netfilter: merge some fixes from upstream
SVN-Revision: 15178
This commit is contained in:
parent
45e934262d
commit
e4f90e7fa6
1 changed files with 100 additions and 0 deletions
|
@ -0,0 +1,100 @@
|
||||||
|
--- a/net/ipv4/netfilter/arp_tables.c
|
||||||
|
+++ b/net/ipv4/netfilter/arp_tables.c
|
||||||
|
@@ -374,7 +374,9 @@ static int mark_source_chains(struct xt_
|
||||||
|
&& unconditional(&e->arp)) || visited) {
|
||||||
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
|
- if (t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
+ if ((strcmp(t->target.u.user.name,
|
||||||
|
+ ARPT_STANDARD_TARGET) == 0) &&
|
||||||
|
+ t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
duprintf("mark_source_chains: bad "
|
||||||
|
"negative verdict (%i)\n",
|
||||||
|
t->verdict);
|
||||||
|
--- a/net/ipv4/netfilter/ip_tables.c
|
||||||
|
+++ b/net/ipv4/netfilter/ip_tables.c
|
||||||
|
@@ -74,6 +74,25 @@ do { \
|
||||||
|
|
||||||
|
Hence the start of any table is given by get_table() below. */
|
||||||
|
|
||||||
|
+static unsigned long ifname_compare(const char *_a, const char *_b,
|
||||||
|
+ const unsigned char *_mask)
|
||||||
|
+{
|
||||||
|
+ const unsigned long *a = (const unsigned long *)_a;
|
||||||
|
+ const unsigned long *b = (const unsigned long *)_b;
|
||||||
|
+ const unsigned long *mask = (const unsigned long *)_mask;
|
||||||
|
+ unsigned long ret;
|
||||||
|
+
|
||||||
|
+ ret = (a[0] ^ b[0]) & mask[0];
|
||||||
|
+ if (IFNAMSIZ > sizeof(unsigned long))
|
||||||
|
+ ret |= (a[1] ^ b[1]) & mask[1];
|
||||||
|
+ if (IFNAMSIZ > 2 * sizeof(unsigned long))
|
||||||
|
+ ret |= (a[2] ^ b[2]) & mask[2];
|
||||||
|
+ if (IFNAMSIZ > 3 * sizeof(unsigned long))
|
||||||
|
+ ret |= (a[3] ^ b[3]) & mask[3];
|
||||||
|
+ BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Returns whether matches rule or not. */
|
||||||
|
/* Performance critical - called for every packet */
|
||||||
|
static inline bool
|
||||||
|
@@ -83,7 +102,6 @@ ip_packet_match(const struct iphdr *ip,
|
||||||
|
const struct ipt_ip *ipinfo,
|
||||||
|
int isfrag)
|
||||||
|
{
|
||||||
|
- size_t i;
|
||||||
|
unsigned long ret;
|
||||||
|
|
||||||
|
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
|
||||||
|
@@ -110,12 +128,7 @@ ip_packet_match(const struct iphdr *ip,
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Look for ifname matches; this should unroll nicely. */
|
||||||
|
- for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
|
||||||
|
- ret |= (((const unsigned long *)indev)[i]
|
||||||
|
- ^ ((const unsigned long *)ipinfo->iniface)[i])
|
||||||
|
- & ((const unsigned long *)ipinfo->iniface_mask)[i];
|
||||||
|
- }
|
||||||
|
+ ret = ifname_compare(indev, ipinfo->iniface, ipinfo->iniface_mask);
|
||||||
|
|
||||||
|
if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
|
||||||
|
dprintf("VIA in mismatch (%s vs %s).%s\n",
|
||||||
|
@@ -124,11 +137,7 @@ ip_packet_match(const struct iphdr *ip,
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
- for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
|
||||||
|
- ret |= (((const unsigned long *)outdev)[i]
|
||||||
|
- ^ ((const unsigned long *)ipinfo->outiface)[i])
|
||||||
|
- & ((const unsigned long *)ipinfo->outiface_mask)[i];
|
||||||
|
- }
|
||||||
|
+ ret = ifname_compare(outdev, ipinfo->outiface, ipinfo->outiface_mask);
|
||||||
|
|
||||||
|
if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
|
||||||
|
dprintf("VIA out mismatch (%s vs %s).%s\n",
|
||||||
|
@@ -523,7 +532,9 @@ mark_source_chains(struct xt_table_info
|
||||||
|
&& unconditional(&e->ip)) || visited) {
|
||||||
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
|
- if (t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
+ if ((strcmp(t->target.u.user.name,
|
||||||
|
+ IPT_STANDARD_TARGET) == 0) &&
|
||||||
|
+ t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
duprintf("mark_source_chains: bad "
|
||||||
|
"negative verdict (%i)\n",
|
||||||
|
t->verdict);
|
||||||
|
--- a/net/ipv6/netfilter/ip6_tables.c
|
||||||
|
+++ b/net/ipv6/netfilter/ip6_tables.c
|
||||||
|
@@ -525,7 +525,9 @@ mark_source_chains(struct xt_table_info
|
||||||
|
&& unconditional(&e->ipv6)) || visited) {
|
||||||
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
|
- if (t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
+ if ((strcmp(t->target.u.user.name,
|
||||||
|
+ IP6T_STANDARD_TARGET) == 0) &&
|
||||||
|
+ t->verdict < -NF_MAX_VERDICT - 1) {
|
||||||
|
duprintf("mark_source_chains: bad "
|
||||||
|
"negative verdict (%i)\n",
|
||||||
|
t->verdict);
|
Loading…
Reference in a new issue