diff -urN linux-2.4.18-pre7/include/linux/netfilter_ipv4/ip_tables.h linux-2.4.18-pre7-oldnf/include/linux/netfilter_ipv4/ip_tables.h --- linux-2.4.18-pre7/include/linux/netfilter_ipv4/ip_tables.h Fri Jan 25 09:50:46 2002 +++ linux-2.4.18-pre7-oldnf/include/linux/netfilter_ipv4/ip_tables.h Fri Jan 25 09:52:37 2002 @@ -428,9 +428,6 @@ /* Man behind the curtain... */ struct ipt_table_info *private; - - /* Set this to THIS_MODULE if you are a module, otherwise NULL */ - struct module *me; }; extern int ipt_register_table(struct ipt_table *table); diff -urN linux-2.4.18-pre7/include/linux/netfilter_ipv6/ip6_tables.h linux-2.4.18-pre7-oldnf/include/linux/netfilter_ipv6/ip6_tables.h --- linux-2.4.18-pre7/include/linux/netfilter_ipv6/ip6_tables.h Fri Jan 25 09:50:46 2002 +++ linux-2.4.18-pre7-oldnf/include/linux/netfilter_ipv6/ip6_tables.h Fri Jan 25 09:52:37 2002 @@ -435,9 +435,6 @@ /* Man behind the curtain... */ struct ip6t_table_info *private; - - /* Set this to THIS_MODULE if you are a module, otherwise NULL */ - struct module *me; }; extern int ip6t_register_table(struct ip6t_table *table); diff -urN linux-2.4.18-pre7/include/linux/netlink.h linux-2.4.18-pre7-oldnf/include/linux/netlink.h --- linux-2.4.18-pre7/include/linux/netlink.h Fri Jan 25 09:50:46 2002 +++ linux-2.4.18-pre7-oldnf/include/linux/netlink.h Fri Jan 25 09:59:14 2002 @@ -6,7 +6,6 @@ #define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */ #define NETLINK_FIREWALL 3 /* Firewalling hook */ #define NETLINK_TCPDIAG 4 /* TCP socket monitoring */ -#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */ #define NETLINK_ARPD 8 #define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */ #define NETLINK_IP6_FW 13 diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/Config.in linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/Config.in --- linux-2.4.18-pre7/net/ipv4/netfilter/Config.in Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/Config.in Fri Jan 25 09:52:37 2002 
@@ -21,7 +21,6 @@ dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES - dep_tristate ' AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES @@ -75,9 +74,6 @@ dep_tristate ' MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE fi dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES - if [ "$CONFIG_NETLINK" != "n" ]; then - dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_NETLINK $CONFIG_IP_NF_IPTABLES - fi dep_tristate ' TCPMSS target support' CONFIG_IP_NF_TARGET_TCPMSS $CONFIG_IP_NF_IPTABLES fi diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/Makefile linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/Makefile --- linux-2.4.18-pre7/net/ipv4/netfilter/Makefile Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/Makefile Fri Jan 25 09:52:37 2002 @@ -56,7 +56,6 @@ obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o -obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o 
@@ -74,7 +73,6 @@ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o -obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o # backwards compatibility diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ip_fw_compat_masq.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_fw_compat_masq.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ip_fw_compat_masq.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_fw_compat_masq.c Fri Jan 25 09:52:37 2002 @@ -157,7 +157,7 @@ /* Fall thru... */ case IPPROTO_TCP: case IPPROTO_UDP: - IP_NF_ASSERT(((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) == 0); + IP_NF_ASSERT((skb->nh.iph->frag_off & htons(IP_OFFSET)) == 0); if (!get_tuple(iph, (*pskb)->len, &tuple, protocol)) { if (net_ratelimit()) diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ip_fw_compat_redir.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_fw_compat_redir.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ip_fw_compat_redir.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_fw_compat_redir.c Fri Jan 25 09:52:37 2002 @@ -20,9 +20,6 @@ #include -/* Very simple timeout pushed back by each packet */ -#define REDIR_TIMEOUT (240*HZ) - static DECLARE_LOCK(redir_lock); #define ASSERT_READ_LOCK(x) MUST_BE_LOCKED(&redir_lock) #define ASSERT_WRITE_LOCK(x) MUST_BE_LOCKED(&redir_lock) @@ -153,14 +150,6 @@ skb->nfcache |= NFC_ALTERED; } -static void destroyme(unsigned long me) -{ - LOCK_BH(&redir_lock); - LIST_DELETE(&redirs, (struct redir *)me); - UNLOCK_BH(&redir_lock); - kfree((struct redir *)me); -} - /* REDIRECT a packet. */ unsigned int do_redirect(struct sk_buff *skb, 
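Review bot: The rewritten assertion in the `case IPPROTO_UDP:` arm of the ip_fw_compat_masq.c hunk reads the header through `skb->nh.iph`, while the very next context line still takes the packet from `(*pskb)->len`, so the two lines may not refer to the same buffer. No declaration of `skb` is visible in this hunk; if the function only receives `pskb`, the line stops building as soon as `IP_NF_ASSERT` is compiled in, and if a separate `skb` exists it can be stale once `*pskb` has been replaced. Writing it as `IP_NF_ASSERT(((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) == 0);` keeps it consistent with the surrounding code. The enclosing function starts and ends outside the hunk.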
@@ -183,10 +172,6 @@ struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl); - /* Must have whole header */ - if (skb->len < iph->ihl*4 + sizeof(*udph)) - return NF_DROP; - if (udph->check) /* 0 is a special case meaning no checksum */ udph->check = cheat_check(~iph->daddr, newdst, cheat_check(udph->dest ^ 0xFFFF, @@ -206,10 +191,6 @@ struct redir *redir; int ret; - /* Must have whole header */ - if (skb->len < iph->ihl*4 + sizeof(*tcph)) - return NF_DROP; - DEBUGP("Doing tcp redirect. %08X:%u %08X:%u -> %08X:%u\n", iph->saddr, tcph->source, iph->daddr, tcph->dest, newdst, redirpt); @@ -225,9 +206,7 @@ } list_prepend(&redirs, redir); init_timer(&redir->destroyme); - redir->destroyme.function = destroyme; - redir->destroyme.data = (unsigned long)redir; - redir->destroyme.expires = jiffies + REDIR_TIMEOUT; + redir->destroyme.expires = jiffies + 75*HZ; add_timer(&redir->destroyme); } /* In case mangling has changed, rewrite this part. */ @@ -248,6 +227,13 @@ } } +static void destroyme(unsigned long me) +{ + LOCK_BH(&redir_lock); + LIST_DELETE(&redirs, (struct redir *)me); + UNLOCK_BH(&redir_lock); +} + /* Incoming packet: is it a reply to a masqueraded connection, or part of an already-redirected TCP connection? */ void @@ -261,18 +247,15 @@ if (iph->protocol != IPPROTO_TCP) return; - /* Must have whole header */ - if (skb->len < iph->ihl*4 + sizeof(*tcph)) - return; - LOCK_BH(&redir_lock); redir = find_redir(iph->saddr, iph->daddr, tcph->source, tcph->dest); if (redir) { DEBUGP("Doing tcp redirect again.\n"); do_tcp_redir(skb, redir); - if (del_timer(&redir->destroyme)) { - redir->destroyme.expires = jiffies + REDIR_TIMEOUT; - add_timer(&redir->destroyme); + if (tcph->rst || tcph->fin) { + redir->destroyme.function = destroyme; + redir->destroyme.data = (unsigned long)redir; + mod_timer(&redir->destroyme, 75*HZ); } } UNLOCK_BH(&redir_lock); 
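Review bot: In the `@@ -225,9 +206,7 @@` hunk the timer is queued by `add_timer(&redir->destroyme)` with only `expires` set; `function` and `data` are no longer assigned before it is armed. The later hunks assign them only when a packet with `rst` or `fin` is seen, so an entry whose connection never sends one would expire with no handler set, which presumably means the timer code calling a NULL function pointer. Assign the handler before arming, `redir->destroyme.function = destroyme;` and `redir->destroyme.data = (unsigned long)redir;` ahead of `add_timer`. Because this patch moves `destroyme` below this point in the file, a forward declaration `static void destroyme(unsigned long me);` is needed as well. The enclosing function begins outside the hunk.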
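Review bot: The `destroyme` added in the `@@ -248,6 +227,13 @@` hunk unlinks the entry with `LIST_DELETE` but never frees it, whereas the version removed earlier in this file ended with `kfree((struct redir *)me);`. Every expired redirect entry therefore stays allocated, and since entries are added per redirected TCP connection (the `list_prepend(&redirs, redir)` context two hunks up), the leak grows with connection churn. Add `kfree((struct redir *)me);` after `UNLOCK_BH(&redir_lock);`. A short comment above the function stating that it is the timer callback and performs the final free would make the ownership clear.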
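Review bot: The added `if (tcph->rst || tcph->fin)` in the `@@ -261,18 +247,15 @@` hunk, and the `find_redir(..., tcph->source, tcph->dest)` lookup before it, read TCP header fields with no check left that the packet is long enough to contain them. The same holds for `udph->check` in `@@ -183,10 +172,6 @@`, for the `tcph->source`/`tcph->dest` reads in `@@ -206,10 +191,6 @@`, and for the `@@ -289,18 +272,15 @@` hunk. A truncated packet would have these fields read from beyond the data that was actually received. Put a guard ahead of the first header access, `if (skb->len < iph->ihl*4 + sizeof(*tcph)) return;` here, and `return NF_DROP;` in the two `do_redirect` branches (with `sizeof(*udph)` for UDP). The enclosing functions start outside the hunks.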
@@ -289,18 +272,15 @@ if (iph->protocol != IPPROTO_TCP) return; - /* Must have whole header */ - if (skb->len < iph->ihl*4 + sizeof(*tcph)) - return; - LOCK_BH(&redir_lock); redir = find_unredir(iph->saddr, iph->daddr, tcph->source, tcph->dest); if (redir) { DEBUGP("Doing tcp unredirect.\n"); do_tcp_unredir(skb, redir); - if (del_timer(&redir->destroyme)) { - redir->destroyme.expires = jiffies + REDIR_TIMEOUT; - add_timer(&redir->destroyme); + if (tcph->rst || tcph->fin) { + redir->destroyme.function = destroyme; + redir->destroyme.data = (unsigned long)redir; + mod_timer(&redir->destroyme, 75*HZ); } } UNLOCK_BH(&redir_lock); diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ip_nat_rule.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_nat_rule.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ip_nat_rule.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_nat_rule.c Fri Jan 25 09:52:37 2002 @@ -104,7 +104,7 @@ static struct ipt_table nat_table = { { NULL, NULL }, "nat", &nat_initial_table.repl, - NAT_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; + NAT_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; LIST_HEAD(nat_expect_list); diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ip_nat_standalone.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_nat_standalone.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ip_nat_standalone.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_nat_standalone.c Fri Jan 25 09:52:37 2002 
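Review bot: `mod_timer(&redir->destroyme, 75*HZ)` in the `@@ -289,18 +272,15 @@` hunk passes an interval where `mod_timer` expects an absolute expiry in jiffies, so the timer is set to a time that is almost certainly already in the past rather than 75 seconds ahead. The entry would then be torn down on the next timer run while the closing handshake is still in flight; the `@@ -261,18 +247,15 @@` hunk contains the identical call. Use `mod_timer(&redir->destroyme, jiffies + 75*HZ);` in both places, matching the `jiffies + 75*HZ` used where the timer is first armed. A named constant for the 75-second lifetime shared by all three sites would keep them from drifting apart.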
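Review bot: With `THIS_MODULE` dropped from the `nat_table` initializer and the `me` field removed from `struct ipt_table`, nothing in this patch ties a table module's use count to the rules loaded into it. The `do_replace` hunks in ip_tables.c and ip6_tables.c remove the count adjustment, and the iptable_filter.c, iptable_mangle.c, ip6table_filter.c and ip6table_mangle.c initializers change the same way. Unless something outside these hunks pins the modules, a table module could be unloaded while user rules are installed, and the ruleset would presumably be discarded with it. If that is intended, a comment next to each table definition should say so, e.g. `/* no owner: unloading this module discards the installed rules */`; the ipchains_core.c and ipfwadm_core.c hunks drop their per-rule counts as well.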
@@ -166,16 +166,19 @@ return ip_nat_fn(hooknum, pskb, in, out, okfn); } -static int route_me_harder(struct sk_buff **pskb) +/* FIXME: change in oif may mean change in hh_len. Check and realloc + --RR */ +static int +route_me_harder(struct sk_buff *skb) { - struct iphdr *iph = (*pskb)->nh.iph; + struct iphdr *iph = skb->nh.iph; struct rtable *rt; struct rt_key key = { dst:iph->daddr, src:iph->saddr, - oif:(*pskb)->sk ? (*pskb)->sk->bound_dev_if : 0, + oif:skb->sk ? skb->sk->bound_dev_if : 0, tos:RT_TOS(iph->tos)|RTO_CONN, #ifdef CONFIG_IP_ROUTE_FWMARK - fwmark:(*pskb)->nfmark + fwmark:skb->nfmark #endif }; @@ -185,24 +188,9 @@ } /* Drop old route. */ - dst_release((*pskb)->dst); + dst_release(skb->dst); - (*pskb)->dst = &rt->u.dst; - - /* Change in oif may mean change in hh_len. */ - if (skb_headroom(*pskb) < (*pskb)->dst->dev->hard_header_len) { - struct sk_buff *nskb; - - nskb = skb_realloc_headroom(*pskb, - (*pskb)->dst->dev - ->hard_header_len); - if (!nskb) - return -ENOMEM; - if ((*pskb)->sk) - skb_set_owner_w(nskb, (*pskb)->sk); - kfree_skb(*pskb); - *pskb = nskb; - } + skb->dst = &rt->u.dst; return 0; } @@ -228,7 +216,7 @@ if (ret != NF_DROP && ret != NF_STOLEN && ((*pskb)->nh.iph->saddr != saddr || (*pskb)->nh.iph->daddr != daddr)) - return route_me_harder(pskb) == 0 ? ret : NF_DROP; + return route_me_harder(*pskb) == 0 ? ret : NF_DROP; return ret; } diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ip_tables.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_tables.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ip_tables.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ip_tables.c Fri Jan 25 09:52:37 2002 @@ -2,11 +2,6 @@ * Packet matching code. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling - * Copyright (C) 2009-2002 Netfilter core team - * - * 19 Jan 2002 Harald Welte - * - increase module usage count as soon as we have rules inside - * a table */ #include #include 
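Review bot: After `skb->dst = &rt->u.dst;` in the `@@ -185,24 +188,9 @@` hunk nothing checks that the buffer has enough headroom for the new output device; the FIXME added in the previous hunk records the gap but leaves it open. If the new route uses a device with a larger `hard_header_len`, code that later prepends the link-layer header would presumably run past the start of the buffer. Because the function now receives `struct sk_buff *skb` and cannot swap the buffer, it should at least refuse the packet: `if (skb_headroom(skb) < skb->dst->dev->hard_header_len) return -ENOMEM;`, which the caller in `@@ -228,7 +216,7 @@` already turns into `NF_DROP`. The function body starts in the previous hunk.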
@@ -89,8 +84,6 @@ unsigned int size; /* Number of entries: FIXME. --RR */ unsigned int number; - /* Initial number of entries. Needed for module usage count */ - unsigned int initial_entries; /* Entry points and underflows */ unsigned int hook_entry[NF_IP_NUMHOOKS]; @@ -909,7 +902,6 @@ } oldinfo = table->private; table->private = newinfo; - newinfo->initial_entries = oldinfo->initial_entries; write_unlock_bh(&table->lock); return oldinfo; @@ -1113,16 +1105,6 @@ if (!oldinfo) goto free_newinfo_counters_untrans_unlock; - /* Update module usage count based on number of rules */ - duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", - oldinfo->number, oldinfo->initial_entries, newinfo->number); - if (t->me && (oldinfo->number <= oldinfo->initial_entries) && - (newinfo->number > oldinfo->initial_entries)) - __MOD_INC_USE_COUNT(t->me); - else if (t->me && (oldinfo->number > oldinfo->initial_entries) && - (newinfo->number <= oldinfo->initial_entries)) - __MOD_DEC_USE_COUNT(t->me); - /* Get the old counters. */ get_counters(oldinfo, counters); /* Decrease module usage counts and free resource */ @@ -1381,7 +1363,7 @@ int ret; struct ipt_table_info *newinfo; static struct ipt_table_info bootstrap - = { 0, 0, 0, { 0 }, { 0 }, { } }; + = { 0, 0, { 0 }, { 0 }, { } }; MOD_INC_USE_COUNT; newinfo = vmalloc(sizeof(struct ipt_table_info) @@ -1424,9 +1406,6 @@ duprintf("table->private->number = %u\n", table->private->number); - - /* save number of initial entries */ - table->private->initial_entries = table->private->number; table->lock = RW_LOCK_UNLOCKED; list_prepend(&ipt_tables, table); 
@@ -1767,7 +1746,7 @@ } #endif - printk("ip_tables: (C) 2000-2002 Netfilter core team\n"); + printk("ip_tables: (c)2000 Netfilter core team\n"); return 0; } diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ipchains_core.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipchains_core.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ipchains_core.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipchains_core.c Fri Jan 25 09:52:37 2002 @@ -838,7 +838,6 @@ i->branch->refcount--; kfree(i); i = tmp; - MOD_DEC_USE_COUNT; } return 0; } @@ -876,16 +875,13 @@ * interrupts is not necessary. */ chainptr->chain = rule; if (rule->branch) rule->branch->refcount++; - goto append_successful; + return 0; } /* Find the rule before the end of the chain */ for (i = chainptr->chain; i->next; i = i->next); i->next = rule; if (rule->branch) rule->branch->refcount++; - -append_successful: - MOD_INC_USE_COUNT; return 0; } @@ -904,7 +900,7 @@ frwl->next = chainptr->chain; if (frwl->branch) frwl->branch->refcount++; chainptr->chain = frwl; - goto insert_successful; + return 0; } position--; while (--position && f != NULL) f = f->next; @@ -914,9 +910,6 @@ frwl->next = f->next; f->next = frwl; - -insert_successful: - MOD_INC_USE_COUNT; return 0; } @@ -950,8 +943,6 @@ i->next = i->next->next; kfree(tmp); } - - MOD_DEC_USE_COUNT; return 0; } @@ -1058,7 +1049,6 @@ else chainptr->chain = ftmp->next; kfree(ftmp); - MOD_DEC_USE_COUNT; break; } @@ -1099,8 +1089,6 @@ tmp->next = tmp2->next; kfree(tmp2); - - MOD_DEC_USE_COUNT; return 0; } @@ -1153,7 +1141,6 @@ * user defined chain * * and therefore can be * deleted */ - MOD_INC_USE_COUNT; return 0; } diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ipfwadm_core.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipfwadm_core.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ipfwadm_core.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipfwadm_core.c Fri Jan 25 09:52:37 2002 
@@ -20,7 +20,7 @@ * license in recognition of the original copyright. * -- Alan Cox. * - * $Id: ipfwadm_core.c,v 1.9.2.1 2002/01/23 13:18:19 davem Exp $ + * $Id: ipfwadm_core.c,v 1.9 2001/09/18 22:29:10 davem Exp $ * * Ported from BSD to Linux, * Alan Cox 22/Nov/1994. @@ -104,7 +104,6 @@ #include #include #include -#include #include #include @@ -688,7 +687,6 @@ ftmp = *chainptr; *chainptr = ftmp->fw_next; kfree(ftmp); - MOD_DEC_USE_COUNT(); } restore_flags(flags); } @@ -732,7 +730,6 @@ ftmp->fw_next = *chainptr; *chainptr=ftmp; restore_flags(flags); - MOD_INC_USE_COUNT(); return(0); } @@ -783,7 +780,6 @@ else *chainptr=ftmp; restore_flags(flags); - MOD_INC_USE_COUNT(); return(0); } @@ -857,10 +853,9 @@ } } restore_flags(flags); - if (was_found) { - MOD_DEC_USE_COUNT(); + if (was_found) return 0; - } else + else return(EINVAL); } diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ipt_LOG.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipt_LOG.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ipt_LOG.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipt_LOG.c Fri Jan 25 09:52:37 2002 @@ -217,7 +217,7 @@ printk("["); dump_packet(info, (struct iphdr *)(icmph + 1), - datalen-sizeof(struct icmphdr), + datalen-sizeof(struct iphdr), 0); printk("] "); } diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/ipt_REDIRECT.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipt_REDIRECT.c --- linux-2.4.18-pre7/net/ipv4/netfilter/ipt_REDIRECT.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/ipt_REDIRECT.c Fri Jan 25 09:52:37 2002 
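Review bot: In the ipt_LOG.c hunk the length passed to the nested `dump_packet` call is now `datalen-sizeof(struct iphdr)`, but the pointer passed with it is `(struct iphdr *)(icmph + 1)`, which is only `sizeof(struct icmphdr)` past the start of the ICMP data. Length and pointer no longer describe the same region, so the embedded header is dumped with the wrong remaining length. Since `sizeof` yields an unsigned type, a `datalen` smaller than `sizeof(struct iphdr)` would also make the subtraction wrap to a very large value; whether an earlier bound on `datalen` rules that out is not visible here. The subtraction should match the pointer advance: `datalen-sizeof(struct icmphdr),`. The enclosing function starts and ends outside the hunk.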
@@ -74,17 +74,10 @@ /* Local packets: make them go to loopback */ if (hooknum == NF_IP_LOCAL_OUT) newdst = htonl(0x7F000001); - else { - struct in_device *indev; - - /* Device might not have an associated in_device. */ - indev = (struct in_device *)(*pskb)->dev->ip_ptr; - if (indev == NULL) - return NF_DROP; - + else /* Grab first address on interface. */ - newdst = indev->ifa_list->ifa_local; - } + newdst = (((struct in_device *)(*pskb)->dev->ip_ptr) + ->ifa_list->ifa_local); /* Transfer from original range. */ newrange = ((struct ip_nat_multi_range) diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/iptable_filter.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/iptable_filter.c --- linux-2.4.18-pre7/net/ipv4/netfilter/iptable_filter.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/iptable_filter.c Fri Jan 25 09:52:37 2002 @@ -83,7 +83,7 @@ static struct ipt_table packet_filter = { { NULL, NULL }, "filter", &initial_table.repl, - FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; + FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; /* The work comes in here from netfilter.c. */ static unsigned int diff -urN linux-2.4.18-pre7/net/ipv4/netfilter/iptable_mangle.c linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/iptable_mangle.c --- linux-2.4.18-pre7/net/ipv4/netfilter/iptable_mangle.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv4/netfilter/iptable_mangle.c Fri Jan 25 09:52:37 2002 @@ -2,8 +2,6 @@ * This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling - * - * Extended to all five netfilter hooks by Brad Chapman & Harald Welte */ #include #include 
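Review bot: The new `else` branch in the ipt_REDIRECT.c hunk dereferences `(*pskb)->dev->ip_ptr` and then `->ifa_list` with no NULL check, although the comment removed by this hunk states that a device might not have an associated in_device. A packet arriving on such a device, or presumably on one with no IPv4 address configured so that `ifa_list` is empty, would make the target dereference a NULL pointer in the packet path. The branch should test both pointers and drop the packet when either is missing, as in the excerpt below. The enclosing target function starts and ends outside the hunk.

```c
	if (hooknum == NF_IP_LOCAL_OUT)
		newdst = htonl(0x7F000001);
	else {
		struct in_device *indev;

		/* Device may have no in_device, or no address to redirect to. */
		indev = (struct in_device *)(*pskb)->dev->ip_ptr;
		if (indev == NULL || indev->ifa_list == NULL)
			return NF_DROP;

		/* Grab first address on interface. */
		newdst = indev->ifa_list->ifa_local;
	}
	/* ... unchanged: newrange setup ... */
```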
@@ -14,11 +12,7 @@ #include #include -#define MANGLE_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | \ - (1 << NF_IP_LOCAL_IN) | \ - (1 << NF_IP_FORWARD) | \ - (1 << NF_IP_LOCAL_OUT) | \ - (1 << NF_IP_POST_ROUTING)) +#define MANGLE_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT)) /* Standard entry. */ struct ipt_standard @@ -39,25 +33,18 @@ struct ipt_error_target target; }; -/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */ static struct { struct ipt_replace repl; - struct ipt_standard entries[5]; + struct ipt_standard entries[2]; struct ipt_error term; } initial_table __initdata -= { { "mangle", MANGLE_VALID_HOOKS, 6, - sizeof(struct ipt_standard) * 5 + sizeof(struct ipt_error), - { [NF_IP_PRE_ROUTING] 0, - [NF_IP_LOCAL_IN] sizeof(struct ipt_standard), - [NF_IP_FORWARD] sizeof(struct ipt_standard) * 2, - [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 3, - [NF_IP_POST_ROUTING] sizeof(struct ipt_standard) * 4 }, - { [NF_IP_PRE_ROUTING] 0, - [NF_IP_LOCAL_IN] sizeof(struct ipt_standard), - [NF_IP_FORWARD] sizeof(struct ipt_standard) * 2, - [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 3, - [NF_IP_POST_ROUTING] sizeof(struct ipt_standard) * 4 }, += { { "mangle", MANGLE_VALID_HOOKS, 3, + sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error), + { [NF_IP_PRE_ROUTING] 0, + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) }, + { [NF_IP_PRE_ROUTING] 0, + [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) }, 0, NULL, { } }, { /* PRE_ROUTING */ 
@@ -68,22 +55,6 @@ 0, { 0, 0 }, { } }, { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, -NF_ACCEPT - 1 } }, - /* LOCAL_IN */ - { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ipt_entry), - sizeof(struct ipt_standard), - 0, { 0, 0 }, { } }, - { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, - /* FORWARD */ - { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ipt_entry), - sizeof(struct ipt_standard), - 0, { 0, 0 }, { } }, - { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, /* LOCAL_OUT */ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, @@ -91,15 +62,7 @@ sizeof(struct ipt_standard), 0, { 0, 0 }, { } }, { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, - /* POST_ROUTING */ - { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ipt_entry), - sizeof(struct ipt_standard), - 0, { 0, 0 }, { } }, - { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, + -NF_ACCEPT - 1 } } }, /* ERROR */ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, @@ -116,11 +79,11 @@ static struct ipt_table packet_mangler = { { NULL, NULL }, "mangle", &initial_table.repl, - MANGLE_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; + MANGLE_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; /* The work comes in here from netfilter.c. */ static unsigned int -ipt_route_hook(unsigned int hook, +ipt_hook(unsigned int hook, struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, @@ -158,7 +121,7 @@ } static unsigned int -ipt_local_hook(unsigned int hook, +ipt_local_out_hook(unsigned int hook, struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, 
@@ -196,16 +159,9 @@ } static struct nf_hook_ops ipt_ops[] -= { { { NULL, NULL }, ipt_route_hook, PF_INET, NF_IP_PRE_ROUTING, - NF_IP_PRI_MANGLE }, - { { NULL, NULL }, ipt_local_hook, PF_INET, NF_IP_LOCAL_IN, - NF_IP_PRI_MANGLE }, - { { NULL, NULL }, ipt_route_hook, PF_INET, NF_IP_FORWARD, - NF_IP_PRI_MANGLE }, - { { NULL, NULL }, ipt_local_hook, PF_INET, NF_IP_LOCAL_OUT, - NF_IP_PRI_MANGLE }, - { { NULL, NULL }, ipt_route_hook, PF_INET, NF_IP_POST_ROUTING, - NF_IP_PRI_MANGLE } += { { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_MANGLE }, + { { NULL, NULL }, ipt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT, + NF_IP_PRI_MANGLE } }; static int __init init(void) @@ -226,26 +182,8 @@ if (ret < 0) goto cleanup_hook0; - ret = nf_register_hook(&ipt_ops[2]); - if (ret < 0) - goto cleanup_hook1; - - ret = nf_register_hook(&ipt_ops[3]); - if (ret < 0) - goto cleanup_hook2; - - ret = nf_register_hook(&ipt_ops[4]); - if (ret < 0) - goto cleanup_hook3; - return ret; - cleanup_hook3: - nf_unregister_hook(&ipt_ops[3]); - cleanup_hook2: - nf_unregister_hook(&ipt_ops[2]); - cleanup_hook1: - nf_unregister_hook(&ipt_ops[1]); cleanup_hook0: nf_unregister_hook(&ipt_ops[0]); cleanup_table: diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/Config.in linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/Config.in --- linux-2.4.18-pre7/net/ipv6/netfilter/Config.in Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/Config.in Fri Jan 25 09:52:37 2002 
@@ -9,10 +9,9 @@ # dep_tristate ' FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK #fi -if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then - tristate 'Userspace queueing via NETLINK (EXPERIMENTAL)' CONFIG_IP6_NF_QUEUE -fi - +#if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then +# tristate 'Userspace queueing via NETLINK (EXPERIMENTAL)' CONFIG_IP6_NF_QUEUE +#fi tristate 'IP6 tables support (required for filtering/masq/NAT)' CONFIG_IP6_NF_IPTABLES if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ]; then # The simple matches. diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/Makefile linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/Makefile --- linux-2.4.18-pre7/net/ipv6/netfilter/Makefile Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/Makefile Fri Jan 25 09:52:37 2002 @@ -21,7 +21,6 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o -obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o include $(TOPDIR)/Rules.make diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/ip6_tables.c linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6_tables.c --- linux-2.4.18-pre7/net/ipv6/netfilter/ip6_tables.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6_tables.c Fri Jan 25 09:52:37 2002 @@ -2,11 +2,6 @@ * Packet matching code. * * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling - * Copyright (C) 2000-2002 Netfilter core team - * - * 19 Jan 2002 Harald Welte - * - increase module usage count as soon as we have rules inside - * a table */ #include #include @@ -91,8 +86,6 @@ unsigned int size; /* Number of entries: FIXME. --RR */ unsigned int number; - /* Initial number of entries. Needed for module usage count */ - unsigned int initial_entries; /* Entry points and underflows */ unsigned int hook_entry[NF_IP6_NUMHOOKS]; 
@@ -956,7 +949,6 @@ } oldinfo = table->private; table->private = newinfo; - newinfo->initial_entries = oldinfo->initial_entries; write_unlock_bh(&table->lock); return oldinfo; @@ -1156,16 +1148,6 @@ if (!oldinfo) goto free_newinfo_counters_untrans_unlock; - /* Update module usage count based on number of rules */ - duprintf("do_replace: oldnum=%u, initnum=%u, newnum=%u\n", - oldinfo->number, oldinfo->initial_entries, newinfo->number); - if (t->me && (oldinfo->number <= oldinfo->initial_entries) && - (newinfo->number > oldinfo->initial_entries)) - __MOD_INC_USE_COUNT(t->me); - else if (t->me && (oldinfo->number > oldinfo->initial_entries) && - (newinfo->number <= oldinfo->initial_entries)) - __MOD_DEC_USE_COUNT(t->me); - /* Get the old counters. */ get_counters(oldinfo, counters); /* Decrease module usage counts and free resource */ @@ -1424,7 +1406,7 @@ int ret; struct ip6t_table_info *newinfo; static struct ip6t_table_info bootstrap - = { 0, 0, 0, { 0 }, { 0 }, { }, { } }; + = { 0, 0, { 0 }, { 0 }, { }, { } }; MOD_INC_USE_COUNT; newinfo = vmalloc(sizeof(struct ip6t_table_info) @@ -1801,7 +1783,7 @@ } #endif - printk("ip6_tables: (C) 2000-2002 Netfilter core team\n"); + printk("ip6_tables: (c)2000 Netfilter core team\n"); return 0; } diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/ip6t_MARK.c linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6t_MARK.c --- linux-2.4.18-pre7/net/ipv6/netfilter/ip6t_MARK.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6t_MARK.c Fri Jan 25 09:52:37 2002 
@@ -51,7 +51,7 @@ static int __init init(void) { - printk(KERN_DEBUG "registering ipv6 mark target\n"); + printk(KERN_DEBUG "registreing ipv6 mark target\n"); if (ip6t_register_target(&ip6t_mark_reg)) return -EINVAL; diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/ip6table_filter.c linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6table_filter.c --- linux-2.4.18-pre7/net/ipv6/netfilter/ip6table_filter.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6table_filter.c Fri Jan 25 09:52:37 2002 @@ -83,7 +83,7 @@ static struct ip6t_table packet_filter = { { NULL, NULL }, "filter", &initial_table.repl, - FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; + FILTER_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; /* The work comes in here from netfilter.c. */ static unsigned int diff -urN linux-2.4.18-pre7/net/ipv6/netfilter/ip6table_mangle.c linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6table_mangle.c --- linux-2.4.18-pre7/net/ipv6/netfilter/ip6table_mangle.c Fri Jan 25 09:50:47 2002 +++ linux-2.4.18-pre7-oldnf/net/ipv6/netfilter/ip6table_mangle.c Fri Jan 25 09:52:37 2002 @@ -1,18 +1,14 @@ /* * IPv6 packet mangling table, a port of the IPv4 mangle table to IPv6 * - * Copyright (C) 2000-2001 by Harald Welte + * Copyright (C) 2000 by Harald Welte */ #include #include -#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | \ - (1 << NF_IP6_LOCAL_IN) | \ - (1 << NF_IP6_FORWARD) | \ - (1 << NF_IP6_LOCAL_OUT) | \ - (1 << NF_IP6_POST_ROUTING)) +#define MANGLE_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT)) -#if 0 +#if 1 #define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args) #else #define DEBUGP(x, args...) 
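Review bot: The log string on the new side of the ip6t_MARK.c hunk is misspelled, `"registreing ipv6 mark target\n"`, which makes the message harder to find when searching kernel logs. Use `printk(KERN_DEBUG "registering ipv6 mark target\n");`. The context line below it also turns any failure of `ip6t_register_target` into `-EINVAL`; returning the call's own result would preserve the real error, though that line is not changed by this patch.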
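Review bot: Switching the guard to `#if 1` in the ip6table_mangle.c `@@ -1,18 +1,14 @@` hunk makes `DEBUGP` expand to `printk(KERN_DEBUG ...)` in every build of this module. The call sites are outside the hunk, but if any of them sits in the per-packet hook path, traffic alone could fill the kernel log and slow packet processing. Debug output should stay off by default: keep `#if 0`, with a comment such as `/* set to 1 for hook debugging only */` above it.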
@@ -40,41 +36,19 @@ static struct { struct ip6t_replace repl; - struct ip6t_standard entries[5]; + struct ip6t_standard entries[2]; struct ip6t_error term; } initial_table __initdata -= { { "mangle", MANGLE_VALID_HOOKS, 6, - sizeof(struct ip6t_standard) * 5 + sizeof(struct ip6t_error), - { [NF_IP6_PRE_ROUTING] 0, - [NF_IP6_LOCAL_IN] sizeof(struct ip6t_standard), - [NF_IP6_FORWARD] sizeof(struct ip6t_standard) * 2, - [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) * 3, - [NF_IP6_POST_ROUTING] sizeof(struct ip6t_standard) * 4}, - { [NF_IP6_PRE_ROUTING] 0, - [NF_IP6_LOCAL_IN] sizeof(struct ip6t_standard), - [NF_IP6_FORWARD] sizeof(struct ip6t_standard) * 2, - [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) * 3, - [NF_IP6_POST_ROUTING] sizeof(struct ip6t_standard) * 4}, += { { "mangle", MANGLE_VALID_HOOKS, 3, + sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error), + { [NF_IP6_PRE_ROUTING] 0, + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) }, + { [NF_IP6_PRE_ROUTING] 0, + [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) }, 0, NULL, { } }, { /* PRE_ROUTING */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ip6t_entry), - sizeof(struct ip6t_standard), - 0, { 0, 0 }, { } }, - { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, - /* LOCAL_IN */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ip6t_entry), - sizeof(struct ip6t_standard), - 0, { 0, 0 }, { } }, - { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, - /* FORWARD */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, + { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), sizeof(struct ip6t_standard), 
@@ -82,14 +56,6 @@ { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, -NF_ACCEPT - 1 } }, /* LOCAL_OUT */ - { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, - 0, - sizeof(struct ip6t_entry), - sizeof(struct ip6t_standard), - 0, { 0, 0 }, { } }, - { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } }, - -NF_ACCEPT - 1 } }, - /* POST_ROUTING */ { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 0, sizeof(struct ip6t_entry), @@ -113,11 +79,11 @@ static struct ip6t_table packet_mangler = { { NULL, NULL }, "mangle", &initial_table.repl, - MANGLE_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; + MANGLE_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; /* The work comes in here from netfilter.c. */ static unsigned int -ip6t_route_hook(unsigned int hook, +ip6t_hook(unsigned int hook, struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, @@ -127,7 +93,7 @@ } static unsigned int -ip6t_local_hook(unsigned int hook, +ip6t_local_out_hook(unsigned int hook, struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, @@ -176,11 +142,9 @@ } static struct nf_hook_ops ip6t_ops[] -= { { { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_PRE_ROUTING, NF_IP6_PRI_MANGLE }, - { { NULL, NULL }, ip6t_local_hook, PF_INET6, NF_IP6_LOCAL_IN, NF_IP6_PRI_MANGLE }, - { { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_FORWARD, NF_IP6_PRI_MANGLE }, - { { NULL, NULL }, ip6t_local_hook, PF_INET6, NF_IP6_LOCAL_OUT, NF_IP6_PRI_MANGLE }, - { { NULL, NULL }, ip6t_route_hook, PF_INET6, NF_IP6_POST_ROUTING, NF_IP6_PRI_MANGLE } += { { { NULL, NULL }, ip6t_hook, PF_INET6, NF_IP6_PRE_ROUTING, NF_IP6_PRI_MANGLE }, + { { NULL, NULL }, ip6t_local_out_hook, PF_INET6, NF_IP6_LOCAL_OUT, + NF_IP6_PRI_MANGLE } }; static int __init init(void) 
@@ -201,26 +165,8 @@ if (ret < 0) goto cleanup_hook0; - ret = nf_register_hook(&ip6t_ops[2]); - if (ret < 0) - goto cleanup_hook1; - - ret = nf_register_hook(&ip6t_ops[3]); - if (ret < 0) - goto cleanup_hook2; - - ret = nf_register_hook(&ip6t_ops[4]); - if (ret < 0) - goto cleanup_hook3; - return ret; - cleanup_hook3: - nf_unregister_hook(&ip6t_ops[3]); - cleanup_hook2: - nf_unregister_hook(&ip6t_ops[2]); - cleanup_hook1: - nf_unregister_hook(&ip6t_ops[1]); cleanup_hook0: nf_unregister_hook(&ip6t_ops[0]); cleanup_table: