From 8a82b39ef90b95cd4533fb5a6f5afa2b74ebd61d Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Wed, 2 Oct 2013 17:31:15 +0200 Subject: Compatibility code is modified not to rely on kernel version numbers Instead the kernel source code is checked to verify the different compatibility issues for the supported kernel releases. This way hopefully backported features will be handled properly. --- .gitignore | 1 + configure.ac | 149 ++++++++++++++++++++- .../include/linux/netfilter/ipset/ip_set_compat.h | 103 -------------- .../linux/netfilter/ipset/ip_set_compat.h.in | 119 ++++++++++++++++ kernel/net/netfilter/ipset/ip_set_core.c | 41 +++++- kernel/net/netfilter/ipset/ip_set_getport.c | 5 +- kernel/net/netfilter/ipset/pfxlen.c | 2 +- kernel/net/netfilter/xt_set.c | 46 ++++--- 8 files changed, 333 insertions(+), 133 deletions(-) delete mode 100644 kernel/include/linux/netfilter/ipset/ip_set_compat.h create mode 100644 kernel/include/linux/netfilter/ipset/ip_set_compat.h.in diff --git a/.gitignore b/.gitignore index da371b4..a2aeac6 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ Makefile.in .tmp_versions Module.symvers modules.order +kernel/include/linux/netfilter/ipset/ip_set_compat.h /aclocal.m4 /autom4te.cache/ diff --git a/configure.ac b/configure.ac index 6d06ef5..df40dcd 100644 --- a/configure.ac +++ b/configure.ac @@ -67,6 +67,7 @@ then fi AC_PROG_GREP +AC_PROG_AWK if ! $GREP -q "NFNL_SUBSYS_IPSET" "$ksourcedir/include/linux/netfilter/nfnetlink.h" && \ ! $GREP -q "NFNL_SUBSYS_IPSET" "$ksourcedir/include/uapi/linux/netfilter/nfnetlink.h"; @@ -166,7 +167,150 @@ AC_CHECK_TYPES([union nf_inet_addr],,,[#include dnl Checks for functions AC_CHECK_FUNCS(gethostbyname2) -dnl Checks for compiler characteristics. +dnl Check kernel incompatibilities... Ugly like hell +AC_MSG_CHECKING([kernel source for struct xt_action_param]) +if test -f $ksourcedir/include/linux/netfilter/x_tables.h && \ + $GREP -q 'struct xt_action_param' $ksourcedir/include/linux/netfilter/x_tables.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_STRUCT_XT_ACTION_PARAM, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_STRUCT_XT_ACTION_PARAM, undef) +fi + +AC_MSG_CHECKING([kernel source for vzalloc]) +if test -f $ksourcedir/include/linux/vmalloc.h && \ + $GREP -q 'vzalloc' $ksourcedir/include/linux/vmalloc.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_VZALLOC, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_VZALLOC, undef) +fi + +AC_MSG_CHECKING([kernel source for ether_addr_equal]) +if test -f $ksourcedir/include/linux/etherdevice.h && \ + $GREP -q 'ether_addr_equal' $ksourcedir/include/linux/etherdevice.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_ETHER_ADDR_EQUAL, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_ETHER_ADDR_EQUAL, undef) +fi + +AC_MSG_CHECKING([kernel source for nla_put_be64]) +if test -f $ksourcedir/include/net/netlink.h && \ + $GREP -q 'nla_put_be64' $ksourcedir/include/net/netlink.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NLA_PUT_BE64, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NLA_PUT_BE64, undef) +fi + +AC_MSG_CHECKING([kernel source for portid in nl_info]) +if test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/^struct netlink_skb_parms/ {for(i=1; i<=5; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'portid;'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NL_INFO_PORTID, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NL_INFO_PORTID, undef) +fi + +AC_MSG_CHECKING([kernel source for netlink_dump_start args]) +if test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/netlink_dump_start/ {for(i=1; i<=4; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'done.*;'; then + AC_MSG_RESULT(5 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 5) +elif test -f $ksourcedir/include/linux/netlink.h && \ + $AWK '/netlink_dump_start/ {for(i=1; i<=4; i++) {getline; print}}' $ksourcedir/include/linux/netlink.h | $GREP -q 'min_dump_alloc.*;'; then + AC_MSG_RESULT(6 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 6) +else + AC_MSG_RESULT(4 args) + AC_SUBST(HAVE_NETLINK_DUMP_START_ARGS, 4) +fi + +AC_MSG_CHECKING([kernel source for ns_capable]) +if test -f $ksourcedir/include/linux/capability.h && \ + $GREP -q 'ns_capable' $ksourcedir/include/linux/capability.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NS_CAPABLE, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NS_CAPABLE, undef) +fi + +AC_MSG_CHECKING([kernel source for nfnl_lock per subsys]) +if test -f $ksourcedir/include/linux/netfilter/nfnetlink.h && \ + $GREP -q 'nfnl_lock.* subsys_id' $ksourcedir/include/linux/netfilter/nfnetlink.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NFNL_LOCK_SUBSYS, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NFNL_LOCK_SUBSYS, undef) +fi + +AC_MSG_CHECKING([kernel source for export.h]) +if test -f $ksourcedir/include/linux/export.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_EXPORT_H, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_EXPORT_H, undef) +fi + +AC_MSG_CHECKING([kernel source for ipv6_skip_exthdr args]) +if test -f $ksourcedir/include/net/ipv6.h && \ + $AWK '/ipv6_skip_exthdr/ {getline; print}' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then + AC_MSG_RESULT(4 args) + AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 4) +else + AC_MSG_RESULT(3 args) + AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 3) +fi + +AC_MSG_CHECKING([kernel source for bool checkentry function prototype]) +if test -f $ksourcedir/net/netfilter/xt_state.c && \ + $GREP -q 'bool state_mt_check' $ksourcedir/net/netfilter/xt_state.c; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_CHECKENTRY_BOOL, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_CHECKENTRY_BOOL, undef) +fi + +AC_MSG_CHECKING([kernel source for old struct xt_target_param]) +if test -f $ksourcedir/net/netfilter/xt_TCPMSS.c && \ + $GREP -q 'const struct xt_target_param' $ksourcedir/net/netfilter/xt_TCPMSS.c; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_XT_TARGET_PARAM, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_XT_TARGET_PARAM, undef) +fi + +AC_MSG_CHECKING([kernel source for id in struct pernet_operations]) +if test -f $ksourcedir/include/net/net_namespace.h && \ + $AWK '/struct pernet_operations/ {for(i=1; i<=6; i++) {getline; print}}' $ksourcedir/include/net/net_namespace.h | $GREP -q 'int \*id;'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_NET_OPS_ID, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_NET_OPS_ID, undef) +fi + +AC_MSG_CHECKING([kernel source for struct net_generic]) +if test -f $ksourcedir/include/net/netns/generic.h && \ + $GREP -q 'struct net_generic' $ksourcedir/include/net/netns/generic.h; then + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) + AC_MSG_ERROR([Netns support is required in the Linux kernel tree]) +fi + +dnl Checks for compiler characteristics. dnl Check extra warning flags except dnl -Wconversion -> we need it dnl -Wunreachable-code -> fails with ntoh* @@ -210,7 +354,8 @@ dnl Checks for library functions. dnl Generate output AC_CONFIG_FILES([Makefile include/libipset/Makefile - lib/Makefile lib/libipset.pc src/Makefile]) + lib/Makefile lib/libipset.pc src/Makefile + kernel/include/linux/netfilter/ipset/ip_set_compat.h]) AC_OUTPUT dnl Summary diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compat.h b/kernel/include/linux/netfilter/ipset/ip_set_compat.h deleted file mode 100644 index cdc8f53..0000000 --- a/kernel/include/linux/netfilter/ipset/ip_set_compat.h +++ /dev/null @@ -1,103 +0,0 @@ -#ifndef __IP_SET_COMPAT_H -#define __IP_SET_COMPAT_H - -/* Not everything could be moved here. Compatibility stuffs can be found in - * xt_set.c, ip_set_core.c, ip_set_getport.c, pfxlen.c too. - */ - -#include -#include - -#ifndef rcu_dereference_bh -#define rcu_dereference_bh(p) rcu_dereference(p) -#endif - -#ifndef rcu_dereference_protected -#define rcu_dereference_protected(p, c) rcu_dereference(p) -#endif - -#ifndef __rcu -#define __rcu -#endif - -#ifdef CHECK_KCONFIG -#ifndef CONFIG_SPARSE_RCU_POINTER -#error "CONFIG_SPARSE_RCU_POINTER must be enabled" -#endif -#endif - -#if defined(CONFIG_NETFILTER_NETLINK) || defined(CONFIG_NETFILTER_NETLINK_MODULE) -#else -#error "NETFILTER_NETLINK must be enabled: select NFACCT/NFQUEUE/LOG over NFNETLINK" -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) -#define xt_action_param xt_match_param -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 37) -#define vzalloc(size) __vmalloc(size,\ - GFP_KERNEL|__GFP_ZERO|__GFP_HIGHMEM,\ - PAGE_KERNEL) -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0) -#include - -static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2) -{ - return !compare_ether_addr(addr1, addr2); -} - -static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value) -{ - return nla_put(skb, attrtype, sizeof(__be64), &value); -} - -static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value) -{ - return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value); -} -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0) -#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid -#else -#define NETLINK_PORTID(skb) NETLINK_CB(skb).portid -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0) -#define ns_capable(ns, cap) capable(cap) -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0) -#define lock_nfnl() nfnl_lock() -#define unlock_nfnl() nfnl_unlock() -#else -#define lock_nfnl() nfnl_lock(NFNL_SUBSYS_IPSET) -#define unlock_nfnl() nfnl_unlock(NFNL_SUBSYS_IPSET) -#endif - -#ifdef NLA_PUT_NET16 -static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value) -{ - return nla_put(skb, attrtype, sizeof(__be16), &value); -} - -static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value) -{ - return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value); -} - -static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value) -{ - return nla_put(skb, attrtype, sizeof(__be32), &value); -} - -static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value) -{ - return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value); -} -#endif - -#endif /* __IP_SET_COMPAT_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in new file mode 100644 index 0000000..b93c5d9 --- /dev/null +++ b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in @@ -0,0 +1,119 @@ +#ifndef __IP_SET_COMPAT_H +#define __IP_SET_COMPAT_H + +#@HAVE_STRUCT_XT_ACTION_PARAM@ HAVE_STRUCT_XT_ACTION_PARAM +#@HAVE_VZALLOC@ HAVE_VZALLOC +#@HAVE_ETHER_ADDR_EQUAL@ HAVE_ETHER_ADDR_EQUAL +#@HAVE_NLA_PUT_BE64@ HAVE_NLA_PUT_BE64 +#@HAVE_NL_INFO_PORTID@ HAVE_NL_INFO_PORTID +#define HAVE_NETLINK_DUMP_START_ARGS @HAVE_NETLINK_DUMP_START_ARGS@ +#@HAVE_NS_CAPABLE@ HAVE_NS_CAPABLE +#@HAVE_NFNL_LOCK_SUBSYS@ HAVE_NFNL_LOCK_SUBSYS +#@HAVE_EXPORT_H@ HAVE_EXPORT_H +#define HAVE_IPV6_SKIP_EXTHDR_ARGS @HAVE_IPV6_SKIP_EXTHDR_ARGS@ +#@HAVE_CHECKENTRY_BOOL@ HAVE_CHECKENTRY_BOOL +#@HAVE_XT_TARGET_PARAM@ HAVE_XT_TARGET_PARAM +#@HAVE_NET_OPS_ID@ HAVE_NET_OPS_ID + +/* Not everything could be moved here. Compatibility stuffs can be found in + * xt_set.c, ip_set_core.c, ip_set_getport.c, pfxlen.c too. + */ + +#include +#include + +#ifndef rcu_dereference_bh +#define rcu_dereference_bh(p) rcu_dereference(p) +#endif + +#ifndef rcu_dereference_protected +#define rcu_dereference_protected(p, c) rcu_dereference(p) +#endif + +#ifndef __rcu +#define __rcu +#endif + +#ifdef CHECK_KCONFIG +#ifndef CONFIG_SPARSE_RCU_POINTER +#error "CONFIG_SPARSE_RCU_POINTER must be enabled" +#endif +#endif + +#if defined(CONFIG_NETFILTER_NETLINK) || defined(CONFIG_NETFILTER_NETLINK_MODULE) +#else +#error "NETFILTER_NETLINK must be enabled: select NFACCT/NFQUEUE/LOG over NFNETLINK" +#endif + +#ifndef HAVE_STRUCT_XT_ACTION_PARAM +#define xt_action_param xt_match_param +#endif + +#ifndef HAVE_VZALLOC +#define vzalloc(size) __vmalloc(size,\ + GFP_KERNEL|__GFP_ZERO|__GFP_HIGHMEM,\ + PAGE_KERNEL) +#endif + +#ifndef HAVE_ETHER_ADDR_EQUAL +#include + +static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2) +{ + return !compare_ether_addr(addr1, addr2); +} +#endif + +#ifndef HAVE_NLA_PUT_BE64 +static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value) +{ + return nla_put(skb, attrtype, sizeof(__be64), &value); +} + +static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value) +{ + return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value); +} +#endif + +#ifdef HAVE_NL_INFO_PORTID +#define NETLINK_PORTID(skb) NETLINK_CB(skb).portid +#else +#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid +#endif + +#ifndef HAVE_NS_CAPABLE +#define ns_capable(ns, cap) capable(cap) +#endif + +#ifdef HAVE_NFNL_LOCK_SUBSYS +#define lock_nfnl() nfnl_lock(NFNL_SUBSYS_IPSET) +#define unlock_nfnl() nfnl_unlock(NFNL_SUBSYS_IPSET) +#else +#define lock_nfnl() nfnl_lock() +#define unlock_nfnl() nfnl_unlock() +#endif + +#ifdef NLA_PUT_NET16 +static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value) +{ + return nla_put(skb, attrtype, sizeof(__be16), &value); +} + +static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value) +{ + return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value); +} + +static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value) +{ + return nla_put(skb, attrtype, sizeof(__be32), &value); +} + +static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value) +{ + return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value); +} +#endif + +#endif /* __IP_SET_COMPAT_H */ diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c index 9506973..c1989d9 100644 --- a/kernel/net/netfilter/ipset/ip_set_core.c +++ b/kernel/net/netfilter/ipset/ip_set_core.c @@ -1388,11 +1388,11 @@ ip_set_dump(struct sock *ctnl, struct sk_buff *skb, if (unlikely(protocol_failed(attr))) return -IPSET_ERR_PROTOCOL; -#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 1, 0) +#if HAVE_NETLINK_DUMP_START_ARGS == 5 return netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done); -#elif LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0) +#elif HAVE_NETLINK_DUMP_START_ARGS == 6 return netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done, 0); @@ -1977,20 +1977,42 @@ static struct nf_sockopt_ops so_set __read_mostly = { static int __net_init ip_set_net_init(struct net *net) { - struct ip_set_net *inst = ip_set_pernet(net); + struct ip_set_net *inst; struct ip_set **list; +#ifdef HAVE_NET_OPS_ID + inst = ip_set_pernet(net); +#else + int err; + + inst = kzalloc(sizeof(struct ip_set_net), GFP_KERNEL); + if (!inst) + return -ENOMEM; + err = net_assign_generic(net, ip_set_net_id, inst); + if (err < 0) + goto err_alloc; +#endif inst->ip_set_max = max_sets ? max_sets : CONFIG_IP_SET_MAX; if (inst->ip_set_max >= IPSET_INVALID_ID) inst->ip_set_max = IPSET_INVALID_ID - 1; list = kzalloc(sizeof(struct ip_set *) * inst->ip_set_max, GFP_KERNEL); if (!list) +#ifdef HAVE_NET_OPS_ID return -ENOMEM; +#else + goto err_alloc; +#endif inst->is_deleted = 0; rcu_assign_pointer(inst->ip_set_list, list); pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL); return 0; + +#ifndef HAVE_NET_OPS_ID +err_alloc: + kfree(inst); + return err; +#endif } static void __net_exit @@ -2009,13 +2031,18 @@ ip_set_net_exit(struct net *net) ip_set_destroy_set(inst, i); } kfree(rcu_dereference_protected(inst->ip_set_list, 1)); +#ifndef HAVE_NET_OPS_ID + kfree(inst); +#endif } static struct pernet_operations ip_set_net_ops = { .init = ip_set_net_init, .exit = ip_set_net_exit, +#ifdef HAVE_NET_OPS_ID .id = &ip_set_net_id, .size = sizeof(struct ip_set_net) +#endif }; @@ -2033,7 +2060,11 @@ ip_set_init(void) nfnetlink_subsys_unregister(&ip_set_netlink_subsys); return ret; } +#ifdef HAVE_NET_OPS_ID ret = register_pernet_subsys(&ip_set_net_ops); +#else + ret = register_pernet_gen_device(&ip_set_net_id, &ip_set_net_ops); +#endif if (ret) { pr_err("ip_set: cannot register pernet_subsys.\n"); nf_unregister_sockopt(&so_set); @@ -2046,7 +2077,11 @@ ip_set_init(void) static void __exit ip_set_fini(void) { +#ifdef HAVE_NET_OPS_ID unregister_pernet_subsys(&ip_set_net_ops); +#else + unregister_pernet_gen_device(ip_set_net_id, &ip_set_net_ops); +#endif nf_unregister_sockopt(&so_set); nfnetlink_subsys_unregister(&ip_set_netlink_subsys); pr_debug("these are the famous last words\n"); diff --git a/kernel/net/netfilter/ipset/ip_set_getport.c b/kernel/net/netfilter/ipset/ip_set_getport.c index a0d96eb..5d5ff82 100644 --- a/kernel/net/netfilter/ipset/ip_set_getport.c +++ b/kernel/net/netfilter/ipset/ip_set_getport.c @@ -8,7 +8,7 @@ /* Get Layer-4 data from the packets */ #include -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0) +#ifdef HAVE_EXPORT_H #include #endif #include @@ -21,6 +21,7 @@ #include #include +#include /* We must handle non-linear skbs */ static bool @@ -138,7 +139,7 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src, __be16 frag_off = 0; nexthdr = ipv6_hdr(skb)->nexthdr; -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0) +#if HAVE_IPV6_SKIP_EXTHDR_ARGS == 4 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off); #else diff --git a/kernel/net/netfilter/ipset/pfxlen.c b/kernel/net/netfilter/ipset/pfxlen.c index 1fe890f..e69f5ef 100644 --- a/kernel/net/netfilter/ipset/pfxlen.c +++ b/kernel/net/netfilter/ipset/pfxlen.c @@ -1,5 +1,5 @@ #include -#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0) +#ifdef HAVE_EXPORT_H #include #endif #include diff --git a/kernel/net/netfilter/xt_set.c b/kernel/net/netfilter/xt_set.c index 4a4cee9..46fdbe0 100644 --- a/kernel/net/netfilter/xt_set.c +++ b/kernel/net/netfilter/xt_set.c @@ -28,16 +28,18 @@ MODULE_ALIAS("ip6t_set"); MODULE_ALIAS("ipt_SET"); MODULE_ALIAS("ip6t_SET"); -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) +#ifdef HAVE_CHECKENTRY_BOOL #define CHECK_OK 1 #define CHECK_FAIL(err) 0 #define CONST const #define FTYPE bool +#define XT_PAR_NET(par) NULL #else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ #define CHECK_OK 0 #define CHECK_FAIL(err) (err) #define CONST #define FTYPE int +#define XT_PAR_NET(par) (par)->net #endif static inline int @@ -94,7 +96,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par) struct xt_set_info_match_v0 *info = par->matchinfo; ip_set_id_t index; - index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->match_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find set indentified by id %u to match\n", @@ -104,7 +106,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par) if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) { pr_warning("Protocol error: set match dimension " "is over the limit!\n"); - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); return CHECK_FAIL(-ERANGE); } @@ -119,7 +121,7 @@ set_match_v0_destroy(const struct xt_mtdtor_param *par) { struct xt_set_info_match_v0 *info = par->matchinfo; - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); } /* Revision 1 */ @@ -144,7 +146,7 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par) struct xt_set_info_match_v1 *info = par->matchinfo; ip_set_id_t index; - index = ip_set_nfnl_get_byindex(par->net, info->match_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->match_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find set indentified by id %u to match\n", @@ -154,7 +156,7 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par) if (info->match_set.dim > IPSET_DIM_MAX) { pr_warning("Protocol error: set match dimension " "is over the limit!\n"); - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); return CHECK_FAIL(-ERANGE); } @@ -166,7 +168,7 @@ set_match_v1_destroy(const struct xt_mtdtor_param *par) { struct xt_set_info_match_v1 *info = par->matchinfo; - ip_set_nfnl_put(par->net, info->match_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->match_set.index); } /* Revision 3 match */ @@ -217,7 +219,7 @@ set_match_v3(const struct sk_buff *skb, CONST struct xt_action_param *par) /* Revision 0 interface: backward compatible with netfilter/iptables */ -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) +#ifdef HAVE_XT_TARGET_PARAM #undef xt_action_param #define xt_action_param xt_target_param #define CAST_TO_MATCH (const struct xt_match_param *) @@ -249,7 +251,7 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) ip_set_id_t index; if (info->add_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->add_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find add_set index %u as target\n", info->add_set.index); @@ -258,12 +260,12 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) } if (info->del_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->del_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find del_set index %u as target\n", info->del_set.index); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); return CHECK_FAIL(-ENOENT); } } @@ -272,9 +274,9 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par) pr_warning("Protocol error: SET target dimension " "is over the limit!\n"); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); return CHECK_FAIL(-ERANGE); } @@ -291,9 +293,9 @@ set_target_v0_destroy(const struct xt_tgdtor_param *par) const struct xt_set_info_target_v0 *info = par->targinfo; if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); } /* Revision 1 target */ @@ -322,7 +324,7 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) ip_set_id_t index; if (info->add_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->add_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->add_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find add_set index %u as target\n", info->add_set.index); @@ -331,12 +333,12 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) } if (info->del_set.index != IPSET_INVALID_ID) { - index = ip_set_nfnl_get_byindex(par->net, info->del_set.index); + index = ip_set_nfnl_get_byindex(XT_PAR_NET(par), info->del_set.index); if (index == IPSET_INVALID_ID) { pr_warning("Cannot find del_set index %u as target\n", info->del_set.index); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); return CHECK_FAIL(-ENOENT); } } @@ -345,9 +347,9 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par) pr_warning("Protocol error: SET target dimension " "is over the limit!\n"); if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); return CHECK_FAIL(-ERANGE); } @@ -360,9 +362,9 @@ set_target_v1_destroy(const struct xt_tgdtor_param *par) const struct xt_set_info_target_v1 *info = par->targinfo; if (info->add_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->add_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->add_set.index); if (info->del_set.index != IPSET_INVALID_ID) - ip_set_nfnl_put(par->net, info->del_set.index); + ip_set_nfnl_put(XT_PAR_NET(par), info->del_set.index); } /* Revision 2 target */ -- cgit v1.2.3