Diffstat (limited to 'kernel')
-rw-r--r--kernel/Kbuild4
-rw-r--r--kernel/Kconfig.ipset74
-rw-r--r--kernel/include/linux/netfilter/ip_set.h1
-rw-r--r--kernel/include/linux/netfilter/ip_set_kernel.h2
-rw-r--r--kernel/ip_set.c54
-rw-r--r--kernel/ip_set_bitmap_ip.c6
-rw-r--r--kernel/ip_set_bitmap_ipmac.c8
-rw-r--r--kernel/ip_set_bitmap_port.c6
-rw-r--r--kernel/ip_set_hash_ip.c6
-rw-r--r--kernel/ip_set_hash_ipport.c6
-rw-r--r--kernel/ip_set_hash_ipportip.c6
-rw-r--r--kernel/ip_set_hash_ipportnet.c6
-rw-r--r--kernel/ip_set_hash_net.c6
-rw-r--r--kernel/ip_set_list_set.c4
-rw-r--r--kernel/xt_set.c15
15 files changed, 100 insertions, 104 deletions
diff --git a/kernel/Kbuild b/kernel/Kbuild
index 9c7771a..9875d70 100644
--- a/kernel/Kbuild
+++ b/kernel/Kbuild
@@ -1,5 +1,7 @@
EXTRA_CFLAGS := -I$(M)/include \
- -DCONFIG_IP_SET_MAX=$(IP_SET_MAX)
+ -DCONFIG_IP_SET_MAX=$(IP_SET_MAX) \
+ -DNETLINK_DUMP_CONST=$(NETLINK_DUMP_CONST) \
+ -DNFNL_CB_CONST=$(NFNL_CB_CONST)
obj-m += ip_set.o xt_set.o
obj-m += ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o ip_set_bitmap_port.o
diff --git a/kernel/Kconfig.ipset b/kernel/Kconfig.ipset
index 7f7a34a..527b294 100644
--- a/kernel/Kconfig.ipset
+++ b/kernel/Kconfig.ipset
@@ -20,95 +20,79 @@ config IP_SET_MAX
The value can be overriden by the 'max_sets' module
parameter of the 'ip_set' module.
-config IP_SET_IPMAP
- tristate "ipmap set support"
+config IP_SET_BITMAP_IP
+ tristate "bitmap:ip set support"
depends on IP_SET
help
- This option adds the ipmap set type support.
+ This option adds the bitmap:ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_MACIPMAP
- tristate "macipmap set support"
+config IP_SET_BITMAP_IPMAC
+ tristate "bitmap:ip,mac set support"
depends on IP_SET
help
- This option adds the macipmap set type support.
+ This option adds the bitmap:ip,mac set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_PORTMAP
- tristate "portmap set support"
+config IP_SET_BITMAP_PORT
+ tristate "bitmap:port set support"
depends on IP_SET
help
- This option adds the portmap set type support.
+ This option adds the bitmap:port set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPHASH
- tristate "iphash set support"
+config IP_SET_HASH_IP
+ tristate "hash:ip set support"
depends on IP_SET
help
- This option adds the iphash set type support.
+ This option adds the hash:ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_NETHASH
- tristate "nethash set support"
+config IP_SET_HASH_NET
+ tristate "hash:net set support"
depends on IP_SET
help
- This option adds the nethash set type support.
+ This option adds the hash:net set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTHASH
- tristate "ipporthash set support"
+config IP_SET_HASH_IPPORT
+ tristate "hash:ip,port set support"
depends on IP_SET
help
- This option adds the ipporthash set type support.
+ This option adds the hash:ip,port set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTIPHASH
- tristate "ipportiphash set support"
+config IP_SET_HASH_IPPORTIP
+ tristate "hash:ip,port,ip set support"
depends on IP_SET
help
- This option adds the ipportiphash set type support.
+ This option adds the hash:ip,port,ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTNETHASH
- tristate "ipportnethash set support"
+config IP_SET_HASH_IPPORTNET
+ tristate "hash:ip,port,net set support"
depends on IP_SET
help
- This option adds the ipportnethash set type support.
+ This option adds the hash:ip,port,net set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPTREE
- tristate "iptree set support"
+config IP_SET_LIST_SET
+ tristate "list:set set support"
depends on IP_SET
help
- This option adds the iptree set type support.
+ This option adds the list:set set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPTREEMAP
- tristate "iptreemap set support"
- depends on IP_SET
- help
- This option adds the iptreemap set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_SET_SETLIST
- tristate "setlist set support"
- depends on IP_SET
- help
- This option adds the setlist set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_MATCH_SET
+config NETFILTER_XT_MATCH_SET
tristate "set match support"
depends on IP_SET
help
@@ -117,7 +101,7 @@ config IP_MATCH_SET
To compile it as a module, choose M here. If unsure, say N.
-config IP_TARGET_SET
+config NETFILTER_XT_TARGET_SET
tristate "SET target support"
depends on IP_SET
help
diff --git a/kernel/include/linux/netfilter/ip_set.h b/kernel/include/linux/netfilter/ip_set.h
index f306859..b83454a 100644
--- a/kernel/include/linux/netfilter/ip_set.h
+++ b/kernel/include/linux/netfilter/ip_set.h
@@ -155,6 +155,7 @@ enum ipset_adt {
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/netlink.h>
+#include <linux/vmalloc.h>
#include <net/netlink.h>
/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
diff --git a/kernel/include/linux/netfilter/ip_set_kernel.h b/kernel/include/linux/netfilter/ip_set_kernel.h
index d6e033b..0f04217 100644
--- a/kernel/include/linux/netfilter/ip_set_kernel.h
+++ b/kernel/include/linux/netfilter/ip_set_kernel.h
@@ -10,8 +10,10 @@
#ifdef __KERNEL__
+#ifdef CONFIG_DEBUG_KERNEL
/* Complete debug messages */
#define pr_fmt(fmt) "%s %s[%i]: " fmt "\n", __FILE__, __func__, __LINE__
+#endif
#include <linux/kernel.h>
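Review bot: With pr_fmt now defined only under CONFIG_DEBUG_KERNEL, non-debug builds fall back to the default pr_fmt from linux/kernel.h, which does not append the "\n" that the debug format supplies, so any pr_* call in these modules that relied on that implicit newline now emits an unterminated line. The one call site visible in this diff, `pr_notice("ip_set: protocol %u", IPSET_PROTOCOL)` in the ip_set.c hunk, has no trailing newline of its own; whether the other call sites do cannot be seen here. Either add "\n" at the call sites or keep the terminator in the non-debug branch: `#else` / `#define pr_fmt(fmt) fmt "\n"` / `#endif`.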
diff --git a/kernel/ip_set.c b/kernel/ip_set.c
index 9d7093c..74b2e91 100644
--- a/kernel/ip_set.c
+++ b/kernel/ip_set.c
@@ -425,7 +425,7 @@ EXPORT_SYMBOL(ip_set_nfnl_put);
*/
static inline bool
-protocol_failed(const struct nlattr * const tb[])
+protocol_failed(NFNL_CB_CONST struct nlattr * NFNL_CB_CONST tb[])
{
return !tb[IPSET_ATTR_PROTOCOL]
|| nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
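Review bot: NFNL_CB_CONST appears in the callback prototypes here and in every other ip_set.c hunk (ip_set_create through ip_set_protocol, and call_ad), but nothing in this diff gives it a fallback definition; it only arrives through the `-DNFNL_CB_CONST=$(NFNL_CB_CONST)` flag added to kernel/Kbuild, so an in-tree build driven by Kconfig.ipset, or any out-of-tree build that does not set that make variable, would presumably fail on an undeclared identifier in a parameter list. A guarded default in ip_set_kernel.h, `#ifndef NFNL_CB_CONST` / `#define NFNL_CB_CONST const` / `#endif`, keeps the stricter const-qualified prototype as the default and lets the Kbuild probe relax it where the kernel's nfnl_callback signature requires. The same consideration applies to NETLINK_DUMP_CONST, whose uses are not in this diff. A one-line comment at the first use saying that the macro tracks the const-ness of the kernel's nfnetlink callback signature would help readers who do not see the Kbuild.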
@@ -530,8 +530,8 @@ load_type_module(const char *typename)
static int
ip_set_create(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set, *clash;
ip_set_id_t index = IPSET_INVALID_ID;
@@ -669,8 +669,8 @@ ip_set_destroy_set(ip_set_id_t index)
static int
ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t i;
@@ -714,8 +714,8 @@ ip_set_flush_set(struct ip_set *set)
static int
ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t i;
@@ -750,8 +750,8 @@ ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] __read_mostly = {
static int
ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const char *name2;
@@ -790,8 +790,8 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *from, *to;
ip_set_id_t from_id, to_id;
@@ -968,8 +968,8 @@ out:
static int
ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t index;
@@ -1009,7 +1009,7 @@ ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] __read_mostly = {
static int
call_ad(struct sock *ctnl, struct sk_buff *skb,
- const struct nlattr * const attr[],
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[],
struct ip_set *set, const struct nlattr *nla,
enum ipset_adt adt, u32 flags)
{
@@ -1041,8 +1041,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const struct nlattr *nla;
@@ -1085,8 +1085,8 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const struct nlattr *nla;
@@ -1129,8 +1129,8 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
int ret = 0;
@@ -1162,8 +1162,8 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_header(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
struct sk_buff *skb2;
@@ -1220,8 +1220,8 @@ ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] __read_mostly = {
static int
ip_set_type(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
@@ -1283,8 +1283,8 @@ ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] __read_mostly = {
static int
ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
@@ -1525,7 +1525,7 @@ ip_set_init(void)
return ret;
}
- pr_notice("ip_set with protocol version %u loaded", IPSET_PROTOCOL);
+ pr_notice("ip_set: protocol %u", IPSET_PROTOCOL);
return 0;
}
diff --git a/kernel/ip_set_bitmap_ip.c b/kernel/ip_set_bitmap_ip.c
index 27b9665..e63bcda 100644
--- a/kernel/ip_set_bitmap_ip.c
+++ b/kernel/ip_set_bitmap_ip.c
@@ -115,7 +115,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ip *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 ip, ip_to, id;
int ret = 0;
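Review bot: The table is now one slot larger than the maxtype handed to nla_parse(), which is required because nla_parse() fills tb[0..maxtype] inclusive, so the old size was a one-element stack overrun whenever the highest attribute type was present; the same correction is made in bitmap_ip_timeout_uadt and bitmap_ip_create below and in the bitmap_ipmac, bitmap_port, hash_* and list_set hunks. Because the array size and the maxtype argument (visible as `nla_parse(tb, IPSET_ATTR_CREATE_MAX, ...)` in the bitmap_port_create and list_set_create hunks) are spelled independently, a comment at the declaration would help keep them in step, e.g. `/* nla_parse() writes tb[0..IPSET_ATTR_ADT_MAX], hence the +1 */`. A `BUILD_BUG_ON(ARRAY_SIZE(tb) != IPSET_ATTR_ADT_MAX + 1)` beside the parse call would turn that pairing into a compile-time check rather than a convention.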
@@ -357,7 +357,7 @@ bitmap_ip_timeout_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ip_timeout *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 ip, ip_to, id, timeout = map->timeout;
int ret = 0;
@@ -594,7 +594,7 @@ static int
bitmap_ip_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 first_ip, last_ip, hosts, elements;
u8 netmask = 32;
diff --git a/kernel/ip_set_bitmap_ipmac.c b/kernel/ip_set_bitmap_ipmac.c
index 3c94975..5833c77 100644
--- a/kernel/ip_set_bitmap_ipmac.c
+++ b/kernel/ip_set_bitmap_ipmac.c
@@ -61,13 +61,13 @@ struct ipmac {
struct ipmac_elem {
unsigned char ether[ETH_ALEN];
unsigned char match;
-};
+} __attribute__ ((aligned));
struct ipmac_telem {
unsigned char ether[ETH_ALEN];
unsigned char match;
unsigned long timeout;
-};
+} __attribute__ ((aligned));
static inline void *
bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
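Review bot: `__attribute__ ((aligned))` with no argument requests the largest alignment the target ever uses (16 bytes on common 64-bit ABIs), which is more than the `unsigned long timeout` member of struct ipmac_telem needs and pads struct ipmac_elem from 7 bytes up to that boundary, inflating every slot of the bitmap. If the intent is only to keep timeout naturally aligned inside the element array, `__aligned(sizeof(unsigned long))` expresses that precisely, and a short comment stating why the alignment is needed would stop a later cleanup from removing it. bitmap_ipmac_elem begins at the end of this hunk and its body lies outside it; it presumably derives the per-element stride from the element size, so confirm it uses sizeof rather than a hard-coded width now that the size has changed.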
@@ -376,7 +376,7 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ipmac *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct ipmac data;
u32 timeout = map->timeout;
@@ -570,7 +570,7 @@ static int
bitmap_ipmac_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 first_ip, last_ip, elements;
struct bitmap_ipmac *map;
diff --git a/kernel/ip_set_bitmap_port.c b/kernel/ip_set_bitmap_port.c
index 6517252..c96b06c 100644
--- a/kernel/ip_set_bitmap_port.c
+++ b/kernel/ip_set_bitmap_port.c
@@ -109,7 +109,7 @@ bitmap_port_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_port *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 port; /* wraparound */
u16 id, port_to;
int ret = 0;
@@ -344,7 +344,7 @@ bitmap_port_timeout_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
const struct bitmap_port_timeout *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u16 id, port_to;
u32 port, timeout = map->timeout; /* wraparound */
int ret = 0;
@@ -567,7 +567,7 @@ static int
bitmap_port_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u16 first_port, last_port;
if (nla_parse(tb, IPSET_ATTR_CREATE_MAX, head, len,
diff --git a/kernel/ip_set_hash_ip.c b/kernel/ip_set_hash_ip.c
index d73a5da..1af96ac 100644
--- a/kernel/ip_set_hash_ip.c
+++ b/kernel/ip_set_hash_ip.c
@@ -148,7 +148,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
u32 ip, nip, ip_to, hosts, timeout = h->timeout;
int ret = 0;
@@ -337,7 +337,7 @@ hash_ip6_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
union nf_inet_addr *ip;
u32 timeout = h->timeout;
@@ -385,7 +385,7 @@ hash_ip_create_policy[IPSET_ATTR_CREATE_MAX+1] __read_mostly = {
static int
hash_ip_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 netmask;
struct chash *h;
diff --git a/kernel/ip_set_hash_ipport.c b/kernel/ip_set_hash_ipport.c
index cb319d2..f0274f9 100644
--- a/kernel/ip_set_hash_ipport.c
+++ b/kernel/ip_set_hash_ipport.c
@@ -171,7 +171,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport4_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
@@ -365,7 +365,7 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport6_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
@@ -433,7 +433,7 @@ hash_ipport_create_policy[IPSET_ATTR_CREATE_MAX+1] __read_mostly = {
static int
hash_ipport_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
diff --git a/kernel/ip_set_hash_ipportip.c b/kernel/ip_set_hash_ipportip.c
index 2c3cf9b..16e6f17 100644
--- a/kernel/ip_set_hash_ipportip.c
+++ b/kernel/ip_set_hash_ipportip.c
@@ -178,7 +178,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip4_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
@@ -385,7 +385,7 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip6_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
@@ -460,7 +460,7 @@ static int
hash_ipportip_create(struct ip_set *set, struct nlattr *head,
int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
diff --git a/kernel/ip_set_hash_ipportnet.c b/kernel/ip_set_hash_ipportnet.c
index 4bc44f5..f356a88 100644
--- a/kernel/ip_set_hash_ipportnet.c
+++ b/kernel/ip_set_hash_ipportnet.c
@@ -198,7 +198,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet4_elem data = { .cidr = HOST_MASK,
.proto = h->proto };
@@ -442,7 +442,7 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet6_elem data = { .cidr = HOST_MASK,
.proto = h->proto };
@@ -526,7 +526,7 @@ static int
hash_ipportnet_create(struct ip_set *set, struct nlattr *head,
int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
diff --git a/kernel/ip_set_hash_net.c b/kernel/ip_set_hash_net.c
index 9be9e2c..42112a2 100644
--- a/kernel/ip_set_hash_net.c
+++ b/kernel/ip_set_hash_net.c
@@ -168,7 +168,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem data = { .cidr = HOST_MASK };
u32 timeout = h->timeout;
@@ -356,7 +356,7 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net6_elem data = { .cidr = HOST_MASK };
u32 timeout = h->timeout;
@@ -408,7 +408,7 @@ hash_net_create_policy[IPSET_ATTR_CREATE_MAX+1] __read_mostly = {
static int
hash_net_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
struct chash *h;
diff --git a/kernel/ip_set_list_set.c b/kernel/ip_set_list_set.c
index 94c5702..c1e4699 100644
--- a/kernel/ip_set_list_set.c
+++ b/kernel/ip_set_list_set.c
@@ -210,7 +210,7 @@ list_set_uadt(struct ip_set *set, struct nlattr *head, int len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct list_set *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
bool with_timeout = with_timeout(map->timeout);
int before = 0;
u32 timeout = map->timeout;
@@ -533,7 +533,7 @@ static int
list_set_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 size = IP_SET_LIST_DEFAULT_SIZE;
if (nla_parse(tb, IPSET_ATTR_CREATE_MAX, head, len,
diff --git a/kernel/xt_set.c b/kernel/xt_set.c
index 344d003..3ed8a6a 100644
--- a/kernel/xt_set.c
+++ b/kernel/xt_set.c
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
@@ -37,6 +38,16 @@ match_set(ip_set_id_t index, const struct sk_buff *skb,
/* Revision 0 interface: backward compatible with netfilter/iptables */
+/* Backward compatibility constrains:
+ * 2.6.24: [NETLINK]: Introduce nested and byteorder flag to netlink attribute
+ * 2.6.31: netfilter: passive OS fingerprint xtables match
+ */
+
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
+#error "Linux kernel version too old: must be >= 2.6.31"
+#endif
+
static bool
set_match_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
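Review bot: The new comment reads "Backward compatibility constrains" where "constraints" is meant, and it is followed by two blank lines where the file otherwise uses one. The `#error` guard on LINUX_VERSION_CODE sits after match_set() and the revision-0 comment, so on a too-old kernel the compiler reports whatever earlier code fails first rather than this message; moving the `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)` block up to directly follow the include block, where `<linux/version.h>` is now pulled in, makes the version error the first diagnostic. The comment also lists 2.6.24 as a constraint while the guard enforces only 2.6.31; a clause noting that the 2.6.31 minimum subsumes the older one, or dropping the 2.6.24 entry, would avoid the question.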
@@ -93,7 +104,6 @@ set_match_v0_destroy(const struct xt_mtdtor_param *par)
{
struct xt_set_info_match *info = par->matchinfo;
-
ip_set_nfnl_put(info->match_set.index);
}
@@ -200,12 +210,9 @@ set_match_destroy(const struct xt_mtdtor_param *par)
{
struct xt_set_info_match *info = par->matchinfo;
-
ip_set_nfnl_put(info->match_set.index);
}
-/* Set target */
-
static unsigned int
set_target(struct sk_buff *skb, const struct xt_target_param *par)
{