + rcu_assign_pointer(help->helper, + __nf_ct_helper_find(&repl_tuple)); + } NF_CT_STAT_INC(new); } @@ -893,7 +902,8 @@ void nf_conntrack_alter_reply(struct nf_conn *ct, helper = __nf_ct_helper_find(newreply); if (helper) memset(&help->help, 0, sizeof(help->help)); - help->helper = helper; + /* not in hash table yet, so not strictly necessary */ + rcu_assign_pointer(help->helper, helper); } write_unlock_bh(&nf_conntrack_lock); } diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 117cbfd..504fb6c 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -337,6 +337,10 @@ int nf_conntrack_expect_related(struct nf_conntrack_expect *expect) NF_CT_ASSERT(master_help); write_lock_bh(&nf_conntrack_lock); + if (!master_help->helper) { + ret = -ESHUTDOWN; + goto out; + } list_for_each_entry(i, &nf_conntrack_expect_list, list) { if (expect_matches(i, expect)) { /* Refresh timer: if it's dying, ignore.. */ diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 0743be4..f868b7f 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -93,7 +93,7 @@ static inline int unhelp(struct nf_conntrack_tuple_hash *i, if (help && help->helper == me) { nf_conntrack_event(IPCT_HELPER, ct); - help->helper = NULL; + rcu_assign_pointer(help->helper, NULL); } return 0; } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index d6d39e2..3f73327 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c 
@@ -171,21 +171,29 @@ ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) { struct nfattr *nest_helper; const struct nf_conn_help *help = nfct_help(ct); + struct nf_conntrack_helper *helper; - if (!help || !help->helper) + if (!help) return 0; + rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (!helper) + goto out; + nest_helper = NFA_NEST(skb, CTA_HELP); - NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name); + NFA_PUT(skb, CTA_HELP_NAME, strlen(helper->name), helper->name); - if (help->helper->to_nfattr) - help->helper->to_nfattr(skb, ct); + if (helper->to_nfattr) + helper->to_nfattr(skb, ct); NFA_NEST_END(skb, nest_helper); - +out: + rcu_read_unlock(); return 0; nfattr_failure: + rcu_read_unlock(); return -1; } @@ -842,7 +850,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[]) if (help && help->helper) { /* we had a helper before ... */ nf_ct_remove_expectations(ct); - help->helper = NULL; + rcu_assign_pointer(help->helper, NULL); } return 0; @@ -866,7 +874,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[]) /* need to zero data of old helper */ memset(&help->help, 0, sizeof(help->help)); - help->helper = helper; + rcu_assign_pointer(help->helper, helper); return 0; } @@ -950,6 +958,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[], struct nf_conn *ct; int err = -EINVAL; struct nf_conn_help *help; + struct nf_conntrack_helper *helper = NULL; ct = nf_conntrack_alloc(otuple, rtuple); if (ct == NULL || IS_ERR(ct)) 
@@ -980,14 +989,17 @@ ctnetlink_create_conntrack(struct nfattr *cda[], #endif help = nfct_help(ct); - if (help) - help->helper = nf_ct_helper_find_get(rtuple); + if (help) { + helper = nf_ct_helper_find_get(rtuple); + /* not in hash table yet so not strictly necessary */ + rcu_assign_pointer(help->helper, helper); + } add_timer(&ct->timeout); nf_conntrack_hash_insert(ct); - if (help && help->helper) - nf_ct_helper_put(help->helper); + if (helper) + nf_ct_helper_put(helper); return 0; diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index 5434472..339c397 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c @@ -100,7 +100,6 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir, struct nf_conn_help *help = nfct_help(ct); struct nf_ct_gre_keymap **kmp, *km; - BUG_ON(strcmp(help->helper->name, "pptp")); kmp = &help->help.ct_pptp_info.keymap[dir]; if (*kmp) { /* check whether it's a retransmission */ @@ -137,7 +136,6 @@ void nf_ct_gre_keymap_destroy(struct nf_conn *ct) enum ip_conntrack_dir dir; DEBUGP("entering for ct %p\n", ct); - BUG_ON(strcmp(help->helper->name, "pptp")); write_lock_bh(&nf_ct_gre_lock); for (dir = IP_CT_DIR_ORIGINAL; dir < IP_CT_DIR_MAX; dir++) { From kaber at trash.net Tue Jun 5 15:35:11 2007 
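Review bot: in the expectation branch of init_conntrack (nf_conntrack_core.c), `rcu_assign_pointer(help->helper, exp->helper)` dereferences the hoisted `help` without a NULL check while the else branch guards with `if (help)`; the old `nfct_help(conntrack)->helper = exp->helper` had the same asymmetry, so presumably the helper extension is always allocated when an expectation matched, but an `NF_CT_ASSERT(help)` or a comment stating that contract would make it explicit now that `help` lives at function scope.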
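Review bot: the new bail-out `if (!master_help->helper)` in nf_conntrack_expect_related (nf_conntrack_expect.c) reads the helper pointer plainly, whereas the rest of the patch moves readers to rcu_dereference(); that is only correct because the read sits under write_lock_bh(&nf_conntrack_lock), so add a one-line comment naming the lock that protects it, otherwise the next reader will "fix" it. -ESHUTDOWN is also an unusual errno for this function, so it is worth checking that every helper calling it treats any nonzero return as a plain failure.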
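Review bot: in ctnetlink_create_conntrack (nf_conntrack_netlink.c) the reference taken with nf_ct_helper_find_get() is dropped by nf_ct_helper_put(helper) immediately after nf_conntrack_hash_insert(), so the conntrack keeps a helper pointer without holding a module reference; that is consistent with this patch (unload goes through unhelp(), which now clears the pointer with rcu_assign_pointer), but the "not in hash table yet so not strictly necessary" comment should also say that the put right after insert is safe only for that reason, or it reads like a use-after-free in waiting.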
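Review bot: in ctnetlink_dump_helpinfo the read-side critical section now has two exits, `out:` and `nfattr_failure:`, and NFA_NEST, NFA_PUT and NFA_NEST_END can all jump to nfattr_failure from inside it, so the added rcu_read_unlock() there is required; a comment above `nfattr_failure:` noting that it is only reached with the RCU read lock held would document the invariant, since any future NFA_* call placed before the rcu_read_lock() would unlock without having locked.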
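Review bot: with the two `BUG_ON(strcmp(help->helper->name, "pptp"))` lines removed from nf_conntrack_proto_gre.c, nf_ct_gre_keymap_add and nf_ct_gre_keymap_destroy still dereference `help` (via `help->help.ct_pptp_info.keymap[dir]`) with no NULL check and no remaining statement of which helper they serve; if they are only ever called from the pptp helper on conntracks that carry a helper extension, say so in a comment at the top of each function so the dropped assertions are not lost as documentation.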
From: kaber at trash.net (Patrick McHardy) Date: Tue Jun 5 16:39:33 2007 Subject: [NETFILTER 02/03]: ip_tables: fix compat related crash In-Reply-To: <20070605133508.10309.36756.sendpatchset@localhost.localdomain> References: <20070605133508.10309.36756.sendpatchset@localhost.localdomain> Message-ID: <20070605133511.10309.33387.sendpatchset@localhost.localdomain> [NETFILTER]: ip_tables: fix compat related crash check_compat_entry_size_and_hooks iterates over the matches and calls compat_check_calc_match, which loads the match and calculates the compat offsets, but unlike the non-compat version, doesn't call ->checkentry yet. On error however it calls cleanup_matches, which in turn calls ->destroy, which can result in crashes if the destroy function (validly) expects to only get called after the checkentry function. Add a compat_release_match function that only drops the module reference on error and rename compat_check_calc_match to compat_find_calc_match to reflect the fact that it doesn't call the checkentry function. Reported by Jan Engelhardt Signed-off-by: Dmitry Mishin Signed-off-by: Patrick McHardy --- commit b14c27ef9486854969ae471aa5818b1e1352a0d7 tree 9ad281718d3780c20b7dc147d7ff8be0d0bbf298 parent eed17841cda83ffa195b9e5ec4d5ee4b6840ed17 author Dmitry Mishin Tue, 05 Jun 2007 15:33:02 +0200 committer Patrick McHardy Tue, 05 Jun 2007 15:33:02 +0200 include/linux/netfilter_ipv4/ip_tables.h | 20 +++++++ net/ipv4/netfilter/ip_tables.c | 81 +++++++++++++++++++++++------- 2 files changed, 83 insertions(+), 18 deletions(-) diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 2f46dd7..e992cd6 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h 
@@ -264,6 +264,26 @@ ipt_get_target(struct ipt_entry *e) __ret; \ }) +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + struct ipt_entry *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + /* * Main firewall chains definitions and global var's definitions. */ diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index e3f83bf..9bacf1a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -499,7 +499,8 @@ check_entry(struct ipt_entry *e, const char *name) } static inline int check_match(struct ipt_entry_match *m, const char *name, - const struct ipt_ip *ip, unsigned int hookmask) + const struct ipt_ip *ip, unsigned int hookmask, + unsigned int *i) { struct xt_match *match; int ret; @@ -515,6 +516,8 @@ static inline int check_match(struct ipt_entry_match *m, const char *name, m->u.kernel.match->name); ret = -EINVAL; } + if (!ret) + (*i)++; return ret; } @@ -537,11 +540,10 @@ find_check_match(struct ipt_entry_match *m, } m->u.kernel.match = match; - ret = check_match(m, name, ip, hookmask); + ret = check_match(m, name, ip, hookmask, i); if (ret) goto err; - (*i)++; return 0; err: module_put(m->u.kernel.match->me); @@ -1425,7 +1427,7 @@ out: } static inline int -compat_check_calc_match(struct ipt_entry_match *m, +compat_find_calc_match(struct ipt_entry_match *m, const char *name, const struct ipt_ip *ip, unsigned int hookmask, 
@@ -1449,6 +1451,31 @@ compat_check_calc_match(struct ipt_entry_match *m, } static inline int +compat_release_match(struct ipt_entry_match *m, unsigned int *i) +{ + if (i && (*i)-- == 0) + return 1; + + module_put(m->u.kernel.match->me); + return 0; +} + +static inline int +compat_release_entry(struct ipt_entry *e, unsigned int *i) +{ + struct ipt_entry_target *t; + + if (i && (*i)-- == 0) + return 1; + + /* Cleanup all matches */ + IPT_MATCH_ITERATE(e, compat_release_match, NULL); + t = ipt_get_target(e); + module_put(t->u.kernel.target->me); + return 0; +} + +static inline int check_compat_entry_size_and_hooks(struct ipt_entry *e, struct xt_table_info *newinfo, unsigned int *size, @@ -1485,10 +1512,10 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e, off = 0; entry_offset = (void *)e - (void *)base; j = 0; - ret = IPT_MATCH_ITERATE(e, compat_check
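Review bot: moving the `(*i)++` into check_match (now incremented only when `ret == 0`) means every caller of check_match must pass a real counter; the visible hunks update find_check_match, but the compat-side call this patch introduces later is cut off here, so confirm that it also passes its `i` and that the counter it increments is the same one the later cleanup path decrements, otherwise a failed ->checkentry would leave one match referenced or one too many released.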
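Review bot: compat_release_match uses `if (i && (*i)-- == 0) return 1;`, so when the counter reaches zero it is post-decremented to UINT_MAX before the function returns; that is harmless because returning 1 stops the iteration, but a short comment would spare the next reader the double take. compat_release_entry then passes NULL as `i` to IPT_MATCH_ITERATE to release every match and unconditionally does `module_put(t->u.kernel.target->me)`, so it may only be applied to entries whose target lookup already succeeded; state that precondition above the function, since the error path in check_compat_entry_size_and_hooks that calls it is cut off in this hunk.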