diff --git a/configure.ac b/configure.ac
index 014dc8a..55422b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,7 +63,7 @@ if test -n "$kbuilddir"; then
 echo "WARNING: Version detection did not succeed. Continue at own luck.";
 else
 echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 2; then
+if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 3; then
 echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test "$kmajor" -eq 3; then
 :;
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 6f9aa38..ae4c234 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -5,6 +5,8 @@ Fixes:
 - compat_xtables: fixed mistranslation of checkentry return values (affected kernels < 2.6.23)
 - xt_SYSRQ: fix compile error when crypto is turned off
+Enhancements:
+- Support for Linux 3.3
 v1.41 (2012-01-04)
diff --git a/extensions/libxt_DNETMAP.c b/extensions/libxt_DNETMAP.c
index ddfb7a6..0f91b4a 100644
--- a/extensions/libxt_DNETMAP.c
+++ b/extensions/libxt_DNETMAP.c
@@ -11,7 +11,7 @@
 #include
 #include
 #include
-#include
+#include
 #include "xt_DNETMAP.h"
 #define MODULENAME "DNETMAP"
@@ -65,7 +65,7 @@ static int netmask2bits(u_int32_t netmask)
 static void DNETMAP_init(struct xt_entry_target *t)
 {
 struct xt_DNETMAP_tginfo *tginfo = (void *)&t->data;
-struct nf_nat_multi_range *mr = &tginfo->prefix;
+struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
 /* Actually, it's 0, but it's ignored at the moment. */
 mr->rangesize = 1;
@@ -74,14 +74,14 @@ static void DNETMAP_init(struct xt_entry_target *t)
 }
 /* Parses network address */
-static void parse_prefix(char *arg, struct nf_nat_range *range)
+static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
 {
 char *slash;
 const struct in_addr *ip;
 u_int32_t netmask;
 unsigned int bits;
-range->flags |= IP_NAT_RANGE_MAP_IPS;
+range->flags |= NF_NAT_RANGE_MAP_IPS;
 slash = strchr(arg, '/');
 if (slash) *slash = '\0';
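Review bot: The renamed write `range->flags |= NF_NAT_RANGE_MAP_IPS;` ORs into whatever `flags` already holds, so it relies on the target data having been zeroed before parse_prefix runs; the preceding DNETMAP_init hunk sets only `mr->rangesize`, and whether the framework clears the rest is not visible here. A one-line comment above it, `/* assumes range->flags was zeroed by the caller -- verify */`, would record that assumption for the next reader. The function also truncates `arg` in place at the slash, which the `/* Parses network address */` comment does not mention; the rest of parse_prefix lies outside the hunk.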
@@ -129,7 +129,7 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
 const void *entry, struct xt_entry_target **target)
 {
 struct xt_DNETMAP_tginfo *tginfo = (void *)(*target)->data;
-struct nf_nat_multi_range *mr = &tginfo->prefix;
+struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
 char *end;
 switch (c) {
@@ -171,8 +171,8 @@ static void DNETMAP_print_addr(const void *ip, int numeric)
 {
 struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
-const struct nf_nat_multi_range *mr = &tginfo->prefix;
-const struct nf_nat_range *r = &mr->range[0];
+const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
+const struct nf_nat_ipv4_range *r = &mr->range[0];
 struct in_addr a;
 int bits;
diff --git a/extensions/xt_DNETMAP.h b/extensions/xt_DNETMAP.h
index 04250be..274b083 100644
--- a/extensions/xt_DNETMAP.h
+++ b/extensions/xt_DNETMAP.h
@@ -8,11 +8,7 @@ enum {
 };
 struct xt_DNETMAP_tginfo {
-#ifdef __KERNEL__
 struct nf_nat_ipv4_multi_range_compat prefix;
-#else
-struct nf_nat_multi_range_compat prefix;
-#endif
 __u8 flags;
 __s16 ttl;
 };
diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
index 1d81165..efbceff 100644
--- a/extensions/xt_ECHO.c
+++ b/extensions/xt_ECHO.c
@@ -92,8 +92,8 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
 memset(&fl, 0, sizeof(fl));
 fl.flowi6_proto = newip->nexthdr;
-ipv6_addr_copy(&fl.saddr, &newip->saddr);
-ipv6_addr_copy(&fl.daddr, &newip->daddr);
+memcpy(&fl.saddr, &newip->saddr, sizeof(fl.saddr));
+memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
 fl.fl6_sport = newudp->source;
 fl.fl6_dport = newudp->dest;
 security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 0000000..2f6bbc5
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
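Review bot: Dropping the `#ifdef __KERNEL__` branch in xt_DNETMAP_tginfo makes the kernel-side build of xt_DNETMAP depend on `struct nf_nat_ipv4_multi_range_compat` being visible from the target kernel's headers; the new include/linux/netfilter/nf_nat.h in this commit supplies it for userspace, but the commit also deletes include/net/netfilter/nf_nat.h, which carried the `nf_nat_multi_range_compat` definition and the `nf_nat_multi_range` alias, so builds against kernels older than 3.3 presumably need compat_xtables to provide the new name — worth confirming. The rename does not change the target's layout: both the deleted `nf_nat_multi_range_compat` and the new `nf_nat_ipv4_multi_range_compat` are `rangesize` followed by one range of `flags`, `min_ip`, `max_ip`, `min`, `max`, and the `*_RANGE_MAP_IPS` through `*_RANGE_PERSISTENT` values (1, 2, 4, 8) are the same in both headers, so the data iptables hands to the kernel is unchanged. A comment on the field, `/* same layout as the pre-3.3 nf_nat_multi_range_compat; userspace/kernel ABI unchanged */`, would save the next reader that comparison.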
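Review bot: The two `memcpy` calls in echo_tg6 size the copy by the destination, `sizeof(fl.saddr)`, so a future change to the type of `newip->saddr` would not be caught by the compiler and could read past the source field. If both sides are `struct in6_addr`, as the replaced `ipv6_addr_copy` calls suggest, plain assignment `fl.saddr = newip->saddr;` and `fl.daddr = newip->daddr;` is type-checked and equally cheap. echo_tg6 starts and ends outside the hunk; the pre-existing `(struct sk_buff *)oldskb` cast on its last context line, which drops const, is untouched here and deserves a short why-comment.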
@@ -0,0 +1,39 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir {
+ IP_CT_DIR_ORIGINAL,
+ IP_CT_DIR_REPLY,
+ IP_CT_DIR_MAX
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+ /* Add other protocols here. */
+ __be16 all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } dccp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h
new file mode 100644
index 0000000..8df2d13
--- /dev/null
+++ b/include/linux/netfilter/nf_nat.h
@@ -0,0 +1,25 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include
+#include
+
+#define NF_NAT_RANGE_MAP_IPS 1
+#define NF_NAT_RANGE_PROTO_SPECIFIED 2
+#define NF_NAT_RANGE_PROTO_RANDOM 4
+#define NF_NAT_RANGE_PERSISTENT 8
+
+struct nf_nat_ipv4_range {
+ unsigned int flags;
+ __be32 min_ip;
+ __be32 max_ip;
+ union nf_conntrack_man_proto min;
+ union nf_conntrack_man_proto max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+ unsigned int rangesize;
+ struct nf_nat_ipv4_range range[1];
+};
+
+#endif /* _NETFILTER_NF_NAT_H */
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
deleted file mode 100644
index 81776e7..0000000
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * Definitions and Declarations for tuple.
- *
- * 16 Dec 2003: Yasuyuki Kozakai @USAGI
- * - generalize L3 protocol dependent part.
- *
- * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
- */
-
-#ifndef _NF_CONNTRACK_TUPLE_H
-#define _NF_CONNTRACK_TUPLE_H
-
-#include
-#include
-/*#include */
-
-/* A `tuple' is a structure containing the information to uniquely
- identify a connection. ie. if two packets have the same tuple, they
- are in the same connection; if not, they are not.
-
- We divide the structure along "manipulatable" and
- "non-manipulatable" lines, for the benefit of the NAT code.
-*/
-
-#define NF_CT_TUPLE_L3SIZE ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)
-
-/* The protocol-specific manipulable parts of the tuple: always in
- network order! */
-union nf_conntrack_man_proto {
- /* Add other protocols here. */
- __be16 all;
-
- struct {
- __be16 port;
- } tcp;
- struct {
- __be16 port;
- } udp;
- struct {
- __be16 id;
- } icmp;
- struct {
- __be16 port;
- } dccp;
- struct {
- __be16 port;
- } sctp;
- struct {
- __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
- } gre;
-};
-
-/* The manipulable part of the tuple. */
-struct nf_conntrack_man {
- union nf_inet_addr u3;
- union nf_conntrack_man_proto u;
- /* Layer 3 protocol */
- u_int16_t l3num;
-};
-
-/* This contains the information to distinguish a connection. */
-struct nf_conntrack_tuple {
- struct nf_conntrack_man src;
-
- /* These are the parts of the tuple which are fixed. */
- struct {
- union nf_inet_addr u3;
- union {
- /* Add other protocols here. */
- __be16 all;
-
- struct {
- __be16 port;
- } tcp;
- struct {
- __be16 port;
- } udp;
- struct {
- u_int8_t type, code;
- } icmp;
- struct {
- __be16 port;
- } dccp;
- struct {
- __be16 port;
- } sctp;
- struct {
- __be16 key;
- } gre;
- } u;
-
- /* The protocol. */
- u_int8_t protonum;
-
- /* The direction (for tuplehash) */
- u_int8_t dir;
- } dst;
-};
-
-struct nf_conntrack_tuple_mask {
- struct {
- union nf_inet_addr u3;
- union nf_conntrack_man_proto u;
- } src;
-};
-
-#ifdef __KERNEL__
-
-static inline void nf_ct_dump_tuple_ip(const struct nf_conntrack_tuple *t)
-{
-#ifdef DEBUG
- printk("tuple %p: %u %pI4:%hu -> %pI4:%hu\n",
- t, t->dst.protonum,
- &t->src.u3.ip, ntohs(t->src.u.all),
- &t->dst.u3.ip, ntohs(t->dst.u.all));
-#endif
-}
-
-static inline void nf_ct_dump_tuple_ipv6(const struct nf_conntrack_tuple *t)
-{
-#ifdef DEBUG
- printk("tuple %p: %u %pI6 %hu -> %pI6 %hu\n",
- t, t->dst.protonum,
- t->src.u3.all, ntohs(t->src.u.all),
- t->dst.u3.all, ntohs(t->dst.u.all));
-#endif
-}
-
-static inline void nf_ct_dump_tuple(const struct nf_conntrack_tuple *t)
-{
- switch (t->src.l3num) {
- case AF_INET:
- nf_ct_dump_tuple_ip(t);
- break;
- case AF_INET6:
- nf_ct_dump_tuple_ipv6(t);
- break;
- }
-}
-
-/* If we're the first tuple, it's the original dir. */
-#define NF_CT_DIRECTION(h) \
- ((enum ip_conntrack_dir)(h)->tuple.dst.dir)
-
-/* Connections have two entries in the hash table: one for each way */
-struct nf_conntrack_tuple_hash {
- struct hlist_nulls_node hnnode;
- struct nf_conntrack_tuple tuple;
-};
-
-static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2)
-{
- return (nf_inet_addr_cmp(&t1->src.u3, &t2->src.u3) &&
- t1->src.u.all == t2->src.u.all &&
- t1->src.l3num == t2->src.l3num);
-}
-
-static inline bool __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2)
-{
- return (nf_inet_addr_cmp(&t1->dst.u3, &t2->dst.u3) &&
- t1->dst.u.all == t2->dst.u.all &&
- t1->dst.protonum == t2->dst.protonum);
-}
-
-static inline bool nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2)
-{
- return __nf_ct_tuple_src_equal(t1, t2) &&
- __nf_ct_tuple_dst_equal(t1, t2);
-}
-
-static inline bool
-nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
- const struct nf_conntrack_tuple_mask *m2)
-{
- return (nf_inet_addr_cmp(&m1->src.u3, &m2->src.u3) &&
- m1->src.u.all == m2->src.u.all);
-}
-
-static inline bool
-nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
- const struct nf_conntrack_tuple *t2,
- const struct nf_conntrack_tuple_mask *mask)
-{
- int count;
-
- for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
- if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
- mask->src.u3.all[count])
- return false;
- }
-
- if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
- return false;
-
- if (t1->src.l3num != t2->src.l3num ||
- t1->dst.protonum != t2->dst.protonum)
- return false;
-
- return true;
-}
-
-static inline bool
-nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_tuple_mask *mask)
-{
- return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
- __nf_ct_tuple_dst_equal(t, tuple);
-}
-#endif /* __KERNEL__ */
-
-#endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
deleted file mode 100644
index f5f09f0..0000000
--- a/include/net/netfilter/nf_nat.h
+++ /dev/null
@@ -1,93 +0,0 @@
-#ifndef _NF_NAT_H
-#define _NF_NAT_H
-#include
-#include
-
-#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
-
-enum nf_nat_manip_type {
- IP_NAT_MANIP_SRC,
- IP_NAT_MANIP_DST
-};
-
-/* SRC manip occurs POST_ROUTING or LOCAL_IN */
-#define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \
- (hooknum) != NF_INET_LOCAL_IN)
-
-#define IP_NAT_RANGE_MAP_IPS 1
-#define IP_NAT_RANGE_PROTO_SPECIFIED 2
-#define IP_NAT_RANGE_PROTO_RANDOM 4
-#define IP_NAT_RANGE_PERSISTENT 8
-
-/* NAT sequence number modifications */
-struct nf_nat_seq {
- /* position of the last TCP sequence number modification (if any) */
- u_int32_t correction_pos;
-
- /* sequence number offset before and after last modification */
- int16_t offset_before, offset_after;
-};
-
-/* Single range specification. */
-struct nf_nat_range {
- /* Set to OR of flags above. */
- unsigned int flags;
-
- /* Inclusive: network order. */
- __be32 min_ip, max_ip;
-
- /* Inclusive: network order */
- union nf_conntrack_man_proto min, max;
-};
-
-/* For backwards compat: don't use in modern code. */
-struct nf_nat_multi_range_compat {
- unsigned int rangesize; /* Must be 1. */
-
- /* hangs off end. */
- struct nf_nat_range range[1];
-};
-
-#ifdef __KERNEL__
-#include
-#include
-#include
-
-/* per conntrack: nat application helper private data */
-union nf_conntrack_nat_help {
- /* insert nat helper private data here */
- struct nf_nat_pptp nat_pptp_info;
-};
-
-struct nf_conn;
-
-/* The structure embedded in the conntrack structure. */
-struct nf_conn_nat {
- struct hlist_node bysource;
- struct nf_nat_seq seq[IP_CT_DIR_MAX];
- struct nf_conn *ct;
- union nf_conntrack_nat_help help;
-#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
- defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
- int masq_index;
-#endif
-};
-
-/* Set up the info structure to map into this range. */
-extern unsigned int nf_nat_setup_info(struct nf_conn *ct,
- const struct nf_nat_range *range,
- enum nf_nat_manip_type maniptype);
-
-/* Is this tuple already taken? (not by us)*/
-extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
- const struct nf_conn *ignored_conntrack);
-
-static inline struct nf_conn_nat *nfct_nat(const struct nf_conn *ct)
-{
- return nf_ct_ext_find(ct, NF_CT_EXT_NAT);
-}
-
-#else /* !__KERNEL__: iptables wants this to compile. */
-#define nf_nat_multi_range nf_nat_multi_range_compat
-#endif /*__KERNEL__*/
-#endif