From ee7e4f5a42bf4c989924d2351ee3c4734b5caad0 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 18 Nov 2008 12:51:25 +0100
Subject: [PATCH] Update for Linux 2.6.28
---
extensions/compat_xtables.c | 104 ++++++++++++++++++++++++++++++------
extensions/compat_xtables.h | 2 +-
extensions/compat_xtnu.h | 67 ++++++++++++++++++-----
extensions/ipset/ipt_SET.c | 102 ++++------------------------------
extensions/ipset/ipt_set.c | 104 +++--------------------------------
extensions/xt_CHAOS.c | 82 +++++++++++++++++++---------
extensions/xt_DELUDE.c | 7 ++-
extensions/xt_DHCPADDR.c | 16 +++---
extensions/xt_ECHO.c | 5 +-
extensions/xt_IPMARK.c | 12 ++---
extensions/xt_LOGMARK.c | 14 ++---
extensions/xt_SYSRQ.c | 21 ++++----
extensions/xt_TARPIT.c | 6 +--
extensions/xt_TEE.c | 14 ++---
extensions/xt_condition.c | 18 +++---
extensions/xt_fuzzy.c | 13 ++---
extensions/xt_geoip.c | 16 +++---
extensions/xt_ipp2p.c | 10 ++--
extensions/xt_portscan.c | 19 +++---
extensions/xt_quota2.c | 18 +++---
20 files changed, 289 insertions(+), 361 deletions(-)
diff --git a/extensions/compat_xtables.c b/extensions/compat_xtables.c
index 491d9d9..16c22eb 100644
--- a/extensions/compat_xtables.c
+++ b/extensions/compat_xtables.c
@@ -30,14 +30,30 @@ static int xtnu_match_run(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *cm, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) +static bool xtnu_match_run(const struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + const struct xt_match *cm, const void *matchinfo, int offset, + unsigned int protoff, bool *hotdrop) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) { struct xtnu_match *nm = xtcompat_numatch(cm); bool lo_drop = false, lo_ret; + struct xt_match_param local_par = { + .in = in, + .out = out, + .match = cm, + .matchinfo = matchinfo, + .fragoff = offset, + .thoff = protoff, + .hotdrop = &lo_drop, + .family = NFPROTO_UNSPEC, /* don't have that info */ + }; if (nm == NULL || nm->match == NULL) return false; - lo_ret = nm->match(skb, in, out, nm, matchinfo, - offset, protoff, &lo_drop); + lo_ret = nm->match(skb, &local_par); *hotdrop = lo_drop; return lo_ret; } 
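Review bot: `.family = NFPROTO_UNSPEC, /* don't have that info */` in the new local_par throws away information the shim does have: the kernel `struct xt_match` passed in as `cm` carries a `family` member on these kernel versions (it is what the kernel keys match registration on, as far as I recall), and its AF_INET/AF_INET6 values are the ones NFPROTO_IPV4/NFPROTO_IPV6 were defined to coincide with. `.family = cm->family,` would let a match callback dispatch on `par->family` on <= 2.6.27 the same way it can on 2.6.28. The same placeholder is repeated in the check and destroy shims in the next hunk and, with `ct->family` available, in the three target shims after that; if the member really is missing on some supported kernel, the comment should name which one.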
@@ -50,35 +66,51 @@ static int xtnu_match_check(const char *table, const void *entry, #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) static int xtnu_match_check(const char *table, const void *entry, const struct xt_match *cm, void *matchinfo, unsigned int hook_mask) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) +static bool xtnu_match_check(const char *table, const void *entry, + const struct xt_match *cm, void *matchinfo, unsigned int hook_mask) #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) { struct xtnu_match *nm = xtcompat_numatch(cm); + struct xt_mtchk_param local_par = { + .table = table, + .entryinfo = entry, + .match = cm, + .matchinfo = matchinfo, + .hook_mask = hook_mask, + .family = NFPROTO_UNSPEC, + }; if (nm == NULL) return false; if (nm->checkentry == NULL) return true; - return nm->checkentry(table, entry, nm, matchinfo, hook_mask); + return nm->checkentry(&local_par); } #endif #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize) -#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo) #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) { struct xtnu_match *nm = xtcompat_numatch(cm); + struct xt_mtdtor_param local_par = { + .match = cm, + .matchinfo = matchinfo, + .family = NFPROTO_UNSPEC, + }; if (nm != NULL && nm->destroy != NULL) - nm->destroy(nm, matchinfo); + nm->destroy(&local_par); } #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) int xtnu_register_match(struct xtnu_match *nt) { struct xt_match *ct; 
@@ -157,18 +189,36 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb, static unsigned int xtnu_target_run(struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, const struct xt_target *ct, const void *targinfo) -#else +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) static unsigned int xtnu_target_run(struct sk_buff *skb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, const struct xt_target *ct, const void *targinfo) +#else +static unsigned int +xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par) #endif { +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) struct xtnu_target *nt = xtcompat_nutarget(ct); + struct xt_target_param local_par = { + .in = in, + .out = out, + .hooknum = hooknum, + .target = ct, + .targinfo = targinfo, + .family = NFPROTO_UNSPEC, + }; +#else + struct xtnu_target *nt = xtcompat_nutarget(par->target); +#endif + if (nt != NULL && nt->target != NULL) #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) - return nt->target(pskb, in, out, hooknum, nt, targinfo); + return nt->target(pskb, &local_par); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) + return nt->target(&skb, &local_par); #else - return nt->target(&skb, in, out, hooknum, nt, targinfo); + return nt->target(&skb, par); #endif return XT_CONTINUE; } 
@@ -180,31 +230,50 @@ static int xtnu_target_check(const char *table, const void *entry, #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) static int xtnu_target_check(const char *table, const void *entry, const struct xt_target *ct, void *targinfo, unsigned int hook_mask) -#else +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) static bool xtnu_target_check(const char *table, const void *entry, const struct xt_target *ct, void *targinfo, unsigned int hook_mask) #endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) { struct xtnu_target *nt = xtcompat_nutarget(ct); + struct xt_tgchk_param local_par = { + .table = table, + .entryinfo = entry, + .target = ct, + .targinfo = targinfo, + .hook_mask = hook_mask, + .family = NFPROTO_UNSPEC, + }; + if (nt == NULL) return false; if (nt->checkentry == NULL) /* this is valid, just like if there was no function */ return true; - return nt->checkentry(table, entry, nt, targinfo, hook_mask); + return nt->checkentry(&local_par); } +#endif #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo, unsigned int targinfosize) -#else +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo) #endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) { struct xtnu_target *nt = xtcompat_nutarget(ct); + struct xt_tgdtor_param local_par = { + .target = ct, + .targinfo = targinfo, + .family = NFPROTO_UNSPEC, + }; + if (nt != NULL && nt->destroy != NULL) - nt->destroy(nt, targinfo); + nt->destroy(&local_par); } +#endif int xtnu_register_target(struct xtnu_target *nt) { 
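Review bot: `.target = ct,` hands the callback the kernel's `struct xt_target`, whereas the call it replaces passed `nt`, the extension's own `struct xtnu_target`. Under the `xt_target`->`xtnu_target` rename that the compat_xtables.h hunk now enables for <= 2.6.27, an extension that dereferences `par->target` may be reading a kernel object through the xtnu layout, whose `name` array and callback set differ; xt_SYSRQ's `par->target->family` in sysrq_tg_check is the visible case. Whether that happens depends on whether `struct xt_tgchk_param` is declared before or after the macro, which is outside this diff, so it is worth confirming or documenting on the struct that `.target` is always the kernel object. The match shims above make the same substitution with `.match = cm`, and the run/destroy shims in this hunk do it too.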
@@ -228,8 +297,13 @@ int xtnu_register_target(struct xtnu_target *nt) ct->hooks = nt->hooks; ct->proto = nt->proto; ct->target = xtnu_target_run; +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) ct->checkentry = xtnu_target_check; ct->destroy = xtnu_target_destroy; +#else + ct->checkentry = nt->checkentry; + ct->destroy = nt->destroy; +#endif ct->targetsize = nt->targetsize; ct->me = nt->me; diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h index 84d29da..c0c6470 100644 --- a/extensions/compat_xtables.h +++ b/extensions/compat_xtables.h @@ -56,7 +56,7 @@ # define init_net__proc_net init_net.proc_net #endif -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) # define xt_match xtnu_match # define xt_register_match xtnu_register_match # define xt_unregister_match xtnu_unregister_match diff --git a/extensions/compat_xtnu.h b/extensions/compat_xtnu.h index 0a267c6..82510f1 100644 --- a/extensions/compat_xtnu.h +++ b/extensions/compat_xtnu.h 
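Review bot: The new `#else` branch wires `checkentry` and `destroy` straight through to the kernel while `ct->target = xtnu_target_run` a few lines above stays a shim, and nothing explains why that asymmetry is right. A one-line comment on the `#else` would save the next reader a trip to xtnu_target_run: `/* >= 2.6.28 passes xt_*_param natively; only ->target still needs the shim, since xtnu_target takes struct sk_buff ** rather than struct sk_buff * */`. xtnu_register_target starts above the hunk.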
@@ -27,17 +27,62 @@ enum { NFPROTO_DECNET = 12, NFPROTO_NUMPROTO, }; + +struct xt_match_param { + const struct net_device *in, *out; + const struct xt_match *match; + const void *matchinfo; + int fragoff; + unsigned int thoff; + bool *hotdrop; + u_int8_t family; +}; + +struct xt_mtchk_param { + const char *table; + const void *entryinfo; + const struct xt_match *match; + void *matchinfo; + unsigned int hook_mask; + u_int8_t family; +}; + +struct xt_mtdtor_param { + const struct xt_match *match; + void *matchinfo; + u_int8_t family; +}; + +struct xt_target_param { + const struct net_device *in, *out; + unsigned int hooknum; + const struct xt_target *target; + const void *targinfo; + u_int8_t family; +}; + +struct xt_tgchk_param { + const char *table; + const void *entryinfo; + const struct xt_target *target; + void *targinfo; + unsigned int hook_mask; + u_int8_t family; +}; + +struct xt_tgdtor_param { + const struct xt_target *target; + void *targinfo; + u_int8_t family; +}; #endif struct xtnu_match { struct list_head list; char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)]; - bool (*match)(const struct sk_buff *, const struct net_device *, - const struct net_device *, const struct xtnu_match *, - const void *, int, unsigned int, bool *); - bool (*checkentry)(const char *, const void *, - const struct xtnu_match *, void *, unsigned int); - void (*destroy)(const struct xtnu_match *, void *); + bool (*match)(const struct sk_buff *, const struct xt_match_param *); + bool (*checkentry)(const struct xt_mtchk_param *); + void (*destroy)(const struct xt_mtdtor_param *); struct module *me; const char *table; unsigned int matchsize, hooks; 
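Review bot: The six new `xt_*_param` structs carry no comment saying what they mirror or what the compat layer guarantees about their contents. Because every shim in compat_xtables.c fills `.family` with NFPROTO_UNSPEC, a comment above `struct xt_match_param` such as `/* Mirrors of the 2.6.28 xt_*_param structures for older kernels. The shims in compat_xtables.c fill .family with NFPROTO_UNSPEC, so extensions must not dispatch on it there. */` would tell extension authors what they can rely on. The enclosing `#if` that presumably limits these definitions to pre-2.6.28 kernels opens above the hunk, so its condition cannot be checked here.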
@@ -50,12 +95,10 @@ struct xtnu_match { struct xtnu_target { struct list_head list; char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)]; - unsigned int (*target)(struct sk_buff **, const struct net_device *, - const struct net_device *, unsigned int, - const struct xtnu_target *, const void *); - bool (*checkentry)(const char *, const void *, - const struct xtnu_target *, void *, unsigned int); - void (*destroy)(const struct xtnu_target *, void *); + unsigned int (*target)(struct sk_buff **, + const struct xt_target_param *); + bool (*checkentry)(const struct xt_tgchk_param *); + void (*destroy)(const struct xt_tgdtor_param *); struct module *me; const char *table; unsigned int targetsize, hooks; diff --git a/extensions/ipset/ipt_SET.c b/extensions/ipset/ipt_SET.c index 1d45622..6960309 100644 --- a/extensions/ipset/ipt_SET.c +++ b/extensions/ipset/ipt_SET.c 
@@ -26,103 +26,29 @@ #include #endif #include "ipt_set.h" +#include "../compat_xtables.h" static unsigned int -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) -target(struct sk_buff **pskb, - unsigned int hooknum, - const struct net_device *in, - const struct net_device *out, - const void *targinfo, - void *userinfo) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -target(struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - unsigned int hooknum, - const void *targinfo, - void *userinfo) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) -target(struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - unsigned int hooknum, - const struct xt_target *target, - const void *targinfo, - void *userinfo) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) -target(struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - unsigned int hooknum, - const struct xt_target *target, - const void *targinfo) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24) */ -target(struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - unsigned int hooknum, - const struct xt_target *target, - const void *targinfo) -#endif +target(struct sk_buff **pskb, const struct xt_target_param *par) { - const struct ipt_set_info_target *info = targinfo; -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) - struct sk_buff *skb = *pskb; -#endif + const struct ipt_set_info_target *info = par->targinfo; - if (info->add_set.index != IP_SET_INVALID_ID) ip_set_addip_kernel(info->add_set.index, - skb, + *pskb, info->add_set.flags); if (info->del_set.index != IP_SET_INVALID_ID) ip_set_delip_kernel(info->del_set.index, - skb, + *pskb, info->del_set.flags); return XT_CONTINUE; } -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16) -static int -checkentry(const char *tablename, - const struct ipt_entry *e, - void *targinfo, - unsigned int targinfosize, - unsigned int hook_mask) -#elif 
LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -static int -checkentry(const char *tablename, - const void *e, - void *targinfo, - unsigned int targinfosize, - unsigned int hook_mask) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) -static int -checkentry(const char *tablename, - const void *e, - const struct xt_target *target, - void *targinfo, - unsigned int targinfosize, - unsigned int hook_mask) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23) -static int -checkentry(const char *tablename, - const void *e, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) */ static bool -checkentry(const char *tablename, - const void *e, - const struct xt_target *target, - void *targinfo, - unsigned int hook_mask) -#endif +checkentry(const struct xt_tgchk_param *par) { - struct ipt_set_info_target *info = targinfo; + struct ipt_set_info_target *info = par->targinfo; ip_set_id_t index; #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) @@ -158,19 +84,9 @@ checkentry(const char *tablename, return 1; } -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -static void destroy(void *targetinfo, - unsigned int targetsize) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) -static void destroy(const struct xt_target *target, - void *targetinfo, - unsigned int targetsize) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19) */ -static void destroy(const struct xt_target *target, - void *targetinfo) -#endif +static void destroy(const struct xt_tgdtor_param *par) { - struct ipt_set_info_target *info = targetinfo; + struct ipt_set_info_target *info = par->targinfo; #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) { diff --git a/extensions/ipset/ipt_set.c b/extensions/ipset/ipt_set.c index 5cde205..c8af290 100644 --- a/extensions/ipset/ipt_set.c +++ b/extensions/ipset/ipt_set.c 
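Review bot: The `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)` blocks that survive in checkentry (right after `ip_set_id_t index;`) and in destroy (`if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target)))`) still refer to the `targinfosize`/`targetsize` parameters that the new `par`-based signatures no longer declare, so that branch can no longer compile if it is ever selected. Since the commit already deletes every pre-2.6.17 prototype, those blocks should be removed in the same change rather than left as dead, unbuildable code; the checkentry body continues past this hunk. ipt_set.c has the same leftovers keyed on `matchsize` in its checkentry and destroy hunks.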
@@ -25,6 +25,7 @@ #endif #include "ip_set.h" #include "ipt_set.h" +#include "../compat_xtables.h" static inline int match_set(const struct ipt_set_info *info, 
@@ -36,101 +37,20 @@ match_set(const struct ipt_set_info *info, return inv; } -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) -static int -match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const void *matchinfo, - int offset, - const void *hdr, - u_int16_t datalen, - int *hotdrop) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16) -static int -match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const void *matchinfo, - int offset, - int *hotdrop) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -static int -match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const void *matchinfo, - int offset, - unsigned int protoff, - int *hotdrop) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23) -static int -match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - int *hotdrop) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) */ static bool -match(const struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - const struct xt_match *match, - const void *matchinfo, - int offset, - unsigned int protoff, - bool *hotdrop) -#endif +match(const struct sk_buff *skb, const struct xt_match_param *par) { - const struct ipt_set_info_match *info = matchinfo; + const struct ipt_set_info_match *info = par->matchinfo; return match_set(&info->match_set, skb, info->match_set.flags[0] & IPSET_MATCH_INV); } -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16) -static int -checkentry(const char *tablename, - const struct ipt_ip *ip, - void *matchinfo, - unsigned int matchsize, - unsigned int hook_mask) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -static int -checkentry(const char *tablename, - const void *inf, - void *matchinfo, - unsigned int matchsize, - unsigned int hook_mask) -#elif 
LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) -static int -checkentry(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, - unsigned int matchsize, - unsigned int hook_mask) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23) -static int -checkentry(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) */ static bool -checkentry(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, - unsigned int hook_mask) -#endif +checkentry(const struct xt_mtchk_param *par) { - struct ipt_set_info_match *info = matchinfo; + struct ipt_set_info_match *info = par->matchinfo; ip_set_id_t index; #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) @@ -155,19 +75,9 @@ checkentry(const char *tablename, return 1; } -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) -static void destroy(void *matchinfo, - unsigned int matchsize) -#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) -static void destroy(const struct xt_match *match, - void *matchinfo, - unsigned int matchsize) -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19) */ -static void destroy(const struct xt_match *match, - void *matchinfo) -#endif +static void destroy(const struct xt_mtdtor_param *par) { - struct ipt_set_info_match *info = matchinfo; + struct ipt_set_info_match *info = par->matchinfo; #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) { diff --git a/extensions/xt_CHAOS.c b/extensions/xt_CHAOS.c index 4512a28..fa67d6f 100644 --- a/extensions/xt_CHAOS.c +++ b/extensions/xt_CHAOS.c 
@@ -44,13 +44,13 @@ static const struct xt_tcp tcp_params = { }; /* CHAOS functions */ -static void xt_chaos_total(const struct xt_chaos_tginfo *info, - struct sk_buff *skb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum) +static void +xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par) { + const struct xt_chaos_tginfo *info = par->targinfo; const struct iphdr *iph = ip_hdr(skb); - const int protoff = 4 * iph->ihl; - const int offset = ntohs(iph->frag_off) & IP_OFFSET; + const int thoff = 4 * iph->ihl; + const int fragoff = ntohs(iph->frag_off) & IP_OFFSET; typeof(xt_tarpit) destiny; bool ret; #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) 
@@ -59,24 +59,44 @@ static void xt_chaos_total(const struct xt_chaos_tginfo *info, bool hotdrop = false; #endif - ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params, - offset, protoff, &hotdrop); +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) + ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params, + fragoff, thoff, &hotdrop); +#else + { + struct xt_match_param local_par = { + .in = par->in, + .out = par->out, + .match = xm_tcp, + .matchinfo = &tcp_params, + .fragoff = fragoff, + .thoff = thoff, + .hotdrop = &hotdrop, + }; + ret = xm_tcp->match(skb, &local_par); + } +#endif if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage) return; destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) - destiny->target(&skb, in, out, hooknum, destiny, NULL, NULL); + destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL, NULL); #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) - destiny->target(&skb, in, out, hooknum, destiny, NULL); + destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) + destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL); #else - destiny->target(skb, in, out, hooknum, destiny, NULL); + { + struct xt_target_param local_par = *par; + local_par.target = destiny; + destiny->target(skb, &local_par); + } #endif } -static unsigned int chaos_tg(struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par) { /* * Equivalent to: 
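Review bot: The 2.6.28 `local_par` built for `xm_tcp->match` omits `.family`, so it is zero-initialised to NFPROTO_UNSPEC even though on this branch `par->family` holds the real value; `.family = par->family,` would keep it consistent with the `*par` copy used for `destiny` a few lines below. The `xt_reject` local_par in the next hunk of this file has the same omission. I don't believe the tcp or REJECT callbacks read the field today, but a family-agnostic callee that does would see the wrong protocol family.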
@@ -86,34 +106,44 @@ static unsigned int chaos_tg(struct sk_buff **pskb, * $delude_percentage -j DELUDE; * -A chaos -j DROP; */ - const struct xt_chaos_tginfo *info = targinfo; + const struct xt_chaos_tginfo *info = par->targinfo; struct sk_buff *skb = *pskb; const struct iphdr *iph = ip_hdr(skb); - if ((unsigned int)net_random() <= reject_percentage) + if ((unsigned int)net_random() <= reject_percentage) { #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) - return xt_reject->target(pskb, in, out, hooknum, - target->__compat_target, &reject_params, NULL); + return xt_reject->target(pskb, par->in, par->out, par->hooknum, + xt_reject, &reject_params, NULL); #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) - return xt_reject->target(pskb, in, out, hooknum, - target->__compat_target, &reject_params); + return xt_reject->target(pskb, par->in, par->out, par->hooknum, + xt_reject, &reject_params); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27) + return xt_reject->target(skb, par->in, par->out, par->hooknum, + xt_reject, &reject_params); #else - return xt_reject->target(skb, in, out, hooknum, - target->__compat_target, &reject_params); + struct xt_target_param local_par = { + .in = par->in, + .out = par->out, + .hooknum = par->hooknum, + .target = xt_reject, + .targinfo = &reject_params, + }; + return xt_reject->target(skb, &local_par); #endif + } /* TARPIT/DELUDE may not be called from the OUTPUT chain */ if (iph->protocol == IPPROTO_TCP && - info->variant != XTCHAOS_NORMAL && hooknum != NF_INET_LOCAL_OUT) - xt_chaos_total(info, skb, in, out, hooknum); + info->variant != XTCHAOS_NORMAL && + par->hooknum != NF_INET_LOCAL_OUT) + xt_chaos_total(skb, par); return NF_DROP; } -static bool chaos_tg_check(const char *tablename, const void *entry, - const struct xt_target *target, void *targinfo, unsigned int hook_mask) +static bool chaos_tg_check(const struct xt_tgchk_param *par) { - const struct xt_chaos_tginfo *info = targinfo; + const struct xt_chaos_tginfo *info = 
par->targinfo; if (info->variant == XTCHAOS_DELUDE && !have_delude) { printk(KERN_WARNING PFX "Error: Cannot use --delude when " diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c index de03ee3..65d6a8a 100644 --- a/extensions/xt_DELUDE.c +++ b/extensions/xt_DELUDE.c @@ -143,14 +143,13 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) kfree_skb(nskb); } -static unsigned int delude_tg(struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +delude_tg(struct sk_buff **pskb, const struct xt_target_param *par) { /* WARNING: This code causes reentry within iptables. This means that the iptables jump stack is now crap. We must return an absolute verdict. --RR */ - delude_send_reset(*pskb, hooknum); + delude_send_reset(*pskb, par->hooknum); return NF_DROP; } diff --git a/extensions/xt_DHCPADDR.c b/extensions/xt_DHCPADDR.c index ff893e5..1ae9260 100644 --- a/extensions/xt_DHCPADDR.c +++ b/extensions/xt_DHCPADDR.c @@ -68,15 +68,14 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh, return true; } -static bool dhcpaddr_mt(const struct sk_buff *skb, const struct net_device *in, - const struct net_device *out, const struct xt_match *match, - const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) +static bool +dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par) { - const struct dhcpaddr_info *info = matchinfo; + const struct dhcpaddr_info *info = par->matchinfo; const struct dhcp_message *dh; struct dhcp_message dhcpbuf; - dh = skb_header_pointer(skb, protoff + sizeof(struct udphdr), + dh = skb_header_pointer(skb, par->thoff + sizeof(struct udphdr), sizeof(dhcpbuf), &dhcpbuf); if (dh == NULL) /* 
@@ -89,11 +88,10 @@ static bool dhcpaddr_mt(const struct sk_buff *skb, const struct net_device *in, return ether_cmp((const void *)dh->chaddr, info->addr, info->mask); } -static unsigned int dhcpaddr_tg(struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par) { - const struct dhcpaddr_info *info = targinfo; + const struct dhcpaddr_info *info = par->targinfo; struct dhcp_message dhcpbuf, *dh; struct udphdr udpbuf, *udph; struct sk_buff *skb = *pskb; diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c index 7d3c2fa..501e3fc 100644 --- a/extensions/xt_ECHO.c +++ b/extensions/xt_ECHO.c @@ -20,9 +20,8 @@ #include #include "compat_xtables.h" -static unsigned int echo_tg4(struct sk_buff **poldskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par) { const struct sk_buff *oldskb = *poldskb; const struct udphdr *oldudp; diff --git a/extensions/xt_IPMARK.c b/extensions/xt_IPMARK.c index fa45fbc..c193a65 100644 --- a/extensions/xt_IPMARK.c +++ b/extensions/xt_IPMARK.c @@ -25,11 +25,9 @@ MODULE_ALIAS("ipt_IPMARK"); MODULE_ALIAS("ip6t_IPMARK"); static unsigned int -ipmark_tg4(struct sk_buff **pskb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum, - const struct xt_target *target, const void *targinfo) +ipmark_tg4(struct sk_buff **pskb, const struct xt_target_param *par) { - const struct xt_ipmark_tginfo *ipmarkinfo = targinfo; + const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo; const struct sk_buff *skb = *pskb; const struct iphdr *iph = ip_hdr(skb); __u32 mark; 
@@ -63,11 +61,9 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s) } static unsigned int -ipmark_tg6(struct sk_buff **pskb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum, - const struct xt_target *target, const void *targinfo) +ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par) { - const struct xt_ipmark_tginfo *info = targinfo; + const struct xt_ipmark_tginfo *info = par->targinfo; const struct sk_buff *skb = *pskb; const struct ipv6hdr *iph = ipv6_hdr(skb); __u32 mark; diff --git a/extensions/xt_LOGMARK.c b/extensions/xt_LOGMARK.c index dc373d4..a0d4591 100644 --- a/extensions/xt_LOGMARK.c +++ b/extensions/xt_LOGMARK.c @@ -30,19 +30,17 @@ static const char *const dir_names[] = { }; static unsigned int -logmark_tg(struct sk_buff **pskb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum, - const struct xt_target *target, const void *targinfo) +logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par) { const struct sk_buff *skb = *pskb; - const struct xt_logmark_tginfo *info = targinfo; + const struct xt_logmark_tginfo *info = par->targinfo; const struct nf_conn *ct; enum ip_conntrack_info ctinfo; bool prev = false; printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x", info->level, (unsigned int)sizeof(info->prefix), info->prefix, - hook_names[hooknum], + hook_names[par->hooknum], skb_nfmark(skb), skb_secmark(skb), skb->priority); ct = nf_ct_get(skb, &ctinfo); @@ -83,11 +81,9 @@ logmark_tg(struct sk_buff **pskb, const struct net_device *in, } static bool -logmark_tg_check(const char *tablename, const void *e, - const struct xt_target *target, void *targinfo, - unsigned int hook_mask) +logmark_tg_check(const struct xt_tgchk_param *par) { - const struct xt_logmark_tginfo *info = targinfo; + const struct xt_logmark_tginfo *info = par->targinfo; if (info->level >= 8) { pr_debug("LOGMARK: level %u >= 8\n", info->level); 
diff --git a/extensions/xt_SYSRQ.c b/extensions/xt_SYSRQ.c index bfa2923..6036dfe 100644 --- a/extensions/xt_SYSRQ.c +++ b/extensions/xt_SYSRQ.c @@ -58,9 +58,8 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len) return NF_ACCEPT; } -static unsigned int sysrq_tg4(struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par) { struct sk_buff *skb = *pskb; const struct iphdr *iph; @@ -80,9 +79,8 @@ static unsigned int sysrq_tg4(struct sk_buff **pskb, return sysrq_tg((void *)udph + sizeof(struct udphdr), len); } -static unsigned int sysrq_tg6(struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - unsigned int hooknum, const struct xt_target *target, const void *targinfo) +static unsigned int +sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par) { struct sk_buff *skb = *pskb; const struct ipv6hdr *iph; @@ -102,18 +100,17 @@ static unsigned int sysrq_tg6(struct sk_buff **pskb, return sysrq_tg(udph + sizeof(struct udphdr), len); } -static bool sysrq_tg_check(const char *table, const void *ventry, - const struct xt_target *target, void *targinfo, unsigned int hook_mask) +static bool sysrq_tg_check(const struct xt_tgchk_param *par) { - if (target->family == NFPROTO_IPV4) { - const struct ipt_entry *entry = ventry; + if (par->target->family == NFPROTO_IPV4) { + const struct ipt_entry *entry = par->entryinfo; if ((entry->ip.proto != IPPROTO_UDP && entry->ip.proto != IPPROTO_UDPLITE) || entry->ip.invflags & XT_INV_PROTO) goto out; - } else if (target->family == NFPROTO_IPV6) { - const struct ip6t_entry *entry = ventry; + } else if (par->target->family == NFPROTO_IPV6) { + const struct ip6t_entry *entry = par->entryinfo; if ((entry->ipv6.proto != IPPROTO_UDP && entry->ipv6.proto != IPPROTO_UDPLITE) || 
diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c index a4a7624..fa3006c 100644 --- a/extensions/xt_TARPIT.c +++ b/extensions/xt_TARPIT.c @@ -188,9 +188,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook) } static unsigned int -tarpit_tg(struct sk_buff **pskb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum, - const struct xt_target *target, const void *targinfo) +tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par) { const struct sk_buff *skb = *pskb; const struct iphdr *iph = ip_hdr(skb); @@ -220,7 +218,7 @@ tarpit_tg(struct sk_buff **pskb, const struct net_device *in, if (iph->frag_off & htons(IP_OFFSET)) return NF_DROP; - tarpit_tcp(*pskb, hooknum); + tarpit_tcp(*pskb, par->hooknum); return NF_DROP; } diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c index 4fe1cca..20d5d8a 100644 --- a/extensions/xt_TEE.c +++ b/extensions/xt_TEE.c @@ -142,11 +142,9 @@ static void tee_ip_direct_send(struct sk_buff *skb) * packets when we see they already have that ->nfct. */ static unsigned int -tee_tg(struct sk_buff **pskb, const struct net_device *in, - const struct net_device *out, unsigned int hooknum, - const struct xt_target *target, const void *targinfo) +tee_tg(struct sk_buff **pskb, const struct xt_target_param *par) { - const struct xt_tee_tginfo *info = targinfo; + const struct xt_tee_tginfo *info = par->targinfo; struct sk_buff *skb = *pskb; #ifdef WITH_CONNTRACK @@ -169,7 +167,7 @@ tee_tg(struct sk_buff **pskb, const struct net_device *in, * If we are in INPUT, the checksum must be recalculated since * the length could have changed as a result of defragmentation. */ - if (hooknum == NF_INET_LOCAL_IN) { + if (par->hooknum == NF_INET_LOCAL_IN) { struct iphdr *iph = ip_hdr(skb); iph->check = 0; iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); 
@@ -208,11 +206,9 @@ tee_tg(struct sk_buff **pskb, const struct net_device *in,
return XT_CONTINUE;
}
-static bool tee_tg_check(const char *tablename, const void *entry,
- const struct xt_target *target, void *targinfo,
- unsigned int hook_mask)
+static bool tee_tg_check(const struct xt_tgchk_param *par)
{
- const struct xt_tee_tginfo *info = targinfo;
+ const struct xt_tee_tginfo *info = par->targinfo;
/* 0.0.0.0 and :: not allowed */
return memcmp(&info->gw, &zero_address, sizeof(zero_address)) != 0;
diff --git a/extensions/xt_condition.c b/extensions/xt_condition.c
index 91d1e65..cfcaa13 100644
--- a/extensions/xt_condition.c
+++ b/extensions/xt_condition.c
@@ -97,12 +97,9 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
}
static bool
-condition_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct xt_condition_mtinfo *info = matchinfo;
+ const struct xt_condition_mtinfo *info = par->matchinfo;
const struct condition_variable *var = info->condvar;
bool x;
@@ -113,12 +110,9 @@ condition_mt(const struct sk_buff *skb, const struct net_device *in,
return x ^ info->invert;
}
-static bool
-condition_mt_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+static bool condition_mt_check(const struct xt_mtchk_param *par)
{
- struct xt_condition_mtinfo *info = matchinfo;
+ struct xt_condition_mtinfo *info = par->matchinfo;
struct condition_variable *var;
/* Forbid certain names */
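Review bot: The gateway validation compares all of `info->gw` against `zero_address` with `sizeof(zero_address)`; if those are the full 16-byte `union nf_inet_addr` (their declarations are not visible here), an IPv4 rule with gateway 0.0.0.0 passes whenever userspace left the IPv6-only bytes of the union non-zero, defeating the `/* 0.0.0.0 and :: not allowed */` intent. With the family now reachable from the parameter block, compare only the meaningful bytes, e.g. `if (par->target->family == NFPROTO_IPV4) return info->gw.ip != 0;` ahead of the memcmp kept for IPv6 — the `.ip` member name is to be confirmed against the header. This is pre-existing behaviour the port carries over, not something the commit introduces.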
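Review bot: `info->condvar` is a kernel pointer kept inside the rule's matchinfo (`par->matchinfo`), and matchinfo is the blob the kernel copies back to userspace when the ruleset is listed, so every `-m condition` rule discloses a kernel heap address to whoever can dump the table; the port preserves that layout. The proper fix — keeping only the name in matchinfo and resolving the `condition_variable` through a lookup table, or scrubbing the pointer on copy-out — is beyond this commit, but the field deserves a warning at its declaration, e.g. `/* kernel-internal pointer; exposed to userspace in rule dumps */`. Separately, `var` is dereferenced here with no lock visible while condition_mt_destroy takes `proc_lock`; the lines between the hunks are not shown, so the synchronisation may be there.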
@@ -184,9 +178,9 @@ condition_mt_check(const char *tablename, const void *entry,
return true;
}
-static void condition_mt_destroy(const struct xt_match *match, void *matchinfo)
+static void condition_mt_destroy(const struct xt_mtdtor_param *par)
{
- const struct xt_condition_mtinfo *info = matchinfo;
+ const struct xt_condition_mtinfo *info = par->matchinfo;
struct condition_variable *var = info->condvar;
down(&proc_lock);
diff --git a/extensions/xt_fuzzy.c b/extensions/xt_fuzzy.c
index b09afe1..237af67 100644
--- a/extensions/xt_fuzzy.c
+++ b/extensions/xt_fuzzy.c
@@ -60,12 +60,9 @@ static uint8_t mf_low(uint32_t tx, uint32_t mini, uint32_t maxi)
}
static bool
-fuzzy_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- struct xt_fuzzy_mtinfo *info = (void *)matchinfo;
+ struct xt_fuzzy_mtinfo *info = (void *)par->matchinfo;
unsigned long amount;
uint8_t howhigh, howlow, random_number;
@@ -128,11 +125,9 @@ fuzzy_mt(const struct sk_buff *skb, const struct net_device *in,
return false;
}
-static bool
-fuzzy_mt_check(const char *table, const void *ip, const struct xt_match *match,
- void *matchinfo, unsigned int hook_mask)
+static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
{
- const struct xt_fuzzy_mtinfo *info = matchinfo;
+ const struct xt_fuzzy_mtinfo *info = par->matchinfo;
if (info->minimum_rate < FUZZY_MIN_RATE ||
info->maximum_rate > FUZZY_MAX_RATE ||
diff --git a/extensions/xt_geoip.c b/extensions/xt_geoip.c
index 1cf0b86..19c4b1c 100644
--- a/extensions/xt_geoip.c
+++ b/extensions/xt_geoip.c
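Review bot: `(void *)par->matchinfo` casts away the `const` of the new parameter so fuzzy_mt can keep updating state stored in the rule's matchinfo from the packet path; that state is shared by every CPU evaluating the rule with no lock visible in this hunk (the rest of fuzzy_mt is outside it), and, being part of matchinfo, is also what rule dumps copy back to userspace. The cast is what the old code did too, so the port does not make it worse, but it should at least carry a comment, e.g. `/* matchinfo doubles as per-rule mutable state; writes are unlocked across CPUs */`, and the cleaner fix is the xt_quota2 pattern in this same commit, where matchinfo only holds a pointer to a separately allocated, spinlock-protected counter (`q->master`).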
@@ -135,11 +135,10 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
return false;
}
-static bool xt_geoip_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+static bool
+xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct xt_geoip_match_info *info = matchinfo;
+ const struct xt_geoip_match_info *info = par->matchinfo;
const struct geoip_country_kernel *node;
const struct iphdr *iph = ip_hdr(skb);
unsigned int i;
@@ -169,10 +168,9 @@ static bool xt_geoip_mt(const struct sk_buff *skb, const struct net_device *in,
return info->flags & XT_GEOIP_INV;
}
-static bool xt_geoip_mt_checkentry(const char *table, const void *entry,
- const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
+static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
{
- struct xt_geoip_match_info *info = matchinfo;
+ struct xt_geoip_match_info *info = par->matchinfo;
struct geoip_country_kernel *node;
unsigned int i;
@@ -197,9 +195,9 @@ static bool xt_geoip_mt_checkentry(const char *table, const void *entry,
return true;
}
-static void xt_geoip_mt_destroy(const struct xt_match *match, void *matchinfo)
+static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par)
{
- struct xt_geoip_match_info *info = matchinfo;
+ struct xt_geoip_match_info *info = par->matchinfo;
struct geoip_country_kernel *node;
unsigned int i;
diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c
index 5472de5..5ea367c 100644
--- a/extensions/xt_ipp2p.c
+++ b/extensions/xt_ipp2p.c
@@ -785,11 +785,9 @@ static const struct {
};
static bool
-ipp2p_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
+ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct ipt_p2p_info *info = matchinfo;
+ const struct ipt_p2p_info *info = par->matchinfo;
const unsigned char *haystack;
const struct iphdr *ip = ip_hdr(skb);
bool p2p_result = false;
@@ -797,9 +795,9 @@ ipp2p_mt(const struct sk_buff *skb, const struct net_device *in,
unsigned int hlen = ntohs(ip->tot_len) - ip_hdrlen(skb); /* hlen = packet-data length */
/* must not be a fragment */
- if (offset != 0) {
+ if (par->fragoff != 0) {
if (info->debug)
- printk("IPP2P.match: offset found %i \n", offset);
+ printk("IPP2P.match: offset found %d\n", par->fragoff);
return 0;
}
diff --git a/extensions/xt_portscan.c b/extensions/xt_portscan.c
index e9581be..3b133aa 100644
--- a/extensions/xt_portscan.c
+++ b/extensions/xt_portscan.c
@@ -171,18 +171,16 @@ static inline unsigned int portscan_mt_full(int mark,
return mark;
}
-static bool portscan_mt(const struct sk_buff *skb,
- const struct net_device *in, const struct net_device *out,
- const struct xt_match *match, const void *matchinfo, int offset,
- unsigned int protoff, bool *hotdrop)
+static bool
+portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct xt_portscan_mtinfo *info = matchinfo;
+ const struct xt_portscan_mtinfo *info = par->matchinfo;
enum ip_conntrack_info ctstate;
const struct tcphdr *tcph;
struct nf_conn *ctdata;
struct tcphdr tcph_buf;
- tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
+ tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
if (tcph == NULL)
return false;
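Review bot: The debug `printk` on the new side still carries no log level, so the message goes out at the default console level; since the line is being rewritten anyway it should be `printk(KERN_DEBUG "IPP2P.match: offset found %d\n", par->fragoff);`. In the same hunk `return 0;` in a function declared `bool` should be `return false;`, consistent with the `bool p2p_result = false;` initialiser in the previous hunk. `hlen` two lines above is derived from `ip->tot_len`, a packet-supplied value; whether it is bounded against `skb->len` before `haystack` is scanned lies outside the hunk and is worth confirming.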
@@ -207,8 +205,8 @@ static bool portscan_mt(const struct sk_buff *skb,
unsigned int n;
n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
- in == init_net__loopback_dev, tcph,
- skb->len - protoff - 4 * tcph->doff);
+ par->in == init_net__loopback_dev, tcph,
+ skb->len - par->thoff - 4 * tcph->doff);
ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
@@ -219,10 +217,9 @@ static bool portscan_mt(const struct sk_buff *skb,
(info->match_gr && ctdata->mark == mark_grscan);
}
-static bool portscan_mt_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
+static bool portscan_mt_check(const struct xt_mtchk_param *par)
{
- const struct xt_portscan_mtinfo *info = matchinfo;
+ const struct xt_portscan_mtinfo *info = par->matchinfo;
if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
(info->match_cn & ~1) || (info->match_gr & ~1)) {
diff --git a/extensions/xt_quota2.c b/extensions/xt_quota2.c
index 1604f95..a202297 100644
--- a/extensions/xt_quota2.c
+++ b/extensions/xt_quota2.c
@@ -120,12 +120,9 @@ static struct quota_counter *q2_get_counter(const struct xt_quota_mtinfo2 *q)
return NULL;
}
-static bool
-quota_mt2_check(const char *tablename, const void *entry,
- const struct xt_match *match, void *matchinfo,
- unsigned int hook_mask)
+static bool quota_mt2_check(const struct xt_mtchk_param *par)
{
- struct xt_quota_mtinfo2 *q = matchinfo;
+ struct xt_quota_mtinfo2 *q = par->matchinfo;
if (q->flags & ~XT_QUOTA_MASK)
return false;
@@ -146,9 +143,9 @@ quota_mt2_check(const char *tablename, const void *entry,
return true;
}
-static void quota_mt2_destroy(const struct xt_match *match, void *matchinfo)
+static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
{
- struct xt_quota_mtinfo2 *q = matchinfo;
+ struct xt_quota_mtinfo2 *q = par->matchinfo;
struct quota_counter *e = q->master;
spin_lock_bh(&counter_list_lock);
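Review bot: The payload-length argument `skb->len - par->thoff - 4 * tcph->doff` trusts `tcph->doff` from the packet, yet the `skb_header_pointer` in the earlier hunk only guarantees `sizeof(tcph_buf)` bytes are present, so a header advertising a larger `doff` than the packet holds makes this unsigned expression wrap to a huge value before portscan_mt_full sees it. Whether that merely misclassifies the packet or drives an over-read depends on what portscan_mt_full does with the length, which is outside the hunk, but either way it should be refused right after the NULL check: `if (tcph->doff * 4 < sizeof(tcph_buf) || par->thoff + tcph->doff * 4 > skb->len) return false;`. The enclosing block and portscan_mt as a whole extend beyond this hunk.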
@@ -164,12 +161,9 @@ static void quota_mt2_destroy(const struct xt_match *match, void *matchinfo)
}
static bool
-quota_mt2(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
{
- struct xt_quota_mtinfo2 *q = (void *)matchinfo;
+ struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
struct quota_counter *e = q->master;
bool ret = q->flags & XT_QUOTA_INVERT;