* [NETFILTER 00/22]: Netfilter update/fixes @ 2007-02-12 10:36 Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 01/22]: Properly use RCU in nf_ct_attach Patrick McHardy ` (22 more replies) 0 siblings, 23 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy Hi Dave, following are a number of fixes for netfilter, fixing RCU issues all over the place, including the invalid preemption assumptions in the NF_CT_STAT_INC macro. Additionally there are a few minor enhancements for things I noticed while going over the code: replacement of a few unnecessary spinlocks by mutexes, some cleanup for nf_log.c and some return value cleanup for unregistration functions. With these patches I think there should be nothing left holding back the preemptable RCU merge from netfilter's perspective. Please apply, thanks. include/linux/netfilter.h | 4 include/linux/netfilter_ipv4/ip_conntrack.h | 6 include/net/netfilter/nf_conntrack.h | 6 include/net/netfilter/nf_conntrack_l3proto.h | 4 include/net/netfilter/nf_conntrack_l4proto.h | 2 net/bridge/netfilter/ebt_log.c | 2 net/bridge/netfilter/ebt_ulog.c | 2 net/ipv4/netfilter/Kconfig | 8 net/ipv4/netfilter/ip_conntrack_core.c | 53 +++--- net/ipv4/netfilter/ip_conntrack_standalone.c | 9 - net/ipv4/netfilter/ip_nat_core.c | 74 ++++---- net/ipv4/netfilter/ipt_LOG.c | 2 net/ipv4/netfilter/ipt_ULOG.c | 2 net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 net/ipv4/netfilter/nf_nat_core.c | 75 ++++---- net/ipv6/netfilter/Kconfig | 3 net/ipv6/netfilter/ip6t_LOG.c | 2 net/ipv6/netfilter/ip6t_mh.c | 7 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 4 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 1 net/netfilter/Kconfig | 12 + net/netfilter/core.c | 45 +++-- net/netfilter/nf_conntrack_core.c | 72 +++++--- net/netfilter/nf_conntrack_expect.c | 2 net/netfilter/nf_conntrack_ftp.c | 14 - net/netfilter/nf_conntrack_h323_main.c | 20 +- net/netfilter/nf_conntrack_irc.c | 2 net/netfilter/nf_conntrack_l3proto_generic.c | 2 net/netfilter/nf_conntrack_netbios_ns.c | 2 net/netfilter/nf_conntrack_netlink.c | 106 ++++++------ net/netfilter/nf_conntrack_pptp.c | 2 net/netfilter/nf_conntrack_proto.c | 73 ++------ net/netfilter/nf_conntrack_proto_sctp.c | 72 ++++---- net/netfilter/nf_conntrack_proto_tcp.c | 210 ++++++++++++------------- net/netfilter/nf_conntrack_sip.c | 6 net/netfilter/nf_conntrack_standalone.c | 2 net/netfilter/nf_conntrack_tftp.c | 2 net/netfilter/nf_internals.h | 2 net/netfilter/nf_log.c | 69 ++++---- net/netfilter/nf_queue.c | 22 +- net/netfilter/nf_sockopt.c | 12 - net/netfilter/nfnetlink.c | 10 - net/netfilter/nfnetlink_log.c | 54 +++--- net/netfilter/nfnetlink_queue.c | 84 +++++----- net/netfilter/x_tables.c | 12 - net/netfilter/xt_CLASSIFY.c | 12 - net/netfilter/xt_MARK.c | 4 net/netfilter/xt_NFQUEUE.c | 4 net/netfilter/xt_NOTRACK.c | 4 net/netfilter/xt_SECMARK.c | 2 net/netfilter/xt_conntrack.c | 32 +-- net/netfilter/xt_dccp.c | 20 +- net/netfilter/xt_hashlimit.c | 8 net/netfilter/xt_helper.c | 18 +- net/netfilter/xt_length.c | 4 net/netfilter/xt_limit.c | 2 net/netfilter/xt_mac.c | 7 net/netfilter/xt_mark.c | 6 net/netfilter/xt_multiport.c | 2 net/netfilter/xt_physdev.c | 2 net/netfilter/xt_policy.c | 24 +- net/netfilter/xt_quota.c | 4 net/netfilter/xt_realm.c | 2 net/netfilter/xt_sctp.c | 30 +-- net/netfilter/xt_string.c | 8 net/netfilter/xt_tcpmss.c | 4 66 files changed, 709 insertions(+), 667 deletions(-) Masahide NAKAMURA: [NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets Patrick McHardy: [NETFILTER]: Properly use RCU in nf_ct_attach [NETFILTER]: Remove unnecessary synchronize_net() in nf_register_hook [NETFILTER]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex [NETFILTER]: Switch nf_register_hook/nf_unregister_hook to mutex [NETFILTER]: nf_log: use rcu_assign_pointer for RCU protected pointer [NETFILTER]: nf_log: make nf_log_unregister_pf return void [NETFILTER]: nf_log: switch logger registration/unregistration to mutex [NETFILTER]: nf_log: minor cleanups [NETFILTER]: ip_nat: properly use RCU API for ip_nat_protos array [NETFILTER]: nf_nat: properly use RCU API for nf_nat_protos array [NETFILTER]: ip_conntrack: properly use RCU API for ip_ct_protos array [NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays [NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption [NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption [NETFILTER]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback [NETFILTER]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback [NETFILTER]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void [NETFILTER]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration [NETFILTER]: Kconfig: improve dependency handling [NETFILTER]: nf_conntrack_tcp: make sysctl variables static YOSHIFUJI Hideaki: [NETFILTER]: Fix whitespace errors ^ permalink raw reply [flat|nested] 24+ messages in thread
* [NETFILTER 01/22]: Properly use RCU in nf_ct_attach 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 02/22]: Remove unnecessary synchronize_net() in nf_register_hook Patrick McHardy ` (21 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Properly use RCU in nf_ct_attach Use rcu_assign_pointer/rcu_dereference for ip_ct_attach pointer instead of self-made RCU and use rcu_read_lock to make sure the conntrack module doesn't disappear below us while calling it, since this function can be called from outside the netfilter hooks. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit aa70e344f883b6fb4283024afa9af13376162ed3 tree f353ef51191c23f210f508b4edf1a7008e164e53 parent 70cdc55ed5432048c25025283f064323e3ae94f4 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:23 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:23 +0100 net/ipv4/netfilter/ip_conntrack_core.c | 4 ++-- net/netfilter/core.c | 9 ++++++--- net/netfilter/nf_conntrack_core.c | 4 ++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index 2e6e421..933b878 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c @@ -1355,7 +1355,7 @@ static void free_conntrack_hash(struct l supposed to kill the mall. */ void ip_conntrack_cleanup(void) { - ip_ct_attach = NULL; + rcu_assign_pointer(ip_ct_attach, NULL); /* This makes sure all current packets have passed through netfilter framework. Roll on, two-stage module @@ -1516,7 +1516,7 @@ int __init ip_conntrack_init(void) write_unlock_bh(&ip_conntrack_lock); /* For use by ipt_REJECT */ - ip_ct_attach = ip_conntrack_attach; + rcu_assign_pointer(ip_ct_attach, ip_conntrack_attach); /* Set up fake conntrack: - to never be deleted, not in any hashes */ diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 291b8c6..ad24d0c 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -248,9 +248,12 @@ void nf_ct_attach(struct sk_buff *new, s { void (*attach)(struct sk_buff *, struct sk_buff *); - if (skb->nfct && (attach = ip_ct_attach) != NULL) { - mb(); /* Just to be sure: must be read before executing this */ - attach(new, skb); + if (skb->nfct) { + rcu_read_lock(); + attach = rcu_dereference(ip_ct_attach); + if (attach) + attach(new, skb); + rcu_read_unlock(); } } EXPORT_SYMBOL(nf_ct_attach); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 9b02ec4..59bcab1 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1105,7 +1105,7 @@ void nf_conntrack_cleanup(void) { int i; - ip_ct_attach = NULL; + rcu_assign_pointer(ip_ct_attach, NULL); /* This makes sure all current packets have passed through netfilter framework. Roll on, two-stage module @@ -1273,7 +1273,7 @@ int __init nf_conntrack_init(void) write_unlock_bh(&nf_conntrack_lock); /* For use by REJECT target */ - ip_ct_attach = __nf_conntrack_attach; + rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach); /* Set up fake conntrack: - to never be deleted, not in any hashes */ ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 02/22]: Remove unnecessary synchronize_net() in nf_register_hook 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 01/22]: Properly use RCU in nf_ct_attach Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 03/22]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex Patrick McHardy ` (20 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Remove unnecessary synchronize_net() in nf_register_hook We're only adding to the list, no need to synchronize. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 4e6bba5661fe72e2c570701be4fcf4f2fabfdff2 tree 12e74ddf2a81a31aa4b5d59ba39c6fd0b14d7f5d parent aa70e344f883b6fb4283024afa9af13376162ed3 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:30 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:30 +0100 net/netfilter/core.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index ad24d0c..a66bd6a 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -69,8 +69,6 @@ int nf_register_hook(struct nf_hook_ops } list_add_rcu(®->list, i->prev); spin_unlock_bh(&nf_hook_lock); - - synchronize_net(); return 0; } EXPORT_SYMBOL(nf_register_hook); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 03/22]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 01/22]: Properly use RCU in nf_ct_attach Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 02/22]: Remove unnecessary synchronize_net() in nf_register_hook Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 04/22]: Switch nf_register_hook/nf_unregister_hook " Patrick McHardy ` (19 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex The spinlock is only used in process context (register/unregister), switch to a mutex. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit ccead672bf5800d7418940aea9c0e6a231bc1f09 tree 9908ac59b324b764b4e7caaf17dc8472df8e52d9 parent 4e6bba5661fe72e2c570701be4fcf4f2fabfdff2 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:15 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:15 +0100 net/netfilter/core.c | 15 ++++++++++----- 1 files changed, 10 insertions(+), 5 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index a66bd6a..716603f 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -22,29 +22,34 @@ #include <linux/if.h> #include <linux/netdevice.h> #include <linux/inetdevice.h> #include <linux/proc_fs.h> +#include <linux/mutex.h> #include <net/sock.h> #include "nf_internals.h" -static DEFINE_SPINLOCK(afinfo_lock); +static DEFINE_MUTEX(afinfo_mutex); struct nf_afinfo *nf_afinfo[NPROTO] __read_mostly; EXPORT_SYMBOL(nf_afinfo); int nf_register_afinfo(struct nf_afinfo *afinfo) { - spin_lock(&afinfo_lock); + int err; + + err = mutex_lock_interruptible(&afinfo_mutex); + if (err < 0) + return err; rcu_assign_pointer(nf_afinfo[afinfo->family], afinfo); - spin_unlock(&afinfo_lock); + mutex_unlock(&afinfo_mutex); return 0; } EXPORT_SYMBOL_GPL(nf_register_afinfo); void nf_unregister_afinfo(struct nf_afinfo *afinfo) { - spin_lock(&afinfo_lock); + mutex_lock(&afinfo_mutex); rcu_assign_pointer(nf_afinfo[afinfo->family], NULL); - spin_unlock(&afinfo_lock); + mutex_unlock(&afinfo_mutex); synchronize_rcu(); } EXPORT_SYMBOL_GPL(nf_unregister_afinfo); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 04/22]: Switch nf_register_hook/nf_unregister_hook to mutex 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (2 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 03/22]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 05/22]: nf_log: use rcu_assign_pointer for RCU protected pointer Patrick McHardy ` (18 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Switch nf_register_hook/nf_unregister_hook to mutex The spinlock is only used in process context (register/unregister) since RCU is used for the nf_hook lists, switch to a mutex. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 4694a2599998f08af77aa1a1ee2c6d6bc2020913 tree b5d2752f7e5f66afd4b7d4bcd2402f1e1c9bfae9 parent ccead672bf5800d7418940aea9c0e6a231bc1f09 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:19 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:19 +0100 net/netfilter/core.c | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 716603f..f61e0c2 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -61,28 +61,31 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo); * packets come back: if the hook is gone, the packet is discarded. */ struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS] __read_mostly; EXPORT_SYMBOL(nf_hooks); -static DEFINE_SPINLOCK(nf_hook_lock); +static DEFINE_MUTEX(nf_hook_mutex); int nf_register_hook(struct nf_hook_ops *reg) { struct list_head *i; + int err; - spin_lock_bh(&nf_hook_lock); + err = mutex_lock_interruptible(&nf_hook_mutex); + if (err < 0) + return err; list_for_each(i, &nf_hooks[reg->pf][reg->hooknum]) { if (reg->priority < ((struct nf_hook_ops *)i)->priority) break; } list_add_rcu(®->list, i->prev); - spin_unlock_bh(&nf_hook_lock); + mutex_unlock(&nf_hook_mutex); return 0; } EXPORT_SYMBOL(nf_register_hook); void nf_unregister_hook(struct nf_hook_ops *reg) { - spin_lock_bh(&nf_hook_lock); + mutex_lock(&nf_hook_mutex); list_del_rcu(®->list); - spin_unlock_bh(&nf_hook_lock); + mutex_unlock(&nf_hook_mutex); synchronize_net(); } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 05/22]: nf_log: use rcu_assign_pointer for RCU protected pointer 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (3 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 04/22]: Switch nf_register_hook/nf_unregister_hook " Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 06/22]: nf_log: make nf_log_unregister_pf return void Patrick McHardy ` (17 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_log: use rcu_assign_pointer for RCU protected pointer Also replace synchronize_net() calls by synchronize_rcu() since the RCU protected data is also used for sysfs. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit a3d379f952d0861a1e0d876f69f301d5174f7990 tree 2f439287b3e9388ef7f186ea108868a05f119f4d parent 4694a2599998f08af77aa1a1ee2c6d6bc2020913 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:34 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:34 +0100 net/netfilter/nf_log.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 8901b3a..d6c6a8d 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -46,11 +46,11 @@ int nf_log_unregister_pf(int pf) return -EINVAL; spin_lock(&nf_log_lock); - nf_logging[pf] = NULL; + rcu_assign_pointer(nf_logging[pf], NULL); spin_unlock(&nf_log_lock); /* Give time to concurrent readers. */ - synchronize_net(); + synchronize_rcu(); return 0; } @@ -63,11 +63,11 @@ void nf_log_unregister_logger(struct nf_ spin_lock(&nf_log_lock); for (i = 0; i < NPROTO; i++) { if (nf_logging[i] == logger) - nf_logging[i] = NULL; + rcu_assign_pointer(nf_logging[i], NULL); } spin_unlock(&nf_log_lock); - synchronize_net(); + synchronize_rcu(); } EXPORT_SYMBOL(nf_log_unregister_logger); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 06/22]: nf_log: make nf_log_unregister_pf return void 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (4 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 05/22]: nf_log: use rcu_assign_pointer for RCU protected pointer Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 07/22]: nf_log: switch logger registration/unregistration to mutex Patrick McHardy ` (16 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_log: make nf_log_unregister_pf return void Since the only user of nf_log_unregister_pf (nfnetlink_log) doesn't check the return value, change it to void and bail out silently when a non-existant address family is supplied. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit ca4c6357b4568c1b8644385828a542475a86c5fa tree f5068e54682875208ff5d05cf7af434094daf545 parent a3d379f952d0861a1e0d876f69f301d5174f7990 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:02 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:02 +0100 include/linux/netfilter.h | 2 +- net/netfilter/nf_log.c | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index d4c4c51..18a6790 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -172,7 +172,7 @@ struct nf_logger { /* Function to register/unregister log function. */ int nf_log_register(int pf, struct nf_logger *logger); -int nf_log_unregister_pf(int pf); +void nf_log_unregister_pf(int pf); void nf_log_unregister_logger(struct nf_logger *logger); /* Calls the registered backend logging function */ diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index d6c6a8d..c159ef9 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -40,19 +40,16 @@ int nf_log_register(int pf, struct nf_lo } EXPORT_SYMBOL(nf_log_register); -int nf_log_unregister_pf(int pf) +void nf_log_unregister_pf(int pf) { if (pf >= NPROTO) - return -EINVAL; - + return; spin_lock(&nf_log_lock); rcu_assign_pointer(nf_logging[pf], NULL); spin_unlock(&nf_log_lock); /* Give time to concurrent readers. */ synchronize_rcu(); - - return 0; } EXPORT_SYMBOL(nf_log_unregister_pf); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 07/22]: nf_log: switch logger registration/unregistration to mutex 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (5 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 06/22]: nf_log: make nf_log_unregister_pf return void Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 08/22]: nf_log: minor cleanups Patrick McHardy ` (15 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_log: switch logger registration/unregistration to mutex The spinlock is only used in process context (register/unregister), switch to a mutex. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 99c46fbd857a8a2d01987650bd1492b5379ac250 tree c91f6d98b4d9035255bf89e8153745eec7cb9349 parent ca4c6357b4568c1b8644385828a542475a86c5fa author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:13 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:13 +0100 net/netfilter/nf_log.c | 26 +++++++++++++++----------- 1 files changed, 15 insertions(+), 11 deletions(-) diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index c159ef9..b942cd5 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -15,27 +15,31 @@ #include "nf_internals.h" #define NF_LOG_PREFIXLEN 128 static struct nf_logger *nf_logging[NPROTO]; /* = NULL */ -static DEFINE_SPINLOCK(nf_log_lock); +static DEFINE_MUTEX(nf_log_mutex); /* return EBUSY if somebody else is registered, EEXIST if the same logger * is registred, 0 on success. */ int nf_log_register(int pf, struct nf_logger *logger) { - int ret = -EBUSY; + int ret; if (pf >= NPROTO) return -EINVAL; /* Any setup of logging members must be done before * substituting pointer. */ - spin_lock(&nf_log_lock); - if (!nf_logging[pf]) { + ret = mutex_lock_interruptible(&nf_log_mutex); + if (ret < 0) + return ret; + + if (!nf_logging[pf]) rcu_assign_pointer(nf_logging[pf], logger); - ret = 0; - } else if (nf_logging[pf] == logger) + else if (nf_logging[pf] == logger) ret = -EEXIST; + else + ret = -EBUSY; - spin_unlock(&nf_log_lock); + mutex_unlock(&nf_log_mutex); return ret; } EXPORT_SYMBOL(nf_log_register); @@ -44,9 +48,9 @@ void nf_log_unregister_pf(int pf) { if (pf >= NPROTO) return; - spin_lock(&nf_log_lock); + mutex_lock(&nf_log_mutex); rcu_assign_pointer(nf_logging[pf], NULL); - spin_unlock(&nf_log_lock); + mutex_unlock(&nf_log_mutex); /* Give time to concurrent readers. */ synchronize_rcu(); @@ -57,12 +61,12 @@ void nf_log_unregister_logger(struct nf_ { int i; - spin_lock(&nf_log_lock); + mutex_lock(&nf_log_mutex); for (i = 0; i < NPROTO; i++) { if (nf_logging[i] == logger) rcu_assign_pointer(nf_logging[i], NULL); } - spin_unlock(&nf_log_lock); + mutex_unlock(&nf_log_mutex); synchronize_rcu(); } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 08/22]: nf_log: minor cleanups 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (6 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 07/22]: nf_log: switch logger registration/unregistration to mutex Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 09/22]: ip_nat: properly use RCU API for ip_nat_protos array Patrick McHardy ` (14 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_log: minor cleanups - rename nf_logging to nf_loggers since its an array of registered loggers - rename nf_log_unregister_logger() to nf_log_unregister() to make it symetrical to nf_log_register() and convert all users Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 5187c6343d6eac0b2fc995bfb607f817565ec258 tree c0290f3d2891089ca4f7d231cd21d3e081890ddc parent 99c46fbd857a8a2d01987650bd1492b5379ac250 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:47 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:47 +0100 include/linux/netfilter.h | 2 +- net/bridge/netfilter/ebt_log.c | 2 +- net/bridge/netfilter/ebt_ulog.c | 2 +- net/ipv4/netfilter/ipt_LOG.c | 2 +- net/ipv4/netfilter/ipt_ULOG.c | 2 +- net/ipv6/netfilter/ip6t_LOG.c | 2 +- net/netfilter/nf_log.c | 22 +++++++++++----------- net/netfilter/nfnetlink_log.c | 2 +- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 18a6790..70d3b4f 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -172,8 +172,8 @@ struct nf_logger { /* Function to register/unregister log function. */ int nf_log_register(int pf, struct nf_logger *logger); +void nf_log_unregister(struct nf_logger *logger); void nf_log_unregister_pf(int pf); -void nf_log_unregister_logger(struct nf_logger *logger); /* Calls the registered backend logging function */ void nf_log_packet(int pf, diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index f9a5ae9..45712ae 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c @@ -208,7 +208,7 @@ static int __init ebt_log_init(void) static void __exit ebt_log_fini(void) { - nf_log_unregister_logger(&ebt_log_logger); + nf_log_unregister(&ebt_log_logger); ebt_unregister_watcher(&log); } diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index 2e4cb24..8e15cc4 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c @@ -323,7 +323,7 @@ static void __exit ebt_ulog_fini(void) ebt_ulog_buff_t *ub; int i; - nf_log_unregister_logger(&ebt_ulog_logger); + nf_log_unregister(&ebt_ulog_logger); ebt_unregister_watcher(&ulog); for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) { ub = &ulog_buffers[i]; diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c index f4a62f2..d9c37fd 100644 --- a/net/ipv4/netfilter/ipt_LOG.c +++ b/net/ipv4/netfilter/ipt_LOG.c @@ -489,7 +489,7 @@ static int __init ipt_log_init(void) static void __exit ipt_log_fini(void) { - nf_log_unregister_logger(&ipt_log_logger); + nf_log_unregister(&ipt_log_logger); xt_unregister_target(&ipt_log_reg); } diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index 3a1eacc..a26404d 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c @@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void) DEBUGP("ipt_ULOG: cleanup_module\n"); if (nflog) - nf_log_unregister_logger(&ipt_ulog_logger); + nf_log_unregister(&ipt_ulog_logger); xt_unregister_target(&ipt_ulog_reg); sock_release(nflognl->sk_socket); diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index dc9ec93..afaa039 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c @@ -501,7 +501,7 @@ static int __init ip6t_log_init(void) static void __exit ip6t_log_fini(void) { - nf_log_unregister_logger(&ip6t_logger); + nf_log_unregister(&ip6t_logger); xt_unregister_target(&ip6t_log_reg); } diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index b942cd5..0db2fd8 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -14,7 +14,7 @@ #include "nf_internals.h" #define NF_LOG_PREFIXLEN 128 -static struct nf_logger *nf_logging[NPROTO]; /* = NULL */ +static struct nf_logger *nf_loggers[NPROTO]; static DEFINE_MUTEX(nf_log_mutex); /* return EBUSY if somebody else is registered, EEXIST if the same logger @@ -32,9 +32,9 @@ int nf_log_register(int pf, struct nf_lo if (ret < 0) return ret; - if (!nf_logging[pf]) - rcu_assign_pointer(nf_logging[pf], logger); - else if (nf_logging[pf] == logger) + if (!nf_loggers[pf]) + rcu_assign_pointer(nf_loggers[pf], logger); + else if (nf_loggers[pf] == logger) ret = -EEXIST; else ret = -EBUSY; @@ -49,7 +49,7 @@ void nf_log_unregister_pf(int pf) if (pf >= NPROTO) return; mutex_lock(&nf_log_mutex); - rcu_assign_pointer(nf_logging[pf], NULL); + rcu_assign_pointer(nf_loggers[pf], NULL); mutex_unlock(&nf_log_mutex); /* Give time to concurrent readers. */ @@ -57,20 +57,20 @@ void nf_log_unregister_pf(int pf) } EXPORT_SYMBOL(nf_log_unregister_pf); -void nf_log_unregister_logger(struct nf_logger *logger) +void nf_log_unregister(struct nf_logger *logger) { int i; mutex_lock(&nf_log_mutex); for (i = 0; i < NPROTO; i++) { - if (nf_logging[i] == logger) - rcu_assign_pointer(nf_logging[i], NULL); + if (nf_loggers[i] == logger) + rcu_assign_pointer(nf_loggers[i], NULL); } mutex_unlock(&nf_log_mutex); synchronize_rcu(); } -EXPORT_SYMBOL(nf_log_unregister_logger); +EXPORT_SYMBOL(nf_log_unregister); void nf_log_packet(int pf, unsigned int hooknum, @@ -85,7 +85,7 @@ void nf_log_packet(int pf, struct nf_logger *logger; rcu_read_lock(); - logger = rcu_dereference(nf_logging[pf]); + logger = rcu_dereference(nf_loggers[pf]); if (logger) { va_start(args, fmt); vsnprintf(prefix, sizeof(prefix), fmt, args); @@ -132,7 +132,7 @@ static int seq_show(struct seq_file *s, loff_t *pos = v; const struct nf_logger *logger; - logger = rcu_dereference(nf_logging[*pos]); + logger = rcu_dereference(nf_loggers[*pos]); if (!logger) return seq_printf(s, "%2lld NONE\n", *pos); diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index d1505dd..6511bb0 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c @@ -1077,7 +1077,7 @@ cleanup_netlink_notifier: static void __exit nfnetlink_log_fini(void) { - nf_log_unregister_logger(&nfulnl_logger); + nf_log_unregister(&nfulnl_logger); #ifdef CONFIG_PROC_FS remove_proc_entry("nfnetlink_log", proc_net_netfilter); #endif ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 09/22]: ip_nat: properly use RCU API for ip_nat_protos array 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (7 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 08/22]: nf_log: minor cleanups Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 10/22]: nf_nat: properly use RCU API for nf_nat_protos array Patrick McHardy ` (13 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: ip_nat: properly use RCU API for ip_nat_protos array Replace preempt_{enable,disable} based RCU by proper use of the RCU API and add missing rcu_read_lock/rcu_read_unlock calls in paths used outside of packet processing context (nfnetlink_conntrack). Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 6930ac084caa4aff8d702716b80a2b59212efb78 tree 527cf137f820f9aeecacc7fbfe6621bef49a333f parent 5187c6343d6eac0b2fc995bfb607f817565ec258 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:43:27 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:43:27 +0100 net/ipv4/netfilter/ip_nat_core.c | 61 ++++++++++++++++++-------------------- 1 files changed, 29 insertions(+), 32 deletions(-) diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c index 275a4d3..85ae0ca 100644 --- a/net/ipv4/netfilter/ip_nat_core.c +++ b/net/ipv4/netfilter/ip_nat_core.c @@ -50,7 +50,7 @@ static struct ip_nat_protocol *ip_nat_pr static inline struct ip_nat_protocol * __ip_nat_proto_find(u_int8_t protonum) { - return ip_nat_protos[protonum]; + return rcu_dereference(ip_nat_protos[protonum]); } struct ip_nat_protocol * @@ -58,13 +58,11 @@ ip_nat_proto_find_get(u_int8_t protonum) { struct ip_nat_protocol *p; - /* we need to disable preemption to make sure 'p' doesn't get - * removed until we've grabbed the reference */ - preempt_disable(); + rcu_read_lock(); p = __ip_nat_proto_find(protonum); if (!try_module_get(p->me)) p = &ip_nat_unknown_protocol; - preempt_enable(); + rcu_read_unlock(); return p; } @@ -120,8 +118,8 @@ static int in_range(const struct ip_conntrack_tuple *tuple, const struct ip_nat_range *range) { - struct ip_nat_protocol *proto = - __ip_nat_proto_find(tuple->dst.protonum); + struct ip_nat_protocol *proto; + int ret = 0; /* If we are supposed to map IPs, then we must be in the range specified, otherwise let this drag us onto a new src IP. */ @@ -131,12 +129,15 @@ in_range(const struct ip_conntrack_tuple return 0; } + rcu_read_lock(); + proto = __ip_nat_proto_find(tuple->dst.protonum); if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || proto->in_range(tuple, IP_NAT_MANIP_SRC, &range->min, &range->max)) - return 1; + ret = 1; + rcu_read_unlock(); - return 0; + return ret; } static inline int @@ -260,27 +261,25 @@ get_unique_tuple(struct ip_conntrack_tup /* 3) The per-protocol part of the manip is made to map into the range to make a unique tuple. */ - proto = ip_nat_proto_find_get(orig_tuple->dst.protonum); + rcu_read_lock(); + proto = __ip_nat_proto_find(orig_tuple->dst.protonum); /* Change protocol info to have some randomization */ if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) { proto->unique_tuple(tuple, range, maniptype, conntrack); - ip_nat_proto_put(proto); - return; + goto out; } /* Only bother mapping if it's not already in range and unique */ if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || proto->in_range(tuple, maniptype, &range->min, &range->max)) - && !ip_nat_used_tuple(tuple, conntrack)) { - ip_nat_proto_put(proto); - return; - } + && !ip_nat_used_tuple(tuple, conntrack)) + goto out; /* Last change: get protocol to try to obtain unique tuple. */ proto->unique_tuple(tuple, range, maniptype, conntrack); - - ip_nat_proto_put(proto); +out: + rcu_read_unlock(); } unsigned int @@ -360,12 +359,11 @@ manip_pkt(u_int16_t proto, iph = (void *)(*pskb)->data + iphdroff; /* Manipulate protcol part. */ - p = ip_nat_proto_find_get(proto); - if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) { - ip_nat_proto_put(p); + + /* rcu_read_lock()ed by nf_hook_slow */ + p = __ip_nat_proto_find(proto); + if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) return 0; - } - ip_nat_proto_put(p); iph = (void *)(*pskb)->data + iphdroff; @@ -515,7 +513,7 @@ int ip_nat_protocol_register(struct ip_n ret = -EBUSY; goto out; } - ip_nat_protos[proto->protonum] = proto; + rcu_assign_pointer(ip_nat_protos[proto->protonum], proto); out: write_unlock_bh(&ip_nat_lock); return ret; @@ -526,11 +524,10 @@ EXPORT_SYMBOL(ip_nat_protocol_register); void ip_nat_protocol_unregister(struct ip_nat_protocol *proto) { write_lock_bh(&ip_nat_lock); - ip_nat_protos[proto->protonum] = &ip_nat_unknown_protocol; + rcu_assign_pointer(ip_nat_protos[proto->protonum], + &ip_nat_unknown_protocol); write_unlock_bh(&ip_nat_lock); - - /* Someone could be still looking at the proto in a bh. */ - synchronize_net(); + synchronize_rcu(); } EXPORT_SYMBOL(ip_nat_protocol_unregister); @@ -594,10 +591,10 @@ static int __init ip_nat_init(void) /* Sew in builtin protocols. */ write_lock_bh(&ip_nat_lock); for (i = 0; i < MAX_IP_NAT_PROTO; i++) - ip_nat_protos[i] = &ip_nat_unknown_protocol; - ip_nat_protos[IPPROTO_TCP] = &ip_nat_protocol_tcp; - ip_nat_protos[IPPROTO_UDP] = &ip_nat_protocol_udp; - ip_nat_protos[IPPROTO_ICMP] = &ip_nat_protocol_icmp; + rcu_assign_pointer(ip_nat_protos[i], &ip_nat_unknown_protocol); + rcu_assign_pointer(ip_nat_protos[IPPROTO_TCP], &ip_nat_protocol_tcp); + rcu_assign_pointer(ip_nat_protos[IPPROTO_UDP], &ip_nat_protocol_udp); + rcu_assign_pointer(ip_nat_protos[IPPROTO_ICMP], &ip_nat_protocol_icmp); write_unlock_bh(&ip_nat_lock); for (i = 0; i < ip_nat_htable_size; i++) { ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 10/22]: nf_nat: properly use RCU API for nf_nat_protos array 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (8 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 09/22]: ip_nat: properly use RCU API for ip_nat_protos array Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 11/22]: ip_conntrack: properly use RCU API for ip_ct_protos array Patrick McHardy ` (12 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_nat: properly use RCU API for nf_nat_protos array Replace preempt_{enable,disable} based RCU by proper use of the RCU API and add missing rcu_read_lock/rcu_read_unlock calls in paths used outside of packet processing context (nfnetlink_conntrack). Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 8592a4e696c2d452053b005a7b8a84e29a7462af tree c900a38cb8b11b3f4c78776f416cec8b7adbfd6c parent 6930ac084caa4aff8d702716b80a2b59212efb78 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:44:58 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:44:58 +0100 net/ipv4/netfilter/nf_nat_core.c | 59 ++++++++++++++++++-------------------- 1 files changed, 28 insertions(+), 31 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index cf10108..6d0061f 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c @@ -53,7 +53,7 @@ static struct nf_nat_protocol *nf_nat_pr static inline struct nf_nat_protocol * __nf_nat_proto_find(u_int8_t protonum) { - return nf_nat_protos[protonum]; + return rcu_dereference(nf_nat_protos[protonum]); } struct nf_nat_protocol * @@ -61,13 +61,11 @@ nf_nat_proto_find_get(u_int8_t protonum) { struct nf_nat_protocol *p; - /* we need to disable preemption to make sure 'p' doesn't get - * removed until we've grabbed the reference */ - preempt_disable(); + rcu_read_lock(); p = __nf_nat_proto_find(protonum); if (!try_module_get(p->me)) p = &nf_nat_unknown_protocol; - preempt_enable(); + rcu_read_unlock(); return p; } @@ -126,8 +124,8 @@ in_range(const struct nf_conntrack_tuple const struct nf_nat_range *range) { struct nf_nat_protocol *proto; + int ret = 0; - proto = __nf_nat_proto_find(tuple->dst.protonum); /* If we are supposed to map IPs, then we must be in the range specified, otherwise let this drag us onto a new src IP. */ if (range->flags & IP_NAT_RANGE_MAP_IPS) { @@ -136,12 +134,15 @@ in_range(const struct nf_conntrack_tuple return 0; } + rcu_read_lock(); + proto = __nf_nat_proto_find(tuple->dst.protonum); if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || proto->in_range(tuple, IP_NAT_MANIP_SRC, &range->min, &range->max)) - return 1; + ret = 1; + rcu_read_unlock(); - return 0; + return ret; } static inline int @@ -268,27 +269,25 @@ get_unique_tuple(struct nf_conntrack_tup /* 3) The per-protocol part of the manip is made to map into the range to make a unique tuple. */ - proto = nf_nat_proto_find_get(orig_tuple->dst.protonum); + rcu_read_lock(); + proto = __nf_nat_proto_find(orig_tuple->dst.protonum); /* Change protocol info to have some randomization */ if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) { proto->unique_tuple(tuple, range, maniptype, ct); - nf_nat_proto_put(proto); - return; + goto out; } /* Only bother mapping if it's not already in range and unique */ if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || proto->in_range(tuple, maniptype, &range->min, &range->max)) && - !nf_nat_used_tuple(tuple, ct)) { - nf_nat_proto_put(proto); - return; - } + !nf_nat_used_tuple(tuple, ct)) + goto out; /* Last change: get protocol to try to obtain unique tuple. */ proto->unique_tuple(tuple, range, maniptype, ct); - - nf_nat_proto_put(proto); +out: + rcu_read_unlock(); } unsigned int @@ -369,12 +368,11 @@ manip_pkt(u_int16_t proto, iph = (void *)(*pskb)->data + iphdroff; /* Manipulate protcol part. */ - p = nf_nat_proto_find_get(proto); - if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) { - nf_nat_proto_put(p); + + /* rcu_read_lock()ed by nf_hook_slow */ + p = __nf_nat_proto_find(proto); + if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) return 0; - } - nf_nat_proto_put(p); iph = (void *)(*pskb)->data + iphdroff; @@ -529,7 +527,7 @@ int nf_nat_protocol_register(struct nf_n ret = -EBUSY; goto out; } - nf_nat_protos[proto->protonum] = proto; + rcu_assign_pointer(nf_nat_protos[proto->protonum], proto); out: write_unlock_bh(&nf_nat_lock); return ret; @@ -540,11 +538,10 @@ EXPORT_SYMBOL(nf_nat_protocol_register); void nf_nat_protocol_unregister(struct nf_nat_protocol *proto) { write_lock_bh(&nf_nat_lock); - nf_nat_protos[proto->protonum] = &nf_nat_unknown_protocol; + rcu_assign_pointer(nf_nat_protos[proto->protonum], + &nf_nat_unknown_protocol); write_unlock_bh(&nf_nat_lock); - - /* Someone could be still looking at the proto in a bh. */ - synchronize_net(); + synchronize_rcu(); } EXPORT_SYMBOL(nf_nat_protocol_unregister); @@ -608,10 +605,10 @@ static int __init nf_nat_init(void) /* Sew in builtin protocols. */ write_lock_bh(&nf_nat_lock); for (i = 0; i < MAX_IP_NAT_PROTO; i++) - nf_nat_protos[i] = &nf_nat_unknown_protocol; - nf_nat_protos[IPPROTO_TCP] = &nf_nat_protocol_tcp; - nf_nat_protos[IPPROTO_UDP] = &nf_nat_protocol_udp; - nf_nat_protos[IPPROTO_ICMP] = &nf_nat_protocol_icmp; + rcu_assign_pointer(nf_nat_protos[i], &nf_nat_unknown_protocol); + rcu_assign_pointer(nf_nat_protos[IPPROTO_TCP], &nf_nat_protocol_tcp); + rcu_assign_pointer(nf_nat_protos[IPPROTO_UDP], &nf_nat_protocol_udp); + rcu_assign_pointer(nf_nat_protos[IPPROTO_ICMP], &nf_nat_protocol_icmp); write_unlock_bh(&nf_nat_lock); for (i = 0; i < nf_nat_htable_size; i++) { ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 11/22]: ip_conntrack: properly use RCU API for ip_ct_protos array 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (9 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 10/22]: nf_nat: properly use RCU API for nf_nat_protos array Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 12/22]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays Patrick McHardy ` (11 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: ip_conntrack: properly use RCU API for ip_ct_protos array Replace preempt_{enable,disable} based RCU by proper use of the RCU API and add missing rcu_read_lock/rcu_read_unlock calls in all paths not obviously only used within packet process context (nfnetlink_conntrack). Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit f99ec74e0c460f0969f028c2853d2d31178ba3aa tree 4a0534a350b1f4067cc2c4b1ef450dace12b9da7 parent 8592a4e696c2d452053b005a7b8a84e29a7462af author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:56:31 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:56:31 +0100 net/ipv4/netfilter/ip_conntrack_core.c | 26 ++++++++++++++++++-------- net/ipv4/netfilter/ip_conntrack_standalone.c | 9 ++++----- net/ipv4/netfilter/ip_nat_core.c | 6 ++++-- 3 files changed, 26 insertions(+), 15 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index 933b878..ed87812 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c @@ -318,9 +318,11 @@ destroy_conntrack(struct nf_conntrack *n /* To make sure we don't get any weird locking issues here: * destroy_conntrack() MUST NOT be called with a write lock * to ip_conntrack_lock!!! -HW */ + rcu_read_lock(); proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); if (proto && proto->destroy) proto->destroy(ct); + rcu_read_unlock(); if (ip_conntrack_destroyed) ip_conntrack_destroyed(ct); @@ -595,13 +597,13 @@ ip_conntrack_proto_find_get(u_int8_t pro { struct ip_conntrack_protocol *p; - preempt_disable(); + rcu_read_lock(); p = __ip_conntrack_proto_find(protocol); if (p) { if (!try_module_get(p->me)) p = &ip_conntrack_generic_protocol; } - preempt_enable(); + rcu_read_unlock(); return p; } @@ -831,6 +833,7 @@ #if 0 } #endif + /* rcu_read_lock()ed by nf_hook_slow */ proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol); /* It may be an special packet, error, unclean... @@ -876,8 +879,15 @@ #endif int invert_tuplepr(struct ip_conntrack_tuple *inverse, const struct ip_conntrack_tuple *orig) { - return ip_ct_invert_tuple(inverse, orig, - __ip_conntrack_proto_find(orig->dst.protonum)); + struct ip_conntrack_protocol *proto; + int ret; + + rcu_read_lock(); + proto = __ip_conntrack_proto_find(orig->dst.protonum); + ret = ip_ct_invert_tuple(inverse, orig, proto); + rcu_read_unlock(); + + return ret; } /* Would two expected things clash? */ @@ -1508,11 +1518,11 @@ int __init ip_conntrack_init(void) /* Don't NEED lock here, but good form anyway. */ write_lock_bh(&ip_conntrack_lock); for (i = 0; i < MAX_IP_CT_PROTO; i++) - ip_ct_protos[i] = &ip_conntrack_generic_protocol; + rcu_assign_pointer(ip_ct_protos[i], &ip_conntrack_generic_protocol); /* Sew in builtin protocols. */ - ip_ct_protos[IPPROTO_TCP] = &ip_conntrack_protocol_tcp; - ip_ct_protos[IPPROTO_UDP] = &ip_conntrack_protocol_udp; - ip_ct_protos[IPPROTO_ICMP] = &ip_conntrack_protocol_icmp; + rcu_assign_pointer(ip_ct_protos[IPPROTO_TCP], &ip_conntrack_protocol_tcp); + rcu_assign_pointer(ip_ct_protos[IPPROTO_UDP], &ip_conntrack_protocol_udp); + rcu_assign_pointer(ip_ct_protos[IPPROTO_ICMP], &ip_conntrack_protocol_icmp); write_unlock_bh(&ip_conntrack_lock); /* For use by ipt_REJECT */ diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 5903588..d0045e4 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c @@ -796,7 +796,7 @@ int ip_conntrack_protocol_register(struc ret = -EBUSY; goto out; } - ip_ct_protos[proto->proto] = proto; + rcu_assign_pointer(ip_ct_protos[proto->proto], proto); out: write_unlock_bh(&ip_conntrack_lock); return ret; @@ -805,11 +805,10 @@ int ip_conntrack_protocol_register(struc void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto) { write_lock_bh(&ip_conntrack_lock); - ip_ct_protos[proto->proto] = &ip_conntrack_generic_protocol; + rcu_assign_pointer(ip_ct_protos[proto->proto], + &ip_conntrack_generic_protocol); write_unlock_bh(&ip_conntrack_lock); - - /* Somebody could be still looking at the proto in bh. */ - synchronize_net(); + synchronize_rcu(); /* Remove all contrack entries for this protocol */ ip_ct_iterate_cleanup(kill_proto, &proto->proto); diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c index 85ae0ca..18daabc 100644 --- a/net/ipv4/netfilter/ip_nat_core.c +++ b/net/ipv4/netfilter/ip_nat_core.c @@ -420,6 +420,7 @@ int ip_nat_icmp_reply_translation(struct struct icmphdr icmp; struct iphdr ip; } *inside; + struct ip_conntrack_protocol *proto; struct ip_conntrack_tuple inner, target; int hdrlen = (*pskb)->nh.iph->ihl * 4; enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); @@ -455,10 +456,11 @@ int ip_nat_icmp_reply_translation(struct DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n", *pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); + /* rcu_read_lock()ed by nf_hook_slow */ + proto = __ip_conntrack_proto_find(inside->ip.protocol); if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 + sizeof(struct icmphdr) + inside->ip.ihl*4, - &inner, - __ip_conntrack_proto_find(inside->ip.protocol))) + &inner, proto)) return 0; /* Change inner back to look like incoming packet. We do the ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 12/22]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (10 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 11/22]: ip_conntrack: properly use RCU API for ip_ct_protos array Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 13/22]: ip_conntrack: fix invalid conntrack statistics RCU assumption Patrick McHardy ` (10 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays Replace preempt_{enable,disable} based RCU by proper use of the RCU API and add missing rcu_read_lock/rcu_read_unlock calls in all paths not obviously only used within packet process context (nfnetlink_conntrack). Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 2f34e7966f36432f6915ab7eee85116439a3944e tree 829a240f1c040ef8a712d7e159adb473934320f7 parent f99ec74e0c460f0969f028c2853d2d31178ba3aa author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:01:11 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:01:11 +0100 include/net/netfilter/nf_conntrack_l3proto.h | 2 + net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 + net/ipv4/netfilter/nf_nat_core.c | 9 ++++--- net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 1 + net/netfilter/nf_conntrack_core.c | 27 +++++++++++++++----- net/netfilter/nf_conntrack_proto.c | 33 ++++++++++-------------- 6 files changed, 44 insertions(+), 30 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index 664ddcf..ba760fe 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h @@ -106,7 +106,7 @@ __nf_ct_l3proto_find(u_int16_t l3proto) { if (unlikely(l3proto >= AF_MAX)) return &nf_conntrack_l3proto_generic; - return nf_ct_l3protos[l3proto]; + return rcu_dereference(nf_ct_l3protos[l3proto]); } #endif /*_NF_CONNTRACK_L3PROTO_H*/ diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 677b6c8..e5aa4d8 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c @@ -170,7 +170,9 @@ icmp_error_message(struct sk_buff *skb, return -NF_ACCEPT; } + /* rcu_read_lock()ed by nf_hook_slow */ innerproto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol); + dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp); /* Are they talking about one of our connections? */ if (!nf_ct_get_tuple(skb, dataoff, dataoff + inside->ip.ihl*4, PF_INET, diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 6d0061f..5156d5d 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c @@ -429,6 +429,7 @@ int nf_nat_icmp_reply_translation(struct struct icmphdr icmp; struct iphdr ip; } *inside; + struct nf_conntrack_l4proto *l4proto; struct nf_conntrack_tuple inner, target; int hdrlen = (*pskb)->nh.iph->ihl * 4; enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); @@ -464,16 +465,16 @@ int nf_nat_icmp_reply_translation(struct DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n", *pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY"); + /* rcu_read_lock()ed by nf_hook_slow */ + l4proto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol); + if (!nf_ct_get_tuple(*pskb, (*pskb)->nh.iph->ihl*4 + sizeof(struct icmphdr), (*pskb)->nh.iph->ihl*4 + sizeof(struct icmphdr) + inside->ip.ihl*4, (u_int16_t)AF_INET, inside->ip.protocol, - &inner, - l3proto, - __nf_ct_l4proto_find((u_int16_t)PF_INET, - inside->ip.protocol))) + &inner, l3proto, l4proto)) return 0; /* Change inner back to look like incoming packet. We do the diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index b08622c..19bdb7c 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c @@ -182,6 +182,7 @@ icmpv6_error_message(struct sk_buff *skb return -NF_ACCEPT; } + /* rcu_read_lock()ed by nf_hook_slow */ inproto = __nf_ct_l4proto_find(PF_INET6, inprotonum); /* Are they talking about one of our connections? */ diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 59bcab1..3deeb90 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -332,13 +332,16 @@ destroy_conntrack(struct nf_conntrack *n /* To make sure we don't get any weird locking issues here: * destroy_conntrack() MUST NOT be called with a write lock * to nf_conntrack_lock!!! -HW */ + rcu_read_lock(); l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num); if (l3proto && l3proto->destroy) l3proto->destroy(ct); - l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); + l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num, + ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); if (l4proto && l4proto->destroy) l4proto->destroy(ct); + rcu_read_unlock(); if (nf_conntrack_destroyed) nf_conntrack_destroyed(ct); @@ -647,9 +650,14 @@ struct nf_conn *nf_conntrack_alloc(const const struct nf_conntrack_tuple *repl) { struct nf_conntrack_l3proto *l3proto; + struct nf_conn *ct; + rcu_read_lock(); l3proto = __nf_ct_l3proto_find(orig->src.l3num); - return __nf_conntrack_alloc(orig, repl, l3proto, 0); + ct = __nf_conntrack_alloc(orig, repl, l3proto, 0); + rcu_read_unlock(); + + return ct; } EXPORT_SYMBOL_GPL(nf_conntrack_alloc); @@ -817,7 +825,9 @@ nf_conntrack_in(int pf, unsigned int hoo return NF_ACCEPT; } + /* rcu_read_lock()ed by nf_hook_slow */ l3proto = __nf_ct_l3proto_find((u_int16_t)pf); + if ((ret = l3proto->prepare(pskb, hooknum, &dataoff, &protonum)) <= 0) { DEBUGP("not prepared to track yet or error occured\n"); return -ret; @@ -872,10 +882,15 @@ EXPORT_SYMBOL_GPL(nf_conntrack_in); int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, const struct nf_conntrack_tuple *orig) { - return nf_ct_invert_tuple(inverse, orig, - __nf_ct_l3proto_find(orig->src.l3num), - __nf_ct_l4proto_find(orig->src.l3num, - orig->dst.protonum)); + int ret; + + rcu_read_lock(); + ret = nf_ct_invert_tuple(inverse, orig, + __nf_ct_l3proto_find(orig->src.l3num), + __nf_ct_l4proto_find(orig->src.l3num, + orig->dst.protonum)); + rcu_read_unlock(); + return ret; } EXPORT_SYMBOL_GPL(nf_ct_invert_tuplepr); diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 1a61b72..4dab3fa 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -66,7 +66,7 @@ __nf_ct_l4proto_find(u_int16_t l3proto, if (unlikely(l3proto >= AF_MAX || nf_ct_protos[l3proto] == NULL)) return &nf_conntrack_l4proto_generic; - return nf_ct_protos[l3proto][l4proto]; + return rcu_dereference(nf_ct_protos[l3proto][l4proto]); } EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find); @@ -77,11 +77,11 @@ nf_ct_l4proto_find_get(u_int16_t l3proto { struct nf_conntrack_l4proto *p; - preempt_disable(); + rcu_read_lock(); p = __nf_ct_l4proto_find(l3proto, l4proto); if (!try_module_get(p->me)) p = &nf_conntrack_l4proto_generic; - preempt_enable(); + rcu_read_unlock(); return p; } @@ -98,11 +98,11 @@ nf_ct_l3proto_find_get(u_int16_t l3proto { struct nf_conntrack_l3proto *p; - preempt_disable(); + rcu_read_lock(); p = __nf_ct_l3proto_find(l3proto); if (!try_module_get(p->me)) p = &nf_conntrack_l3proto_generic; - preempt_enable(); + rcu_read_unlock(); return p; } @@ -137,10 +137,8 @@ void nf_ct_l3proto_module_put(unsigned s { struct nf_conntrack_l3proto *p; - preempt_disable(); + /* rcu_read_lock not necessary since the caller holds a reference */ p = __nf_ct_l3proto_find(l3proto); - preempt_enable(); - module_put(p->me); } EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); @@ -202,7 +200,7 @@ int nf_conntrack_l3proto_register(struct ret = -EBUSY; goto out_unlock; } - nf_ct_l3protos[proto->l3proto] = proto; + rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto); write_unlock_bh(&nf_conntrack_lock); ret = nf_ct_l3proto_register_sysctl(proto); @@ -233,14 +231,13 @@ int nf_conntrack_l3proto_unregister(stru goto out; } - nf_ct_l3protos[proto->l3proto] = &nf_conntrack_l3proto_generic; + rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], + &nf_conntrack_l3proto_generic); write_unlock_bh(&nf_conntrack_lock); + synchronize_rcu(); nf_ct_l3proto_unregister_sysctl(proto); - /* Somebody could be still looking at the proto in bh. */ - synchronize_net(); - /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(kill_l3proto, proto); @@ -356,7 +353,7 @@ retry: goto retry; } - nf_ct_protos[l4proto->l3proto][l4proto->l4proto] = l4proto; + rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto], l4proto); write_unlock_bh(&nf_conntrack_lock); ret = nf_ct_l4proto_register_sysctl(l4proto); @@ -392,15 +389,13 @@ int nf_conntrack_l4proto_unregister(stru ret = -EBUSY; goto out; } - nf_ct_protos[l4proto->l3proto][l4proto->l4proto] - = &nf_conntrack_l4proto_generic; + rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto], + &nf_conntrack_l4proto_generic); write_unlock_bh(&nf_conntrack_lock); + synchronize_rcu(); nf_ct_l4proto_unregister_sysctl(l4proto); - /* Somebody could be still looking at the proto in bh. */ - synchronize_net(); - /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(kill_l4proto, l4proto); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 13/22]: ip_conntrack: fix invalid conntrack statistics RCU assumption 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (11 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 12/22]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 14/22]: nf_conntrack: " Patrick McHardy ` (9 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables preemption as well, making it legal to use __get_cpu_var without disabling preemption manually. The assumption is not correct anymore with preemptable RCU, additionally we need to protect against softirqs when not holding ip_conntrack_lock. Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs, and use where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit ff0856c0c2e24e278b0611df2d66f66d5c0d1fd6 tree d5899481f22f436368fa121ac617a08fc53941f4 parent 2f34e7966f36432f6915ab7eee85116439a3944e author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:03:24 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:03:24 +0100 include/linux/netfilter_ipv4/ip_conntrack.h | 6 ++++++ net/ipv4/netfilter/ip_conntrack_core.c | 14 +++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index 33581c1..da9274e 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h @@ -301,6 +301,12 @@ extern unsigned int ip_conntrack_htable_ extern int ip_conntrack_checksum; #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++) +#define CONNTRACK_STAT_INC_ATOMIC(count) \ +do { \ + local_bh_disable(); \ + __get_cpu_var(ip_conntrack_stat).count++; \ + local_bh_enable(); \ +} while (0) #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS #include <linux/notifier.h> diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index ed87812..d1368db 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c @@ -538,7 +538,7 @@ static int early_drop(struct list_head * if (del_timer(&ct->timeout)) { death_by_timeout((unsigned long)ct); dropped = 1; - CONNTRACK_STAT_INC(early_drop); + CONNTRACK_STAT_INC_ATOMIC(early_drop); } ip_conntrack_put(ct); return dropped; @@ -805,7 +805,7 @@ unsigned int ip_conntrack_in(unsigned in /* Previously seen (loopback or untracked)? Ignore. */ if ((*pskb)->nfct) { - CONNTRACK_STAT_INC(ignore); + CONNTRACK_STAT_INC_ATOMIC(ignore); return NF_ACCEPT; } @@ -841,20 +841,20 @@ #endif * core what to do with the packet. */ if (proto->error != NULL && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) { - CONNTRACK_STAT_INC(error); - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(error); + CONNTRACK_STAT_INC_ATOMIC(invalid); return -ret; } if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) { /* Not valid part of a connection */ - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(invalid); return NF_ACCEPT; } if (IS_ERR(ct)) { /* Too stressed to deal. */ - CONNTRACK_STAT_INC(drop); + CONNTRACK_STAT_INC_ATOMIC(drop); return NF_DROP; } @@ -866,7 +866,7 @@ #endif * the netfilter core what to do*/ nf_conntrack_put((*pskb)->nfct); (*pskb)->nfct = NULL; - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(invalid); return -ret; } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 14/22]: nf_conntrack: fix invalid conntrack statistics RCU assumption 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (12 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 13/22]: ip_conntrack: fix invalid conntrack statistics RCU assumption Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 15/22]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback Patrick McHardy ` (8 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption NF_CT_STAT_INC assumes rcu_read_lock in nf_hook_slow disables preemption as well, making it legal to use __get_cpu_var without disabling preemption manually. The assumption is not correct anymore with preemptable RCU, additionally we need to protect against softirqs when not holding nf_conntrack_lock. Add NF_CT_STAT_INC_ATOMIC macro, which disables local softirqs, and use where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit bab7afccc8d458cc09b3a5bb4224358cbd4f188a tree 537777d83e0b45a4fa17aa148113c9b275823806 parent ff0856c0c2e24e278b0611df2d66f66d5c0d1fd6 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:04:50 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:04:50 +0100 include/net/netfilter/nf_conntrack.h | 6 ++++++ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 4 ++-- net/netfilter/nf_conntrack_core.c | 14 +++++++------- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 68ec274..0e690e3 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -257,6 +257,12 @@ extern int nf_conntrack_max; DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); #define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) +#define NF_CT_STAT_INC_ATOMIC(count) \ +do { \ + local_bh_disable(); \ + __get_cpu_var(nf_conntrack_stat).count++; \ + local_bh_enable(); \ +} while (0) /* no helper, no nat */ #define NF_CT_F_BASIC 0 diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index a2353ed..4b7be4b 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c @@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsi */ if ((protoff < 0) || (protoff > (*pskb)->len)) { DEBUGP("ip6_conntrack_core: can't find proto in pkt\n"); - NF_CT_STAT_INC(error); - NF_CT_STAT_INC(invalid); + NF_CT_STAT_INC_ATOMIC(error); + NF_CT_STAT_INC_ATOMIC(invalid); return -NF_ACCEPT; } diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 3deeb90..d59640e 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -563,7 +563,7 @@ static int early_drop(struct list_head * if (del_timer(&ct->timeout)) { death_by_timeout((unsigned long)ct); dropped = 1; - NF_CT_STAT_INC(early_drop); + NF_CT_STAT_INC_ATOMIC(early_drop); } nf_ct_put(ct); return dropped; @@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hoo /* Previously seen (loopback or untracked)? Ignore. */ if ((*pskb)->nfct) { - NF_CT_STAT_INC(ignore); + NF_CT_STAT_INC_ATOMIC(ignore); return NF_ACCEPT; } @@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hoo * core what to do with the packet. */ if (l4proto->error != NULL && (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) { - NF_CT_STAT_INC(error); - NF_CT_STAT_INC(invalid); + NF_CT_STAT_INC_ATOMIC(error); + NF_CT_STAT_INC_ATOMIC(invalid); return -ret; } @@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hoo &set_reply, &ctinfo); if (!ct) { /* Not valid part of a connection */ - NF_CT_STAT_INC(invalid); + NF_CT_STAT_INC_ATOMIC(invalid); return NF_ACCEPT; } if (IS_ERR(ct)) { /* Too stressed to deal. */ - NF_CT_STAT_INC(drop); + NF_CT_STAT_INC_ATOMIC(drop); return NF_DROP; } @@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hoo DEBUGP("nf_conntrack_in: Can't track with proto module\n"); nf_conntrack_put((*pskb)->nfct); (*pskb)->nfct = NULL; - NF_CT_STAT_INC(invalid); + NF_CT_STAT_INC_ATOMIC(invalid); return -ret; } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 15/22]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (13 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 14/22]: nf_conntrack: " Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 16/22]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback Patrick McHardy ` (7 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 26462f9a42bcf2230a68d84dec3a048bc5a9a1af tree 89f615281c88a2f541583337f1fb700a7a3c1874 parent bab7afccc8d458cc09b3a5bb4224358cbd4f188a author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:06:55 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:06:55 +0100 net/ipv4/netfilter/ip_conntrack_core.c | 9 ++++++--- net/ipv4/netfilter/ip_nat_core.c | 7 ++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index d1368db..5e9caaf 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c @@ -303,6 +303,7 @@ destroy_conntrack(struct nf_conntrack *n struct ip_conntrack *ct = (struct ip_conntrack *)nfct; struct ip_conntrack_protocol *proto; struct ip_conntrack_helper *helper; + typeof(ip_conntrack_destroyed) destroyed; DEBUGP("destroy_conntrack(%p)\n", ct); IP_NF_ASSERT(atomic_read(&nfct->use) == 0); @@ -322,10 +323,12 @@ destroy_conntrack(struct nf_conntrack *n proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); if (proto && proto->destroy) proto->destroy(ct); - rcu_read_unlock(); - if (ip_conntrack_destroyed) - ip_conntrack_destroyed(ct); + destroyed = rcu_dereference(ip_conntrack_destroyed); + if (destroyed) + destroyed(ct); + + rcu_read_unlock(); write_lock_bh(&ip_conntrack_lock); /* Expectations will have been removed in clean_from_lists, diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c index 18daabc..40737fd 100644 --- a/net/ipv4/netfilter/ip_nat_core.c +++ b/net/ipv4/netfilter/ip_nat_core.c @@ -604,8 +604,8 @@ static int __init ip_nat_init(void) } /* FIXME: Man, this is a hack. <SIGH> */ - IP_NF_ASSERT(ip_conntrack_destroyed == NULL); - ip_conntrack_destroyed = &ip_nat_cleanup_conntrack; + IP_NF_ASSERT(rcu_dereference(ip_conntrack_destroyed) == NULL); + rcu_assign_pointer(ip_conntrack_destroyed, ip_nat_cleanup_conntrack); /* Initialize fake conntrack so that NAT will skip it */ ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK; @@ -623,7 +623,8 @@ static int clean_nat(struct ip_conntrack static void __exit ip_nat_cleanup(void) { ip_ct_iterate_cleanup(&clean_nat, NULL); - ip_conntrack_destroyed = NULL; + rcu_assign_pointer(ip_conntrack_destroyed, NULL); + synchronize_rcu(); vfree(bysource); } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 16/22]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (14 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 15/22]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 17/22]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void Patrick McHardy ` (6 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 2428570e4fc9d689faeb4a96ba7b34352f0a6e2c tree 7224fd0620ed1a49075a55da0c3b08cd77334313 parent 26462f9a42bcf2230a68d84dec3a048bc5a9a1af author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:18 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:18 +0100 net/ipv4/netfilter/nf_nat_core.c | 7 ++++--- net/netfilter/nf_conntrack_core.c | 9 ++++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 5156d5d..2c01378 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c @@ -617,8 +617,8 @@ static int __init nf_nat_init(void) } /* FIXME: Man, this is a hack. <SIGH> */ - NF_CT_ASSERT(nf_conntrack_destroyed == NULL); - nf_conntrack_destroyed = &nf_nat_cleanup_conntrack; + NF_CT_ASSERT(rcu_dereference(nf_conntrack_destroyed) == NULL); + rcu_assign_pointer(nf_conntrack_destroyed, nf_nat_cleanup_conntrack); /* Initialize fake conntrack so that NAT will skip it */ nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK; @@ -642,7 +642,8 @@ static int clean_nat(struct nf_conn *i, static void __exit nf_nat_cleanup(void) { nf_ct_iterate_cleanup(&clean_nat, NULL); - nf_conntrack_destroyed = NULL; + rcu_assign_pointer(nf_conntrack_destroyed, NULL); + synchronize_rcu(); vfree(bysource); nf_ct_l3proto_put(l3proto); } diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index d59640e..0cc1505 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -318,6 +318,7 @@ destroy_conntrack(struct nf_conntrack *n struct nf_conn_help *help = nfct_help(ct); struct nf_conntrack_l3proto *l3proto; struct nf_conntrack_l4proto *l4proto; + typeof(nf_conntrack_destroyed) destroyed; DEBUGP("destroy_conntrack(%p)\n", ct); NF_CT_ASSERT(atomic_read(&nfct->use) == 0); @@ -341,10 +342,12 @@ destroy_conntrack(struct nf_conntrack *n ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); if (l4proto && l4proto->destroy) l4proto->destroy(ct); - rcu_read_unlock(); - if (nf_conntrack_destroyed) - nf_conntrack_destroyed(ct); + destroyed = rcu_dereference(nf_conntrack_destroyed); + if (destroyed) + destroyed(ct); + + rcu_read_unlock(); write_lock_bh(&nf_conntrack_lock); /* Expectations will have been removed in clean_from_lists, ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 17/22]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (15 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 16/22]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 18/22]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration Patrick McHardy ` (5 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void No caller checks the return value, and since its usually called within the module unload path there's nothing a module could do about errors anyway, so BUG on invalid conditions and return void. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 4b4109fff045b66b7bc0a696fc020f0cc22bad0e tree 88928fbaa762aca7dfce1d0b4138fc9372487e4e parent 2428570e4fc9d689faeb4a96ba7b34352f0a6e2c author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:30 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:30 +0100 include/net/netfilter/nf_conntrack_l3proto.h | 2 + include/net/netfilter/nf_conntrack_l4proto.h | 2 + net/netfilter/nf_conntrack_proto.c | 40 +++++--------------------- 3 files changed, 9 insertions(+), 35 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index ba760fe..eb575cb 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h @@ -89,7 +89,7 @@ extern struct nf_conntrack_l3proto *nf_c /* Protocol registration. */ extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto); -extern int nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); +extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto); extern struct nf_conntrack_l3proto * nf_ct_l3proto_find_get(u_int16_t l3proto); diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index fc8af08..8415182 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h @@ -109,7 +109,7 @@ extern void nf_ct_l4proto_put(struct nf_ /* Protocol registration. */ extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto); -extern int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto); +extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto); /* Generic netlink helpers */ extern int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb, diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 4dab3fa..456155f 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -215,22 +215,12 @@ out: } EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register); -int nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto) +void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto) { - int ret = 0; - - if (proto->l3proto >= AF_MAX) { - ret = -EBUSY; - goto out; - } + BUG_ON(proto->l3proto >= AF_MAX); write_lock_bh(&nf_conntrack_lock); - if (nf_ct_l3protos[proto->l3proto] != proto) { - write_unlock_bh(&nf_conntrack_lock); - ret = -EBUSY; - goto out; - } - + BUG_ON(nf_ct_l3protos[proto->l3proto] != proto); rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], &nf_conntrack_l3proto_generic); write_unlock_bh(&nf_conntrack_lock); @@ -240,9 +230,6 @@ int nf_conntrack_l3proto_unregister(stru /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(kill_l3proto, proto); - -out: - return ret; } EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister); @@ -368,27 +355,17 @@ out: } EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register); -int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto) +void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto) { - int ret = 0; - - if (l4proto->l3proto >= PF_MAX) { - ret = -EBUSY; - goto out; - } + BUG_ON(l4proto->l3proto >= PF_MAX); if (l4proto == &nf_conntrack_l4proto_generic) { nf_ct_l4proto_unregister_sysctl(l4proto); - goto out; + return; } write_lock_bh(&nf_conntrack_lock); - if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] - != l4proto) { - write_unlock_bh(&nf_conntrack_lock); - ret = -EBUSY; - goto out; - } + BUG_ON(nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != l4proto); rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto], &nf_conntrack_l4proto_generic); write_unlock_bh(&nf_conntrack_lock); @@ -398,8 +375,5 @@ int nf_conntrack_l4proto_unregister(stru /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(kill_l4proto, l4proto); - -out: - return ret; } EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister); ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 18/22]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (16 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 17/22]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 19/22]: Kconfig: improve dependency handling Patrick McHardy ` (4 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration Use NF_IP6_ instead of NF_IP_. The values are identical, this is merely cleanup. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 0a03715d7befc80612212ee80723dcce8b75f3c1 tree 1ddf22e671682d94ad017f0a9f7f4a74566c60bd parent 4b4109fff045b66b7bc0a696fc020f0cc22bad0e author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:51 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:51 +0100 net/netfilter/xt_CLASSIFY.c | 8 +++++--- net/netfilter/xt_mac.c | 7 ++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c index 195e929..4007bbe 100644 --- a/net/netfilter/xt_CLASSIFY.c +++ b/net/netfilter/xt_CLASSIFY.c @@ -15,6 +15,8 @@ #include <linux/skbuff.h> #include <linux/ip.h> #include <net/checksum.h> +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv6.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_CLASSIFY.h> @@ -55,9 +57,9 @@ static struct xt_target xt_classify_targ .target = target, .targetsize = sizeof(struct xt_classify_target_info), .table = "mangle", - .hooks = (1 << NF_IP_LOCAL_OUT) | - (1 << NF_IP_FORWARD) | - (1 << NF_IP_POST_ROUTING), + .hooks = (1 << NF_IP6_LOCAL_OUT) | + (1 << NF_IP6_FORWARD) | + (1 << NF_IP6_POST_ROUTING), .me = THIS_MODULE, }, }; diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c index 425fc21..d430d90 100644 --- a/net/netfilter/xt_mac.c +++ b/net/netfilter/xt_mac.c @@ -14,6 +14,7 @@ #include <linux/if_ether.h> #include <linux/etherdevice.h> #include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv6.h> #include <linux/netfilter/xt_mac.h> #include <linux/netfilter/x_tables.h> @@ -59,9 +60,9 @@ static struct xt_match xt_mac_match[] = .family = AF_INET6, .match = match, .matchsize = sizeof(struct xt_mac_info), - .hooks = (1 << NF_IP_PRE_ROUTING) | - (1 << NF_IP_LOCAL_IN) | - (1 << NF_IP_FORWARD), + .hooks = (1 << NF_IP6_PRE_ROUTING) | + (1 << NF_IP6_LOCAL_IN) | + (1 << NF_IP6_FORWARD), .me = THIS_MODULE, }, }; ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 19/22]: Kconfig: improve dependency handling 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (17 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 18/22]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 20/22]: Fix whitespace errors Patrick McHardy ` (3 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Kconfig: improve dependency handling Instead of depending on internally needed options and letting users figure out what is needed, select them when needed: - IP_NF_IPTABLES, IP_NF_ARPTABLES and IP6_NF_IPTABLES select NETFILTER_XTABLES - NETFILTER_XT_TARGET_CONNMARK, NETFILTER_XT_MATCH_CONNMARK and IP_NF_TARGET_CLUSTERIP select NF_CONNTRACK_MARK - NETFILTER_XT_MATCH_CONNBYTES selects NF_CT_ACCT Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit a3987b41ed8c0275393942316c502e4cffbc0126 tree e5f23f16e4bdd9b454356a75269f8a3fb161082a parent 0a03715d7befc80612212ee80723dcce8b75f3c1 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:00 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:00 +0100 net/ipv4/netfilter/Kconfig | 8 +++++--- net/ipv6/netfilter/Kconfig | 3 ++- net/netfilter/Kconfig | 12 +++++++++--- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index 9b08e7a..601808c 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -226,7 +226,7 @@ config IP_NF_QUEUE config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" - depends on NETFILTER_XTABLES + select NETFILTER_XTABLES help iptables is a general, extensible packet identification framework. The packet filtering and full NAT (masquerading, port forwarding, @@ -606,7 +606,9 @@ config IP_NF_TARGET_TTL config IP_NF_TARGET_CLUSTERIP tristate "CLUSTERIP target support (EXPERIMENTAL)" depends on IP_NF_MANGLE && EXPERIMENTAL - depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4) + depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4 + select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK + select NF_CONNTRACK_MARK if NF_CONNTRACK_IPV4 help The CLUSTERIP target allows you to build load-balancing clusters of network servers without having a dedicated load-balancing @@ -629,7 +631,7 @@ config IP_NF_RAW # ARP tables config IP_NF_ARPTABLES tristate "ARP tables support" - depends on NETFILTER_XTABLES + select NETFILTER_XTABLES help arptables is a general, extensible packet identification framework. The ARP packet filtering and mangling (manipulation)subsystems diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index cd549ae..da07e9a 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -42,7 +42,8 @@ config IP6_NF_QUEUE config IP6_NF_IPTABLES tristate "IP6 tables support (required for filtering)" - depends on INET && IPV6 && EXPERIMENTAL && NETFILTER_XTABLES + depends on INET && IPV6 && EXPERIMENTAL + select NETFILTER_XTABLES help ip6tables is a general, extensible packet identification framework. Currently only the packet filtering and packet mangling subsystem diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 748f7f0..253fce3 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -302,7 +302,9 @@ config NETFILTER_XT_TARGET_CONNMARK tristate '"CONNMARK" target support' depends on NETFILTER_XTABLES depends on IP_NF_MANGLE || IP6_NF_MANGLE - depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) + depends on IP_NF_CONNTRACK || NF_CONNTRACK + select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK + select NF_CONNTRACK_MARK if NF_CONNTRACK help This option adds a `CONNMARK' target, which allows one to manipulate the connection mark value. Similar to the MARK target, but @@ -434,7 +436,9 @@ config NETFILTER_XT_MATCH_COMMENT config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' depends on NETFILTER_XTABLES - depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK) + depends on IP_NF_CONNTRACK || NF_CONNTRACK + select IP_NF_CT_ACCT if IP_NF_CONNTRACK + select NF_CT_ACCT if NF_CONNTRACK help This option adds a `connbytes' match, which allows you to match the number of bytes and/or packets for each direction within a connection. @@ -445,7 +449,9 @@ config NETFILTER_XT_MATCH_CONNBYTES config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' depends on NETFILTER_XTABLES - depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) + depends on IP_NF_CONNTRACK || NF_CONNTRACK + select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK + select NF_CONNTRACK_MARK if NF_CONNTRACK help This option adds a `connmark' match, which allows you to match the connection mark value previously set for the session by `CONNMARK'. ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 20/22]: Fix whitespace errors 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (18 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 19/22]: Kconfig: improve dependency handling Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets Patrick McHardy ` (2 subsequent siblings) 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: Fix whitespace errors Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 353c941b0735b883510bfd7bb98fcd4fc8a0ee08 tree 14c9e7a24feed39641b2f97b6e2b247bd229062c parent a3987b41ed8c0275393942316c502e4cffbc0126 author YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Mon, 12 Feb 2007 11:08:07 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:07 +0100 net/netfilter/core.c | 6 - net/netfilter/nf_conntrack_core.c | 18 +- net/netfilter/nf_conntrack_expect.c | 2 net/netfilter/nf_conntrack_ftp.c | 14 +- net/netfilter/nf_conntrack_h323_main.c | 20 +-- net/netfilter/nf_conntrack_irc.c | 2 net/netfilter/nf_conntrack_l3proto_generic.c | 2 net/netfilter/nf_conntrack_netbios_ns.c | 2 net/netfilter/nf_conntrack_netlink.c | 106 +++++++------- net/netfilter/nf_conntrack_pptp.c | 2 net/netfilter/nf_conntrack_proto_sctp.c | 72 +++++---- net/netfilter/nf_conntrack_proto_tcp.c | 204 +++++++++++++------------- net/netfilter/nf_conntrack_sip.c | 6 - net/netfilter/nf_conntrack_standalone.c | 2 net/netfilter/nf_conntrack_tftp.c | 2 net/netfilter/nf_internals.h | 2 net/netfilter/nf_log.c | 6 - net/netfilter/nf_queue.c | 22 +-- net/netfilter/nf_sockopt.c | 12 +- net/netfilter/nfnetlink.c | 10 + net/netfilter/nfnetlink_log.c | 52 +++---- net/netfilter/nfnetlink_queue.c | 84 +++++------ net/netfilter/x_tables.c | 12 +- net/netfilter/xt_CLASSIFY.c | 4 - net/netfilter/xt_MARK.c | 4 - net/netfilter/xt_NFQUEUE.c | 4 - net/netfilter/xt_NOTRACK.c | 4 - net/netfilter/xt_SECMARK.c | 2 net/netfilter/xt_conntrack.c | 32 ++-- net/netfilter/xt_dccp.c | 20 +-- net/netfilter/xt_hashlimit.c | 8 + net/netfilter/xt_helper.c | 18 +- net/netfilter/xt_length.c | 4 - net/netfilter/xt_limit.c | 2 net/netfilter/xt_mark.c | 6 - net/netfilter/xt_multiport.c | 2 net/netfilter/xt_physdev.c | 2 net/netfilter/xt_policy.c | 24 ++- net/netfilter/xt_quota.c | 4 - net/netfilter/xt_realm.c | 2 net/netfilter/xt_sctp.c | 30 ++-- net/netfilter/xt_string.c | 8 + net/netfilter/xt_tcpmss.c | 4 - 43 files changed, 422 insertions(+), 422 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index f61e0c2..c3ebdbd 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -1,4 +1,4 @@ -/* netfilter.c: look after the filters for various protocols. +/* netfilter.c: look after the filters for various protocols. * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. * * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any @@ -141,14 +141,14 @@ unsigned int nf_iterate(struct list_head continue; /* Optimization: we don't need to hold module - reference here, since function can't sleep. --RR */ + reference here, since function can't sleep. --RR */ verdict = elem->hook(hook, skb, indev, outdev, okfn); if (verdict != NF_ACCEPT) { #ifdef CONFIG_NETFILTER_DEBUG if (unlikely((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT)) { NFDEBUG("Evil return from %p(%u).\n", - elem->hook, hook); + elem->hook, hook); continue; } #endif diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 0cc1505..32891eb 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -424,7 +424,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_find_get) static void __nf_conntrack_hash_insert(struct nf_conn *ct, unsigned int hash, - unsigned int repl_hash) + unsigned int repl_hash) { ct->id = ++nf_conntrack_next_id; list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list, @@ -1066,7 +1066,7 @@ get_next_corpse(int (*iter)(struct nf_co if (iter(ct, data)) goto found; } - } + } list_for_each_entry(h, &unconfirmed, list) { ct = nf_ct_tuplehash_to_ctrack(h); if (iter(ct, data)) @@ -1107,7 +1107,7 @@ static void free_conntrack_hash(struct l if (vmalloced) vfree(hash); else - free_pages((unsigned long)hash, + free_pages((unsigned long)hash, get_order(sizeof(struct list_head) * size)); } @@ -1168,18 +1168,18 @@ static struct list_head *alloc_hashtable struct list_head *hash; unsigned int i; - *vmalloced = 0; - hash = (void*)__get_free_pages(GFP_KERNEL, + *vmalloced = 0; + hash = (void*)__get_free_pages(GFP_KERNEL, get_order(sizeof(struct list_head) * size)); - if (!hash) { + if (!hash) { *vmalloced = 1; printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n"); hash = vmalloc(sizeof(struct list_head) * size); } if (hash) - for (i = 0; i < size; i++) + for (i = 0; i < size; i++) INIT_LIST_HEAD(&hash[i]); return hash; @@ -1286,9 +1286,9 @@ int __init nf_conntrack_init(void) /* Don't NEED lock here, but good form anyway. */ write_lock_bh(&nf_conntrack_lock); - for (i = 0; i < AF_MAX; i++) + for (i = 0; i < AF_MAX; i++) nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic; - write_unlock_bh(&nf_conntrack_lock); + write_unlock_bh(&nf_conntrack_lock); /* For use by REJECT target */ rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach); diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 9cbf926..3139f45 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -130,7 +130,7 @@ void nf_ct_remove_expectations(struct nf if (i->master == ct && del_timer(&i->timeout)) { nf_ct_unlink_expect(i); nf_conntrack_expect_put(i); - } + } } } EXPORT_SYMBOL_GPL(nf_ct_remove_expectations); diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index 92a9471..3089dfc 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c @@ -126,7 +126,7 @@ get_ipv6_addr(const char *src, size_t dl } static int try_number(const char *data, size_t dlen, u_int32_t array[], - int array_size, char sep, char term) + int array_size, char sep, char term) { u_int32_t i, len; @@ -413,8 +413,8 @@ static int help(struct sk_buff **pskb, goto out_update_nl; } - /* Initialize IP/IPv6 addr to expected address (it's not mentioned - in EPSV responses) */ + /* Initialize IP/IPv6 addr to expected address (it's not mentioned + in EPSV responses) */ cmd.l3num = ct->tuplehash[dir].tuple.src.l3num; memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, sizeof(cmd.u3.all)); @@ -466,11 +466,11 @@ static int help(struct sk_buff **pskb, memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, sizeof(cmd.u3.all))) { /* Enrico Scholz's passive FTP to partially RNAT'd ftp - server: it really wants us to connect to a - different IP address. Simply don't record it for - NAT. */ + server: it really wants us to connect to a + different IP address. Simply don't record it for + NAT. */ if (cmd.l3num == PF_INET) { - DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n", + DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n", NIPQUAD(cmd.u3.ip), NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip)); } else { diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 6d85689..b284db7 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c @@ -49,7 +49,7 @@ MODULE_PARM_DESC(gkrouted_only, "only ac static int callforward_filter __read_mostly = 1; module_param(callforward_filter, bool, 0600); MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations " - "if both endpoints are on different sides " + "if both endpoints are on different sides " "(determined by routing information)"); /* Hooks for NAT */ @@ -300,7 +300,7 @@ static int expect_rtp_rtcp(struct sk_buf IPPROTO_UDP, NULL, &rtcp_port); if (memcmp(&ct->tuplehash[dir].tuple.src.u3, - &ct->tuplehash[!dir].tuple.dst.u3, + &ct->tuplehash[!dir].tuple.dst.u3, sizeof(ct->tuplehash[dir].tuple.src.u3)) && (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) && ct->status & IPS_NAT_MASK) { @@ -743,7 +743,7 @@ #if defined(CONFIG_IPV6) || defined(CONF rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2); if (rt2) { if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway, - sizeof(rt1->rt6i_gateway)) && + sizeof(rt1->rt6i_gateway)) && rt1->u.dst.dev == rt2->u.dst.dev) ret = 1; dst_release(&rt2->u.dst); @@ -780,7 +780,7 @@ static int expect_callforwarding(struct * we don't need to track the second call */ if (callforward_filter && callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3, - ct->tuplehash[!dir].tuple.src.l3num)) { + ct->tuplehash[!dir].tuple.src.l3num)) { DEBUGP("nf_ct_q931: Call Forwarding not tracked\n"); return 0; } @@ -840,7 +840,7 @@ static int process_setup(struct sk_buff if ((setup->options & eSetup_UUIE_destCallSignalAddress) && (set_h225_addr) && ct->status && IPS_NAT_MASK && get_h225_addr(ct, *data, &setup->destCallSignalAddress, - &addr, &port) && + &addr, &port) && memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) { DEBUGP("nf_ct_q931: set destCallSignalAddress " NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", @@ -858,7 +858,7 @@ static int process_setup(struct sk_buff if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) && (set_h225_addr) && ct->status & IPS_NAT_MASK && get_h225_addr(ct, *data, &setup->sourceCallSignalAddress, - &addr, &port) && + &addr, &port) && memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) { DEBUGP("nf_ct_q931: set sourceCallSignalAddress " NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", @@ -1282,7 +1282,7 @@ static int expect_q931(struct sk_buff ** for (i = 0; i < count; i++) { if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) && memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, - sizeof(addr)) == 0 && port != 0) + sizeof(addr)) == 0 && port != 0) break; } @@ -1294,7 +1294,7 @@ static int expect_q931(struct sk_buff ** return -1; nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num, gkrouted_only ? /* only accept calls from GK? */ - &ct->tuplehash[!dir].tuple.src.u3 : + &ct->tuplehash[!dir].tuple.src.u3 : NULL, &ct->tuplehash[!dir].tuple.dst.u3, IPPROTO_TCP, NULL, &port); @@ -1513,7 +1513,7 @@ static int process_arq(struct sk_buff ** set_h225_addr = rcu_dereference(set_h225_addr_hook); if ((arq->options & eAdmissionRequest_destCallSignalAddress) && get_h225_addr(ct, *data, &arq->destCallSignalAddress, - &addr, &port) && + &addr, &port) && !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && port == info->sig_port[dir] && set_h225_addr && ct->status & IPS_NAT_MASK) { @@ -1526,7 +1526,7 @@ static int process_arq(struct sk_buff ** if ((arq->options & eAdmissionRequest_srcCallSignalAddress) && get_h225_addr(ct, *data, &arq->srcCallSignalAddress, - &addr, &port) && + &addr, &port) && !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && set_h225_addr && ct->status & IPS_NAT_MASK) { /* Calling ARQ */ diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index ed01db6..43ccd0e 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -57,7 +57,7 @@ #define MINMATCHLEN 5 #if 0 #define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \ - __FILE__, __FUNCTION__ , ## args) + __FILE__, __FUNCTION__ , ## args) #else #define DEBUGP(format, args...) #endif diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c index a3d31c3..cbd96f3 100644 --- a/net/netfilter/nf_conntrack_l3proto_generic.c +++ b/net/netfilter/nf_conntrack_l3proto_generic.c @@ -77,7 +77,7 @@ generic_prepare(struct sk_buff **pskb, u static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple) - + { return NF_CT_F_BASIC; } diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c index 2a48efd..bb26a65 100644 --- a/net/netfilter/nf_conntrack_netbios_ns.c +++ b/net/netfilter/nf_conntrack_netbios_ns.c @@ -43,7 +43,7 @@ module_param(timeout, uint, 0400); MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); static int help(struct sk_buff **pskb, unsigned int protoff, - struct nf_conn *ct, enum ip_conntrack_info ctinfo) + struct nf_conn *ct, enum ip_conntrack_info ctinfo) { struct nf_conntrack_expect *exp; struct iphdr *iph = (*pskb)->nh.iph; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index c64f029..48f0531 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -6,10 +6,10 @@ * (C) 2003 by Patrick Mchardy <kaber@trash.net> * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net> * - * I've reworked this stuff to use attributes instead of conntrack + * I've reworked this stuff to use attributes instead of conntrack * structures. 5.44 am. I need more tea. --pablo 05/07/11. * - * Initial connection tracking via netlink development funded and + * Initial connection tracking via netlink development funded and * generally made possible by Network Robots, Inc. (www.networkrobots.com) * * Further development of this code funded by Astaro AG (http://www.astaro.com) @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL"); static char __initdata version[] = "0.93"; static inline int -ctnetlink_dump_tuples_proto(struct sk_buff *skb, +ctnetlink_dump_tuples_proto(struct sk_buff *skb, const struct nf_conntrack_tuple *tuple, struct nf_conntrack_l4proto *l4proto) { @@ -64,7 +64,7 @@ ctnetlink_dump_tuples_proto(struct sk_bu if (likely(l4proto->tuple_to_nfattr)) ret = l4proto->tuple_to_nfattr(skb, tuple); - + NFA_NEST_END(skb, nest_parms); return ret; @@ -135,7 +135,7 @@ ctnetlink_dump_timeout(struct sk_buff *s timeout = 0; else timeout = htonl(timeout_l / HZ); - + NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout); return 0; @@ -154,7 +154,7 @@ ctnetlink_dump_protoinfo(struct sk_buff nf_ct_l4proto_put(l4proto); return 0; } - + nest_proto = NFA_NEST(skb, CTA_PROTOINFO); ret = l4proto->to_nfattr(skb, nest_proto, ct); @@ -178,7 +178,7 @@ ctnetlink_dump_helpinfo(struct sk_buff * if (!help || !help->helper) return 0; - + nest_helper = NFA_NEST(skb, CTA_HELP); NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name); @@ -250,7 +250,7 @@ static inline int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) { __be32 use = htonl(atomic_read(&ct->ct_general.use)); - + NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use); return 0; @@ -262,7 +262,7 @@ #define tuple(ct, dir) (&(ct)->tuplehash static int ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, - int event, int nowait, + int event, int nowait, const struct nf_conn *ct) { struct nlmsghdr *nlh; @@ -277,7 +277,7 @@ ctnetlink_fill_info(struct sk_buff *skb, nfmsg = NLMSG_DATA(nlh); nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; - nfmsg->nfgen_family = + nfmsg->nfgen_family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; nfmsg->version = NFNETLINK_V0; nfmsg->res_id = 0; @@ -286,7 +286,7 @@ ctnetlink_fill_info(struct sk_buff *skb, if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) goto nfattr_failure; NFA_NEST_END(skb, nest_parms); - + nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) goto nfattr_failure; @@ -314,7 +314,7 @@ nfattr_failure: #ifdef CONFIG_NF_CONNTRACK_EVENTS static int ctnetlink_conntrack_event(struct notifier_block *this, - unsigned long events, void *ptr) + unsigned long events, void *ptr) { struct nlmsghdr *nlh; struct nfgenmsg *nfmsg; @@ -364,7 +364,7 @@ static int ctnetlink_conntrack_event(str if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) goto nfattr_failure; NFA_NEST_END(skb, nest_parms); - + nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) goto nfattr_failure; @@ -383,16 +383,16 @@ static int ctnetlink_conntrack_event(str if (events & IPCT_PROTOINFO && ctnetlink_dump_protoinfo(skb, ct) < 0) - goto nfattr_failure; + goto nfattr_failure; if ((events & IPCT_HELPER || nfct_help(ct)) && ctnetlink_dump_helpinfo(skb, ct) < 0) - goto nfattr_failure; + goto nfattr_failure; #ifdef CONFIG_NF_CONNTRACK_MARK if ((events & IPCT_MARK || ct->mark) && ctnetlink_dump_mark(skb, ct) < 0) - goto nfattr_failure; + goto nfattr_failure; #endif if (events & IPCT_COUNTER_FILLING && @@ -450,7 +450,7 @@ restart: cb->args[1] = 0; } if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, - cb->nlh->nlmsg_seq, + cb->nlh->nlmsg_seq, IPCTNL_MSG_CT_NEW, 1, ct) < 0) { nf_conntrack_get(&ct->ct_general); @@ -500,7 +500,7 @@ static const size_t cta_min_proto[CTA_PR }; static inline int -ctnetlink_parse_tuple_proto(struct nfattr *attr, +ctnetlink_parse_tuple_proto(struct nfattr *attr, struct nf_conntrack_tuple *tuple) { struct nfattr *tb[CTA_PROTO_MAX]; @@ -522,7 +522,7 @@ ctnetlink_parse_tuple_proto(struct nfatt ret = l4proto->nfattr_to_tuple(tb, tuple); nf_ct_l4proto_put(l4proto); - + return ret; } @@ -609,7 +609,7 @@ nfnetlink_parse_nat(struct nfattr *nat, int err; memset(range, 0, sizeof(*range)); - + nfattr_parse_nested(tb, CTA_NAT_MAX, nat); if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat)) @@ -661,7 +661,7 @@ static const size_t cta_min[CTA_MAX] = { }; static int -ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, +ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) { struct nf_conntrack_tuple_hash *h; @@ -692,14 +692,14 @@ ctnetlink_del_conntrack(struct sock *ctn return -ENOENT; ct = nf_ct_tuplehash_to_ctrack(h); - + if (cda[CTA_ID-1]) { u_int32_t id = ntohl(*(__be32 *)NFA_DATA(cda[CTA_ID-1])); if (ct->id != id) { nf_ct_put(ct); return -ENOENT; } - } + } if (del_timer(&ct->timeout)) ct->timeout.function((unsigned long)ct); @@ -709,7 +709,7 @@ ctnetlink_del_conntrack(struct sock *ctn } static int -ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, +ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) { struct nf_conntrack_tuple_hash *h; @@ -765,7 +765,7 @@ #endif return -ENOMEM; } - err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, + err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, IPCTNL_MSG_CT_NEW, 1, ct); nf_ct_put(ct); if (err <= 0) @@ -793,12 +793,12 @@ ctnetlink_change_status(struct nf_conn * if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) /* unchangeable */ return -EINVAL; - + if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) /* SEEN_REPLY bit can only be set */ return -EINVAL; - + if (d & IPS_ASSURED && !(status & IPS_ASSURED)) /* ASSURED bit can only be set */ return -EINVAL; @@ -877,7 +877,7 @@ ctnetlink_change_helper(struct nf_conn * memset(&help->help, 0, sizeof(help->help)); } } - + help->helper = helper; return 0; @@ -887,7 +887,7 @@ static inline int ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[]) { u_int32_t timeout = ntohl(*(__be32 *)NFA_DATA(cda[CTA_TIMEOUT-1])); - + if (!del_timer(&ct->timeout)) return -ETIME; @@ -955,7 +955,7 @@ #endif } static int -ctnetlink_create_conntrack(struct nfattr *cda[], +ctnetlink_create_conntrack(struct nfattr *cda[], struct nf_conntrack_tuple *otuple, struct nf_conntrack_tuple *rtuple) { @@ -965,7 +965,7 @@ ctnetlink_create_conntrack(struct nfattr ct = nf_conntrack_alloc(otuple, rtuple); if (ct == NULL || IS_ERR(ct)) - return -ENOMEM; + return -ENOMEM; if (!cda[CTA_TIMEOUT-1]) goto err; @@ -1003,13 +1003,13 @@ #endif return 0; -err: +err: nf_conntrack_free(ct); return err; } -static int -ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, +static int +ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) { struct nf_conntrack_tuple otuple, rtuple; @@ -1065,9 +1065,9 @@ out_unlock: return err; } -/*********************************************************************** - * EXPECT - ***********************************************************************/ +/*********************************************************************** + * EXPECT + ***********************************************************************/ static inline int ctnetlink_exp_dump_tuple(struct sk_buff *skb, @@ -1075,7 +1075,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff enum ctattr_expect type) { struct nfattr *nest_parms = NFA_NEST(skb, type); - + if (ctnetlink_dump_tuples(skb, tuple) < 0) goto nfattr_failure; @@ -1085,7 +1085,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff nfattr_failure: return -1; -} +} static inline int ctnetlink_exp_dump_mask(struct sk_buff *skb, @@ -1120,7 +1120,7 @@ nfattr_failure: static inline int ctnetlink_exp_dump_expect(struct sk_buff *skb, - const struct nf_conntrack_expect *exp) + const struct nf_conntrack_expect *exp) { struct nf_conn *master = exp->master; __be32 timeout = htonl((exp->timeout.expires - jiffies) / HZ); @@ -1134,20 +1134,20 @@ ctnetlink_exp_dump_expect(struct sk_buff &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, CTA_EXPECT_MASTER) < 0) goto nfattr_failure; - + NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout); NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id); return 0; - + nfattr_failure: return -1; } static int ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq, - int event, - int nowait, + int event, + int nowait, const struct nf_conntrack_expect *exp) { struct nlmsghdr *nlh; @@ -1250,7 +1250,7 @@ ctnetlink_exp_dump_table(struct sk_buff goto out; *id = exp->id; } -out: +out: read_unlock_bh(&nf_conntrack_lock); return skb->len; @@ -1262,7 +1262,7 @@ static const size_t cta_min_exp[CTA_EXPE }; static int -ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, +ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) { struct nf_conntrack_tuple tuple; @@ -1279,7 +1279,7 @@ ctnetlink_get_expect(struct sock *ctnl, u32 rlen; if ((*errp = netlink_dump_start(ctnl, skb, nlh, - ctnetlink_exp_dump_table, + ctnetlink_exp_dump_table, ctnetlink_done)) != 0) return -EINVAL; rlen = NLMSG_ALIGN(nlh->nlmsg_len); @@ -1307,14 +1307,14 @@ ctnetlink_get_expect(struct sock *ctnl, nf_conntrack_expect_put(exp); return -ENOENT; } - } + } err = -ENOMEM; skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); if (!skb2) goto out; - err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, + err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 1, exp); if (err <= 0) @@ -1332,7 +1332,7 @@ out: } static int -ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, +ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) { struct nf_conntrack_expect *exp, *tmp; @@ -1366,7 +1366,7 @@ ctnetlink_del_expect(struct sock *ctnl, /* after list removal, usage count == 1 */ nf_conntrack_unexpect_related(exp); - /* have to put what we 'get' above. + /* have to put what we 'get' above. * after this line usage count == 0 */ nf_conntrack_expect_put(exp); } else if (cda[CTA_EXPECT_HELP_NAME-1]) { @@ -1449,7 +1449,7 @@ ctnetlink_create_expect(struct nfattr *c err = -ENOMEM; goto out; } - + exp->expectfn = NULL; exp->flags = 0; exp->master = ct; @@ -1460,7 +1460,7 @@ ctnetlink_create_expect(struct nfattr *c err = nf_conntrack_expect_related(exp); nf_conntrack_expect_put(exp); -out: +out: nf_ct_put(nf_ct_tuplehash_to_ctrack(h)); return err; } diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index c59df3b..115bcb5 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c @@ -520,7 +520,7 @@ conntrack_pptp_help(struct sk_buff **psk tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph); BUG_ON(!tcph); nexthdr_off += tcph->doff * 4; - datalen = tcplen - tcph->doff * 4; + datalen = tcplen - tcph->doff * 4; pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph); if (!pptph) { diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 76e2636..0133afa 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c @@ -1,9 +1,9 @@ /* * Connection tracking protocol helper module for SCTP. - * - * SCTP is defined in RFC 2960. References to various sections in this code + * + * SCTP is defined in RFC 2960. References to various sections in this code * are to this RFC. - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. @@ -45,7 +45,7 @@ #endif static DEFINE_RWLOCK(sctp_lock); /* FIXME: Examine ipfilter's timeouts and conntrack transitions more - closely. They're more complex. --RR + closely. They're more complex. --RR And so for me for SCTP :D -Kiran */ @@ -94,32 +94,32 @@ #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT #define sIV SCTP_CONNTRACK_MAX -/* +/* These are the descriptions of the states: -NOTE: These state names are tantalizingly similar to the states of an +NOTE: These state names are tantalizingly similar to the states of an SCTP endpoint. But the interpretation of the states is a little different, -considering that these are the states of the connection and not of an end +considering that these are the states of the connection and not of an end point. Please note the subtleties. -Kiran NONE - Nothing so far. -COOKIE WAIT - We have seen an INIT chunk in the original direction, or also - an INIT_ACK chunk in the reply direction. +COOKIE WAIT - We have seen an INIT chunk in the original direction, or also + an INIT_ACK chunk in the reply direction. COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite - to that of the SHUTDOWN chunk. -CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of - the SHUTDOWN chunk. Connection is closed. + to that of the SHUTDOWN chunk. +CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of + the SHUTDOWN chunk. Connection is closed. */ /* TODO - - I have assumed that the first INIT is in the original direction. + - I have assumed that the first INIT is in the original direction. This messes things when an INIT comes in the reply direction in CLOSED state. - - Check the error type in the reply dir before transitioning from + - Check the error type in the reply dir before transitioning from cookie echoed to closed. - Sec 5.2.4 of RFC 2960 - Multi Homing support. @@ -237,7 +237,7 @@ static int do_basic_checks(struct nf_con for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type); - if (sch->type == SCTP_CID_INIT + if (sch->type == SCTP_CID_INIT || sch->type == SCTP_CID_INIT_ACK || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { flag = 1; @@ -277,42 +277,42 @@ static int new_state(enum ip_conntrack_d DEBUGP("Chunk type: %d\n", chunk_type); switch (chunk_type) { - case SCTP_CID_INIT: + case SCTP_CID_INIT: DEBUGP("SCTP_CID_INIT\n"); i = 0; break; - case SCTP_CID_INIT_ACK: + case SCTP_CID_INIT_ACK: DEBUGP("SCTP_CID_INIT_ACK\n"); i = 1; break; - case SCTP_CID_ABORT: + case SCTP_CID_ABORT: DEBUGP("SCTP_CID_ABORT\n"); i = 2; break; - case SCTP_CID_SHUTDOWN: + case SCTP_CID_SHUTDOWN: DEBUGP("SCTP_CID_SHUTDOWN\n"); i = 3; break; - case SCTP_CID_SHUTDOWN_ACK: + case SCTP_CID_SHUTDOWN_ACK: DEBUGP("SCTP_CID_SHUTDOWN_ACK\n"); i = 4; break; - case SCTP_CID_ERROR: + case SCTP_CID_ERROR: DEBUGP("SCTP_CID_ERROR\n"); i = 5; break; - case SCTP_CID_COOKIE_ECHO: + case SCTP_CID_COOKIE_ECHO: DEBUGP("SCTP_CID_COOKIE_ECHO\n"); i = 6; break; - case SCTP_CID_COOKIE_ACK: + case SCTP_CID_COOKIE_ACK: DEBUGP("SCTP_CID_COOKIE_ACK\n"); i = 7; break; - case SCTP_CID_SHUTDOWN_COMPLETE: + case SCTP_CID_SHUTDOWN_COMPLETE: DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n"); i = 8; break; default: /* Other chunks like DATA, SACK, HEARTBEAT and its ACK do not cause a change in state */ - DEBUGP("Unknown chunk type, Will stay in %s\n", + DEBUGP("Unknown chunk type, Will stay in %s\n", sctp_conntrack_names[cur_state]); return cur_state; } - DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", + DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", dir, sctp_conntrack_names[cur_state], chunk_type, sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); @@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *c /* Sec 8.5.1 (C) */ if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) && !(sh->vtag == conntrack->proto.sctp.vtag - [1 - CTINFO2DIR(ctinfo)] + [1 - CTINFO2DIR(ctinfo)] && (sch->flags & 1))) { write_unlock_bh(&sctp_lock); return -1; @@ -402,17 +402,17 @@ static int sctp_packet(struct nf_conn *c } /* If it is an INIT or an INIT ACK note down the vtag */ - if (sch->type == SCTP_CID_INIT + if (sch->type == SCTP_CID_INIT || sch->type == SCTP_CID_INIT_ACK) { sctp_inithdr_t _inithdr, *ih; ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), - sizeof(_inithdr), &_inithdr); + sizeof(_inithdr), &_inithdr); if (ih == NULL) { write_unlock_bh(&sctp_lock); return -1; } - DEBUGP("Setting vtag %x for dir %d\n", + DEBUGP("Setting vtag %x for dir %d\n", ih->init_tag, !CTINFO2DIR(ctinfo)); conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag; } @@ -466,7 +466,7 @@ static int sctp_new(struct nf_conn *conn newconntrack = SCTP_CONNTRACK_MAX; for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { /* Don't need lock here: this conntrack not in circulation yet */ - newconntrack = new_state(IP_CT_DIR_ORIGINAL, + newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type); /* Invalid: delete conntrack */ @@ -481,14 +481,14 @@ static int sctp_new(struct nf_conn *conn sctp_inithdr_t _inithdr, *ih; ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), - sizeof(_inithdr), &_inithdr); + sizeof(_inithdr), &_inithdr); if (ih == NULL) return 0; - DEBUGP("Setting vtag %x for new conn\n", + DEBUGP("Setting vtag %x for new conn\n", ih->init_tag); - conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = + conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag; } else { /* Sec 8.5.1 (A) */ @@ -498,7 +498,7 @@ static int sctp_new(struct nf_conn *conn /* If it is a shutdown ack OOTB packet, we expect a return shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ else { - DEBUGP("Setting vtag %x for new conn OOTB\n", + DEBUGP("Setting vtag %x for new conn OOTB\n", sh->vtag); conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; } @@ -698,7 +698,7 @@ int __init nf_conntrack_proto_sctp_init( cleanup_sctp4: nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); out: - DEBUGP("SCTP conntrack module loading %s\n", + DEBUGP("SCTP conntrack module loading %s\n", ret ? "failed": "succeeded"); return ret; } diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 6fccdcf..c2884f9 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -55,8 +55,8 @@ #endif /* Protects conntrack->proto.tcp */ static DEFINE_RWLOCK(tcp_lock); -/* "Be conservative in what you do, - be liberal in what you accept from others." +/* "Be conservative in what you do, + be liberal in what you accept from others." If it's non-zero, we mark only out of window RST segments as INVALID. */ int nf_ct_tcp_be_liberal __read_mostly = 0; @@ -64,8 +64,8 @@ int nf_ct_tcp_be_liberal __read_mostly = connections. */ int nf_ct_tcp_loose __read_mostly = 1; -/* Max number of the retransmitted packets without receiving an (acceptable) - ACK from the destination. If this number is reached, a shorter timer +/* Max number of the retransmitted packets without receiving an (acceptable) + ACK from the destination. If this number is reached, a shorter timer will be started. */ int nf_ct_tcp_max_retrans __read_mostly = 3; @@ -84,7 +84,7 @@ static const char *tcp_conntrack_names[] "CLOSE", "LISTEN" }; - + #define SECS * HZ #define MINS * 60 SECS #define HOURS * 60 MINS @@ -100,10 +100,10 @@ static unsigned int nf_ct_tcp_timeout_ti static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS; /* RFC1122 says the R2 limit should be at least 100 seconds. - Linux uses 15 packets as limit, which corresponds + Linux uses 15 packets as limit, which corresponds to ~13-30min depending on RTO. */ static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; - + static unsigned int * tcp_timeouts[] = { NULL, /* TCP_CONNTRACK_NONE */ &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ @@ -116,7 +116,7 @@ static unsigned int * tcp_timeouts[] = { &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ NULL, /* TCP_CONNTRACK_LISTEN */ }; - + #define sNO TCP_CONNTRACK_NONE #define sSS TCP_CONNTRACK_SYN_SENT #define sSR TCP_CONNTRACK_SYN_RECV @@ -139,13 +139,13 @@ enum tcp_bit_set { TCP_RST_SET, TCP_NONE_SET, }; - + /* * The TCP state transition table needs a few words... * * We are the man in the middle. All the packets go through us * but might get lost in transit to the destination. - * It is assumed that the destinations can't receive segments + * It is assumed that the destinations can't receive segments * we haven't seen. * * The checked segment is in window, but our windows are *not* @@ -155,11 +155,11 @@ enum tcp_bit_set { * The meaning of the states are: * * NONE: initial state - * SYN_SENT: SYN-only packet seen + * SYN_SENT: SYN-only packet seen * SYN_RECV: SYN-ACK packet seen * ESTABLISHED: ACK packet seen * FIN_WAIT: FIN packet seen - * CLOSE_WAIT: ACK seen (after FIN) + * CLOSE_WAIT: ACK seen (after FIN) * LAST_ACK: FIN seen (after FIN) * TIME_WAIT: last ACK seen * CLOSE: closed connection @@ -167,8 +167,8 @@ enum tcp_bit_set { * LISTEN state is not used. * * Packets marked as IGNORED (sIG): - * if they may be either invalid or valid - * and the receiver may send back a connection + * if they may be either invalid or valid + * and the receiver may send back a connection * closing RST or a SYN/ACK. * * Packets marked as INVALID (sIV): @@ -185,7 +185,7 @@ static enum tcp_conntrack tcp_conntracks * sSS -> sSS Retransmitted SYN * sSR -> sIG Late retransmitted SYN? * sES -> sIG Error: SYNs in window outside the SYN_SENT state - * are errors. Receiver will reply with RST + * are errors. Receiver will reply with RST * and close the connection. * Or we are not in sync and hold a dead connection. * sFW -> sIG @@ -198,10 +198,10 @@ static enum tcp_conntrack tcp_conntracks /*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }, /* * A SYN/ACK from the client is always invalid: - * - either it tries to set up a simultaneous open, which is + * - either it tries to set up a simultaneous open, which is * not supported; * - or the firewall has just been inserted between the two hosts - * during the session set-up. The SYN will be retransmitted + * during the session set-up. The SYN will be retransmitted * by the true client (or it'll time out). */ /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ @@ -213,7 +213,7 @@ static enum tcp_conntrack tcp_conntracks * sSR -> sFW Close started. * sES -> sFW * sFW -> sLA FIN seen in both directions, waiting for - * the last ACK. + * the last ACK. * Migth be a retransmitted FIN as well... * sCW -> sLA * sLA -> sLA Retransmitted FIN. Remain in the same state. @@ -291,7 +291,7 @@ static enum tcp_conntrack tcp_conntracks /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV }, /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } - } + } }; static int tcp_pkt_to_tuple(const struct sk_buff *skb, @@ -352,21 +352,21 @@ static unsigned int get_conntrack_index( /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij. - + http://www.nluug.nl/events/sane2000/papers.html http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz - + The boundaries and the conditions are changed according to RFC793: the packet must intersect the window (i.e. segments may be after the right or before the left edge) and thus receivers may ACK segments after the right edge of the window. - td_maxend = max(sack + max(win,1)) seen in reply packets + td_maxend = max(sack + max(win,1)) seen in reply packets td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets td_maxwin += seq + len - sender.td_maxend if seq + len > sender.td_maxend td_end = max(seq + len) seen in sent packets - + I. Upper bound for valid data: seq <= sender.td_maxend II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin III. Upper bound for valid ack: sack <= receiver.td_end @@ -374,8 +374,8 @@ static unsigned int get_conntrack_index( where sack is the highest right edge of sack block found in the packet. - The upper bound limit for a valid ack is not ignored - - we doesn't have to deal with fragments. + The upper bound limit for a valid ack is not ignored - + we doesn't have to deal with fragments. */ static inline __u32 segment_seq_plus_len(__u32 seq, @@ -388,19 +388,19 @@ static inline __u32 segment_seq_plus_len return (seq + len - dataoff - tcph->doff*4 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0)); } - + /* Fixme: what about big packets? */ #define MAXACKWINCONST 66000 #define MAXACKWINDOW(sender) \ ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ : MAXACKWINCONST) - + /* * Simplified tcp_parse_options routine from tcp_input.c */ static void tcp_options(const struct sk_buff *skb, unsigned int dataoff, - struct tcphdr *tcph, + struct tcphdr *tcph, struct ip_ct_tcp_state *state) { unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; @@ -414,7 +414,7 @@ static void tcp_options(const struct sk_ length, buff); BUG_ON(ptr == NULL); - state->td_scale = + state->td_scale = state->flags = 0; while (length > 0) { @@ -434,7 +434,7 @@ static void tcp_options(const struct sk_ if (opsize > length) break; /* don't parse partial options */ - if (opcode == TCPOPT_SACK_PERM + if (opcode == TCPOPT_SACK_PERM && opsize == TCPOLEN_SACK_PERM) state->flags |= IP_CT_TCP_FLAG_SACK_PERM; else if (opcode == TCPOPT_WINDOW @@ -457,7 +457,7 @@ static void tcp_options(const struct sk_ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, struct tcphdr *tcph, __u32 *sack) { - unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; + unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; unsigned char *ptr; int length = (tcph->doff*4) - sizeof(struct tcphdr); __u32 tmp; @@ -472,10 +472,10 @@ static void tcp_sack(const struct sk_buf /* Fast path for timestamp-only option */ if (length == TCPOLEN_TSTAMP_ALIGNED*4 && *(__be32 *)ptr == - __constant_htonl((TCPOPT_NOP << 24) - | (TCPOPT_NOP << 16) - | (TCPOPT_TIMESTAMP << 8) - | TCPOLEN_TIMESTAMP)) + __constant_htonl((TCPOPT_NOP << 24) + | (TCPOPT_NOP << 16) + | (TCPOPT_TIMESTAMP << 8) + | TCPOLEN_TIMESTAMP)) return; while (length > 0) { @@ -495,15 +495,15 @@ static void tcp_sack(const struct sk_buf if (opsize > length) break; /* don't parse partial options */ - if (opcode == TCPOPT_SACK - && opsize >= (TCPOLEN_SACK_BASE - + TCPOLEN_SACK_PERBLOCK) - && !((opsize - TCPOLEN_SACK_BASE) - % TCPOLEN_SACK_PERBLOCK)) { - for (i = 0; - i < (opsize - TCPOLEN_SACK_BASE); - i += TCPOLEN_SACK_PERBLOCK) { - tmp = ntohl(*((__be32 *)(ptr+i)+1)); + if (opcode == TCPOPT_SACK + && opsize >= (TCPOLEN_SACK_BASE + + TCPOLEN_SACK_PERBLOCK) + && !((opsize - TCPOLEN_SACK_BASE) + % TCPOLEN_SACK_PERBLOCK)) { + for (i = 0; + i < (opsize - TCPOLEN_SACK_BASE); + i += TCPOLEN_SACK_PERBLOCK) { + tmp = ntohl(*((__be32 *)(ptr+i)+1)); if (after(tmp, *sack)) *sack = tmp; @@ -516,12 +516,12 @@ static void tcp_sack(const struct sk_buf } } -static int tcp_in_window(struct ip_ct_tcp *state, - enum ip_conntrack_dir dir, - unsigned int index, - const struct sk_buff *skb, +static int tcp_in_window(struct ip_ct_tcp *state, + enum ip_conntrack_dir dir, + unsigned int index, + const struct sk_buff *skb, unsigned int dataoff, - struct tcphdr *tcph, + struct tcphdr *tcph, int pf) { struct ip_ct_tcp_state *sender = &state->seen[dir]; @@ -543,14 +543,14 @@ static int tcp_in_window(struct ip_ct_tc DEBUGP("tcp_in_window: START\n"); DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu " "seq=%u ack=%u sack=%u win=%u end=%u\n", - NIPQUAD(iph->saddr), ntohs(tcph->source), + NIPQUAD(iph->saddr), ntohs(tcph->source), NIPQUAD(iph->daddr), ntohs(tcph->dest), seq, ack, sack, win, end); DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " "receiver end=%u maxend=%u maxwin=%u scale=%i\n", sender->td_end, sender->td_maxend, sender->td_maxwin, - sender->td_scale, - receiver->td_end, receiver->td_maxend, receiver->td_maxwin, + sender->td_scale, + receiver->td_end, receiver->td_maxend, receiver->td_maxwin, receiver->td_scale); if (sender->td_end == 0) { @@ -561,26 +561,26 @@ static int tcp_in_window(struct ip_ct_tc /* * Outgoing SYN-ACK in reply to a SYN. */ - sender->td_end = + sender->td_end = sender->td_maxend = end; sender->td_maxwin = (win == 0 ? 1 : win); tcp_options(skb, dataoff, tcph, sender); - /* + /* * RFC 1323: * Both sides must send the Window Scale option * to enable window scaling in either direction. */ if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) - sender->td_scale = + sender->td_scale = receiver->td_scale = 0; } else { /* * We are in the middle of a connection, * its history is lost for us. * Let's try to use the data from the packet. - */ + */ sender->td_end = end; sender->td_maxwin = (win == 0 ? 1 : win); sender->td_maxend = end + sender->td_maxwin; @@ -592,7 +592,7 @@ static int tcp_in_window(struct ip_ct_tc && after(end, sender->td_end)) { /* * RFC 793: "if a TCP is reinitialized ... then it need - * not wait at all; it must only be sure to use sequence + * not wait at all; it must only be sure to use sequence * numbers larger than those recently used." */ sender->td_end = @@ -607,8 +607,8 @@ static int tcp_in_window(struct ip_ct_tc * If there is no ACK, just pretend it was set and OK. */ ack = sack = receiver->td_end; - } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == - (TCP_FLAG_ACK|TCP_FLAG_RST)) + } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == + (TCP_FLAG_ACK|TCP_FLAG_RST)) && (ack == 0)) { /* * Broken TCP stacks, that set ACK in RST packets as well @@ -637,21 +637,21 @@ static int tcp_in_window(struct ip_ct_tc DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " "receiver end=%u maxend=%u maxwin=%u scale=%i\n", sender->td_end, sender->td_maxend, sender->td_maxwin, - sender->td_scale, + sender->td_scale, receiver->td_end, receiver->td_maxend, receiver->td_maxwin, receiver->td_scale); DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n", before(seq, sender->td_maxend + 1), after(end, sender->td_end - receiver->td_maxwin - 1), - before(sack, receiver->td_end + 1), - after(ack, receiver->td_end - MAXACKWINDOW(sender))); + before(sack, receiver->td_end + 1), + after(ack, receiver->td_end - MAXACKWINDOW(sender))); if (before(seq, sender->td_maxend + 1) && after(end, sender->td_end - receiver->td_maxwin - 1) && before(sack, receiver->td_end + 1) && after(ack, receiver->td_end - MAXACKWINDOW(sender))) { - /* + /* * Take into account window scaling (RFC 1323). */ if (!tcph->syn) @@ -676,7 +676,7 @@ static int tcp_in_window(struct ip_ct_tc receiver->td_maxend++; } - /* + /* * Check retransmissions. */ if (index == TCP_ACK_SET) { @@ -712,11 +712,11 @@ static int tcp_in_window(struct ip_ct_tc : "ACK is over the upper bound (ACKed data not seen yet)" : "SEQ is under the lower bound (already ACKed data retransmitted)" : "SEQ is over the upper bound (over the window of the receiver)"); - } - + } + DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " "receiver end=%u maxend=%u maxwin=%u\n", - res, sender->td_end, sender->td_maxend, sender->td_maxwin, + res, sender->td_end, sender->td_maxend, sender->td_maxwin, receiver->td_end, receiver->td_maxend, receiver->td_maxwin); return res; @@ -727,7 +727,7 @@ #ifdef CONFIG_NF_NAT_NEEDED /* Caller must linearize skb at tcp header. */ void nf_conntrack_tcp_update(struct sk_buff *skb, unsigned int dataoff, - struct nf_conn *conntrack, + struct nf_conn *conntrack, int dir) { struct tcphdr *tcph = (void *)skb->data + dataoff; @@ -750,7 +750,7 @@ #endif DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " "receiver end=%u maxend=%u maxwin=%u scale=%i\n", sender->td_end, sender->td_maxend, sender->td_maxwin, - sender->td_scale, + sender->td_scale, receiver->td_end, receiver->td_maxend, receiver->td_maxwin, receiver->td_scale); } @@ -804,8 +804,8 @@ static int tcp_error(struct sk_buff *skb nf_log_packet(pf, 0, skb, NULL, NULL, NULL, "nf_ct_tcp: short packet "); return -NF_ACCEPT; - } - + } + /* Not whole TCP header or malformed packet */ if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { if (LOG_INVALID(IPPROTO_TCP)) @@ -813,7 +813,7 @@ static int tcp_error(struct sk_buff *skb "nf_ct_tcp: truncated/malformed packet "); return -NF_ACCEPT; } - + /* Checksum invalid? Ignore. * We skip checking packets on the outgoing path * because the checksum is assumed to be correct. @@ -870,28 +870,28 @@ static int tcp_packet(struct nf_conn *co * * a) SYN in ORIGINAL * b) SYN/ACK in REPLY - * c) ACK in reply direction after initial SYN in original. + * c) ACK in reply direction after initial SYN in original. */ if (index == TCP_SYNACK_SET && conntrack->proto.tcp.last_index == TCP_SYN_SET && conntrack->proto.tcp.last_dir != dir && ntohl(th->ack_seq) == - conntrack->proto.tcp.last_end) { - /* This SYN/ACK acknowledges a SYN that we earlier + conntrack->proto.tcp.last_end) { + /* This SYN/ACK acknowledges a SYN that we earlier * ignored as invalid. This means that the client and * the server are both in sync, while the firewall is * not. We kill this session and block the SYN/ACK so - * that the client cannot but retransmit its SYN and + * that the client cannot but retransmit its SYN and * thus initiate a clean new session. */ - write_unlock_bh(&tcp_lock); + write_unlock_bh(&tcp_lock); if (LOG_INVALID(IPPROTO_TCP)) nf_log_packet(pf, 0, skb, NULL, NULL, NULL, "nf_ct_tcp: killing out of sync session "); - if (del_timer(&conntrack->timeout)) - conntrack->timeout.function((unsigned long) - conntrack); - return -NF_DROP; + if (del_timer(&conntrack->timeout)) + conntrack->timeout.function((unsigned long) + conntrack); + return -NF_DROP; } conntrack->proto.tcp.last_index = index; conntrack->proto.tcp.last_dir = dir; @@ -921,13 +921,13 @@ static int tcp_packet(struct nf_conn *co IP_CT_TCP_FLAG_CLOSE_INIT) || after(ntohl(th->seq), conntrack->proto.tcp.seen[dir].td_end)) { - /* Attempt to reopen a closed connection. - * Delete this connection and look up again. */ - write_unlock_bh(&tcp_lock); - if (del_timer(&conntrack->timeout)) - conntrack->timeout.function((unsigned long) - conntrack); - return -NF_REPEAT; + /* Attempt to reopen a closed connection. + * Delete this connection and look up again. */ + write_unlock_bh(&tcp_lock); + if (del_timer(&conntrack->timeout)) + conntrack->timeout.function((unsigned long) + conntrack); + return -NF_REPEAT; } else { write_unlock_bh(&tcp_lock); if (LOG_INVALID(IPPROTO_TCP)) @@ -938,9 +938,9 @@ static int tcp_packet(struct nf_conn *co case TCP_CONNTRACK_CLOSE: if (index == TCP_RST_SET && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) - && conntrack->proto.tcp.last_index == TCP_SYN_SET) - || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) - && conntrack->proto.tcp.last_index == TCP_ACK_SET)) + && conntrack->proto.tcp.last_index == TCP_SYN_SET) + || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) + && conntrack->proto.tcp.last_index == TCP_ACK_SET)) && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { /* RST sent to invalid SYN or ACK we had let through * at a) and c) above: @@ -1005,8 +1005,8 @@ static int tcp_packet(struct nf_conn *co && (old_state == TCP_CONNTRACK_SYN_RECV || old_state == TCP_CONNTRACK_ESTABLISHED) && new_state == TCP_CONNTRACK_ESTABLISHED) { - /* Set ASSURED if we see see valid ack in ESTABLISHED - after SYN_RECV or a valid answer for a picked up + /* Set ASSURED if we see see valid ack in ESTABLISHED + after SYN_RECV or a valid answer for a picked up connection. */ set_bit(IPS_ASSURED_BIT, &conntrack->status); nf_conntrack_event_cache(IPCT_STATUS, skb); @@ -1015,7 +1015,7 @@ static int tcp_packet(struct nf_conn *co return NF_ACCEPT; } - + /* Called when a new connection for this protocol found. */ static int tcp_new(struct nf_conn *conntrack, const struct sk_buff *skb, @@ -1071,7 +1071,7 @@ #endif if (conntrack->proto.tcp.seen[0].td_maxwin == 0) conntrack->proto.tcp.seen[0].td_maxwin = 1; conntrack->proto.tcp.seen[0].td_maxend = - conntrack->proto.tcp.seen[0].td_end + + conntrack->proto.tcp.seen[0].td_end + conntrack->proto.tcp.seen[0].td_maxwin; conntrack->proto.tcp.seen[0].td_scale = 0; @@ -1081,20 +1081,20 @@ #endif conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | IP_CT_TCP_FLAG_BE_LIBERAL; } - + conntrack->proto.tcp.seen[1].td_end = 0; conntrack->proto.tcp.seen[1].td_maxend = 0; conntrack->proto.tcp.seen[1].td_maxwin = 1; - conntrack->proto.tcp.seen[1].td_scale = 0; + conntrack->proto.tcp.seen[1].td_scale = 0; /* tcp_packet will set them */ conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; conntrack->proto.tcp.last_index = TCP_NONE_SET; - + DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " "receiver end=%u maxend=%u maxwin=%u scale=%i\n", sender->td_end, sender->td_maxend, sender->td_maxwin, - sender->td_scale, + sender->td_scale, receiver->td_end, receiver->td_maxend, receiver->td_maxwin, receiver->td_scale); return 1; @@ -1110,7 +1110,7 @@ static int tcp_to_nfattr(struct sk_buff const struct nf_conn *ct) { struct nfattr *nest_parms; - + read_lock_bh(&tcp_lock); nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), @@ -1140,7 +1140,7 @@ static int nfattr_to_tcp(struct nfattr * if (!attr) return 0; - nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); + nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) return -EINVAL; @@ -1149,7 +1149,7 @@ static int nfattr_to_tcp(struct nfattr * return -EINVAL; write_lock_bh(&tcp_lock); - ct->proto.tcp.state = + ct->proto.tcp.state = *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); write_unlock_bh(&tcp_lock); diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 9dec115..7aaa8c9 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -341,7 +341,7 @@ int ct_sip_get_info(struct nf_conn *ct, continue; } aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen, - ct_sip_lnlen(dptr, limit), + ct_sip_lnlen(dptr, limit), hnfo->case_sensitive); if (!aux) { DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str, @@ -451,12 +451,12 @@ static int sip_help(struct sk_buff **psk /* We'll drop only if there are parse problems. */ if (!parse_addr(ct, dptr + matchoff, NULL, &addr, - dptr + datalen)) { + dptr + datalen)) { ret = NF_DROP; goto out; } if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, - POS_MEDIA) > 0) { + POS_MEDIA) > 0) { port = simple_strtoul(dptr + matchoff, NULL, 10); if (port < 1024) { diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index f1cb60f..7661246 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -472,7 +472,7 @@ #endif /* CNFIG_PROC_FS */ static void __exit nf_conntrack_standalone_fini(void) { #ifdef CONFIG_SYSCTL - unregister_sysctl_table(nf_ct_sysctl_header); + unregister_sysctl_table(nf_ct_sysctl_header); #endif #ifdef CONFIG_PROC_FS remove_proc_entry("nf_conntrack", proc_net_stat); diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c index f5bffe2..37c4542 100644 --- a/net/netfilter/nf_conntrack_tftp.c +++ b/net/netfilter/nf_conntrack_tftp.c @@ -31,7 +31,7 @@ MODULE_PARM_DESC(ports, "Port numbers of #if 0 #define DEBUGP(format, args...) printk("%s:%s:" format, \ - __FILE__, __FUNCTION__ , ## args) + __FILE__, __FUNCTION__ , ## args) #else #define DEBUGP(format, args...) #endif diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h index a981971..0df7fff 100644 --- a/net/netfilter/nf_internals.h +++ b/net/netfilter/nf_internals.h @@ -24,7 +24,7 @@ extern unsigned int nf_iterate(struct li /* nf_queue.c */ extern int nf_queue(struct sk_buff *skb, - struct list_head *elem, + struct list_head *elem, int pf, unsigned int hook, struct net_device *indev, struct net_device *outdev, diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 0db2fd8..90a1d74 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -41,7 +41,7 @@ int nf_log_register(int pf, struct nf_lo mutex_unlock(&nf_log_mutex); return ret; -} +} EXPORT_SYMBOL(nf_log_register); void nf_log_unregister_pf(int pf) @@ -83,7 +83,7 @@ void nf_log_packet(int pf, va_list args; char prefix[NF_LOG_PREFIXLEN]; struct nf_logger *logger; - + rcu_read_lock(); logger = rcu_dereference(nf_loggers[pf]); if (logger) { @@ -136,7 +136,7 @@ static int seq_show(struct seq_file *s, if (!logger) return seq_printf(s, "%2lld NONE\n", *pos); - + return seq_printf(s, "%2lld %s\n", *pos, logger->name); } diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index 4d8936e..fb467b4 100644 --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c @@ -10,7 +10,7 @@ #include <net/protocol.h> #include "nf_internals.h" -/* +/* * A queue handler may be registered for each protocol. Each is protected by * long term mutex. The handler must provide an an outfn() to accept packets * for queueing and must reinject all packets it receives, no matter what. @@ -22,7 +22,7 @@ static DEFINE_RWLOCK(queue_handler_lock) /* return EBUSY when somebody else is registered, return EEXIST if the * same handler is registered, return 0 in case of success. */ int nf_register_queue_handler(int pf, struct nf_queue_handler *qh) -{ +{ int ret; if (pf >= NPROTO) @@ -52,7 +52,7 @@ int nf_unregister_queue_handler(int pf) write_lock_bh(&queue_handler_lock); queue_handler[pf] = NULL; write_unlock_bh(&queue_handler_lock); - + return 0; } EXPORT_SYMBOL(nf_unregister_queue_handler); @@ -70,8 +70,8 @@ void nf_unregister_queue_handlers(struct } EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers); -/* - * Any packet that leaves via this function must come back +/* + * Any packet that leaves via this function must come back * through nf_reinject(). */ static int __nf_queue(struct sk_buff *skb, @@ -115,7 +115,7 @@ #endif return 1; } - *info = (struct nf_info) { + *info = (struct nf_info) { (struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn }; /* If it's going away, ignore hook. */ @@ -226,10 +226,10 @@ #endif module_put(info->elem->owner); list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) { - if (i == elem) - break; - } - + if (i == elem) + break; + } + if (i == &nf_hooks[info->pf][info->hook]) { /* The module which sent it to userspace is gone. */ NFDEBUG("%s: module disappeared, dropping packet.\n", @@ -252,7 +252,7 @@ #endif if (verdict == NF_ACCEPT) { next_hook: verdict = nf_iterate(&nf_hooks[info->pf][info->hook], - &skb, info->hook, + &skb, info->hook, info->indev, info->outdev, &elem, info->okfn, INT_MIN); } diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c index c2e44e9..8b8ece7 100644 --- a/net/netfilter/nf_sockopt.c +++ b/net/netfilter/nf_sockopt.c @@ -32,13 +32,13 @@ int nf_register_sockopt(struct nf_sockop list_for_each(i, &nf_sockopts) { struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i; if (ops->pf == reg->pf - && (overlap(ops->set_optmin, ops->set_optmax, + && (overlap(ops->set_optmin, ops->set_optmax, reg->set_optmin, reg->set_optmax) - || overlap(ops->get_optmin, ops->get_optmax, + || overlap(ops->get_optmin, ops->get_optmax, reg->get_optmin, reg->get_optmax))) { NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n", - ops->set_optmin, ops->set_optmax, - ops->get_optmin, ops->get_optmax, + ops->set_optmin, ops->set_optmax, + ops->get_optmin, ops->get_optmax, reg->set_optmin, reg->set_optmax, reg->get_optmin, reg->get_optmax); ret = -EBUSY; @@ -73,7 +73,7 @@ void nf_unregister_sockopt(struct nf_soc EXPORT_SYMBOL(nf_unregister_sockopt); /* Call get/setsockopt() */ -static int nf_sockopt(struct sock *sk, int pf, int val, +static int nf_sockopt(struct sock *sk, int pf, int val, char __user *opt, int *len, int get) { struct list_head *i; @@ -107,7 +107,7 @@ static int nf_sockopt(struct sock *sk, i } mutex_unlock(&nf_sockopt_mutex); return -ENOPROTOOPT; - + out: mutex_lock(&nf_sockopt_mutex); ops->use--; diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 52fdfa2..f42bb13 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -105,7 +105,7 @@ static inline struct nfnl_callback * nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) { u_int8_t cb_id = NFNL_MSG_TYPE(type); - + if (cb_id >= ss->cb_count) { DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); return NULL; @@ -187,7 +187,7 @@ nfnetlink_check_attributes(struct nfnetl /* implicit: if nlmsg_len == min_len, we return 0, and an empty * (zeroed) cda[] array. The message is valid, but empty. */ - return 0; + return 0; } int nfnetlink_has_listeners(unsigned int group) @@ -268,12 +268,12 @@ #endif } { - u_int16_t attr_count = + u_int16_t attr_count = ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count; struct nfattr *cda[attr_count]; memset(cda, 0, sizeof(struct nfattr *) * attr_count); - + err = nfnetlink_check_attributes(ss, nlh, cda); if (err < 0) goto err_inval; @@ -357,7 +357,7 @@ static int __init nfnetlink_init(void) printk("Netfilter messages via NETLINK v%s.\n", nfversion); nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX, - nfnetlink_rcv, THIS_MODULE); + nfnetlink_rcv, THIS_MODULE); if (!nfnl) { printk(KERN_ERR "cannot initialize nfnetlink!\n"); return -1; diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 6511bb0..f2298a6 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c @@ -75,7 +75,7 @@ struct nfulnl_instance { u_int32_t seq; /* instance-local sequential counter */ u_int16_t group_num; /* number of this queue */ u_int16_t flags; - u_int8_t copy_mode; + u_int8_t copy_mode; }; static DEFINE_RWLOCK(instances_lock); @@ -146,7 +146,7 @@ instance_create(u_int16_t group_num, int UDEBUG("entering (group_num=%u, pid=%d)\n", group_num, pid); - write_lock_bh(&instances_lock); + write_lock_bh(&instances_lock); if (__instance_lookup(group_num)) { inst = NULL; UDEBUG("aborting, instance already exists\n"); @@ -179,10 +179,10 @@ instance_create(u_int16_t group_num, int if (!try_module_get(THIS_MODULE)) goto out_free; - hlist_add_head(&inst->hlist, + hlist_add_head(&inst->hlist, &instance_table[instance_hashfn(group_num)]); - UDEBUG("newly added node: %p, next=%p\n", &inst->hlist, + UDEBUG("newly added node: %p, next=%p\n", &inst->hlist, inst->hlist.next); write_unlock_bh(&instances_lock); @@ -251,14 +251,14 @@ nfulnl_set_mode(struct nfulnl_instance * int status = 0; spin_lock_bh(&inst->lock); - + switch (mode) { case NFULNL_COPY_NONE: case NFULNL_COPY_META: inst->copy_mode = mode; inst->copy_range = 0; break; - + case NFULNL_COPY_PACKET: inst->copy_mode = mode; /* we're using struct nfattr which has 16bit nfa_len */ @@ -267,7 +267,7 @@ nfulnl_set_mode(struct nfulnl_instance * else inst->copy_range = range; break; - + default: status = -EINVAL; break; @@ -327,7 +327,7 @@ nfulnl_set_flags(struct nfulnl_instance return 0; } -static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, +static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size) { struct sk_buff *skb; @@ -387,7 +387,7 @@ __nfulnl_send(struct nfulnl_instance *in static void nfulnl_timer(unsigned long data) { - struct nfulnl_instance *inst = (struct nfulnl_instance *)data; + struct nfulnl_instance *inst = (struct nfulnl_instance *)data; UDEBUG("timer function called, flushing buffer\n"); @@ -399,9 +399,9 @@ static void nfulnl_timer(unsigned long d /* This is an inline function, we don't really care about a long * list of arguments */ -static inline int +static inline int __build_packet_message(struct nfulnl_instance *inst, - const struct sk_buff *skb, + const struct sk_buff *skb, unsigned int data_len, unsigned int pf, unsigned int hooknum, @@ -417,9 +417,9 @@ __build_packet_message(struct nfulnl_ins __be32 tmp_uint; UDEBUG("entered\n"); - + old_tail = inst->skb->tail; - nlh = NLMSG_PUT(inst->skb, 0, 0, + nlh = NLMSG_PUT(inst->skb, 0, 0, NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, sizeof(struct nfgenmsg)); nfmsg = NLMSG_DATA(nlh); @@ -457,7 +457,7 @@ #else NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, sizeof(tmp_uint), &tmp_uint); if (skb->nf_bridge && skb->nf_bridge->physindev) { - tmp_uint = + tmp_uint = htonl(skb->nf_bridge->physindev->ifindex); NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), &tmp_uint); @@ -488,7 +488,7 @@ #else NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, sizeof(tmp_uint), &tmp_uint); if (skb->nf_bridge) { - tmp_uint = + tmp_uint = htonl(skb->nf_bridge->physoutdev->ifindex); NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint), &tmp_uint); @@ -558,7 +558,7 @@ #endif if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len)) BUG(); } - + nlh->nlmsg_len = inst->skb->tail - old_tail; return 0; @@ -599,7 +599,7 @@ nfulnl_log_packet(unsigned int pf, unsigned int nlbufsiz; unsigned int plen; - if (li_user && li_user->type == NF_LOG_TYPE_ULOG) + if (li_user && li_user->type == NF_LOG_TYPE_ULOG) li = li_user; else li = &default_loginfo; @@ -648,24 +648,24 @@ #endif /* per-rule qthreshold overrides per-instance */ if (qthreshold > li->u.ulog.qthreshold) qthreshold = li->u.ulog.qthreshold; - + switch (inst->copy_mode) { case NFULNL_COPY_META: case NFULNL_COPY_NONE: data_len = 0; break; - + case NFULNL_COPY_PACKET: - if (inst->copy_range == 0 + if (inst->copy_range == 0 || inst->copy_range > skb->len) data_len = skb->len; else data_len = inst->copy_range; - + size += NFA_SPACE(data_len); UDEBUG("copy_packet, therefore size now %u\n", size); break; - + default: spin_unlock_bh(&inst->lock); instance_put(inst); @@ -991,9 +991,9 @@ static int seq_show(struct seq_file *s, { const struct nfulnl_instance *inst = v; - return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n", + return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n", inst->group_num, - inst->peer_pid, inst->qlen, + inst->peer_pid, inst->qlen, inst->copy_mode, inst->copy_range, inst->flushtimeout, atomic_read(&inst->use)); } @@ -1041,10 +1041,10 @@ static int __init nfnetlink_log_init(voi #ifdef CONFIG_PROC_FS struct proc_dir_entry *proc_nful; #endif - + for (i = 0; i < INSTANCE_BUCKETS; i++) INIT_HLIST_HEAD(&instance_table[i]); - + /* it's not really all that important to have a random value, so * we can do this from the init function, even if there hasn't * been that much entropy yet */ diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a88a017..2ea362c 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -129,7 +129,7 @@ instance_create(u_int16_t queue_num, int QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid); - write_lock_bh(&instances_lock); + write_lock_bh(&instances_lock); if (__instance_lookup(queue_num)) { inst = NULL; QDEBUG("aborting, instance already exists\n"); @@ -154,7 +154,7 @@ instance_create(u_int16_t queue_num, int if (!try_module_get(THIS_MODULE)) goto out_free; - hlist_add_head(&inst->hlist, + hlist_add_head(&inst->hlist, &instance_table[instance_hashfn(queue_num)]); write_unlock_bh(&instances_lock); @@ -239,14 +239,14 @@ __enqueue_entry(struct nfqnl_instance *q * entry if cmpfn is NULL. */ static inline struct nfqnl_queue_entry * -__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, +__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, unsigned long data) { struct list_head *p; list_for_each_prev(p, &queue->queue_list) { struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p; - + if (!cmpfn || cmpfn(entry, data)) return entry; } @@ -279,7 +279,7 @@ static inline void __nfqnl_flush(struct nfqnl_instance *queue, int verdict) { struct nfqnl_queue_entry *entry; - + while ((entry = __find_dequeue_entry(queue, NULL, 0))) issue_verdict(entry, verdict); } @@ -289,14 +289,14 @@ __nfqnl_set_mode(struct nfqnl_instance * unsigned char mode, unsigned int range) { int status = 0; - + switch (mode) { case NFQNL_COPY_NONE: case NFQNL_COPY_META: queue->copy_mode = mode; queue->copy_range = 0; break; - + case NFQNL_COPY_PACKET: queue->copy_mode = mode; /* we're using struct nfattr which has 16bit nfa_len */ @@ -305,7 +305,7 @@ __nfqnl_set_mode(struct nfqnl_instance * else queue->copy_range = range; break; - + default: status = -EINVAL; @@ -318,7 +318,7 @@ find_dequeue_entry(struct nfqnl_instance nfqnl_cmpfn cmpfn, unsigned long data) { struct nfqnl_queue_entry *entry; - + spin_lock_bh(&queue->lock); entry = __find_dequeue_entry(queue, cmpfn, data); spin_unlock_bh(&queue->lock); @@ -369,13 +369,13 @@ #endif outdev = entinf->outdev; spin_lock_bh(&queue->lock); - + switch (queue->copy_mode) { case NFQNL_COPY_META: case NFQNL_COPY_NONE: data_len = 0; break; - + case NFQNL_COPY_PACKET: if ((entskb->ip_summed == CHECKSUM_PARTIAL || entskb->ip_summed == CHECKSUM_COMPLETE) && @@ -383,15 +383,15 @@ #endif spin_unlock_bh(&queue->lock); return NULL; } - if (queue->copy_range == 0 + if (queue->copy_range == 0 || queue->copy_range > entskb->len) data_len = entskb->len; else data_len = queue->copy_range; - + size += NFA_SPACE(data_len); break; - + default: *errp = -EINVAL; spin_unlock_bh(&queue->lock); @@ -403,9 +403,9 @@ #endif skb = alloc_skb(size, GFP_ATOMIC); if (!skb) goto nlmsg_failure; - + old_tail= skb->tail; - nlh = NLMSG_PUT(skb, 0, 0, + nlh = NLMSG_PUT(skb, 0, 0, NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET, sizeof(struct nfgenmsg)); nfmsg = NLMSG_DATA(nlh); @@ -427,9 +427,9 @@ #ifndef CONFIG_BRIDGE_NETFILTER #else if (entinf->pf == PF_BRIDGE) { /* Case 1: indev is physical input device, we need to - * look for bridge group (when called from + * look for bridge group (when called from * netfilter_bridge) */ - NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), + NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), &tmp_uint); /* this is the bridge group "brX" */ tmp_uint = htonl(indev->br_port->br->dev->ifindex); @@ -457,7 +457,7 @@ #ifndef CONFIG_BRIDGE_NETFILTER #else if (entinf->pf == PF_BRIDGE) { /* Case 1: outdev is physical output device, we need to - * look for bridge group (when called from + * look for bridge group (when called from * netfilter_bridge) */ NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint), &tmp_uint); @@ -490,7 +490,7 @@ #endif struct nfqnl_msg_packet_hw phw; int len = entskb->dev->hard_header_parse(entskb, - phw.hw_addr); + phw.hw_addr); phw.hw_addrlen = htons(len); NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw); } @@ -520,7 +520,7 @@ #endif if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len)) BUG(); } - + nlh->nlmsg_len = skb->tail - old_tail; return skb; @@ -535,7 +535,7 @@ nfattr_failure: } static int -nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, +nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, unsigned int queuenum, void *data) { int status = -EINVAL; @@ -560,7 +560,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb entry = kmalloc(sizeof(*entry), GFP_ATOMIC); if (entry == NULL) { if (net_ratelimit()) - printk(KERN_ERR + printk(KERN_ERR "nf_queue: OOM in nfqnl_enqueue_packet()\n"); status = -ENOMEM; goto err_out_put; @@ -573,18 +573,18 @@ nfqnl_enqueue_packet(struct sk_buff *skb nskb = nfqnl_build_packet_message(queue, entry, &status); if (nskb == NULL) goto err_out_free; - + spin_lock_bh(&queue->lock); - + if (!queue->peer_pid) - goto err_out_free_nskb; + goto err_out_free_nskb; if (queue->queue_total >= queue->queue_maxlen) { - queue->queue_dropped++; + queue->queue_dropped++; status = -ENOSPC; if (net_ratelimit()) - printk(KERN_WARNING "nf_queue: full at %d entries, " - "dropping packets(s). Dropped: %d\n", + printk(KERN_WARNING "nf_queue: full at %d entries, " + "dropping packets(s). Dropped: %d\n", queue->queue_total, queue->queue_dropped); goto err_out_free_nskb; } @@ -592,7 +592,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb /* nfnetlink_unicast will either free the nskb or add it to a socket */ status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT); if (status < 0) { - queue->queue_user_dropped++; + queue->queue_user_dropped++; goto err_out_unlock; } @@ -603,8 +603,8 @@ nfqnl_enqueue_packet(struct sk_buff *skb return status; err_out_free_nskb: - kfree_skb(nskb); - + kfree_skb(nskb); + err_out_unlock: spin_unlock_bh(&queue->lock); @@ -629,11 +629,11 @@ nfqnl_mangle(void *data, int data_len, s return -EINVAL; if (diff > skb_tailroom(e->skb)) { struct sk_buff *newskb; - + newskb = skb_copy_expand(e->skb, - skb_headroom(e->skb), - diff, - GFP_ATOMIC); + skb_headroom(e->skb), + diff, + GFP_ATOMIC); if (newskb == NULL) { printk(KERN_WARNING "nf_queue: OOM " "in mangle, dropping packet\n"); @@ -676,7 +676,7 @@ static int dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex) { struct nf_info *entinf = entry->info; - + if (entinf->indev) if (entinf->indev->ifindex == ifindex) return 1; @@ -702,7 +702,7 @@ static void nfqnl_dev_drop(int ifindex) { int i; - + QDEBUG("entering for ifindex %u\n", ifindex); /* this only looks like we have to hold the readlock for a way too long @@ -717,7 +717,7 @@ nfqnl_dev_drop(int ifindex) hlist_for_each_entry(inst, tmp, head, hlist) { struct nfqnl_queue_entry *entry; - while ((entry = find_dequeue_entry(inst, dev_cmp, + while ((entry = find_dequeue_entry(inst, dev_cmp, ifindex)) != NULL) issue_verdict(entry, NF_DROP); } @@ -835,8 +835,8 @@ nfqnl_recv_verdict(struct sock *ctnl, st if (nfqa[NFQA_MARK-1]) entry->skb->mark = ntohl(*(__be32 *) - NFA_DATA(nfqa[NFQA_MARK-1])); - + NFA_DATA(nfqa[NFQA_MARK-1])); + issue_verdict(entry, verdict); instance_put(queue); return 0; @@ -1093,7 +1093,7 @@ static int __init nfnetlink_queue_init(v #ifdef CONFIG_PROC_FS struct proc_dir_entry *proc_nfqueue; #endif - + for (i = 0; i < INSTANCE_BUCKETS; i++) INIT_HLIST_HEAD(&instance_table[i]); diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 8996584..6d04e35 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -305,7 +305,7 @@ int xt_find_revision(int af, const char EXPORT_SYMBOL_GPL(xt_find_revision); int xt_check_match(const struct xt_match *match, unsigned short family, - unsigned int size, const char *table, unsigned int hook_mask, + unsigned int size, const char *table, unsigned int hook_mask, unsigned short proto, int inv_proto) { if (XT_ALIGN(match->matchsize) != size) { @@ -377,7 +377,7 @@ int xt_compat_match_to_user(struct xt_en if (copy_to_user(cm, m, sizeof(*cm)) || put_user(msize, &cm->u.user.match_size)) - return -EFAULT; + return -EFAULT; if (match->compat_to_user) { if (match->compat_to_user((void __user *)cm->data, m->data)) @@ -432,7 +432,7 @@ int xt_compat_target_offset(struct xt_ta EXPORT_SYMBOL_GPL(xt_compat_target_offset); void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, - int *size) + int *size) { struct xt_target *target = t->u.kernel.target; struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; @@ -467,7 +467,7 @@ int xt_compat_target_to_user(struct xt_e if (copy_to_user(ct, t, sizeof(*ct)) || put_user(tsize, &ct->u.user.target_size)) - return -EFAULT; + return -EFAULT; if (target->compat_to_user) { if (target->compat_to_user((void __user *)ct->data, t->data)) @@ -710,7 +710,7 @@ static void *xt_tgt_seq_start(struct seq if (mutex_lock_interruptible(&xt[af].mutex) != 0) return NULL; - + return xt_get_idx(list, seq, *pos); } @@ -723,7 +723,7 @@ static void *xt_tgt_seq_next(struct seq_ if (af >= NPROTO) return NULL; - + list = type2list(af, type); if (!list) return NULL; diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c index 4007bbe..3088483 100644 --- a/net/netfilter/xt_CLASSIFY.c +++ b/net/netfilter/xt_CLASSIFY.c @@ -48,7 +48,7 @@ static struct xt_target xt_classify_targ .table = "mangle", .hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) | - (1 << NF_IP_POST_ROUTING), + (1 << NF_IP_POST_ROUTING), .me = THIS_MODULE, }, { @@ -59,7 +59,7 @@ static struct xt_target xt_classify_targ .table = "mangle", .hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_FORWARD) | - (1 << NF_IP6_POST_ROUTING), + (1 << NF_IP6_POST_ROUTING), .me = THIS_MODULE, }, }; diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c index cfc45af..4381780 100644 --- a/net/netfilter/xt_MARK.c +++ b/net/netfilter/xt_MARK.c @@ -50,11 +50,11 @@ target_v1(struct sk_buff **pskb, case XT_MARK_SET: mark = markinfo->mark; break; - + case XT_MARK_AND: mark = (*pskb)->mark & markinfo->mark; break; - + case XT_MARK_OR: mark = (*pskb)->mark | markinfo->mark; break; diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c index 39e1175..201155b 100644 --- a/net/netfilter/xt_NFQUEUE.c +++ b/net/netfilter/xt_NFQUEUE.c @@ -3,9 +3,9 @@ * (C) 2005 by Harald Welte <laforge@netfilter.org> * * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as + * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. - * + * */ #include <linux/module.h> diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c index 6d00dca..b874a20 100644 --- a/net/netfilter/xt_NOTRACK.c +++ b/net/netfilter/xt_NOTRACK.c @@ -22,8 +22,8 @@ target(struct sk_buff **pskb, if ((*pskb)->nfct != NULL) return XT_CONTINUE; - /* Attach fake conntrack entry. - If there is a real ct entry correspondig to this packet, + /* Attach fake conntrack entry. + If there is a real ct entry correspondig to this packet, it'll hang aroun till timing out. We don't deal with it for performance reasons. JK */ nf_ct_untrack(*pskb); diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index f1131c3..705f0e8 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -55,7 +55,7 @@ static int checkentry_selinux(struct xt_ { int err; struct xt_secmark_target_selinux_info *sel = &info->u.sel; - + sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; err = selinux_string_to_sid(sel->selctx, &sel->selsid); diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index 3dc2357..2885c37 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c @@ -51,10 +51,10 @@ #define FWINV(bool, invflg) ((bool) ^ !! if (ct == &ip_conntrack_untracked) statebit = XT_CONNTRACK_STATE_UNTRACKED; else if (ct) - statebit = XT_CONNTRACK_STATE_BIT(ctinfo); - else - statebit = XT_CONNTRACK_STATE_INVALID; - + statebit = XT_CONNTRACK_STATE_BIT(ctinfo); + else + statebit = XT_CONNTRACK_STATE_INVALID; + if (sinfo->flags & XT_CONNTRACK_STATE) { if (ct) { if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) @@ -77,7 +77,7 @@ #define FWINV(bool, invflg) ((bool) ^ !! FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO)) - return 0; + return 0; if (sinfo->flags & XT_CONNTRACK_ORIGSRC && FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip & @@ -147,10 +147,10 @@ #define FWINV(bool,invflg) ((bool) ^ !!( if (ct == &nf_conntrack_untracked) statebit = XT_CONNTRACK_STATE_UNTRACKED; else if (ct) - statebit = XT_CONNTRACK_STATE_BIT(ctinfo); - else - statebit = XT_CONNTRACK_STATE_INVALID; - + statebit = XT_CONNTRACK_STATE_BIT(ctinfo); + else + statebit = XT_CONNTRACK_STATE_INVALID; + if (sinfo->flags & XT_CONNTRACK_STATE) { if (ct) { if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) @@ -171,41 +171,41 @@ #define FWINV(bool,invflg) ((bool) ^ !!( if (sinfo->flags & XT_CONNTRACK_PROTO && FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != - sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, + sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO)) - return 0; + return 0; if (sinfo->flags & XT_CONNTRACK_ORIGSRC && FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip & - sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != + sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC)) return 0; if (sinfo->flags & XT_CONNTRACK_ORIGDST && FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip & - sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != + sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST)) return 0; if (sinfo->flags & XT_CONNTRACK_REPLSRC && FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip & - sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != + sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC)) return 0; if (sinfo->flags & XT_CONNTRACK_REPLDST && FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip & - sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != + sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST)) return 0; if (sinfo->flags & XT_CONNTRACK_STATUS && FWINV((ct->status & sinfo->statusmask) == 0, - XT_CONNTRACK_STATUS)) + XT_CONNTRACK_STATUS)) return 0; if(sinfo->flags & XT_CONNTRACK_EXPIRES) { diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c index 3e6cf43..2c9c0de 100644 --- a/net/netfilter/xt_dccp.c +++ b/net/netfilter/xt_dccp.c @@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Match for DCCP proto MODULE_ALIAS("ipt_dccp"); #define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ - || (!!((invflag) & (option)) ^ (cond))) + || (!!((invflag) & (option)) ^ (cond))) static unsigned char *dccp_optbuf; static DEFINE_SPINLOCK(dccp_buflock); @@ -67,9 +67,9 @@ dccp_find_option(u_int8_t option, return 1; } - if (op[i] < 2) + if (op[i] < 2) i++; - else + else i += op[i+1]?:1; } @@ -106,18 +106,18 @@ match(const struct sk_buff *skb, if (offset) return 0; - + dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); if (dh == NULL) { *hotdrop = 1; return 0; - } + } - return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) - && (ntohs(dh->dccph_sport) <= info->spts[1])), - XT_DCCP_SRC_PORTS, info->flags, info->invflags) - && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) - && (ntohs(dh->dccph_dport) <= info->dpts[1])), + return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) + && (ntohs(dh->dccph_sport) <= info->spts[1])), + XT_DCCP_SRC_PORTS, info->flags, info->invflags) + && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) + && (ntohs(dh->dccph_dport) <= info->dpts[1])), XT_DCCP_DEST_PORTS, info->flags, info->invflags) && DCCHECK(match_types(dh, info->typemask), XT_DCCP_TYPE, info->flags, info->invflags) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index bd1f7a2..852e405 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -208,7 +208,7 @@ static int htable_create(struct xt_hashl spin_lock_init(&hinfo->lock); hinfo->pde = create_proc_entry(minfo->name, 0, family == AF_INET ? hashlimit_procdir4 : - hashlimit_procdir6); + hashlimit_procdir6); if (!hinfo->pde) { vfree(hinfo); return -1; @@ -240,7 +240,7 @@ static int select_gc(struct xt_hashlimit } static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, - int (*select)(struct xt_hashlimit_htable *ht, + int (*select)(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)) { unsigned int i; @@ -279,7 +279,7 @@ static void htable_destroy(struct xt_has /* remove proc entry */ remove_proc_entry(hinfo->pde->name, hinfo->family == AF_INET ? hashlimit_procdir4 : - hashlimit_procdir6); + hashlimit_procdir6); htable_selective_cleanup(hinfo, select_all); vfree(hinfo); } @@ -483,7 +483,7 @@ hashlimit_match(const struct sk_buff *sk return 1; } - spin_unlock_bh(&hinfo->lock); + spin_unlock_bh(&hinfo->lock); /* default case: we're overlimit, thus don't match */ return 0; diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c index 04bc32b..407d1d5 100644 --- a/net/netfilter/xt_helper.c +++ b/net/netfilter/xt_helper.c @@ -53,7 +53,7 @@ match(const struct sk_buff *skb, struct ip_conntrack *ct; enum ip_conntrack_info ctinfo; int ret = info->invert; - + ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); if (!ct) { DEBUGP("xt_helper: Eek! invalid conntrack?\n"); @@ -67,19 +67,19 @@ match(const struct sk_buff *skb, read_lock_bh(&ip_conntrack_lock); if (!ct->master->helper) { - DEBUGP("xt_helper: master ct %p has no helper\n", + DEBUGP("xt_helper: master ct %p has no helper\n", exp->expectant); goto out_unlock; } - DEBUGP("master's name = %s , info->name = %s\n", + DEBUGP("master's name = %s , info->name = %s\n", ct->master->helper->name, info->name); if (info->name[0] == '\0') ret ^= 1; else - ret ^= !strncmp(ct->master->helper->name, info->name, - strlen(ct->master->helper->name)); + ret ^= !strncmp(ct->master->helper->name, info->name, + strlen(ct->master->helper->name)); out_unlock: read_unlock_bh(&ip_conntrack_lock); return ret; @@ -102,7 +102,7 @@ match(const struct sk_buff *skb, struct nf_conn_help *master_help; enum ip_conntrack_info ctinfo; int ret = info->invert; - + ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); if (!ct) { DEBUGP("xt_helper: Eek! invalid conntrack?\n"); @@ -117,19 +117,19 @@ match(const struct sk_buff *skb, read_lock_bh(&nf_conntrack_lock); master_help = nfct_help(ct->master); if (!master_help || !master_help->helper) { - DEBUGP("xt_helper: master ct %p has no helper\n", + DEBUGP("xt_helper: master ct %p has no helper\n", exp->expectant); goto out_unlock; } - DEBUGP("master's name = %s , info->name = %s\n", + DEBUGP("master's name = %s , info->name = %s\n", ct->master->helper->name, info->name); if (info->name[0] == '\0') ret ^= 1; else ret ^= !strncmp(master_help->helper->name, info->name, - strlen(master_help->helper->name)); + strlen(master_help->helper->name)); out_unlock: read_unlock_bh(&nf_conntrack_lock); return ret; diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c index 67fd30d..32fb998 100644 --- a/net/netfilter/xt_length.c +++ b/net/netfilter/xt_length.c @@ -32,7 +32,7 @@ match(const struct sk_buff *skb, { const struct xt_length_info *info = matchinfo; u_int16_t pktlen = ntohs(skb->nh.iph->tot_len); - + return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; } @@ -48,7 +48,7 @@ match6(const struct sk_buff *skb, { const struct xt_length_info *info = matchinfo; u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr); - + return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; } diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index fda7b7d..6fd8347 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -89,7 +89,7 @@ ipt_limit_match(const struct sk_buff *sk return 1; } - spin_unlock_bh(&limit_lock); + spin_unlock_bh(&limit_lock); return 0; } diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c index dfa1ee6..39911dd 100644 --- a/net/netfilter/xt_mark.c +++ b/net/netfilter/xt_mark.c @@ -36,10 +36,10 @@ match(const struct sk_buff *skb, static int checkentry(const char *tablename, - const void *entry, + const void *entry, const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) + void *matchinfo, + unsigned int hook_mask) { const struct xt_mark_info *minfo = matchinfo; diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c index 1602086..4dce2a8 100644 --- a/net/netfilter/xt_multiport.c +++ b/net/netfilter/xt_multiport.c @@ -91,7 +91,7 @@ ports_match_v1(const struct xt_multiport } } - return minfo->invert; + return minfo->invert; } static int diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index b9b3ffc..35a0fe2 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c @@ -117,7 +117,7 @@ checkentry(const char *tablename, (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || info->invert & XT_PHYSDEV_OP_BRIDGED) && hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) | - (1 << NF_IP_POST_ROUTING))) { + (1 << NF_IP_POST_ROUTING))) { printk(KERN_WARNING "physdev match: using --physdev-out in the " "OUTPUT, FORWARD and POSTROUTING chains for non-bridged " "traffic is not supported anymore.\n"); diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c index 46bde2b..15b45a9 100644 --- a/net/netfilter/xt_policy.c +++ b/net/netfilter/xt_policy.c @@ -109,13 +109,13 @@ match_policy_out(const struct sk_buff *s } static int match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - int *hotdrop) + const struct net_device *in, + const struct net_device *out, + const struct xt_match *match, + const void *matchinfo, + int offset, + unsigned int protoff, + int *hotdrop) { const struct xt_policy_info *info = matchinfo; int ret; @@ -134,27 +134,27 @@ static int match(const struct sk_buff *s } static int checkentry(const char *tablename, const void *ip_void, - const struct xt_match *match, - void *matchinfo, unsigned int hook_mask) + const struct xt_match *match, + void *matchinfo, unsigned int hook_mask) { struct xt_policy_info *info = matchinfo; if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { printk(KERN_ERR "xt_policy: neither incoming nor " - "outgoing policy selected\n"); + "outgoing policy selected\n"); return 0; } /* hook values are equal for IPv4 and IPv6 */ if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) && info->flags & XT_POLICY_MATCH_OUT) { printk(KERN_ERR "xt_policy: output policy not valid in " - "PRE_ROUTING and INPUT\n"); + "PRE_ROUTING and INPUT\n"); return 0; } if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) && info->flags & XT_POLICY_MATCH_IN) { printk(KERN_ERR "xt_policy: input policy not valid in " - "POST_ROUTING and OUTPUT\n"); + "POST_ROUTING and OUTPUT\n"); return 0; } if (info->len > XT_POLICY_MAX_ELEM) { diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c index b75fa2c..bfdde06 100644 --- a/net/netfilter/xt_quota.c +++ b/net/netfilter/xt_quota.c @@ -30,8 +30,8 @@ match(const struct sk_buff *skb, q->quota -= skb->len; ret ^= 1; } else { - /* we do not allow even small packets from now on */ - q->quota = 0; + /* we do not allow even small packets from now on */ + q->quota = 0; } spin_unlock_bh("a_lock); diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c index a80b7d1..97ffc2f 100644 --- a/net/netfilter/xt_realm.c +++ b/net/netfilter/xt_realm.c @@ -35,7 +35,7 @@ match(const struct sk_buff *skb, { const struct xt_realm_info *info = matchinfo; struct dst_entry *dst = skb->dst; - + return (info->id == (dst->tclassid & info->mask)) ^ info->invert; } diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c index 71bf036..f86d8d7 100644 --- a/net/netfilter/xt_sctp.c +++ b/net/netfilter/xt_sctp.c @@ -66,9 +66,9 @@ #endif duprintf("Dropping invalid SCTP packet.\n"); *hotdrop = 1; return 0; - } + } - duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", + duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", ++i, offset, sch->type, htons(sch->length), sch->flags); offset += (ntohs(sch->length) + 3) & ~3; @@ -78,21 +78,21 @@ #endif if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) { switch (chunk_match_type) { case SCTP_CHUNK_MATCH_ANY: - if (match_flags(flag_info, flag_count, + if (match_flags(flag_info, flag_count, sch->type, sch->flags)) { return 1; } break; case SCTP_CHUNK_MATCH_ALL: - if (match_flags(flag_info, flag_count, + if (match_flags(flag_info, flag_count, sch->type, sch->flags)) { SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type); } break; case SCTP_CHUNK_MATCH_ONLY: - if (!match_flags(flag_info, flag_count, + if (!match_flags(flag_info, flag_count, sch->type, sch->flags)) { return 0; } @@ -136,24 +136,24 @@ match(const struct sk_buff *skb, duprintf("Dropping non-first fragment.. FIXME\n"); return 0; } - + sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh); if (sh == NULL) { duprintf("Dropping evil TCP offset=0 tinygram.\n"); *hotdrop = 1; return 0; - } + } duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); - return SCCHECK(((ntohs(sh->source) >= info->spts[0]) - && (ntohs(sh->source) <= info->spts[1])), - XT_SCTP_SRC_PORTS, info->flags, info->invflags) - && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) - && (ntohs(sh->dest) <= info->dpts[1])), + return SCCHECK(((ntohs(sh->source) >= info->spts[0]) + && (ntohs(sh->source) <= info->spts[1])), + XT_SCTP_SRC_PORTS, info->flags, info->invflags) + && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) + && (ntohs(sh->dest) <= info->dpts[1])), XT_SCTP_DEST_PORTS, info->flags, info->invflags) && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t), info->chunkmap, info->chunk_match_type, - info->flag_info, info->flag_count, + info->flag_info, info->flag_count, hotdrop), XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); } @@ -170,9 +170,9 @@ checkentry(const char *tablename, return !(info->flags & ~XT_SCTP_VALID_FLAGS) && !(info->invflags & ~XT_SCTP_VALID_FLAGS) && !(info->invflags & ~info->flags) - && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || + && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || (info->chunk_match_type & - (SCTP_CHUNK_MATCH_ALL + (SCTP_CHUNK_MATCH_ALL | SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))); } diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c index 4453252..999a005 100644 --- a/net/netfilter/xt_string.c +++ b/net/netfilter/xt_string.c @@ -1,5 +1,5 @@ /* String matching match for iptables - * + * * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net> * * This program is free software; you can redistribute it and/or modify @@ -35,8 +35,8 @@ static int match(const struct sk_buff *s memset(&state, 0, sizeof(struct ts_state)); - return (skb_find_text((struct sk_buff *)skb, conf->from_offset, - conf->to_offset, conf->config, &state) + return (skb_find_text((struct sk_buff *)skb, conf->from_offset, + conf->to_offset, conf->config, &state) != UINT_MAX) ^ conf->invert; } @@ -55,7 +55,7 @@ static int checkentry(const char *tablen if (conf->from_offset > conf->to_offset) return 0; if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') - return 0; + return 0; if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) return 0; ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index a3682fe..80571d0 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c @@ -64,9 +64,9 @@ match(const struct sk_buff *skb, u_int16_t mssval; mssval = (op[i+2] << 8) | op[i+3]; - + return (mssval >= info->mss_min && - mssval <= info->mss_max) ^ info->invert; + mssval <= info->mss_max) ^ info->invert; } if (op[i] < 2) i++; ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (19 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 20/22]: Fix whitespace errors Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 22/22]: nf_conntrack_tcp: make sysctl variables static Patrick McHardy 2007-02-12 19:17 ` [NETFILTER 00/22]: Netfilter update/fixes David Miller 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise it must be discarded (and the receiver should send ICMP error). We assume filter should drop such piggyback everytime to disallow slipping through firewall rules, even the final receiver will discard it. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit a7b4ff1031d3e62fad2b7da2068bb5deb2041325 tree ba6d4b4517999ebf0876a5618640276a6a251503 parent 353c941b0735b883510bfd7bb98fcd4fc8a0ee08 author Masahide NAKAMURA <nakam@linux-ipv6.org> Mon, 12 Feb 2007 11:08:11 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:11 +0100 net/ipv6/netfilter/ip6t_mh.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c index 2c7efc6..c2a9098 100644 --- a/net/ipv6/netfilter/ip6t_mh.c +++ b/net/ipv6/netfilter/ip6t_mh.c @@ -66,6 +66,13 @@ match(const struct sk_buff *skb, return 0; } + if (mh->ip6mh_proto != IPPROTO_NONE) { + duprintf("Dropping invalid MH Payload Proto: %u\n", + mh->ip6mh_proto); + *hotdrop = 1; + return 0; + } + return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type, !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); } ^ permalink raw reply related [flat|nested] 24+ messages in thread
* [NETFILTER 22/22]: nf_conntrack_tcp: make sysctl variables static 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (20 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets Patrick McHardy @ 2007-02-12 10:36 ` Patrick McHardy 2007-02-12 19:17 ` [NETFILTER 00/22]: Netfilter update/fixes David Miller 22 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-02-12 10:36 UTC (permalink / raw) To: davem; +Cc: netfilter-devel, Patrick McHardy [NETFILTER]: nf_conntrack_tcp: make sysctl variables static sysctls are registered by the protocol module itself since 2.6.19, no need to have them visible to others. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit ebdb23c15670f1d49d7466856f4db8fd00f6c3a9 tree 005b35c07855e3723b9d94ea77f203fb4e829924 parent a7b4ff1031d3e62fad2b7da2068bb5deb2041325 author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:17 +0100 committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:17 +0100 net/netfilter/nf_conntrack_proto_tcp.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index c2884f9..aff65aa 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -58,16 +58,16 @@ static DEFINE_RWLOCK(tcp_lock); /* "Be conservative in what you do, be liberal in what you accept from others." If it's non-zero, we mark only out of window RST segments as INVALID. */ -int nf_ct_tcp_be_liberal __read_mostly = 0; +static int nf_ct_tcp_be_liberal __read_mostly = 0; /* If it is set to zero, we disable picking up already established connections. */ -int nf_ct_tcp_loose __read_mostly = 1; +static int nf_ct_tcp_loose __read_mostly = 1; /* Max number of the retransmitted packets without receiving an (acceptable) ACK from the destination. If this number is reached, a shorter timer will be started. */ -int nf_ct_tcp_max_retrans __read_mostly = 3; +static int nf_ct_tcp_max_retrans __read_mostly = 3; /* FIXME: Examine ipfilter's timeouts and conntrack transitions more closely. They're more complex. --RR */ ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [NETFILTER 00/22]: Netfilter update/fixes 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy ` (21 preceding siblings ...) 2007-02-12 10:36 ` [NETFILTER 22/22]: nf_conntrack_tcp: make sysctl variables static Patrick McHardy @ 2007-02-12 19:17 ` David Miller 22 siblings, 0 replies; 24+ messages in thread From: David Miller @ 2007-02-12 19:17 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel From: Patrick McHardy <kaber@trash.net> Date: Mon, 12 Feb 2007 11:36:21 +0100 (MET) > Hi Dave, > > following are a number of fixes for netfilter, fixing RCU issues all over the > place, including the invalid preemption assumptions in the NF_CT_STAT_INC macro. > Additionally there are a few minor enhancements for things I noticed while going > over the code: replacement of a few unnecessary spinlocks by mutexes, some > cleanup for nf_log.c and some return value cleanup for unregistration functions. > > With these patches I think there should be nothing left holding back the > preemptable RCU merge from netfilter's perspective. > > Please apply, thanks. Thanks a lot for doing this work Patrick. All applied, thanks again. ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2007-02-12 19:17 UTC | newest] Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2007-02-12 10:36 [NETFILTER 00/22]: Netfilter update/fixes Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 01/22]: Properly use RCU in nf_ct_attach Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 02/22]: Remove unnecessary synchronize_net() in nf_register_hook Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 03/22]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 04/22]: Switch nf_register_hook/nf_unregister_hook " Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 05/22]: nf_log: use rcu_assign_pointer for RCU protected pointer Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 06/22]: nf_log: make nf_log_unregister_pf return void Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 07/22]: nf_log: switch logger registration/unregistration to mutex Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 08/22]: nf_log: minor cleanups Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 09/22]: ip_nat: properly use RCU API for ip_nat_protos array Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 10/22]: nf_nat: properly use RCU API for nf_nat_protos array Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 11/22]: ip_conntrack: properly use RCU API for ip_ct_protos array Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 12/22]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 13/22]: ip_conntrack: fix invalid conntrack statistics RCU assumption Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 14/22]: nf_conntrack: " Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 15/22]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 16/22]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 17/22]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 18/22]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 19/22]: Kconfig: improve dependency handling Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 20/22]: Fix whitespace errors Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets Patrick McHardy 2007-02-12 10:36 ` [NETFILTER 22/22]: nf_conntrack_tcp: make sysctl variables static Patrick McHardy 2007-02-12 19:17 ` [NETFILTER 00/22]: Netfilter update/fixes David Miller
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.