Hello community, here is the log from the commit of package xtables-addons for openSUSE:Factory checked in at Mon Apr 26 23:48:14 CEST 2010. -------- --- xtables-addons/xtables-addons.changes 2010-03-20 01:41:28.000000000 +0100 +++ xtables-addons/xtables-addons.changes 2010-04-26 14:22:13.000000000 +0200 @@ -1,0 +2,11 @@ +Mon Apr 26 12:15:08 UTC 2010 - jengelh@medozas.de + +- new upstream release 1.25 + * incorporated changes from upstream review into xt_TEE: + (rechecksumming in PREROUTING, decrease TTL on cloned packet, set + dont-fragment on cloned packets, free skb when route lookup + failed, do not limit use to mangle table, do not retain iif and + mark on cloned packet, new loop detection logic, use less + expensive pskb_copy) + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- xtables-addons-1.24.tar.bz2 New: ---- xtables-addons-1.25.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xtables-addons.spec ++++++ --- /var/tmp/diff_new_pack.EjFK7p/_old 2010-04-26 23:47:41.000000000 +0200 +++ /var/tmp/diff_new_pack.EjFK7p/_new 2010-04-26 23:47:41.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package xtables-addons (Version 1.24) +# spec file for package xtables-addons (Version 1.25) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ Name: xtables-addons -Version: 1.24 +Version: 1.25 Release: 1 Group: Productivity/Networking/Security Summary: IP Packet Filter Administration Extensions ++++++ xtables-addons-1.24.tar.bz2 -> xtables-addons-1.25.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/INSTALL new/xtables-addons-1.25/INSTALL --- old/xtables-addons-1.24/INSTALL 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/INSTALL 2010-04-26 14:12:03.000000000 +0200 
@@ -4,7 +4,7 @@ Xtables-addons uses the well-known configure(autotools) infrastructure in combination with the kernel's Kbuild system. - $ ./configure + $ ./configure --with-xtlibdir=SEE_BELOW $ make # make install @@ -55,7 +55,10 @@ Specifies the path to where the newly built extensions should be installed when `make install` is run. It uses the same - default as the Xtables/iptables package, ${libexecdir}/xtables. + default as the Xtables/iptables package, ${libexecdir}/xtables, + but you may need to specify this nevertheless, as autotools + defaults to using /usr/local as prefix, and distributions put + the files in differing locations. If you want to enable debugging, use diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/doc/changelog.txt new/xtables-addons-1.25/doc/changelog.txt --- old/xtables-addons-1.24/doc/changelog.txt 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/doc/changelog.txt 2010-04-26 14:12:03.000000000 +0200 @@ -1,6 +1,15 @@ HEAD ==== +- TEE: do rechecksumming in PREROUTING too +- TEE: decrease TTL on cloned packet +- TEE: set dont-fragment on cloned packets +- TEE: free skb when route lookup failed +- TEE: do not limit use to mangle table +- TEE: do not retain iif and mark on cloned packet +- TEE: new loop detection logic +- TEE: use less expensive pskb_copy +- condition: remove unnecessary RCU protection Xtables-addons 1.24 (March 17 2010) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/ACCOUNT/xt_ACCOUNT.c new/xtables-addons-1.25/extensions/ACCOUNT/xt_ACCOUNT.c --- old/xtables-addons-1.24/extensions/ACCOUNT/xt_ACCOUNT.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/ACCOUNT/xt_ACCOUNT.c 2010-04-26 14:12:03.000000000 +0200 
@@ -264,7 +264,7 @@ return -1; } -static bool ipt_acc_checkentry(const struct xt_tgchk_param *par) +static int ipt_acc_checkentry(const struct xt_tgchk_param *par) { struct ipt_acc_info *info = par->targinfo; int table_nr; @@ -276,13 +276,13 @@ if (table_nr == -1) { printk("ACCOUNT: Table insert problem. Aborting\n"); - return false; + return -EINVAL; } /* Table nr caching so we don't have to do an extra string compare for every packet */ info->table_nr = table_nr; - return true; + return 0; } static void ipt_acc_destroy(const struct xt_tgdtor_param *par) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/Makefile.am new/xtables-addons-1.25/extensions/Makefile.am --- old/xtables-addons-1.24/extensions/Makefile.am 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/Makefile.am 2010-04-26 14:12:03.000000000 +0200 @@ -7,6 +7,8 @@ _kcall = -C ${kbuilddir} M=${abs_srcdir} modules: + @echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux " + @if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi; ${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi; modules_install: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/Makefile.in new/xtables-addons-1.25/extensions/Makefile.in --- old/xtables-addons-1.24/extensions/Makefile.in 2010-03-17 02:53:26.000000000 +0100 +++ new/xtables-addons-1.25/extensions/Makefile.in 2010-04-26 14:13:55.000000000 +0200 
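Review bot: `@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "` in the new `modules:` recipe relies on a non-POSIX `echo` option; when make's shell is dash or another strictly POSIX sh, a literal `-n` is printed instead of the newline being suppressed. `printf '%s' "Xtables-addons ${PACKAGE_VERSION} - Linux "` is portable and behaves the same under bash. The generated Makefile.in hunk on the next line carries the same recipe and is regenerated from this file, so only this one needs the change.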
@@ -374,6 +374,8 @@ .PHONY: modules modules_install clean_modules modules: + @echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux " + @if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi; ${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi; modules_install: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/compat_xtables.c new/xtables-addons-1.25/extensions/compat_xtables.c --- old/xtables-addons-1.24/extensions/compat_xtables.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/compat_xtables.c 2010-04-26 14:12:03.000000000 +0200 @@ -84,6 +84,19 @@ return nm->checkentry(&local_par); } #endif +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \ + LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34) +static bool xtnu_match_check(const struct xt_mtchk_param *par) +{ + struct xtnu_match *nm = xtcompat_numatch(par->match); + + if (nm == NULL) + return false; + if (nm->checkentry == NULL) + return true; + return nm->checkentry(par) == 0 ? true : false; +} +#endif #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo, @@ -105,7 +118,7 @@ } #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34) int xtnu_register_match(struct xtnu_match *nt) { struct xt_match *ct; @@ -127,9 +140,15 @@ ct->table = (char *)nt->table; ct->hooks = nt->hooks; ct->proto = nt->proto; +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) ct->match = xtnu_match_run; ct->checkentry = xtnu_match_check; ct->destroy = xtnu_match_destroy; +#else + ct->match = nt->match; + ct->checkentry = xtnu_match_check; + ct->destroy = nt->destroy; +#endif ct->matchsize = nt->matchsize; ct->me = nt->me; 
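Review bot: `return nm->checkentry(par) == 0 ? true : false;` in the new xtnu_match_check is a redundant ternary on an expression that is already boolean; `return nm->checkentry(par) == 0;` says the same thing, and the identical form appears in xtnu_target_check in the next hunk. The wrapper necessarily collapses whatever errno the extension's checkentry returned (-ENOMEM vs -EINVAL) into a bool on the kernel range it is compiled for, so failures reported through this path are indistinguishable to the user; a `pr_debug` of the returned code before the conversion would keep that information available when diagnosing a rule that will not load.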
@@ -250,6 +269,20 @@ } #endif +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \ + LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34) +static bool xtnu_target_check(const struct xt_tgchk_param *par) +{ + struct xtnu_target *nt = xtcompat_nutarget(par->target); + + if (nt == NULL) + return false; + if (nt->checkentry == NULL) + return true; + return nt->checkentry(par) == 0 ? true : false; +} +#endif + #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo, unsigned int targinfosize) @@ -295,6 +328,9 @@ #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) ct->checkentry = xtnu_target_check; ct->destroy = xtnu_target_destroy; +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34) + ct->checkentry = xtnu_target_check; + ct->destroy = nt->destroy; #else ct->checkentry = nt->checkentry; ct->destroy = nt->destroy; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/compat_xtables.h new/xtables-addons-1.25/extensions/compat_xtables.h --- old/xtables-addons-1.24/extensions/compat_xtables.h 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/compat_xtables.h 2010-04-26 14:12:03.000000000 +0200 @@ -60,7 +60,7 @@ # define init_net__proc_net init_net.proc_net #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34) # define xt_match xtnu_match # define xt_register_match xtnu_register_match # define xt_unregister_match xtnu_unregister_match diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/compat_xtnu.h new/xtables-addons-1.25/extensions/compat_xtnu.h --- old/xtables-addons-1.24/extensions/compat_xtnu.h 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/compat_xtnu.h 2010-04-26 14:12:03.000000000 +0200 
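Review bot: The guard added around xtnu_target_check in the `@@ -250` hunk stops at `LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)`, while the `@@ -295` hunk's new `#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)` branch assigns `ct->checkentry = xtnu_target_check;`, so on exactly 2.6.34 the symbol is referenced but, as far as this diff shows, not defined; unless another definition outside the hunk covers that version, the module does not build there. The match-side wrapper in the previous hunks uses `<= KERNEL_VERSION(2, 6, 34)` on both the definition and the use, which looks like the intended range. Change the definition guard to `LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)` so both sides agree.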
@@ -85,7 +85,7 @@ struct list_head list; char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)]; bool (*match)(const struct sk_buff *, const struct xt_match_param *); - bool (*checkentry)(const struct xt_mtchk_param *); + int (*checkentry)(const struct xt_mtchk_param *); void (*destroy)(const struct xt_mtdtor_param *); struct module *me; const char *table; @@ -101,7 +101,7 @@ char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)]; unsigned int (*target)(struct sk_buff **, const struct xt_target_param *); - bool (*checkentry)(const struct xt_tgchk_param *); + int (*checkentry)(const struct xt_tgchk_param *); void (*destroy)(const struct xt_tgdtor_param *); struct module *me; const char *table; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/ipset/ipt_SET.c new/xtables-addons-1.25/extensions/ipset/ipt_SET.c --- old/xtables-addons-1.24/extensions/ipset/ipt_SET.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/ipset/ipt_SET.c 2010-04-26 14:12:03.000000000 +0200 @@ -45,7 +45,7 @@ return XT_CONTINUE; } -static bool +static int checkentry(const struct xt_tgchk_param *par) { struct ipt_set_info_target *info = par->targinfo; @@ -54,7 +54,7 @@ #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) if (targinfosize != IPT_ALIGN(sizeof(*info))) { DP("bad target info size %u", targinfosize); - return 0; + return -EINVAL; } #endif @@ -63,7 +63,7 @@ if (index == IP_SET_INVALID_ID) { ip_set_printk("cannot find add_set index %u as target", info->add_set.index); - return 0; /* error */ + return -EINVAL; } } 
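Review bot: ipt_SET.c's checkentry now returns `-EINVAL` when the add_set lookup yields `IP_SET_INVALID_ID` (and likewise for del_set in the next hunk), while the sibling ipt_set.c checkentry on the following line returns `-ENOENT` for the same "cannot find set" condition. iptables shows the errno text to the user, so the two extensions now describe one failure two different ways. `-ENOENT` is the more descriptive code for a set that does not exist; using it in both places keeps the user-visible message consistent and leaves `-EINVAL` for genuinely malformed rule data such as the flags check below.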
@@ -72,16 +72,16 @@ if (index == IP_SET_INVALID_ID) { ip_set_printk("cannot find del_set index %u as target", info->del_set.index); - return 0; /* error */ + return -EINVAL; } } if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0 || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) { ip_set_printk("That's nasty!"); - return 0; /* error */ + return -EINVAL; } - return 1; + return 0; } static void destroy(const struct xt_tgdtor_param *par) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/ipset/ipt_set.c new/xtables-addons-1.25/extensions/ipset/ipt_set.c --- old/xtables-addons-1.24/extensions/ipset/ipt_set.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/ipset/ipt_set.c 2010-04-26 14:12:03.000000000 +0200 @@ -47,7 +47,7 @@ info->match_set.flags[0] & IPSET_MATCH_INV); } -static bool +static int checkentry(const struct xt_mtchk_param *par) { struct ipt_set_info_match *info = par->matchinfo; @@ -56,7 +56,7 @@ #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) { ip_set_printk("invalid matchsize %d", matchsize); - return 0; + return -EINVAL; } #endif @@ -65,14 +65,14 @@ if (index == IP_SET_INVALID_ID) { ip_set_printk("Cannot find set indentified by id %u to match", info->match_set.index); - return 0; /* error */ + return -ENOENT; } if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) { ip_set_printk("That's nasty!"); - return 0; /* error */ + return -EINVAL; } - return 1; + return 0; } static void destroy(const struct xt_mtdtor_param *par) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/pknock/xt_pknock.c new/xtables-addons-1.25/extensions/pknock/xt_pknock.c --- old/xtables-addons-1.24/extensions/pknock/xt_pknock.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/pknock/xt_pknock.c 2010-04-26 14:12:03.000000000 +0200 
@@ -1064,9 +1064,9 @@ return ret; } -#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return false; } while (false) +#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false) -static bool pknock_mt_check(const struct xt_mtchk_param *par) +static int pknock_mt_check(const struct xt_mtchk_param *par) { struct xt_pknock_mtinfo *info = par->matchinfo; @@ -1124,9 +1124,10 @@ } if (!add_rule(info)) + /* should ENOMEM here */ RETURN_ERR("add_rule() error in checkentry() function.\n"); - return true; + return 0; } static void pknock_mt_destroy(const struct xt_mtdtor_param *par) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_CHAOS.c new/xtables-addons-1.25/extensions/xt_CHAOS.c --- old/xtables-addons-1.24/extensions/xt_CHAOS.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_CHAOS.c 2010-04-26 14:12:03.000000000 +0200 @@ -141,22 +141,22 @@ return NF_DROP; } -static bool chaos_tg_check(const struct xt_tgchk_param *par) +static int chaos_tg_check(const struct xt_tgchk_param *par) { const struct xt_chaos_tginfo *info = par->targinfo; if (info->variant == XTCHAOS_DELUDE && !have_delude) { printk(KERN_WARNING PFX "Error: Cannot use --delude when " "DELUDE module not available\n"); - return false; + return -EINVAL; } if (info->variant == XTCHAOS_TARPIT && !have_tarpit) { printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " "TARPIT module not available\n"); - return false; + return -EINVAL; } - return true; + return 0; } static struct xt_target chaos_tg_reg = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_LOGMARK.c new/xtables-addons-1.25/extensions/xt_LOGMARK.c --- old/xtables-addons-1.24/extensions/xt_LOGMARK.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_LOGMARK.c 2010-04-26 14:12:03.000000000 +0200 
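Review bot: The new comment `/* should ENOMEM here */` sits between `if (!add_rule(info))` and its `RETURN_ERR(...)` body, and the macro itself hard-codes `return -EINVAL`, so the failure the comment attributes to allocation is still reported as an invalid argument. Giving the macro the code as a parameter, `#define RETURN_ERR(err, rc) do { printk(KERN_ERR PKNOCK err); return (rc); } while (false)`, lets this site pass `-ENOMEM` and the others `-EINVAL`, and removes the TODO-style comment from inside the if statement. pknock_mt_check's body continues outside the hunk, so its other RETURN_ERR call sites would need the extra argument as well.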
@@ -81,17 +81,17 @@ return XT_CONTINUE; } -static bool +static int logmark_tg_check(const struct xt_tgchk_param *par) { const struct xt_logmark_tginfo *info = par->targinfo; if (info->level >= 8) { pr_debug("LOGMARK: level %u >= 8\n", info->level); - return false; + return -EINVAL; } - return true; + return 0; } static struct xt_target logmark_tg_reg[] __read_mostly = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_RAWNAT.c new/xtables-addons-1.25/extensions/xt_RAWNAT.c --- old/xtables-addons-1.24/extensions/xt_RAWNAT.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_RAWNAT.c 2010-04-26 14:12:03.000000000 +0200 @@ -283,15 +283,15 @@ } #endif -static bool rawnat_tg_check(const struct xt_tgchk_param *par) +static int rawnat_tg_check(const struct xt_tgchk_param *par) { if (strcmp(par->table, "raw") == 0 || strcmp(par->table, "rawpost") == 0) - return true; + return 0; printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or " "\"rawpost\" table.\n"); - return false; + return -EINVAL; } static struct xt_target rawnat_tg_reg[] __read_mostly = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_SYSRQ.c new/xtables-addons-1.25/extensions/xt_SYSRQ.c --- old/xtables-addons-1.24/extensions/xt_SYSRQ.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_SYSRQ.c 2010-04-26 14:12:03.000000000 +0200 @@ -253,9 +253,8 @@ } #endif -static bool sysrq_tg_check(const struct xt_tgchk_param *par) +static int sysrq_tg_check(const struct xt_tgchk_param *par) { - if (par->target->family == NFPROTO_IPV4) { const struct ipt_entry *entry = par->entryinfo; 
@@ -272,11 +271,11 @@ goto out; } - return true; + return 0; out: printk(KERN_ERR KBUILD_MODNAME ": only available for UDP and UDP-Lite"); - return false; + return -EINVAL; } static struct xt_target sysrq_tg_reg[] __read_mostly = { @@ -332,23 +331,14 @@ sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm); sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL); ret = -ENOMEM; - if (sysrq_digest == NULL) { - printk(KERN_WARNING KBUILD_MODNAME - ": Cannot allocate digest\n"); + if (sysrq_digest == NULL) goto fail; - } sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL); - if (sysrq_hexdigest == NULL) { - printk(KERN_WARNING KBUILD_MODNAME - ": Cannot allocate hexdigest\n"); + if (sysrq_hexdigest == NULL) goto fail; - } sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL); - if (sysrq_digest_password == NULL) { - printk(KERN_WARNING KBUILD_MODNAME - ": Cannot allocate password digest space\n"); + if (sysrq_digest_password == NULL) goto fail; - } do_gettimeofday(&now); sysrq_seqno = now.tv_sec; ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_TEE.c new/xtables-addons-1.25/extensions/xt_TEE.c --- old/xtables-addons-1.24/extensions/xt_TEE.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_TEE.c 2010-04-26 14:12:03.000000000 +0200 @@ -24,7 +24,6 @@ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) # define WITH_CONNTRACK 1 # include <net/netfilter/nf_conntrack.h> -static struct nf_conn tee_track; #endif #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) # define WITH_IPV6 1 
@@ -33,51 +32,23 @@ #include "compat_xtables.h" #include "xt_TEE.h" +static bool tee_active[NR_CPUS]; static const union nf_inet_addr tee_zero_address; -/* - * Try to route the packet according to the routing keys specified in - * route_info. Keys are : - * - ifindex : - * 0 if no oif preferred, - * otherwise set to the index of the desired oif - * - route_info->gateway : - * 0 if no gateway specified, - * otherwise set to the next host to which the pkt must be routed - * If success, skb->dev is the output device to which the packet must - * be sent and skb->dst is not NULL - * - * RETURN: false - if an error occured - * true - if the packet was succesfully routed to the - * destination desired - */ static bool tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info) { const struct iphdr *iph = ip_hdr(skb); - int err; struct rtable *rt; struct flowi fl; memset(&fl, 0, sizeof(fl)); - fl.iif = skb_ifindex(skb); -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19) - fl.nl_u.ip4_u.fwmark = skb_nfmark(skb); -#else - fl.mark = skb_nfmark(skb); -#endif fl.nl_u.ip4_u.daddr = info->gw.ip; fl.nl_u.ip4_u.tos = RT_TOS(iph->tos); fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE; - /* Trying to route the packet using the standard routing table. */ - err = ip_route_output_key(&init_net, &rt, &fl); - if (err != 0) { - if (net_ratelimit()) - pr_debug(KBUILD_MODNAME - ": could not route packet (%d)", err); + if (ip_route_output_key(&init_net, &rt, &fl) != 0) return false; - } dst_release(skb_dst(skb)); skb_dst_set(skb, &rt->u.dst); 
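Review bot: `static bool tee_active[NR_CPUS];` indexed by `smp_processor_id()` is the hand-rolled form of per-CPU data; `static DEFINE_PER_CPU(bool, tee_active);` read through `__get_cpu_var(tee_active)` is the kernel idiom, avoids an NR_CPUS-sized static array, and keeps each CPU's flag in its own per-CPU area instead of packing all of them into one cache line that every CPU writes. The hunk also drops the block comment describing what tee_tg_route4 routes on and its `skb->dev`/dst side effects without replacing it; a two-line comment stating that the function routes toward `info->gw.ip` and, on success, replaces the skb's dst would preserve that for the next reader.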
@@ -123,79 +94,58 @@ skb = skb2; } - if (dst->hh != NULL) { + if (dst->hh != NULL) neigh_hh_output(dst->hh, skb); - } else if (dst->neighbour != NULL) { + else if (dst->neighbour != NULL) dst->neighbour->output(skb); - } else { - if (net_ratelimit()) - pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n"); + else kfree_skb(skb); - } } -/* - * To detect and deter routed packet loopback when using the --tee option, we - * take a page out of the raw.patch book: on the copied skb, we set up a fake - * ->nfct entry, pointing to the local &route_tee_track. We skip routing - * packets when we see they already have that ->nfct. - */ static unsigned int tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par) { const struct xt_tee_tginfo *info = par->targinfo; struct sk_buff *skb = *pskb; + struct iphdr *iph; + unsigned int cpu = smp_processor_id(); -#ifdef WITH_CONNTRACK - if (skb->nfct == &tee_track.ct_general) { - /* - * Loopback - a packet we already routed, is to be - * routed another time. Avoid that, now. - */ - if (net_ratelimit()) - pr_debug(KBUILD_MODNAME "loopback - DROP!\n"); - return NF_DROP; - } -#endif - - if (!skb_make_writable(pskb, sizeof(struct iphdr))) - return NF_DROP; - skb = *pskb; - - /* - * If we are in INPUT, the checksum must be recalculated since - * the length could have changed as a result of defragmentation. - */ - if (par->hooknum == NF_INET_LOCAL_IN) { - struct iphdr *iph = ip_hdr(skb); - iph->check = 0; - iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); - } - + if (tee_active[cpu]) + return XT_CONTINUE; /* * Copy the skb, and route the copy. Will later return %XT_CONTINUE for * the original skb, which should continue on its way as if nothing has * happened. The copy should be independently delivered to the TEE * --gateway. 
*/ - skb = skb_copy(skb, GFP_ATOMIC); - if (skb == NULL) { - if (net_ratelimit()) - pr_debug(KBUILD_MODNAME "copy failed!\n"); + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) return XT_CONTINUE; - } + /* + * If we are in PREROUTING/INPUT, the checksum must be recalculated + * since the length could have changed as a result of defragmentation. + * + * We also decrease the TTL to mitigate potential TEE loops + * between two hosts. + * + * Set %IP_DF so that the original source is notified of a potentially + * decreased MTU on the clone route. IPv6 does this too. + */ + iph = ip_hdr(skb); + iph->frag_off |= htons(IP_DF); + if (par->hooknum == NF_INET_PRE_ROUTING || + par->hooknum == NF_INET_LOCAL_IN) + --iph->ttl; + ip_send_check(iph); #ifdef WITH_CONNTRACK /* - * Tell conntrack to forget this packet since it may get confused - * when a packet is leaving with dst address == our address. - * Good idea? Dunno. Need advice. - * - * NEW: mark the skb with our &tee_track, so we avoid looping - * on any already routed packet. + * Tell conntrack to forget this packet. It may have side effects to + * see the same packet twice, as for example, accounting the original + * connection for the cloned packet. */ nf_conntrack_put(skb->nfct); - skb->nfct = &tee_track.ct_general; + skb->nfct = &nf_conntrack_untracked.ct_general; skb->nfctinfo = IP_CT_NEW; nf_conntrack_get(skb->nfct); #endif @@ -216,9 +166,13 @@ * Also on purpose, no fragmentation is done, to preserve the * packet as best as possible. */ - if (tee_tg_route4(skb, info)) + if (tee_tg_route4(skb, info)) { + tee_active[cpu] = true; tee_tg_send(skb); - + tee_active[cpu] = false; + } else { + kfree_skb(skb); + } return XT_CONTINUE; } 
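Review bot: `--iph->ttl` in the PREROUTING/LOCAL_IN branch has no lower bound, so a packet arriving with TTL 1 is cloned with TTL 0 and one arriving with TTL 0 wraps to 255, which works against the loop mitigation the comment above it describes; the clone goes straight to the neighbour output path in tee_tg_send, so the forwarding path's TTL check never sees it. Dropping the clone when the value cannot be decremented, `if (iph->ttl <= 1) { kfree_skb(skb); return XT_CONTINUE; }` placed before the decrement, closes that. The `--iph->hop_limit` in the later tee_tg6 hunk has the same shape. The `tee_active[cpu] = true; ... = false;` bracket around tee_tg_send in the `@@ -216` hunk presumably relies on the hook running with preemption disabled so `cpu` stays valid for the whole call; a one-line comment stating that assumption would help.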
@@ -231,13 +185,6 @@ struct flowi fl; memset(&fl, 0, sizeof(fl)); - fl.iif = skb_ifindex(skb); - /* No mark in flowi before 2.6.19 */ -#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19) - fl.nl_u.ip6_u.fwmark = skb_nfmark(skb); -#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) - fl.mark = skb_nfmark(skb); -#endif fl.nl_u.ip6_u.daddr = info->gw.in6; fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) | (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]; @@ -247,11 +194,8 @@ #else dst = ip6_route_output(dev_net(skb->dev), NULL, &fl); #endif - if (dst == NULL) { - if (net_ratelimit()) - printk(KERN_ERR "ip6_route_output failed for tee\n"); + if (dst == NULL) return false; - } dst_release(skb_dst(skb)); skb_dst_set(skb, dst); 
@@ -265,36 +209,43 @@ { const struct xt_tee_tginfo *info = par->targinfo; struct sk_buff *skb = *pskb; + unsigned int cpu = smp_processor_id(); - /* Try silence. */ -#ifdef WITH_CONNTRACK - if (skb->nfct == &tee_track.ct_general) - return NF_DROP; -#endif - - if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL) + if (tee_active[cpu]) + return XT_CONTINUE; + skb = pskb_copy(skb, GFP_ATOMIC); + if (skb == NULL) return XT_CONTINUE; #ifdef WITH_CONNTRACK nf_conntrack_put(skb->nfct); - skb->nfct = &tee_track.ct_general; + skb->nfct = &nf_conntrack_untracked.ct_general; skb->nfctinfo = IP_CT_NEW; nf_conntrack_get(skb->nfct); #endif - if (tee_tg_route6(skb, info)) + if (par->hooknum == NF_INET_PRE_ROUTING || + par->hooknum == NF_INET_LOCAL_IN) { + struct ipv6hdr *iph = ipv6_hdr(skb); + --iph->hop_limit; + } + if (tee_tg_route6(skb, info)) { + tee_active[cpu] = true; tee_tg_send(skb); - + tee_active[cpu] = false; + } else { + kfree_skb(skb); + } return XT_CONTINUE; } #endif /* WITH_IPV6 */ -static bool tee_tg_check(const struct xt_tgchk_param *par) +static int tee_tg_check(const struct xt_tgchk_param *par) { const struct xt_tee_tginfo *info = par->targinfo; /* 0.0.0.0 and :: not allowed */ - return memcmp(&info->gw, &tee_zero_address, - sizeof(tee_zero_address)) != 0; + return (memcmp(&info->gw, &tee_zero_address, + sizeof(tee_zero_address)) == 0) ? -EINVAL : 0; } static struct xt_target tee_tg_reg[] __read_mostly = { @@ -302,7 +253,6 @@ .name = "TEE", .revision = 0, .family = NFPROTO_IPV4, - .table = "mangle", .target = tee_tg4, .targetsize = sizeof(struct xt_tee_tginfo), .checkentry = tee_tg_check, @@ -313,7 +263,6 @@ .name = "TEE", .revision = 0, .family = NFPROTO_IPV6, - .table = "mangle", .target = tee_tg6, .targetsize = sizeof(struct xt_tee_tginfo), .checkentry = tee_tg_check, 
@@ -324,27 +273,12 @@ static int __init tee_tg_init(void) { -#ifdef WITH_CONNTRACK - /* - * Set up fake conntrack (stolen from raw.patch): - * - to never be deleted, not in any hashes - */ - atomic_set(&tee_track.ct_general.use, 1); - - /* - and look it like as a confirmed connection */ - set_bit(IPS_CONFIRMED_BIT, &tee_track.status); - - /* Initialize fake conntrack so that NAT will skip it */ - tee_track.status |= IPS_NAT_DONE_MASK; -#endif - return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg)); } static void __exit tee_tg_exit(void) { xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg)); - /* [SC]: shoud not we cleanup tee_track here? */ } module_init(tee_tg_init); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_condition.c new/xtables-addons-1.25/extensions/xt_condition.c --- old/xtables-addons-1.24/extensions/xt_condition.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_condition.c 2010-04-26 14:12:03.000000000 +0200 @@ -56,7 +56,7 @@ /* proc_lock is a user context only semaphore used for write access */ /* to the conditions' list. */ -static struct mutex proc_lock; +static DEFINE_MUTEX(proc_lock); static LIST_HEAD(conditions_list); static struct proc_dir_entry *proc_net_condition; @@ -100,16 +100,11 @@ { const struct xt_condition_mtinfo *info = par->matchinfo; const struct condition_variable *var = info->condvar; - bool x; - rcu_read_lock(); - x = rcu_dereference(var->enabled); - rcu_read_unlock(); - - return x ^ info->invert; + return var->enabled ^ info->invert; } -static bool condition_mt_check(const struct xt_mtchk_param *par) +static int condition_mt_check(const struct xt_mtchk_param *par) { struct xt_condition_mtinfo *info = par->matchinfo; struct condition_variable *var; 
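Review bot: `return var->enabled ^ info->invert;` now dereferences `info->condvar` and reads `var->enabled` with no RCU or lock, and the `@@ -179` hunk two lines down frees `var` right after `list_del` with the `synchronize_net()` removed; this is only safe if no packet can still be evaluated against the rule by the time condition_mt_destroy runs, a guarantee the diff leaves to the table-replacement path in x_tables rather than stating. That assumption deserves a comment at the `kfree(var)` site, for example `/* no RCU needed: destroy runs after the table swap, so the packet path no longer references var */`, so the next reader neither reintroduces nor removes synchronisation blindly. The `wmb()` kept in condition_mt_check before `list_add` (`@@ -164` hunk) appears to have been paired with the RCU readers and now has no documented counterpart either.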
@@ -121,21 +116,19 @@ printk(KERN_INFO KBUILD_MODNAME ": name not allowed or too " "long: \"%.*s\"\n", (unsigned int)sizeof(info->name), info->name); - return false; + return -EINVAL; } /* * Let's acquire the lock, check for the condition and add it * or increase the reference counter. */ - if (mutex_lock_interruptible(&proc_lock) != 0) - return false; - + mutex_lock(&proc_lock); list_for_each_entry(var, &conditions_list, list) { if (strcmp(info->name, var->status_proc->name) == 0) { var->refcount++; mutex_unlock(&proc_lock); info->condvar = var; - return true; + return 0; } } @@ -143,7 +136,7 @@ var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL); if (var == NULL) { mutex_unlock(&proc_lock); - return false; + return -ENOMEM; } /* Create the condition variable's proc file entry. */ @@ -152,7 +145,7 @@ if (var->status_proc == NULL) { kfree(var); mutex_unlock(&proc_lock); - return false; + return -ENOMEM; } var->refcount = 1; @@ -164,12 +157,12 @@ wmb(); var->status_proc->read_proc = condition_proc_read; var->status_proc->write_proc = condition_proc_write; - list_add_rcu(&var->list, &conditions_list); + list_add(&var->list, &conditions_list); var->status_proc->uid = condition_uid_perms; var->status_proc->gid = condition_gid_perms; mutex_unlock(&proc_lock); info->condvar = var; - return true; + return 0; } static void condition_mt_destroy(const struct xt_mtdtor_param *par) 
@@ -179,16 +172,9 @@ mutex_lock(&proc_lock); if (--var->refcount == 0) { - list_del_rcu(&var->list); + list_del(&var->list); remove_proc_entry(var->status_proc->name, proc_net_condition); mutex_unlock(&proc_lock); - /* - * synchronize_rcu() would be good enough, but - * synchronize_net() guarantees that no packet - * will go out with the old rule after - * succesful removal. - */ - synchronize_net(); kfree(var); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_fuzzy.c new/xtables-addons-1.25/extensions/xt_fuzzy.c --- old/xtables-addons-1.24/extensions/xt_fuzzy.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_fuzzy.c 2010-04-26 14:12:03.000000000 +0200 @@ -125,7 +125,7 @@ return false; } -static bool fuzzy_mt_check(const struct xt_mtchk_param *par) +static int fuzzy_mt_check(const struct xt_mtchk_param *par) { const struct xt_fuzzy_mtinfo *info = par->matchinfo; @@ -133,10 +133,10 @@ info->maximum_rate > FUZZY_MAX_RATE || info->minimum_rate >= info->maximum_rate) { printk(KERN_INFO KBUILD_MODNAME ": bad values, please check.\n"); - return false; + return -EDOM; } - return true; + return 0; } static struct xt_match fuzzy_mt_reg[] __read_mostly = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_geoip.c new/xtables-addons-1.25/extensions/xt_geoip.c --- old/xtables-addons-1.24/extensions/xt_geoip.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_geoip.c 2010-04-26 14:12:03.000000000 +0200 
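Review bot: `return -EDOM;` for out-of-range `minimum_rate`/`maximum_rate` in fuzzy_mt_check differs from the other checkentry conversions in this release, which return `-EINVAL` for a malformed rule argument, and iptables will show it to the user as "Numerical argument out of domain". Either code works, but `-EINVAL` gives the same strerror text the user sees from every other extension for a bad option; consider `return -EINVAL;` for consistency, or keep `-EDOM` and say so in a comment next to the printk.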
@@ -46,23 +46,28 @@ struct geoip_country_user umem; struct geoip_country_kernel *p; struct geoip_subnet *s; + int ret; if (copy_from_user(&umem, umem_ptr, sizeof(umem)) != 0) - return NULL; + return ERR_PTR(-EFAULT); p = kmalloc(sizeof(struct geoip_country_kernel), GFP_KERNEL); if (p == NULL) - return NULL; + return ERR_PTR(-ENOMEM); p->count = umem.count; p->cc = umem.cc; s = vmalloc(p->count * sizeof(struct geoip_subnet)); - if (s == NULL) + if (s == NULL) { + ret = -ENOMEM; goto free_p; + } if (copy_from_user(s, (const void __user *)(unsigned long)umem.subnets, - p->count * sizeof(struct geoip_subnet)) != 0) + p->count * sizeof(struct geoip_subnet)) != 0) { + ret = -EFAULT; goto free_s; + } p->subnets = s; atomic_set(&p->ref, 1); @@ -78,7 +83,7 @@ vfree(s); free_p: kfree(p); - return NULL; + return ERR_PTR(ret); } static void geoip_try_remove_node(struct geoip_country_kernel *p) @@ -168,7 +173,7 @@ return info->flags & XT_GEOIP_INV; } -static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par) +static int xt_geoip_mt_checkentry(const struct xt_mtchk_param *par) { struct xt_geoip_match_info *info = par->matchinfo; struct geoip_country_kernel *node; @@ -176,13 +181,15 @@ for (i = 0; i < info->count; i++) { node = find_node(info->cc[i]); - if (node == NULL) - if ((node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user)) == NULL) { + if (node == NULL) { + node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user); + if (IS_ERR(node)) { printk(KERN_ERR - "xt_geoip: unable to load '%c%c' into memory\n", - COUNTRY(info->cc[i])); - return false; + "xt_geoip: unable to load '%c%c' into memory: %ld\n", + COUNTRY(info->cc[i]), PTR_ERR(node)); + return PTR_ERR(node); } + } /* Overwrite the now-useless pointer info->mem[i] with * a pointer to the node's kernelspace structure. 
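Review bot: `s = vmalloc(p->count * sizeof(struct geoip_subnet));` and the matching `copy_from_user` size take `p->count` straight from the user-supplied `umem.count` with no upper bound, and the new ERR_PTR error handling does not change that; if count is a 32-bit field the product can wrap on 32-bit hosts, and even where it cannot, a very large count becomes an arbitrarily large vmalloc from rule loading. Reject implausible counts before allocating, `if (umem.count > MAX_SUBNETS) return ERR_PTR(-EINVAL);` with `MAX_SUBNETS` a placeholder for a limit to be chosen. Separately, in the `@@ -176` hunk, returning `PTR_ERR(node)` mid-loop leaves the nodes already stored in `info->mem[0..i-1].kernel` attached; unless destroy is invoked for a match whose checkentry failed (normally it is not), those references appear to leak on partial failure.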
@@ -192,7 +199,7 @@ info->mem[i].kernel = node; } - return true; + return 0; } static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_lscan.c new/xtables-addons-1.25/extensions/xt_lscan.c --- old/xtables-addons-1.24/extensions/xt_lscan.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_lscan.c 2010-04-26 14:12:03.000000000 +0200 @@ -216,16 +216,16 @@ (info->match_gr && ctdata->mark == mark_grscan); } -static bool lscan_mt_check(const struct xt_mtchk_param *par) +static int lscan_mt_check(const struct xt_mtchk_param *par) { const struct xt_lscan_mtinfo *info = par->matchinfo; if ((info->match_stealth & ~1) || (info->match_syn & ~1) || (info->match_cn & ~1) || (info->match_gr & ~1)) { printk(KERN_WARNING PFX "Invalid flags\n"); - return false; + return -EINVAL; } - return true; + return 0; } static struct xt_match lscan_mt_reg[] __read_mostly = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-1.24/extensions/xt_quota2.c new/xtables-addons-1.25/extensions/xt_quota2.c --- old/xtables-addons-1.24/extensions/xt_quota2.c 2010-03-17 02:50:23.000000000 +0100 +++ new/xtables-addons-1.25/extensions/xt_quota2.c 2010-04-26 14:12:03.000000000 +0200 
@@ -144,28 +144,28 @@ return NULL; } -static bool quota_mt2_check(const struct xt_mtchk_param *par) +static int quota_mt2_check(const struct xt_mtchk_param *par) { struct xt_quota_mtinfo2 *q = par->matchinfo; if (q->flags & ~XT_QUOTA_MASK) - return false; + return -EINVAL; q->name[sizeof(q->name)-1] = '\0'; if (*q->name == '.' || strchr(q->name, '/') != NULL) { printk(KERN_ERR "xt_quota<%u>: illegal name\n", par->match->revision); - return false; + return -EINVAL; } q->master = q2_get_counter(q); if (q->master == NULL) { printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n", par->match->revision); - return false; + return -ENOMEM; } - return true; + return 0; } static void quota_mt2_destroy(const struct xt_mtdtor_param *par) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org