├── .editorconfig ├── .gitattributes ├── .github └── workflows │ └── main.yml ├── .gitignore ├── LICENSE ├── README.md └── src ├── 3.x ├── Makefile ├── defines ├── lib │ ├── Makefile │ ├── textsearch.c │ ├── ts_bm.c │ ├── ts_fsm.c │ └── ts_kmp.c └── net │ ├── Makefile │ ├── ipv6 │ ├── Makefile │ └── netfilter │ │ ├── Kconfig │ │ ├── Makefile │ │ ├── ip6_tables.c │ │ ├── ip6t_MASQUERADE.c │ │ ├── ip6t_NPT.c │ │ ├── ip6t_REJECT.c │ │ ├── ip6t_ah.c │ │ ├── ip6t_eui64.c │ │ ├── ip6t_frag.c │ │ ├── ip6t_hbh.c │ │ ├── ip6t_ipv6header.c │ │ ├── ip6t_mh.c │ │ ├── ip6t_rpfilter.c │ │ ├── ip6t_rt.c │ │ ├── ip6table_filter.c │ │ ├── ip6table_mangle.c │ │ ├── ip6table_nat.c │ │ ├── ip6table_raw.c │ │ ├── ip6table_security.c │ │ ├── nf_conntrack_l3proto_ipv6.c │ │ ├── nf_conntrack_proto_icmpv6.c │ │ ├── nf_conntrack_reasm.c │ │ ├── nf_defrag_ipv6_hooks.c │ │ ├── nf_nat_l3proto_ipv6.c │ │ └── nf_nat_proto_icmpv6.c │ └── netfilter │ ├── Kconfig │ ├── Makefile │ ├── core.c │ ├── ipset │ ├── Kconfig │ ├── Makefile │ ├── ip_set_bitmap_gen.h │ ├── ip_set_bitmap_ip.c │ ├── ip_set_bitmap_ipmac.c │ ├── ip_set_bitmap_port.c │ ├── ip_set_core.c │ ├── ip_set_getport.c │ ├── ip_set_hash_gen.h │ ├── ip_set_hash_ip.c │ ├── ip_set_hash_ipport.c │ ├── ip_set_hash_ipportip.c │ ├── ip_set_hash_ipportnet.c │ ├── ip_set_hash_net.c │ ├── ip_set_hash_netiface.c │ ├── ip_set_hash_netport.c │ ├── ip_set_list_set.c │ └── pfxlen.c │ ├── ipvs │ ├── Kconfig │ ├── Makefile │ ├── ip_vs_app.c │ ├── ip_vs_conn.c │ ├── ip_vs_core.c │ ├── ip_vs_ctl.c │ ├── ip_vs_dh.c │ ├── ip_vs_est.c │ ├── ip_vs_ftp.c │ ├── ip_vs_lblc.c │ ├── ip_vs_lblcr.c │ ├── ip_vs_lc.c │ ├── ip_vs_nfct.c │ ├── ip_vs_nq.c │ ├── ip_vs_pe.c │ ├── ip_vs_pe_sip.c │ ├── ip_vs_proto.c │ ├── ip_vs_proto_ah_esp.c │ ├── ip_vs_proto_sctp.c │ ├── ip_vs_proto_tcp.c │ ├── ip_vs_proto_udp.c │ ├── ip_vs_rr.c │ ├── ip_vs_sched.c │ ├── ip_vs_sed.c │ ├── ip_vs_sh.c │ ├── ip_vs_sync.c │ ├── ip_vs_wlc.c │ ├── ip_vs_wrr.c │ └── ip_vs_xmit.c │ ├── nf_conntrack_acct.c │ ├── nf_conntrack_amanda.c │ ├── nf_conntrack_broadcast.c │ ├── nf_conntrack_core.c │ ├── nf_conntrack_ecache.c │ ├── nf_conntrack_expect.c │ ├── nf_conntrack_extend.c │ ├── nf_conntrack_ftp.c │ ├── nf_conntrack_h323_asn1.c │ ├── nf_conntrack_h323_main.c │ ├── nf_conntrack_h323_types.c │ ├── nf_conntrack_helper.c │ ├── nf_conntrack_irc.c │ ├── nf_conntrack_l3proto_generic.c │ ├── nf_conntrack_labels.c │ ├── nf_conntrack_netbios_ns.c │ ├── nf_conntrack_netlink.c │ ├── nf_conntrack_pptp.c │ ├── nf_conntrack_proto.c │ ├── nf_conntrack_proto_dccp.c │ ├── nf_conntrack_proto_generic.c │ ├── nf_conntrack_proto_gre.c │ ├── nf_conntrack_proto_sctp.c │ ├── nf_conntrack_proto_tcp.c │ ├── nf_conntrack_proto_udp.c │ ├── nf_conntrack_proto_udplite.c │ ├── nf_conntrack_sane.c │ ├── nf_conntrack_sip.c │ ├── nf_conntrack_snmp.c │ ├── nf_conntrack_standalone.c │ ├── nf_conntrack_tftp.c │ ├── nf_conntrack_timeout.c │ ├── nf_conntrack_timestamp.c │ ├── nf_internals.h │ ├── nf_log.c │ ├── nf_nat_amanda.c │ ├── nf_nat_core.c │ ├── nf_nat_ftp.c │ ├── nf_nat_helper.c │ ├── nf_nat_irc.c │ ├── nf_nat_proto_common.c │ ├── nf_nat_proto_dccp.c │ ├── nf_nat_proto_sctp.c │ ├── nf_nat_proto_tcp.c │ ├── nf_nat_proto_udp.c │ ├── nf_nat_proto_udplite.c │ ├── nf_nat_proto_unknown.c │ ├── nf_nat_sip.c │ ├── nf_nat_tftp.c │ ├── nf_queue.c │ ├── nf_sockopt.c │ ├── nf_tproxy_core.c │ ├── nfnetlink.c │ ├── nfnetlink_acct.c │ ├── nfnetlink_cthelper.c │ ├── nfnetlink_cttimeout.c │ ├── nfnetlink_log.c │ ├── nfnetlink_queue_core.c │ ├── nfnetlink_queue_ct.c │ ├── x_tables.c │ ├── xt_AUDIT.c │ ├── xt_CHECKSUM.c │ ├── xt_CLASSIFY.c │ ├── xt_CONNSECMARK.c │ ├── xt_CT.c │ ├── xt_HMARK.c │ ├── xt_IDLETIMER.c │ ├── xt_LED.c │ ├── xt_LOG.c │ ├── xt_NETMAP.c │ ├── xt_NFLOG.c │ ├── xt_NFQUEUE.c │ ├── xt_REDIRECT.c │ ├── xt_SECMARK.c │ ├── xt_TCPMSS.c │ ├── xt_TCPOPTSTRIP.c │ ├── xt_TEE.c │ ├── xt_TPROXY.c │ ├── xt_TRACE.c │ ├── xt_addrtype.c │ ├── xt_bpf.c │ ├── xt_cluster.c │ ├── xt_comment.c │ ├── xt_connbytes.c │ ├── xt_connlabel.c │ ├── xt_connlimit.c │ ├── xt_connmark.c │ ├── xt_conntrack.c │ ├── xt_cpu.c │ ├── xt_dccp.c │ ├── xt_devgroup.c │ ├── xt_dscp.c │ ├── xt_ecn.c │ ├── xt_esp.c │ ├── xt_hashlimit.c │ ├── xt_helper.c │ ├── xt_hl.c │ ├── xt_iprange.c │ ├── xt_ipvs.c │ ├── xt_length.c │ ├── xt_limit.c │ ├── xt_mac.c │ ├── xt_mark.c │ ├── xt_multiport.c │ ├── xt_nat.c │ ├── xt_nfacct.c │ ├── xt_osf.c │ ├── xt_owner.c │ ├── xt_physdev.c │ ├── xt_pkttype.c │ ├── xt_policy.c │ ├── xt_quota.c │ ├── xt_rateest.c │ ├── xt_realm.c │ ├── xt_recent.c │ ├── xt_repldata.h │ ├── xt_sctp.c │ ├── xt_set.c │ ├── xt_socket.c │ ├── xt_state.c │ ├── xt_statistic.c │ ├── xt_string.c │ ├── xt_tcpudp.c │ ├── xt_time.c │ └── xt_u32.c ├── 4.x ├── Makefile ├── defines ├── lib │ ├── Makefile │ ├── textsearch.c │ ├── ts_bm.c │ ├── ts_fsm.c │ └── ts_kmp.c └── net │ ├── Makefile │ ├── ipv6 │ ├── Makefile │ └── netfilter │ │ ├── Kconfig │ │ ├── Makefile │ │ ├── ip6_tables.c │ │ ├── ip6t_MASQUERADE.c │ │ ├── ip6t_NPT.c │ │ ├── ip6t_REJECT.c │ │ ├── ip6t_SYNPROXY.c │ │ ├── ip6t_ah.c │ │ ├── ip6t_eui64.c │ │ ├── ip6t_frag.c │ │ ├── ip6t_hbh.c │ │ ├── ip6t_ipv6header.c │ │ ├── ip6t_mh.c │ │ ├── ip6t_rpfilter.c │ │ ├── ip6t_rt.c │ │ ├── ip6table_filter.c │ │ ├── ip6table_mangle.c │ │ ├── ip6table_nat.c │ │ ├── ip6table_raw.c │ │ ├── ip6table_security.c │ │ ├── nf_conntrack_l3proto_ipv6.c │ │ ├── nf_conntrack_proto_icmpv6.c │ │ ├── nf_conntrack_reasm.c │ │ ├── nf_defrag_ipv6_hooks.c │ │ ├── nf_dup_ipv6.c │ │ ├── nf_log_ipv6.c │ │ ├── nf_nat_l3proto_ipv6.c │ │ ├── nf_nat_masquerade_ipv6.c │ │ ├── nf_nat_proto_icmpv6.c │ │ ├── nf_reject_ipv6.c │ │ ├── nf_tables_ipv6.c │ │ ├── nft_chain_nat_ipv6.c │ │ ├── nft_chain_route_ipv6.c │ │ ├── nft_dup_ipv6.c │ │ ├── nft_masq_ipv6.c │ │ ├── nft_redir_ipv6.c │ │ └── nft_reject_ipv6.c │ └── netfilter │ ├── Kconfig │ ├── Makefile │ ├── core.c │ ├── ipset │ ├── Kconfig │ ├── Makefile │ ├── ip_set_bitmap_gen.h │ ├── ip_set_bitmap_ip.c │ ├── ip_set_bitmap_ipmac.c │ ├── ip_set_bitmap_port.c │ ├── ip_set_core.c │ ├── ip_set_getport.c │ ├── ip_set_hash_gen.h │ ├── ip_set_hash_ip.c │ ├── ip_set_hash_ipmark.c │ ├── ip_set_hash_ipport.c │ ├── ip_set_hash_ipportip.c │ ├── ip_set_hash_ipportnet.c │ ├── ip_set_hash_mac.c │ ├── ip_set_hash_net.c │ ├── ip_set_hash_netiface.c │ ├── ip_set_hash_netnet.c │ ├── ip_set_hash_netport.c │ ├── ip_set_hash_netportnet.c │ ├── ip_set_list_set.c │ └── pfxlen.c │ ├── ipvs │ ├── Kconfig │ ├── Makefile │ ├── ip_vs_app.c │ ├── ip_vs_conn.c │ ├── ip_vs_core.c │ ├── ip_vs_ctl.c │ ├── ip_vs_dh.c │ ├── ip_vs_est.c │ ├── ip_vs_fo.c │ ├── ip_vs_ftp.c │ ├── ip_vs_lblc.c │ ├── ip_vs_lblcr.c │ ├── ip_vs_lc.c │ ├── ip_vs_nfct.c │ ├── ip_vs_nq.c │ ├── ip_vs_ovf.c │ ├── ip_vs_pe.c │ ├── ip_vs_pe_sip.c │ ├── ip_vs_proto.c │ ├── ip_vs_proto_ah_esp.c │ ├── ip_vs_proto_sctp.c │ ├── ip_vs_proto_tcp.c │ ├── ip_vs_proto_udp.c │ ├── ip_vs_rr.c │ ├── ip_vs_sched.c │ ├── ip_vs_sed.c │ ├── ip_vs_sh.c │ ├── ip_vs_sync.c │ ├── ip_vs_wlc.c │ ├── ip_vs_wrr.c │ └── ip_vs_xmit.c │ ├── nf_conntrack_acct.c │ ├── nf_conntrack_amanda.c │ ├── nf_conntrack_broadcast.c │ ├── nf_conntrack_core.c │ ├── nf_conntrack_ecache.c │ ├── nf_conntrack_expect.c │ ├── nf_conntrack_extend.c │ ├── nf_conntrack_ftp.c │ ├── nf_conntrack_h323_asn1.c │ ├── nf_conntrack_h323_main.c │ ├── nf_conntrack_h323_types.c │ ├── nf_conntrack_helper.c │ ├── nf_conntrack_irc.c │ ├── nf_conntrack_l3proto_generic.c │ ├── nf_conntrack_labels.c │ ├── nf_conntrack_netbios_ns.c │ ├── nf_conntrack_netlink.c │ ├── nf_conntrack_pptp.c │ ├── nf_conntrack_proto.c │ ├── nf_conntrack_proto_dccp.c │ ├── nf_conntrack_proto_generic.c │ ├── nf_conntrack_proto_gre.c │ ├── nf_conntrack_proto_sctp.c │ ├── nf_conntrack_proto_tcp.c │ ├── nf_conntrack_proto_udp.c │ ├── nf_conntrack_proto_udplite.c │ ├── nf_conntrack_sane.c │ ├── nf_conntrack_seqadj.c │ ├── nf_conntrack_sip.c │ ├── nf_conntrack_snmp.c │ ├── nf_conntrack_standalone.c │ ├── nf_conntrack_tftp.c │ ├── nf_conntrack_timeout.c │ ├── nf_conntrack_timestamp.c │ ├── nf_internals.h │ ├── nf_log.c │ ├── nf_log_common.c │ ├── nf_nat_amanda.c │ ├── nf_nat_core.c │ ├── nf_nat_ftp.c │ ├── nf_nat_helper.c │ ├── nf_nat_irc.c │ ├── nf_nat_proto_common.c │ ├── nf_nat_proto_dccp.c │ ├── nf_nat_proto_sctp.c │ ├── nf_nat_proto_tcp.c │ ├── nf_nat_proto_udp.c │ ├── nf_nat_proto_udplite.c │ ├── nf_nat_proto_unknown.c │ ├── nf_nat_redirect.c │ ├── nf_nat_sip.c │ ├── nf_nat_tftp.c │ ├── nf_queue.c │ ├── nf_sockopt.c │ ├── nf_synproxy_core.c │ ├── nf_tables_api.c │ ├── nf_tables_core.c │ ├── nf_tables_inet.c │ ├── nf_tables_netdev.c │ ├── nfnetlink.c │ ├── nfnetlink_acct.c │ ├── nfnetlink_cthelper.c │ ├── nfnetlink_cttimeout.c │ ├── nfnetlink_log.c │ ├── nfnetlink_queue.c │ ├── nft_bitwise.c │ ├── nft_byteorder.c │ ├── nft_cmp.c │ ├── nft_compat.c │ ├── nft_counter.c │ ├── nft_ct.c │ ├── nft_dynset.c │ ├── nft_exthdr.c │ ├── nft_hash.c │ ├── nft_immediate.c │ ├── nft_limit.c │ ├── nft_log.c │ ├── nft_lookup.c │ ├── nft_masq.c │ ├── nft_meta.c │ ├── nft_nat.c │ ├── nft_payload.c │ ├── nft_queue.c │ ├── nft_rbtree.c │ ├── nft_redir.c │ ├── nft_reject.c │ ├── nft_reject_inet.c │ ├── x_tables.c │ ├── xt_AUDIT.c │ ├── xt_CHECKSUM.c │ ├── xt_CLASSIFY.c │ ├── xt_CONNSECMARK.c │ ├── xt_CT.c │ ├── xt_HMARK.c │ ├── xt_IDLETIMER.c │ ├── xt_LED.c │ ├── xt_LOG.c │ ├── xt_NETMAP.c │ ├── xt_NFLOG.c │ ├── xt_NFQUEUE.c │ ├── xt_REDIRECT.c │ ├── xt_SECMARK.c │ ├── xt_TCPMSS.c │ ├── xt_TCPOPTSTRIP.c │ ├── xt_TEE.c │ ├── xt_TPROXY.c │ ├── xt_TRACE.c │ ├── xt_addrtype.c │ ├── xt_bpf.c │ ├── xt_cgroup.c │ ├── xt_cluster.c │ ├── xt_comment.c │ ├── xt_connbytes.c │ ├── xt_connlabel.c │ ├── xt_connlimit.c │ ├── xt_connmark.c │ ├── xt_conntrack.c │ ├── xt_cpu.c │ ├── xt_dccp.c │ ├── xt_devgroup.c │ ├── xt_dscp.c │ ├── xt_ecn.c │ ├── xt_esp.c │ ├── xt_hashlimit.c │ ├── xt_helper.c │ ├── xt_hl.c │ ├── xt_ipcomp.c │ ├── xt_iprange.c │ ├── xt_ipvs.c │ ├── xt_l2tp.c │ ├── xt_length.c │ ├── xt_limit.c │ ├── xt_mac.c │ ├── xt_mark.c │ ├── xt_multiport.c │ ├── xt_nat.c │ ├── xt_nfacct.c │ ├── xt_osf.c │ ├── xt_owner.c │ ├── xt_physdev.c │ ├── xt_pkttype.c │ ├── xt_policy.c │ ├── xt_quota.c │ ├── xt_rateest.c │ ├── xt_realm.c │ ├── xt_recent.c │ ├── xt_repldata.h │ ├── xt_sctp.c │ ├── xt_set.c │ ├── xt_socket.c │ ├── xt_state.c │ ├── xt_statistic.c │ ├── xt_string.c │ ├── xt_tcpudp.c │ ├── xt_time.c │ └── xt_u32.c └── 5.x ├── Makefile ├── defines ├── lib ├── Makefile ├── textsearch.c ├── ts_bm.c ├── ts_fsm.c └── ts_kmp.c └── net ├── Makefile ├── ipv4 ├── Makefile ├── netfilter.c └── netfilter │ ├── Kconfig │ ├── Makefile │ ├── arp_tables.c │ ├── arpt_mangle.c │ ├── arptable_filter.c │ ├── ip_tables.c │ ├── ipt_CLUSTERIP.c │ ├── ipt_ECN.c │ ├── ipt_REJECT.c │ ├── ipt_SYNPROXY.c │ ├── ipt_ah.c │ ├── ipt_rpfilter.c │ ├── iptable_filter.c │ ├── iptable_mangle.c │ ├── iptable_nat.c │ ├── iptable_raw.c │ ├── iptable_security.c │ ├── nf_defrag_ipv4.c │ ├── nf_dup_ipv4.c │ ├── nf_flow_table_ipv4.c │ ├── nf_log_arp.c │ ├── nf_log_ipv4.c │ ├── nf_nat_h323.c │ ├── nf_nat_pptp.c │ ├── nf_nat_snmp_basic.asn1 │ ├── nf_nat_snmp_basic_main.c │ ├── nf_reject_ipv4.c │ ├── nf_socket_ipv4.c │ ├── nf_tproxy_ipv4.c │ ├── nft_dup_ipv4.c │ ├── nft_fib_ipv4.c │ └── nft_reject_ipv4.c ├── ipv6 ├── Makefile ├── netfilter │ ├── Kconfig │ ├── Makefile │ ├── ip6_tables.c │ ├── ip6t_NPT.c │ ├── ip6t_REJECT.c │ ├── ip6t_SYNPROXY.c │ ├── ip6t_ah.c │ ├── ip6t_eui64.c │ ├── ip6t_frag.c │ ├── ip6t_hbh.c │ ├── ip6t_ipv6header.c │ ├── ip6t_mh.c │ ├── ip6t_rpfilter.c │ ├── ip6t_rt.c │ ├── ip6t_srh.c │ ├── ip6table_filter.c │ ├── ip6table_mangle.c │ ├── ip6table_nat.c │ ├── ip6table_raw.c │ ├── ip6table_security.c │ ├── nf_conntrack_reasm.c │ ├── nf_defrag_ipv6_hooks.c │ ├── nf_dup_ipv6.c │ ├── nf_flow_table_ipv6.c │ ├── nf_log_ipv6.c │ ├── nf_reject_ipv6.c │ ├── nf_socket_ipv6.c │ ├── nf_tproxy_ipv6.c │ ├── nft_dup_ipv6.c │ ├── nft_fib_ipv6.c │ └── nft_reject_ipv6.c ├── udp.c └── udp_impl.h └── netfilter ├── Kconfig ├── Makefile ├── core.c ├── ipset ├── Kconfig ├── Makefile ├── ip_set_bitmap_gen.h ├── ip_set_bitmap_ip.c ├── ip_set_bitmap_ipmac.c ├── ip_set_bitmap_port.c ├── ip_set_core.c ├── ip_set_getport.c ├── ip_set_hash_gen.h ├── ip_set_hash_ip.c ├── ip_set_hash_ipmac.c ├── ip_set_hash_ipmark.c ├── ip_set_hash_ipport.c ├── ip_set_hash_ipportip.c ├── ip_set_hash_ipportnet.c ├── ip_set_hash_mac.c ├── ip_set_hash_net.c ├── ip_set_hash_netiface.c ├── ip_set_hash_netnet.c ├── ip_set_hash_netport.c ├── ip_set_hash_netportnet.c ├── ip_set_list_set.c └── pfxlen.c ├── ipvs ├── Kconfig ├── Makefile ├── ip_vs_app.c ├── ip_vs_conn.c ├── ip_vs_core.c ├── ip_vs_ctl.c ├── ip_vs_dh.c ├── ip_vs_est.c ├── ip_vs_fo.c ├── ip_vs_ftp.c ├── ip_vs_lblc.c ├── ip_vs_lblcr.c ├── ip_vs_lc.c ├── ip_vs_mh.c ├── ip_vs_nfct.c ├── ip_vs_nq.c ├── ip_vs_ovf.c ├── ip_vs_pe.c ├── ip_vs_pe_sip.c ├── ip_vs_proto.c ├── ip_vs_proto_ah_esp.c ├── ip_vs_proto_sctp.c ├── ip_vs_proto_tcp.c ├── ip_vs_proto_udp.c ├── ip_vs_rr.c ├── ip_vs_sched.c ├── ip_vs_sed.c ├── ip_vs_sh.c ├── ip_vs_sync.c ├── ip_vs_wlc.c ├── ip_vs_wrr.c └── ip_vs_xmit.c ├── nf_conncount.c ├── nf_conntrack_acct.c ├── nf_conntrack_amanda.c ├── nf_conntrack_broadcast.c ├── nf_conntrack_core.c ├── nf_conntrack_ecache.c ├── nf_conntrack_expect.c ├── nf_conntrack_extend.c ├── nf_conntrack_ftp.c ├── nf_conntrack_h323_asn1.c ├── nf_conntrack_h323_main.c ├── nf_conntrack_h323_types.c ├── nf_conntrack_helper.c ├── nf_conntrack_irc.c ├── nf_conntrack_labels.c ├── nf_conntrack_netbios_ns.c ├── nf_conntrack_netlink.c ├── nf_conntrack_pptp.c ├── nf_conntrack_proto.c ├── nf_conntrack_proto_dccp.c ├── nf_conntrack_proto_generic.c ├── nf_conntrack_proto_gre.c ├── nf_conntrack_proto_icmp.c ├── nf_conntrack_proto_icmpv6.c ├── nf_conntrack_proto_sctp.c ├── nf_conntrack_proto_tcp.c ├── nf_conntrack_proto_udp.c ├── nf_conntrack_sane.c ├── nf_conntrack_seqadj.c ├── nf_conntrack_sip.c ├── nf_conntrack_snmp.c ├── nf_conntrack_standalone.c ├── nf_conntrack_tftp.c ├── nf_conntrack_timeout.c ├── nf_conntrack_timestamp.c ├── nf_dup_netdev.c ├── nf_flow_table_core.c ├── nf_flow_table_inet.c ├── nf_flow_table_ip.c ├── nf_flow_table_offload.c ├── nf_internals.h ├── nf_log.c ├── nf_log_common.c ├── nf_log_netdev.c ├── nf_nat_amanda.c ├── nf_nat_core.c ├── nf_nat_ftp.c ├── nf_nat_helper.c ├── nf_nat_irc.c ├── nf_nat_masquerade.c ├── nf_nat_proto.c ├── nf_nat_redirect.c ├── nf_nat_sip.c ├── nf_nat_tftp.c ├── nf_queue.c ├── nf_sockopt.c ├── nf_synproxy_core.c ├── nf_tables_api.c ├── nf_tables_core.c ├── nf_tables_offload.c ├── nf_tables_trace.c ├── nfnetlink.c ├── nfnetlink_acct.c ├── nfnetlink_cthelper.c ├── nfnetlink_cttimeout.c ├── nfnetlink_log.c ├── nfnetlink_osf.c ├── nfnetlink_queue.c ├── nft_bitwise.c ├── nft_byteorder.c ├── nft_chain_filter.c ├── nft_chain_nat.c ├── nft_chain_route.c ├── nft_cmp.c ├── nft_compat.c ├── nft_connlimit.c ├── nft_counter.c ├── nft_ct.c ├── nft_dup_netdev.c ├── nft_dynset.c ├── nft_exthdr.c ├── nft_fib.c ├── nft_fib_inet.c ├── nft_fib_netdev.c ├── nft_flow_offload.c ├── nft_fwd_netdev.c ├── nft_hash.c ├── nft_immediate.c ├── nft_limit.c ├── nft_log.c ├── nft_lookup.c ├── nft_masq.c ├── nft_meta.c ├── nft_nat.c ├── nft_numgen.c ├── nft_objref.c ├── nft_osf.c ├── nft_payload.c ├── nft_queue.c ├── nft_quota.c ├── nft_range.c ├── nft_redir.c ├── nft_reject.c ├── nft_reject_inet.c ├── nft_rt.c ├── nft_set_bitmap.c ├── nft_set_hash.c ├── nft_set_pipapo.c ├── nft_set_pipapo.h ├── nft_set_pipapo_avx2.c ├── nft_set_pipapo_avx2.h ├── nft_set_rbtree.c ├── nft_socket.c ├── nft_synproxy.c ├── nft_tproxy.c ├── nft_tunnel.c ├── nft_xfrm.c ├── utils.c ├── x_tables.c ├── xt_AUDIT.c ├── xt_CHECKSUM.c ├── xt_CLASSIFY.c ├── xt_CONNSECMARK.c ├── xt_CT.c ├── xt_HMARK.c ├── xt_IDLETIMER.c ├── xt_LED.c ├── xt_LOG.c ├── xt_MASQUERADE.c ├── xt_NETMAP.c ├── xt_NFLOG.c ├── xt_NFQUEUE.c ├── xt_REDIRECT.c ├── xt_SECMARK.c ├── xt_TCPMSS.c ├── xt_TCPOPTSTRIP.c ├── xt_TEE.c ├── xt_TPROXY.c ├── xt_TRACE.c ├── xt_addrtype.c ├── xt_bpf.c ├── xt_cgroup.c ├── xt_cluster.c ├── xt_comment.c ├── xt_connbytes.c ├── xt_connlabel.c ├── xt_connlimit.c ├── xt_connmark.c ├── xt_conntrack.c ├── xt_cpu.c ├── xt_dccp.c ├── xt_devgroup.c ├── xt_dscp.c ├── xt_ecn.c ├── xt_esp.c ├── xt_hashlimit.c ├── xt_helper.c ├── xt_hl.c ├── xt_ipcomp.c ├── xt_iprange.c ├── xt_ipvs.c ├── xt_l2tp.c ├── xt_length.c ├── xt_limit.c ├── xt_mac.c ├── xt_mark.c ├── xt_multiport.c ├── xt_nat.c ├── xt_nfacct.c ├── xt_osf.c ├── xt_owner.c ├── xt_physdev.c ├── xt_pkttype.c ├── xt_policy.c ├── xt_quota.c ├── xt_rateest.c ├── xt_realm.c ├── xt_recent.c ├── xt_repldata.h ├── xt_sctp.c ├── xt_set.c ├── xt_socket.c ├── xt_state.c ├── xt_statistic.c ├── xt_string.c ├── xt_tcpudp.c ├── xt_time.c └── xt_u32.c /.editorconfig: -------------------------------------------------------------------------------- 1 | # top-most EditorConfig file 2 | root = true 3 | 4 | # Unix-style newlines with a newline ending every file 5 | [*] 6 | end_of_line = lf 7 | insert_final_newline = true 8 | charset = utf-8 9 | indent_size = 2 10 | 11 | # Tab indentation (no size specified) 12 | [Makefile] 13 | indent_style = tab 14 | 15 | # YAML 16 | [*.yml] 17 | indent_style = space 18 | indent_size = 2 19 | 20 | [*.{c,h}] 21 | indent_style = space 22 | indent_size = 4 23 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.c eol=lf 2 | *.h eol=lf -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Ing 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # syno-iptables -------------------------------------------------------------------------------- /src/3.x/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the linux networking. 3 | # 4 | # 2 Sep 2000, Christoph Hellwig 5 | # Rewritten to use lists instead of if-statements. 6 | # 7 | 8 | 9 | obj-y += lib/ 10 | obj-y += net/ 11 | -------------------------------------------------------------------------------- /src/3.x/defines: -------------------------------------------------------------------------------- 1 | CONFIG_NETFILTER=m 2 | CONFIG_NETFILTER_XT_CONNMARK=m 3 | CONFIG_NETFILTER_XT_MATCH_COMMENT=m 4 | CONFIG_NETFILTER_XT_MATCH_SOCKET=m 5 | CONFIG_NETFILTER_XT_MATCH_STRING=m 6 | CONFIG_NETFILTER_TPROXY=m 7 | CONFIG_NETFILTER_XT_TARGET_TPROXY=m 8 | CONFIG_NETFILTER_XT_MATCH_OWNER=m 9 | CONFIG_IP6_NF_TARGET_MASQUERADE=m 10 | CONFIG_IP6_NF_NAT=m 11 | CONFIG_IP6_NF_RAW=m 12 | CONFIG_NF_NAT_IPV6=m 13 | CONFIG_NF_NAT_MASQUERADE_IPV6=m 14 | CONFIG_TEXTSEARCH=m 15 | CONFIG_TEXTSEARCH_BM=m -------------------------------------------------------------------------------- /src/3.x/net/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the linux networking. 3 | # 4 | # 2 Sep 2000, Christoph Hellwig 5 | # Rewritten to use lists instead of if-statements. 6 | # 7 | 8 | #obj-y := nonet.o 9 | # 10 | #obj-$(CONFIG_NET) := socket.o core/ 11 | # 12 | #tmp-$(CONFIG_COMPAT) := compat.o 13 | #obj-$(CONFIG_NET) += $(tmp-y) 14 | # 15 | ## LLC has to be linked before the files in net/802/ 16 | #obj-$(CONFIG_LLC) += llc/ 17 | #obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ 18 | obj-$(CONFIG_NETFILTER) += netfilter/ 19 | #obj-$(CONFIG_INET) += ipv4/ 20 | #obj-$(CONFIG_XFRM) += xfrm/ 21 | #obj-$(CONFIG_UNIX) += unix/ 22 | obj-$(CONFIG_NET) += ipv6/ 23 | #obj-$(CONFIG_PACKET) += packet/ 24 | #obj-$(CONFIG_NET_KEY) += key/ 25 | #obj-$(CONFIG_BRIDGE) += bridge/ 26 | #obj-$(CONFIG_NET_DSA) += dsa/ 27 | #obj-$(CONFIG_IPX) += ipx/ 28 | #obj-$(CONFIG_ATALK) += appletalk/ 29 | #obj-$(CONFIG_X25) += x25/ 30 | #obj-$(CONFIG_LAPB) += lapb/ 31 | #obj-$(CONFIG_NETROM) += netrom/ 32 | #obj-$(CONFIG_ROSE) += rose/ 33 | #obj-$(CONFIG_AX25) += ax25/ 34 | #obj-$(CONFIG_CAN) += can/ 35 | #obj-$(CONFIG_IRDA) += irda/ 36 | #obj-$(CONFIG_BT) += bluetooth/ 37 | #obj-$(CONFIG_SUNRPC) += sunrpc/ 38 | #obj-$(CONFIG_AF_RXRPC) += rxrpc/ 39 | #obj-$(CONFIG_ATM) += atm/ 40 | #obj-$(CONFIG_L2TP) += l2tp/ 41 | #obj-$(CONFIG_DECNET) += decnet/ 42 | #obj-$(CONFIG_PHONET) += phonet/ 43 | #ifneq ($(CONFIG_VLAN_8021Q),) 44 | #obj-y += 8021q/ 45 | #endif 46 | #obj-$(CONFIG_IP_DCCP) += dccp/ 47 | #obj-$(CONFIG_IP_SCTP) += sctp/ 48 | #obj-$(CONFIG_RDS) += rds/ 49 | #obj-$(CONFIG_WIRELESS) += wireless/ 50 | #obj-$(CONFIG_MAC80211) += mac80211/ 51 | #obj-$(CONFIG_TIPC) += tipc/ 52 | #obj-$(CONFIG_NETLABEL) += netlabel/ 53 | #obj-$(CONFIG_IUCV) += iucv/ 54 | #obj-$(CONFIG_RFKILL) += rfkill/ 55 | #obj-$(CONFIG_NET_9P) += 9p/ 56 | #obj-$(CONFIG_CAIF) += caif/ 57 | #ifneq ($(CONFIG_DCB),) 58 | #obj-y += dcb/ 59 | #endif 60 | #obj-$(CONFIG_IEEE802154) += ieee802154/ 61 | #obj-$(CONFIG_MAC802154) += mac802154/ 62 | # 63 | #ifeq ($(CONFIG_NET),y) 64 | #obj-$(CONFIG_SYSCTL) += sysctl_net.o 65 | #endif 66 | #obj-$(CONFIG_WIMAX) += wimax/ 67 | #obj-$(CONFIG_DNS_RESOLVER) += dns_resolver/ 68 | #obj-$(CONFIG_CEPH_LIB) += ceph/ 69 | #obj-$(CONFIG_BATMAN_ADV) += batman-adv/ 70 | #obj-$(CONFIG_NFC) += nfc/ 71 | #obj-$(CONFIG_OPENVSWITCH) += openvswitch/ 72 | #obj-$(CONFIG_VSOCKETS) += vmw_vsock/ 73 | # -------------------------------------------------------------------------------- /src/3.x/net/ipv6/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the Linux TCP/IP (INET6) layer. 3 | # 4 | 5 | #obj-$(CONFIG_IPV6) += ipv6.o 6 | # 7 | #ipv6-objs := af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o \ 8 | # addrlabel.o \ 9 | # route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o udplite.o \ 10 | # raw.o icmp.o mcast.o reassembly.o tcp_ipv6.o \ 11 | # exthdrs.o datagram.o ip6_flowlabel.o inet6_connection_sock.o 12 | # 13 | #ipv6-offload := ip6_offload.o tcpv6_offload.o udp_offload.o exthdrs_offload.o 14 | # 15 | #ipv6-$(CONFIG_SYSCTL) = sysctl_net_ipv6.o 16 | #ipv6-$(CONFIG_IPV6_MROUTE) += ip6mr.o 17 | # 18 | #ipv6-$(CONFIG_XFRM) += xfrm6_policy.o xfrm6_state.o xfrm6_input.o \ 19 | # xfrm6_output.o 20 | #ipv6-$(CONFIG_NETFILTER) += netfilter.o 21 | #ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o 22 | #ipv6-$(CONFIG_PROC_FS) += proc.o 23 | #ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o 24 | # 25 | #ipv6-objs += $(ipv6-y) 26 | # 27 | #obj-$(CONFIG_INET6_AH) += ah6.o 28 | #obj-$(CONFIG_INET6_ESP) += esp6.o 29 | #obj-$(CONFIG_INET6_IPCOMP) += ipcomp6.o 30 | #obj-$(CONFIG_INET6_XFRM_TUNNEL) += xfrm6_tunnel.o 31 | #obj-$(CONFIG_INET6_TUNNEL) += tunnel6.o 32 | #obj-$(CONFIG_INET6_XFRM_MODE_TRANSPORT) += xfrm6_mode_transport.o 33 | #obj-$(CONFIG_INET6_XFRM_MODE_TUNNEL) += xfrm6_mode_tunnel.o 34 | #obj-$(CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION) += xfrm6_mode_ro.o 35 | #obj-$(CONFIG_INET6_XFRM_MODE_BEET) += xfrm6_mode_beet.o 36 | #obj-$(CONFIG_IPV6_MIP6) += mip6.o 37 | obj-$(CONFIG_NETFILTER) += netfilter/ 38 | # 39 | #obj-$(CONFIG_IPV6_SIT) += sit.o 40 | #obj-$(CONFIG_IPV6_TUNNEL) += ip6_tunnel.o 41 | #obj-$(CONFIG_IPV6_GRE) += ip6_gre.o 42 | # 43 | #obj-y += addrconf_core.o exthdrs_core.o ip6_checksum.o ip6_icmp.o 44 | #obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload) 45 | # 46 | #obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o 47 | # -------------------------------------------------------------------------------- /src/3.x/net/ipv6/netfilter/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the netfilter modules on top of IPv6. 3 | # 4 | 5 | # Link order matters here. 6 | obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o 7 | obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o 8 | obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o 9 | obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o 10 | obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o 11 | obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o 12 | 13 | # objects for l3 independent conntrack 14 | nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o 15 | 16 | # l3 independent conntrack 17 | obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o nf_defrag_ipv6.o 18 | 19 | nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o 20 | obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o 21 | 22 | # defrag 23 | nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o 24 | obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o 25 | 26 | # matches 27 | obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o 28 | obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o 29 | obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o 30 | obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o 31 | obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o 32 | obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o 33 | obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o 34 | obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o 35 | 36 | # targets 37 | obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o 38 | obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o 39 | obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o 40 | -------------------------------------------------------------------------------- /src/3.x/net/ipv6/netfilter/ip6t_eui64.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match EUI64 address parameters. */ 2 | 3 | /* (C) 2001-2002 Andras Kis-Szabo 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | MODULE_DESCRIPTION("Xtables: IPv6 EUI64 address match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Andras Kis-Szabo "); 21 | 22 | static bool 23 | eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) 24 | { 25 | unsigned char eui64[8]; 26 | 27 | if (!(skb_mac_header(skb) >= skb->head && 28 | skb_mac_header(skb) + ETH_HLEN <= skb->data) && 29 | par->fragoff != 0) { 30 | par->hotdrop = true; 31 | return false; 32 | } 33 | 34 | memset(eui64, 0, sizeof(eui64)); 35 | 36 | if (eth_hdr(skb)->h_proto == htons(ETH_P_IPV6)) { 37 | if (ipv6_hdr(skb)->version == 0x6) { 38 | memcpy(eui64, eth_hdr(skb)->h_source, 3); 39 | memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); 40 | eui64[3] = 0xff; 41 | eui64[4] = 0xfe; 42 | eui64[0] ^= 0x02; 43 | 44 | if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64, 45 | sizeof(eui64))) 46 | return true; 47 | } 48 | } 49 | 50 | return false; 51 | } 52 | 53 | static struct xt_match eui64_mt6_reg __read_mostly = { 54 | .name = "eui64", 55 | .family = NFPROTO_IPV6, 56 | .match = eui64_mt6, 57 | .matchsize = sizeof(int), 58 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 59 | (1 << NF_INET_FORWARD), 60 | .me = THIS_MODULE, 61 | }; 62 | 63 | static int __init eui64_mt6_init(void) 64 | { 65 | return xt_register_match(&eui64_mt6_reg); 66 | } 67 | 68 | static void __exit eui64_mt6_exit(void) 69 | { 70 | xt_unregister_match(&eui64_mt6_reg); 71 | } 72 | 73 | module_init(eui64_mt6_init); 74 | module_exit(eui64_mt6_exit); 75 | -------------------------------------------------------------------------------- /src/3.x/net/ipv6/netfilter/ip6table_raw.c: -------------------------------------------------------------------------------- 1 | /* 2 | * IPv6 raw table, a port of the IPv4 raw table to IPv6 3 | * 4 | * Copyright (C) 2003 Jozsef Kadlecsik 5 | */ 6 | #include 7 | #include 8 | #include 9 | 10 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) 11 | 12 | static const struct xt_table packet_raw = { 13 | .name = "raw", 14 | .valid_hooks = RAW_VALID_HOOKS, 15 | .me = THIS_MODULE, 16 | .af = NFPROTO_IPV6, 17 | .priority = NF_IP6_PRI_RAW, 18 | }; 19 | 20 | /* The work comes in here from netfilter.c. */ 21 | static unsigned int 22 | ip6table_raw_hook(unsigned int hook, struct sk_buff *skb, 23 | const struct net_device *in, const struct net_device *out, 24 | int (*okfn)(struct sk_buff *)) 25 | { 26 | const struct net *net = dev_net((in != NULL) ? in : out); 27 | 28 | return ip6t_do_table(skb, hook, in, out, net->ipv6.ip6table_raw); 29 | } 30 | 31 | static struct nf_hook_ops *rawtable_ops __read_mostly; 32 | 33 | static int __net_init ip6table_raw_net_init(struct net *net) 34 | { 35 | struct ip6t_replace *repl; 36 | 37 | repl = ip6t_alloc_initial_table(&packet_raw); 38 | if (repl == NULL) 39 | return -ENOMEM; 40 | net->ipv6.ip6table_raw = 41 | ip6t_register_table(net, &packet_raw, repl); 42 | kfree(repl); 43 | return PTR_RET(net->ipv6.ip6table_raw); 44 | } 45 | 46 | static void __net_exit ip6table_raw_net_exit(struct net *net) 47 | { 48 | ip6t_unregister_table(net, net->ipv6.ip6table_raw); 49 | } 50 | 51 | static struct pernet_operations ip6table_raw_net_ops = { 52 | .init = ip6table_raw_net_init, 53 | .exit = ip6table_raw_net_exit, 54 | }; 55 | 56 | static int __init ip6table_raw_init(void) 57 | { 58 | int ret; 59 | 60 | ret = register_pernet_subsys(&ip6table_raw_net_ops); 61 | if (ret < 0) 62 | return ret; 63 | 64 | /* Register hooks */ 65 | rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook); 66 | if (IS_ERR(rawtable_ops)) { 67 | ret = PTR_ERR(rawtable_ops); 68 | goto cleanup_table; 69 | } 70 | 71 | return ret; 72 | 73 | cleanup_table: 74 | unregister_pernet_subsys(&ip6table_raw_net_ops); 75 | return ret; 76 | } 77 | 78 | static void __exit ip6table_raw_fini(void) 79 | { 80 | xt_hook_unlink(&packet_raw, rawtable_ops); 81 | unregister_pernet_subsys(&ip6table_raw_net_ops); 82 | } 83 | 84 | module_init(ip6table_raw_init); 85 | module_exit(ip6table_raw_fini); 86 | MODULE_LICENSE("GPL"); 87 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/ipset/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the ipset modules 3 | # 4 | 5 | ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o 6 | 7 | # ipset core 8 | obj-$(CONFIG_IP_SET) += ip_set.o 9 | 10 | # bitmap types 11 | obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o 12 | obj-$(CONFIG_IP_SET_BITMAP_IPMAC) += ip_set_bitmap_ipmac.o 13 | obj-$(CONFIG_IP_SET_BITMAP_PORT) += ip_set_bitmap_port.o 14 | 15 | # hash types 16 | obj-$(CONFIG_IP_SET_HASH_IP) += ip_set_hash_ip.o 17 | obj-$(CONFIG_IP_SET_HASH_IPPORT) += ip_set_hash_ipport.o 18 | obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o 19 | obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o 20 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o 21 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o 22 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o 23 | 24 | # list types 25 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o 26 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/ipvs/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the IPVS modules on top of IPv4. 3 | # 4 | 5 | # IPVS transport protocol load balancing support 6 | ip_vs_proto-objs-y := 7 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_TCP) += ip_vs_proto_tcp.o 8 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_UDP) += ip_vs_proto_udp.o 9 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_AH_ESP) += ip_vs_proto_ah_esp.o 10 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_SCTP) += ip_vs_proto_sctp.o 11 | 12 | ip_vs-extra_objs-y := 13 | ip_vs-extra_objs-$(CONFIG_IP_VS_NFCT) += ip_vs_nfct.o 14 | 15 | ip_vs-objs := ip_vs_conn.o ip_vs_core.o ip_vs_ctl.o ip_vs_sched.o \ 16 | ip_vs_xmit.o ip_vs_app.o ip_vs_sync.o \ 17 | ip_vs_est.o ip_vs_proto.o ip_vs_pe.o \ 18 | $(ip_vs_proto-objs-y) $(ip_vs-extra_objs-y) 19 | 20 | 21 | # IPVS core 22 | obj-$(CONFIG_IP_VS) += ip_vs.o 23 | 24 | # IPVS schedulers 25 | obj-$(CONFIG_IP_VS_RR) += ip_vs_rr.o 26 | obj-$(CONFIG_IP_VS_WRR) += ip_vs_wrr.o 27 | obj-$(CONFIG_IP_VS_LC) += ip_vs_lc.o 28 | obj-$(CONFIG_IP_VS_WLC) += ip_vs_wlc.o 29 | obj-$(CONFIG_IP_VS_LBLC) += ip_vs_lblc.o 30 | obj-$(CONFIG_IP_VS_LBLCR) += ip_vs_lblcr.o 31 | obj-$(CONFIG_IP_VS_DH) += ip_vs_dh.o 32 | obj-$(CONFIG_IP_VS_SH) += ip_vs_sh.o 33 | obj-$(CONFIG_IP_VS_SED) += ip_vs_sed.o 34 | obj-$(CONFIG_IP_VS_NQ) += ip_vs_nq.o 35 | 36 | # IPVS application helpers 37 | obj-$(CONFIG_IP_VS_FTP) += ip_vs_ftp.o 38 | 39 | # IPVS connection template retrievers 40 | obj-$(CONFIG_IP_VS_PE_SIP) += ip_vs_pe_sip.o 41 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_conntrack_broadcast.c: -------------------------------------------------------------------------------- 1 | /* 2 | * broadcast connection tracking helper 3 | * 4 | * (c) 2005 Patrick McHardy 5 | * 6 | * This program is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License 8 | * as published by the Free Software Foundation; either version 9 | * 2 of the License, or (at your option) any later version. 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | int nf_conntrack_broadcast_help(struct sk_buff *skb, 23 | unsigned int protoff, 24 | struct nf_conn *ct, 25 | enum ip_conntrack_info ctinfo, 26 | unsigned int timeout) 27 | { 28 | struct nf_conntrack_expect *exp; 29 | struct iphdr *iph = ip_hdr(skb); 30 | struct rtable *rt = skb_rtable(skb); 31 | struct in_device *in_dev; 32 | struct nf_conn_help *help = nfct_help(ct); 33 | __be32 mask = 0; 34 | 35 | /* we're only interested in locally generated packets */ 36 | if (skb->sk == NULL) 37 | goto out; 38 | if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST)) 39 | goto out; 40 | if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) 41 | goto out; 42 | 43 | rcu_read_lock(); 44 | in_dev = __in_dev_get_rcu(rt->dst.dev); 45 | if (in_dev != NULL) { 46 | for_primary_ifa(in_dev) { 47 | if (ifa->ifa_broadcast == iph->daddr) { 48 | mask = ifa->ifa_mask; 49 | break; 50 | } 51 | } endfor_ifa(in_dev); 52 | } 53 | rcu_read_unlock(); 54 | 55 | if (mask == 0) 56 | goto out; 57 | 58 | exp = nf_ct_expect_alloc(ct); 59 | if (exp == NULL) 60 | goto out; 61 | 62 | exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 63 | exp->tuple.src.u.udp.port = help->helper->tuple.src.u.udp.port; 64 | 65 | exp->mask.src.u3.ip = mask; 66 | exp->mask.src.u.udp.port = htons(0xFFFF); 67 | 68 | exp->expectfn = NULL; 69 | exp->flags = NF_CT_EXPECT_PERMANENT; 70 | exp->class = NF_CT_EXPECT_CLASS_DEFAULT; 71 | exp->helper = NULL; 72 | 73 | nf_ct_expect_related(exp); 74 | nf_ct_expect_put(exp); 75 | 76 | nf_ct_refresh(ct, skb, timeout * HZ); 77 | out: 78 | return NF_ACCEPT; 79 | } 80 | EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help); 81 | 82 | MODULE_LICENSE("GPL"); 83 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_conntrack_l3proto_generic.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2003,2004 USAGI/WIDE Project 3 | * 4 | * Based largely upon the original ip_conntrack code which 5 | * had the following copyright information: 6 | * 7 | * (C) 1999-2001 Paul `Rusty' Russell 8 | * (C) 2002-2004 Netfilter Core Team 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 as 12 | * published by the Free Software Foundation. 13 | * 14 | * Author: 15 | * Yasuyuki Kozakai @USAGI 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | static bool generic_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff, 35 | struct nf_conntrack_tuple *tuple) 36 | { 37 | memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 38 | memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 39 | 40 | return true; 41 | } 42 | 43 | static bool generic_invert_tuple(struct nf_conntrack_tuple *tuple, 44 | const struct nf_conntrack_tuple *orig) 45 | { 46 | memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 47 | memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 48 | 49 | return true; 50 | } 51 | 52 | static int generic_print_tuple(struct seq_file *s, 53 | const struct nf_conntrack_tuple *tuple) 54 | { 55 | return 0; 56 | } 57 | 58 | static int generic_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, 59 | unsigned int *dataoff, u_int8_t *protonum) 60 | { 61 | /* Never track !!! */ 62 | return -NF_ACCEPT; 63 | } 64 | 65 | 66 | struct nf_conntrack_l3proto nf_conntrack_l3proto_generic __read_mostly = { 67 | .l3proto = PF_UNSPEC, 68 | .name = "unknown", 69 | .pkt_to_tuple = generic_pkt_to_tuple, 70 | .invert_tuple = generic_invert_tuple, 71 | .print_tuple = generic_print_tuple, 72 | .get_l4proto = generic_get_l4proto, 73 | }; 74 | EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_generic); 75 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_conntrack_timeout.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2012 by Pablo Neira Ayuso 3 | * (C) 2012 by Vyatta Inc. 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation (or any later at your option). 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | struct ctnl_timeout * 28 | (*nf_ct_timeout_find_get_hook)(const char *name) __read_mostly; 29 | EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook); 30 | 31 | void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly; 32 | EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook); 33 | 34 | static struct nf_ct_ext_type timeout_extend __read_mostly = { 35 | .len = sizeof(struct nf_conn_timeout), 36 | .align = __alignof__(struct nf_conn_timeout), 37 | .id = NF_CT_EXT_TIMEOUT, 38 | }; 39 | 40 | int nf_conntrack_timeout_init(void) 41 | { 42 | int ret = nf_ct_extend_register(&timeout_extend); 43 | if (ret < 0) 44 | pr_err("nf_ct_timeout: Unable to register timeout extension.\n"); 45 | return ret; 46 | } 47 | 48 | void nf_conntrack_timeout_fini(void) 49 | { 50 | nf_ct_extend_unregister(&timeout_extend); 51 | } 52 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_internals.h: -------------------------------------------------------------------------------- 1 | #ifndef _NF_INTERNALS_H 2 | #define _NF_INTERNALS_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #ifdef CONFIG_NETFILTER_DEBUG 9 | #define NFDEBUG(format, args...) printk(KERN_DEBUG format , ## args) 10 | #else 11 | #define NFDEBUG(format, args...) 12 | #endif 13 | 14 | 15 | /* core.c */ 16 | extern unsigned int nf_iterate(struct list_head *head, 17 | struct sk_buff *skb, 18 | unsigned int hook, 19 | const struct net_device *indev, 20 | const struct net_device *outdev, 21 | struct nf_hook_ops **elemp, 22 | int (*okfn)(struct sk_buff *), 23 | int hook_thresh); 24 | 25 | /* nf_queue.c */ 26 | extern int nf_queue(struct sk_buff *skb, 27 | struct nf_hook_ops *elem, 28 | u_int8_t pf, unsigned int hook, 29 | struct net_device *indev, 30 | struct net_device *outdev, 31 | int (*okfn)(struct sk_buff *), 32 | unsigned int queuenum); 33 | extern int __init netfilter_queue_init(void); 34 | 35 | /* nf_log.c */ 36 | extern int __init netfilter_log_init(void); 37 | 38 | #endif 39 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_nat_proto_udp.c: -------------------------------------------------------------------------------- 1 | /* (C) 1999-2001 Paul `Rusty' Russell 2 | * (C) 2002-2006 Netfilter Core Team 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | static u16 udp_port_rover; 21 | 22 | static void 23 | udp_unique_tuple(const struct nf_nat_l3proto *l3proto, 24 | struct nf_conntrack_tuple *tuple, 25 | const struct nf_nat_range *range, 26 | enum nf_nat_manip_type maniptype, 27 | const struct nf_conn *ct) 28 | { 29 | nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, 30 | &udp_port_rover); 31 | } 32 | 33 | static bool 34 | udp_manip_pkt(struct sk_buff *skb, 35 | const struct nf_nat_l3proto *l3proto, 36 | unsigned int iphdroff, unsigned int hdroff, 37 | const struct nf_conntrack_tuple *tuple, 38 | enum nf_nat_manip_type maniptype) 39 | { 40 | struct udphdr *hdr; 41 | __be16 *portptr, newport; 42 | 43 | if (!skb_make_writable(skb, hdroff + sizeof(*hdr))) 44 | return false; 45 | hdr = (struct udphdr *)(skb->data + hdroff); 46 | 47 | if (maniptype == NF_NAT_MANIP_SRC) { 48 | /* Get rid of src port */ 49 | newport = tuple->src.u.udp.port; 50 | portptr = &hdr->source; 51 | } else { 52 | /* Get rid of dst port */ 53 | newport = tuple->dst.u.udp.port; 54 | portptr = &hdr->dest; 55 | } 56 | if (hdr->check || skb->ip_summed == CHECKSUM_PARTIAL) { 57 | l3proto->csum_update(skb, iphdroff, &hdr->check, 58 | tuple, maniptype); 59 | inet_proto_csum_replace2(&hdr->check, skb, *portptr, newport, 60 | 0); 61 | if (!hdr->check) 62 | hdr->check = CSUM_MANGLED_0; 63 | } 64 | *portptr = newport; 65 | return true; 66 | } 67 | 68 | const struct nf_nat_l4proto nf_nat_l4proto_udp = { 69 | .l4proto = IPPROTO_UDP, 70 | .manip_pkt = udp_manip_pkt, 71 | .in_range = nf_nat_l4proto_in_range, 72 | .unique_tuple = udp_unique_tuple, 73 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 74 | .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 75 | #endif 76 | }; 77 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_nat_proto_unknown.c: -------------------------------------------------------------------------------- 1 | /* The "unknown" protocol. This is what is used for protocols we 2 | * don't understand. It's returned by ip_ct_find_proto(). 3 | */ 4 | 5 | /* (C) 1999-2001 Paul `Rusty' Russell 6 | * (C) 2002-2006 Netfilter Core Team 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | static bool unknown_in_range(const struct nf_conntrack_tuple *tuple, 21 | enum nf_nat_manip_type manip_type, 22 | const union nf_conntrack_man_proto *min, 23 | const union nf_conntrack_man_proto *max) 24 | { 25 | return true; 26 | } 27 | 28 | static void unknown_unique_tuple(const struct nf_nat_l3proto *l3proto, 29 | struct nf_conntrack_tuple *tuple, 30 | const struct nf_nat_range *range, 31 | enum nf_nat_manip_type maniptype, 32 | const struct nf_conn *ct) 33 | { 34 | /* Sorry: we can't help you; if it's not unique, we can't frob 35 | * anything. 36 | */ 37 | return; 38 | } 39 | 40 | static bool 41 | unknown_manip_pkt(struct sk_buff *skb, 42 | const struct nf_nat_l3proto *l3proto, 43 | unsigned int iphdroff, unsigned int hdroff, 44 | const struct nf_conntrack_tuple *tuple, 45 | enum nf_nat_manip_type maniptype) 46 | { 47 | return true; 48 | } 49 | 50 | const struct nf_nat_l4proto nf_nat_l4proto_unknown = { 51 | .manip_pkt = unknown_manip_pkt, 52 | .in_range = unknown_in_range, 53 | .unique_tuple = unknown_unique_tuple, 54 | }; 55 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_nat_tftp.c: -------------------------------------------------------------------------------- 1 | /* (C) 2001-2002 Magnus Boden 2 | * 3 | * This program is free software; you can redistribute it and/or modify 4 | * it under the terms of the GNU General Public License version 2 as 5 | * published by the Free Software Foundation. 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | MODULE_AUTHOR("Magnus Boden "); 17 | MODULE_DESCRIPTION("TFTP NAT helper"); 18 | MODULE_LICENSE("GPL"); 19 | MODULE_ALIAS("ip_nat_tftp"); 20 | 21 | static unsigned int help(struct sk_buff *skb, 22 | enum ip_conntrack_info ctinfo, 23 | struct nf_conntrack_expect *exp) 24 | { 25 | const struct nf_conn *ct = exp->master; 26 | 27 | exp->saved_proto.udp.port 28 | = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; 29 | exp->dir = IP_CT_DIR_REPLY; 30 | exp->expectfn = nf_nat_follow_master; 31 | if (nf_ct_expect_related(exp) != 0) { 32 | nf_ct_helper_log(skb, exp->master, "cannot add expectation"); 33 | return NF_DROP; 34 | } 35 | return NF_ACCEPT; 36 | } 37 | 38 | static void __exit nf_nat_tftp_fini(void) 39 | { 40 | RCU_INIT_POINTER(nf_nat_tftp_hook, NULL); 41 | synchronize_rcu(); 42 | } 43 | 44 | static int __init nf_nat_tftp_init(void) 45 | { 46 | BUG_ON(nf_nat_tftp_hook != NULL); 47 | RCU_INIT_POINTER(nf_nat_tftp_hook, help); 48 | return 0; 49 | } 50 | 51 | module_init(nf_nat_tftp_init); 52 | module_exit(nf_nat_tftp_fini); 53 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/nf_tproxy_core.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Transparent proxy support for Linux/iptables 3 | * 4 | * Copyright (c) 2006-2007 BalaBit IT Ltd. 5 | * Author: Balazs Scheidler, Krisztian Kovacs 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License version 2 as 9 | * published by the Free Software Foundation. 10 | * 11 | */ 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | 22 | static void 23 | nf_tproxy_destructor(struct sk_buff *skb) 24 | { 25 | struct sock *sk = skb->sk; 26 | 27 | skb->sk = NULL; 28 | skb->destructor = NULL; 29 | 30 | if (sk) 31 | sock_put(sk); 32 | } 33 | 34 | /* consumes sk */ 35 | void 36 | nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk) 37 | { 38 | /* assigning tw sockets complicates things; most 39 | * skb->sk->X checks would have to test sk->sk_state first */ 40 | if (sk->sk_state == TCP_TIME_WAIT) { 41 | inet_twsk_put(inet_twsk(sk)); 42 | return; 43 | } 44 | 45 | skb_orphan(skb); 46 | skb->sk = sk; 47 | skb->destructor = nf_tproxy_destructor; 48 | } 49 | EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock); 50 | 51 | static int __init nf_tproxy_init(void) 52 | { 53 | pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n"); 54 | pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n"); 55 | return 0; 56 | } 57 | 58 | module_init(nf_tproxy_init); 59 | 60 | MODULE_LICENSE("GPL"); 61 | MODULE_AUTHOR("Krisztian Kovacs"); 62 | MODULE_DESCRIPTION("Transparent proxy support core routines"); 63 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_CHECKSUM.c: -------------------------------------------------------------------------------- 1 | /* iptables module for the packet checksum mangling 2 | * 3 | * (C) 2002 by Harald Welte 4 | * (C) 2010 Red Hat, Inc. 5 | * 6 | * Author: Michael S. Tsirkin 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Michael S. Tsirkin "); 21 | MODULE_DESCRIPTION("Xtables: checksum modification"); 22 | MODULE_ALIAS("ipt_CHECKSUM"); 23 | MODULE_ALIAS("ip6t_CHECKSUM"); 24 | 25 | static unsigned int 26 | checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) 27 | { 28 | if (skb->ip_summed == CHECKSUM_PARTIAL) 29 | skb_checksum_help(skb); 30 | 31 | return XT_CONTINUE; 32 | } 33 | 34 | static int checksum_tg_check(const struct xt_tgchk_param *par) 35 | { 36 | const struct xt_CHECKSUM_info *einfo = par->targinfo; 37 | 38 | if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { 39 | pr_info("unsupported CHECKSUM operation %x\n", einfo->operation); 40 | return -EINVAL; 41 | } 42 | if (!einfo->operation) { 43 | pr_info("no CHECKSUM operation enabled\n"); 44 | return -EINVAL; 45 | } 46 | return 0; 47 | } 48 | 49 | static struct xt_target checksum_tg_reg __read_mostly = { 50 | .name = "CHECKSUM", 51 | .family = NFPROTO_UNSPEC, 52 | .target = checksum_tg, 53 | .targetsize = sizeof(struct xt_CHECKSUM_info), 54 | .table = "mangle", 55 | .checkentry = checksum_tg_check, 56 | .me = THIS_MODULE, 57 | }; 58 | 59 | static int __init checksum_tg_init(void) 60 | { 61 | return xt_register_target(&checksum_tg_reg); 62 | } 63 | 64 | static void __exit checksum_tg_exit(void) 65 | { 66 | xt_unregister_target(&checksum_tg_reg); 67 | } 68 | 69 | module_init(checksum_tg_init); 70 | module_exit(checksum_tg_exit); 71 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_CLASSIFY.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This is a module which is used for setting the skb->priority field 3 | * of an skb for qdisc classification. 4 | */ 5 | 6 | /* (C) 2001-2002 Patrick McHardy 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | MODULE_AUTHOR("Patrick McHardy "); 25 | MODULE_LICENSE("GPL"); 26 | MODULE_DESCRIPTION("Xtables: Qdisc classification"); 27 | MODULE_ALIAS("ipt_CLASSIFY"); 28 | MODULE_ALIAS("ip6t_CLASSIFY"); 29 | MODULE_ALIAS("arpt_CLASSIFY"); 30 | 31 | static unsigned int 32 | classify_tg(struct sk_buff *skb, const struct xt_action_param *par) 33 | { 34 | const struct xt_classify_target_info *clinfo = par->targinfo; 35 | 36 | skb->priority = clinfo->priority; 37 | return XT_CONTINUE; 38 | } 39 | 40 | static struct xt_target classify_tg_reg[] __read_mostly = { 41 | { 42 | .name = "CLASSIFY", 43 | .revision = 0, 44 | .family = NFPROTO_UNSPEC, 45 | .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | 46 | (1 << NF_INET_POST_ROUTING), 47 | .target = classify_tg, 48 | .targetsize = sizeof(struct xt_classify_target_info), 49 | .me = THIS_MODULE, 50 | }, 51 | { 52 | .name = "CLASSIFY", 53 | .revision = 0, 54 | .family = NFPROTO_ARP, 55 | .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD), 56 | .target = classify_tg, 57 | .targetsize = sizeof(struct xt_classify_target_info), 58 | .me = THIS_MODULE, 59 | }, 60 | }; 61 | 62 | static int __init classify_tg_init(void) 63 | { 64 | return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 65 | } 66 | 67 | static void __exit classify_tg_exit(void) 68 | { 69 | xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 70 | } 71 | 72 | module_init(classify_tg_init); 73 | module_exit(classify_tg_exit); 74 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_NFLOG.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2006 Patrick McHardy 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | MODULE_AUTHOR("Patrick McHardy "); 19 | MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG"); 20 | MODULE_LICENSE("GPL"); 21 | MODULE_ALIAS("ipt_NFLOG"); 22 | MODULE_ALIAS("ip6t_NFLOG"); 23 | 24 | static unsigned int 25 | nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) 26 | { 27 | const struct xt_nflog_info *info = par->targinfo; 28 | struct nf_loginfo li; 29 | struct net *net = dev_net(par->in ? par->in : par->out); 30 | 31 | li.type = NF_LOG_TYPE_ULOG; 32 | li.u.ulog.copy_len = info->len; 33 | li.u.ulog.group = info->group; 34 | li.u.ulog.qthreshold = info->threshold; 35 | 36 | nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in, 37 | par->out, &li, info->prefix); 38 | return XT_CONTINUE; 39 | } 40 | 41 | static int nflog_tg_check(const struct xt_tgchk_param *par) 42 | { 43 | const struct xt_nflog_info *info = par->targinfo; 44 | 45 | if (info->flags & ~XT_NFLOG_MASK) 46 | return -EINVAL; 47 | if (info->prefix[sizeof(info->prefix) - 1] != '\0') 48 | return -EINVAL; 49 | return 0; 50 | } 51 | 52 | static struct xt_target nflog_tg_reg __read_mostly = { 53 | .name = "NFLOG", 54 | .revision = 0, 55 | .family = NFPROTO_UNSPEC, 56 | .checkentry = nflog_tg_check, 57 | .target = nflog_tg, 58 | .targetsize = sizeof(struct xt_nflog_info), 59 | .me = THIS_MODULE, 60 | }; 61 | 62 | static int __init nflog_tg_init(void) 63 | { 64 | return xt_register_target(&nflog_tg_reg); 65 | } 66 | 67 | static void __exit nflog_tg_exit(void) 68 | { 69 | xt_unregister_target(&nflog_tg_reg); 70 | } 71 | 72 | module_init(nflog_tg_init); 73 | module_exit(nflog_tg_exit); 74 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_TRACE.c: -------------------------------------------------------------------------------- 1 | /* This is a module which is used to mark packets for tracing. 2 | */ 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | MODULE_DESCRIPTION("Xtables: packet flow tracing"); 9 | MODULE_LICENSE("GPL"); 10 | MODULE_ALIAS("ipt_TRACE"); 11 | MODULE_ALIAS("ip6t_TRACE"); 12 | 13 | static unsigned int 14 | trace_tg(struct sk_buff *skb, const struct xt_action_param *par) 15 | { 16 | skb->nf_trace = 1; 17 | return XT_CONTINUE; 18 | } 19 | 20 | static struct xt_target trace_tg_reg __read_mostly = { 21 | .name = "TRACE", 22 | .revision = 0, 23 | .family = NFPROTO_UNSPEC, 24 | .table = "raw", 25 | .target = trace_tg, 26 | .me = THIS_MODULE, 27 | }; 28 | 29 | static int __init trace_tg_init(void) 30 | { 31 | return xt_register_target(&trace_tg_reg); 32 | } 33 | 34 | static void __exit trace_tg_exit(void) 35 | { 36 | xt_unregister_target(&trace_tg_reg); 37 | } 38 | 39 | module_init(trace_tg_init); 40 | module_exit(trace_tg_exit); 41 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_bpf.c: -------------------------------------------------------------------------------- 1 | /* Xtables module to match packets using a BPF filter. 2 | * Copyright 2013 Google Inc. 3 | * Written by Willem de Bruijn 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | MODULE_AUTHOR("Willem de Bruijn "); 18 | MODULE_DESCRIPTION("Xtables: BPF filter match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_ALIAS("ipt_bpf"); 21 | MODULE_ALIAS("ip6t_bpf"); 22 | 23 | static int bpf_mt_check(const struct xt_mtchk_param *par) 24 | { 25 | struct xt_bpf_info *info = par->matchinfo; 26 | struct sock_fprog program; 27 | 28 | program.len = info->bpf_program_num_elem; 29 | program.filter = (struct sock_filter __user *) info->bpf_program; 30 | if (sk_unattached_filter_create(&info->filter, &program)) { 31 | pr_info("bpf: check failed: parse error\n"); 32 | return -EINVAL; 33 | } 34 | 35 | return 0; 36 | } 37 | 38 | static bool bpf_mt(const struct sk_buff *skb, struct xt_action_param *par) 39 | { 40 | const struct xt_bpf_info *info = par->matchinfo; 41 | 42 | return SK_RUN_FILTER(info->filter, skb); 43 | } 44 | 45 | static void bpf_mt_destroy(const struct xt_mtdtor_param *par) 46 | { 47 | const struct xt_bpf_info *info = par->matchinfo; 48 | sk_unattached_filter_destroy(info->filter); 49 | } 50 | 51 | static struct xt_match bpf_mt_reg __read_mostly = { 52 | .name = "bpf", 53 | .revision = 0, 54 | .family = NFPROTO_UNSPEC, 55 | .checkentry = bpf_mt_check, 56 | .match = bpf_mt, 57 | .destroy = bpf_mt_destroy, 58 | .matchsize = sizeof(struct xt_bpf_info), 59 | .me = THIS_MODULE, 60 | }; 61 | 62 | static int __init bpf_mt_init(void) 63 | { 64 | return xt_register_match(&bpf_mt_reg); 65 | } 66 | 67 | static void __exit bpf_mt_exit(void) 68 | { 69 | xt_unregister_match(&bpf_mt_reg); 70 | } 71 | 72 | module_init(bpf_mt_init); 73 | module_exit(bpf_mt_exit); 74 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_comment.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Implements a dummy match to allow attaching comments to rules 3 | * 4 | * 2003-05-13 Brad Fisher (brad@info-link.net) 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | MODULE_AUTHOR("Brad Fisher "); 13 | MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a comment"); 14 | MODULE_LICENSE("GPL"); 15 | MODULE_ALIAS("ipt_comment"); 16 | MODULE_ALIAS("ip6t_comment"); 17 | 18 | static bool 19 | comment_mt(const struct sk_buff *skb, struct xt_action_param *par) 20 | { 21 | /* We always match */ 22 | return true; 23 | } 24 | 25 | static struct xt_match comment_mt_reg __read_mostly = { 26 | .name = "comment", 27 | .revision = 0, 28 | .family = NFPROTO_UNSPEC, 29 | .match = comment_mt, 30 | .matchsize = sizeof(struct xt_comment_info), 31 | .me = THIS_MODULE, 32 | }; 33 | 34 | static int __init comment_mt_init(void) 35 | { 36 | return xt_register_match(&comment_mt_reg); 37 | } 38 | 39 | static void __exit comment_mt_exit(void) 40 | { 41 | xt_unregister_match(&comment_mt_reg); 42 | } 43 | 44 | module_init(comment_mt_init); 45 | module_exit(comment_mt_exit); 46 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_cpu.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match running CPU */ 2 | 3 | /* 4 | * Might be used to distribute connections on several daemons, if 5 | * RPS (Remote Packet Steering) is enabled or NIC is multiqueue capable, 6 | * each RX queue IRQ affined to one CPU (1:1 mapping) 7 | * 8 | */ 9 | 10 | /* (C) 2010 Eric Dumazet 11 | * 12 | * This program is free software; you can redistribute it and/or modify 13 | * it under the terms of the GNU General Public License version 2 as 14 | * published by the Free Software Foundation. 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | MODULE_LICENSE("GPL"); 23 | MODULE_AUTHOR("Eric Dumazet "); 24 | MODULE_DESCRIPTION("Xtables: CPU match"); 25 | MODULE_ALIAS("ipt_cpu"); 26 | MODULE_ALIAS("ip6t_cpu"); 27 | 28 | static int cpu_mt_check(const struct xt_mtchk_param *par) 29 | { 30 | const struct xt_cpu_info *info = par->matchinfo; 31 | 32 | if (info->invert & ~1) 33 | return -EINVAL; 34 | return 0; 35 | } 36 | 37 | static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par) 38 | { 39 | const struct xt_cpu_info *info = par->matchinfo; 40 | 41 | return (info->cpu == smp_processor_id()) ^ info->invert; 42 | } 43 | 44 | static struct xt_match cpu_mt_reg __read_mostly = { 45 | .name = "cpu", 46 | .revision = 0, 47 | .family = NFPROTO_UNSPEC, 48 | .checkentry = cpu_mt_check, 49 | .match = cpu_mt, 50 | .matchsize = sizeof(struct xt_cpu_info), 51 | .me = THIS_MODULE, 52 | }; 53 | 54 | static int __init cpu_mt_init(void) 55 | { 56 | return xt_register_match(&cpu_mt_reg); 57 | } 58 | 59 | static void __exit cpu_mt_exit(void) 60 | { 61 | xt_unregister_match(&cpu_mt_reg); 62 | } 63 | 64 | module_init(cpu_mt_init); 65 | module_exit(cpu_mt_exit); 66 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_length.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match packet length. */ 2 | /* (C) 1999-2001 James Morris 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | MODULE_AUTHOR("James Morris "); 18 | MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_ALIAS("ipt_length"); 21 | MODULE_ALIAS("ip6t_length"); 22 | 23 | static bool 24 | length_mt(const struct sk_buff *skb, struct xt_action_param *par) 25 | { 26 | const struct xt_length_info *info = par->matchinfo; 27 | u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); 28 | 29 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 30 | } 31 | 32 | static bool 33 | length_mt6(const struct sk_buff *skb, struct xt_action_param *par) 34 | { 35 | const struct xt_length_info *info = par->matchinfo; 36 | const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + 37 | sizeof(struct ipv6hdr); 38 | 39 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 40 | } 41 | 42 | static struct xt_match length_mt_reg[] __read_mostly = { 43 | { 44 | .name = "length", 45 | .family = NFPROTO_IPV4, 46 | .match = length_mt, 47 | .matchsize = sizeof(struct xt_length_info), 48 | .me = THIS_MODULE, 49 | }, 50 | { 51 | .name = "length", 52 | .family = NFPROTO_IPV6, 53 | .match = length_mt6, 54 | .matchsize = sizeof(struct xt_length_info), 55 | .me = THIS_MODULE, 56 | }, 57 | }; 58 | 59 | static int __init length_mt_init(void) 60 | { 61 | return xt_register_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 62 | } 63 | 64 | static void __exit length_mt_exit(void) 65 | { 66 | xt_unregister_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 67 | } 68 | 69 | module_init(length_mt_init); 70 | module_exit(length_mt_exit); 71 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_mac.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match MAC address parameters. */ 2 | 3 | /* (C) 1999-2001 Paul `Rusty' Russell 4 | * (C) 2002-2004 Netfilter Core Team 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 as 8 | * published by the Free Software Foundation. 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | MODULE_LICENSE("GPL"); 23 | MODULE_AUTHOR("Netfilter Core Team "); 24 | MODULE_DESCRIPTION("Xtables: MAC address match"); 25 | MODULE_ALIAS("ipt_mac"); 26 | MODULE_ALIAS("ip6t_mac"); 27 | 28 | static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par) 29 | { 30 | const struct xt_mac_info *info = par->matchinfo; 31 | bool ret; 32 | 33 | if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER) 34 | return false; 35 | if (skb_mac_header(skb) < skb->head) 36 | return false; 37 | if (skb_mac_header(skb) + ETH_HLEN > skb->data) 38 | return false; 39 | ret = ether_addr_equal(eth_hdr(skb)->h_source, info->srcaddr); 40 | ret ^= info->invert; 41 | return ret; 42 | } 43 | 44 | static struct xt_match mac_mt_reg __read_mostly = { 45 | .name = "mac", 46 | .revision = 0, 47 | .family = NFPROTO_UNSPEC, 48 | .match = mac_mt, 49 | .matchsize = sizeof(struct xt_mac_info), 50 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 51 | (1 << NF_INET_FORWARD), 52 | .me = THIS_MODULE, 53 | }; 54 | 55 | static int __init mac_mt_init(void) 56 | { 57 | return xt_register_match(&mac_mt_reg); 58 | } 59 | 60 | static void __exit mac_mt_exit(void) 61 | { 62 | xt_unregister_match(&mac_mt_reg); 63 | } 64 | 65 | module_init(mac_mt_init); 66 | module_exit(mac_mt_exit); 67 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_mark.c: -------------------------------------------------------------------------------- 1 | /* 2 | * xt_mark - Netfilter module to match NFMARK value 3 | * 4 | * (C) 1999-2001 Marc Boucher 5 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 6 | * Jan Engelhardt 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Marc Boucher "); 21 | MODULE_DESCRIPTION("Xtables: packet mark operations"); 22 | MODULE_ALIAS("ipt_mark"); 23 | MODULE_ALIAS("ip6t_mark"); 24 | MODULE_ALIAS("ipt_MARK"); 25 | MODULE_ALIAS("ip6t_MARK"); 26 | 27 | static unsigned int 28 | mark_tg(struct sk_buff *skb, const struct xt_action_param *par) 29 | { 30 | const struct xt_mark_tginfo2 *info = par->targinfo; 31 | 32 | skb->mark = (skb->mark & ~info->mask) ^ info->mark; 33 | return XT_CONTINUE; 34 | } 35 | 36 | static bool 37 | mark_mt(const struct sk_buff *skb, struct xt_action_param *par) 38 | { 39 | const struct xt_mark_mtinfo1 *info = par->matchinfo; 40 | 41 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; 42 | } 43 | 44 | static struct xt_target mark_tg_reg __read_mostly = { 45 | .name = "MARK", 46 | .revision = 2, 47 | .family = NFPROTO_UNSPEC, 48 | .target = mark_tg, 49 | .targetsize = sizeof(struct xt_mark_tginfo2), 50 | .me = THIS_MODULE, 51 | }; 52 | 53 | static struct xt_match mark_mt_reg __read_mostly = { 54 | .name = "mark", 55 | .revision = 1, 56 | .family = NFPROTO_UNSPEC, 57 | .match = mark_mt, 58 | .matchsize = sizeof(struct xt_mark_mtinfo1), 59 | .me = THIS_MODULE, 60 | }; 61 | 62 | static int __init mark_mt_init(void) 63 | { 64 | int ret; 65 | 66 | ret = xt_register_target(&mark_tg_reg); 67 | if (ret < 0) 68 | return ret; 69 | ret = xt_register_match(&mark_mt_reg); 70 | if (ret < 0) { 71 | xt_unregister_target(&mark_tg_reg); 72 | return ret; 73 | } 74 | return 0; 75 | } 76 | 77 | static void __exit mark_mt_exit(void) 78 | { 79 | xt_unregister_match(&mark_mt_reg); 80 | xt_unregister_target(&mark_tg_reg); 81 | } 82 | 83 | module_init(mark_mt_init); 84 | module_exit(mark_mt_exit); 85 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_nfacct.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2011 Pablo Neira Ayuso 3 | * (C) 2011 Intra2net AG 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 (or any 7 | * later at your option) as published by the Free Software Foundation. 8 | */ 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | MODULE_AUTHOR("Pablo Neira Ayuso "); 17 | MODULE_DESCRIPTION("Xtables: match for the extended accounting infrastructure"); 18 | MODULE_LICENSE("GPL"); 19 | MODULE_ALIAS("ipt_nfacct"); 20 | MODULE_ALIAS("ip6t_nfacct"); 21 | 22 | static bool nfacct_mt(const struct sk_buff *skb, struct xt_action_param *par) 23 | { 24 | const struct xt_nfacct_match_info *info = par->targinfo; 25 | 26 | nfnl_acct_update(skb, info->nfacct); 27 | 28 | return true; 29 | } 30 | 31 | static int 32 | nfacct_mt_checkentry(const struct xt_mtchk_param *par) 33 | { 34 | struct xt_nfacct_match_info *info = par->matchinfo; 35 | struct nf_acct *nfacct; 36 | 37 | nfacct = nfnl_acct_find_get(info->name); 38 | if (nfacct == NULL) { 39 | pr_info("xt_nfacct: accounting object with name `%s' " 40 | "does not exists\n", info->name); 41 | return -ENOENT; 42 | } 43 | info->nfacct = nfacct; 44 | return 0; 45 | } 46 | 47 | static void 48 | nfacct_mt_destroy(const struct xt_mtdtor_param *par) 49 | { 50 | const struct xt_nfacct_match_info *info = par->matchinfo; 51 | 52 | nfnl_acct_put(info->nfacct); 53 | } 54 | 55 | static struct xt_match nfacct_mt_reg __read_mostly = { 56 | .name = "nfacct", 57 | .family = NFPROTO_UNSPEC, 58 | .checkentry = nfacct_mt_checkentry, 59 | .match = nfacct_mt, 60 | .destroy = nfacct_mt_destroy, 61 | .matchsize = sizeof(struct xt_nfacct_match_info), 62 | .me = THIS_MODULE, 63 | }; 64 | 65 | static int __init nfacct_mt_init(void) 66 | { 67 | return xt_register_match(&nfacct_mt_reg); 68 | } 69 | 70 | static void __exit nfacct_mt_exit(void) 71 | { 72 | xt_unregister_match(&nfacct_mt_reg); 73 | } 74 | 75 | module_init(nfacct_mt_init); 76 | module_exit(nfacct_mt_exit); 77 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_pkttype.c: -------------------------------------------------------------------------------- 1 | /* (C) 1999-2001 Michal Ludvig 2 | * 3 | * This program is free software; you can redistribute it and/or modify 4 | * it under the terms of the GNU General Public License version 2 as 5 | * published by the Free Software Foundation. 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Michal Ludvig "); 21 | MODULE_DESCRIPTION("Xtables: link layer packet type match"); 22 | MODULE_ALIAS("ipt_pkttype"); 23 | MODULE_ALIAS("ip6t_pkttype"); 24 | 25 | static bool 26 | pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par) 27 | { 28 | const struct xt_pkttype_info *info = par->matchinfo; 29 | u_int8_t type; 30 | 31 | if (skb->pkt_type != PACKET_LOOPBACK) 32 | type = skb->pkt_type; 33 | else if (par->family == NFPROTO_IPV4 && 34 | ipv4_is_multicast(ip_hdr(skb)->daddr)) 35 | type = PACKET_MULTICAST; 36 | else if (par->family == NFPROTO_IPV6 && 37 | ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF) 38 | type = PACKET_MULTICAST; 39 | else 40 | type = PACKET_BROADCAST; 41 | 42 | return (type == info->pkttype) ^ info->invert; 43 | } 44 | 45 | static struct xt_match pkttype_mt_reg __read_mostly = { 46 | .name = "pkttype", 47 | .revision = 0, 48 | .family = NFPROTO_UNSPEC, 49 | .match = pkttype_mt, 50 | .matchsize = sizeof(struct xt_pkttype_info), 51 | .me = THIS_MODULE, 52 | }; 53 | 54 | static int __init pkttype_mt_init(void) 55 | { 56 | return xt_register_match(&pkttype_mt_reg); 57 | } 58 | 59 | static void __exit pkttype_mt_exit(void) 60 | { 61 | xt_unregister_match(&pkttype_mt_reg); 62 | } 63 | 64 | module_init(pkttype_mt_init); 65 | module_exit(pkttype_mt_exit); 66 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_quota.c: -------------------------------------------------------------------------------- 1 | /* 2 | * netfilter module to enforce network quotas 3 | * 4 | * Sam Johnston 5 | */ 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | struct xt_quota_priv { 15 | spinlock_t lock; 16 | uint64_t quota; 17 | }; 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Sam Johnston "); 21 | MODULE_DESCRIPTION("Xtables: countdown quota match"); 22 | MODULE_ALIAS("ipt_quota"); 23 | MODULE_ALIAS("ip6t_quota"); 24 | 25 | static bool 26 | quota_mt(const struct sk_buff *skb, struct xt_action_param *par) 27 | { 28 | struct xt_quota_info *q = (void *)par->matchinfo; 29 | struct xt_quota_priv *priv = q->master; 30 | bool ret = q->flags & XT_QUOTA_INVERT; 31 | 32 | spin_lock_bh(&priv->lock); 33 | if (priv->quota >= skb->len) { 34 | priv->quota -= skb->len; 35 | ret = !ret; 36 | } else { 37 | /* we do not allow even small packets from now on */ 38 | priv->quota = 0; 39 | } 40 | spin_unlock_bh(&priv->lock); 41 | 42 | return ret; 43 | } 44 | 45 | static int quota_mt_check(const struct xt_mtchk_param *par) 46 | { 47 | struct xt_quota_info *q = par->matchinfo; 48 | 49 | if (q->flags & ~XT_QUOTA_MASK) 50 | return -EINVAL; 51 | 52 | q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); 53 | if (q->master == NULL) 54 | return -ENOMEM; 55 | 56 | spin_lock_init(&q->master->lock); 57 | q->master->quota = q->quota; 58 | return 0; 59 | } 60 | 61 | static void quota_mt_destroy(const struct xt_mtdtor_param *par) 62 | { 63 | const struct xt_quota_info *q = par->matchinfo; 64 | 65 | kfree(q->master); 66 | } 67 | 68 | static struct xt_match quota_mt_reg __read_mostly = { 69 | .name = "quota", 70 | .revision = 0, 71 | .family = NFPROTO_UNSPEC, 72 | .match = quota_mt, 73 | .checkentry = quota_mt_check, 74 | .destroy = quota_mt_destroy, 75 | .matchsize = sizeof(struct xt_quota_info), 76 | .me = THIS_MODULE, 77 | }; 78 | 79 | static int __init quota_mt_init(void) 80 | { 81 | return xt_register_match("a_mt_reg); 82 | } 83 | 84 | static void __exit quota_mt_exit(void) 85 | { 86 | xt_unregister_match("a_mt_reg); 87 | } 88 | 89 | module_init(quota_mt_init); 90 | module_exit(quota_mt_exit); 91 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_realm.c: -------------------------------------------------------------------------------- 1 | /* IP tables module for matching the routing realm 2 | * 3 | * (C) 2003 by Sampsa Ranta 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | MODULE_AUTHOR("Sampsa Ranta "); 20 | MODULE_LICENSE("GPL"); 21 | MODULE_DESCRIPTION("Xtables: Routing realm match"); 22 | MODULE_ALIAS("ipt_realm"); 23 | 24 | static bool 25 | realm_mt(const struct sk_buff *skb, struct xt_action_param *par) 26 | { 27 | const struct xt_realm_info *info = par->matchinfo; 28 | const struct dst_entry *dst = skb_dst(skb); 29 | 30 | return (info->id == (dst->tclassid & info->mask)) ^ info->invert; 31 | } 32 | 33 | static struct xt_match realm_mt_reg __read_mostly = { 34 | .name = "realm", 35 | .match = realm_mt, 36 | .matchsize = sizeof(struct xt_realm_info), 37 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) | 38 | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN), 39 | .family = NFPROTO_UNSPEC, 40 | .me = THIS_MODULE 41 | }; 42 | 43 | static int __init realm_mt_init(void) 44 | { 45 | return xt_register_match(&realm_mt_reg); 46 | } 47 | 48 | static void __exit realm_mt_exit(void) 49 | { 50 | xt_unregister_match(&realm_mt_reg); 51 | } 52 | 53 | module_init(realm_mt_init); 54 | module_exit(realm_mt_exit); 55 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_repldata.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Today's hack: quantum tunneling in structs 3 | * 4 | * 'entries' and 'term' are never anywhere referenced by word in code. In fact, 5 | * they serve as the hanging-off data accessed through repl.data[]. 6 | */ 7 | 8 | #define xt_alloc_initial_table(type, typ2) ({ \ 9 | unsigned int hook_mask = info->valid_hooks; \ 10 | unsigned int nhooks = hweight32(hook_mask); \ 11 | unsigned int bytes = 0, hooknum = 0, i = 0; \ 12 | struct { \ 13 | struct type##_replace repl; \ 14 | struct type##_standard entries[nhooks]; \ 15 | struct type##_error term; \ 16 | } *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \ 17 | if (tbl == NULL) \ 18 | return NULL; \ 19 | strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \ 20 | tbl->term = (struct type##_error)typ2##_ERROR_INIT; \ 21 | tbl->repl.valid_hooks = hook_mask; \ 22 | tbl->repl.num_entries = nhooks + 1; \ 23 | tbl->repl.size = nhooks * sizeof(struct type##_standard) + \ 24 | sizeof(struct type##_error); \ 25 | for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \ 26 | if (!(hook_mask & 1)) \ 27 | continue; \ 28 | tbl->repl.hook_entry[hooknum] = bytes; \ 29 | tbl->repl.underflow[hooknum] = bytes; \ 30 | tbl->entries[i++] = (struct type##_standard) \ 31 | typ2##_STANDARD_INIT(NF_ACCEPT); \ 32 | bytes += sizeof(struct type##_standard); \ 33 | } \ 34 | tbl; \ 35 | }) 36 | -------------------------------------------------------------------------------- /src/3.x/net/netfilter/xt_state.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match connection tracking information. */ 2 | 3 | /* (C) 1999-2001 Paul `Rusty' Russell 4 | * (C) 2002-2005 Netfilter Core Team 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 as 8 | * published by the Free Software Foundation. 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | MODULE_LICENSE("GPL"); 18 | MODULE_AUTHOR("Rusty Russell "); 19 | MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module"); 20 | MODULE_ALIAS("ipt_state"); 21 | MODULE_ALIAS("ip6t_state"); 22 | 23 | static bool 24 | state_mt(const struct sk_buff *skb, struct xt_action_param *par) 25 | { 26 | const struct xt_state_info *sinfo = par->matchinfo; 27 | enum ip_conntrack_info ctinfo; 28 | unsigned int statebit; 29 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 30 | 31 | if (!ct) 32 | statebit = XT_STATE_INVALID; 33 | else { 34 | if (nf_ct_is_untracked(ct)) 35 | statebit = XT_STATE_UNTRACKED; 36 | else 37 | statebit = XT_STATE_BIT(ctinfo); 38 | } 39 | return (sinfo->statemask & statebit); 40 | } 41 | 42 | static int state_mt_check(const struct xt_mtchk_param *par) 43 | { 44 | int ret; 45 | 46 | ret = nf_ct_l3proto_try_module_get(par->family); 47 | if (ret < 0) 48 | pr_info("cannot load conntrack support for proto=%u\n", 49 | par->family); 50 | return ret; 51 | } 52 | 53 | static void state_mt_destroy(const struct xt_mtdtor_param *par) 54 | { 55 | nf_ct_l3proto_module_put(par->family); 56 | } 57 | 58 | static struct xt_match state_mt_reg __read_mostly = { 59 | .name = "state", 60 | .family = NFPROTO_UNSPEC, 61 | .checkentry = state_mt_check, 62 | .match = state_mt, 63 | .destroy = state_mt_destroy, 64 | .matchsize = sizeof(struct xt_state_info), 65 | .me = THIS_MODULE, 66 | }; 67 | 68 | static int __init state_mt_init(void) 69 | { 70 | return xt_register_match(&state_mt_reg); 71 | } 72 | 73 | static void __exit state_mt_exit(void) 74 | { 75 | xt_unregister_match(&state_mt_reg); 76 | } 77 | 78 | module_init(state_mt_init); 79 | module_exit(state_mt_exit); 80 | -------------------------------------------------------------------------------- /src/4.x/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the linux networking. 3 | # 4 | # 2 Sep 2000, Christoph Hellwig 5 | # Rewritten to use lists instead of if-statements. 6 | # 7 | 8 | 9 | obj-y += lib/ 10 | obj-y += net/ 11 | -------------------------------------------------------------------------------- /src/4.x/defines: -------------------------------------------------------------------------------- 1 | CONFIG_NETFILTER=m 2 | CONFIG_NETFILTER_XT_CONNMARK=m 3 | CONFIG_NETFILTER_XT_MATCH_COMMENT=m 4 | CONFIG_NETFILTER_XT_MATCH_SOCKET=m 5 | CONFIG_NETFILTER_XT_MATCH_STRING=m 6 | CONFIG_NETFILTER_TPROXY=m 7 | CONFIG_NETFILTER_XT_TARGET_TPROXY=m 8 | CONFIG_NETFILTER_XT_MATCH_OWNER=m 9 | CONFIG_IP6_NF_TARGET_MASQUERADE=m 10 | CONFIG_IP6_NF_NAT=m 11 | CONFIG_IP6_NF_RAW=m 12 | CONFIG_NF_NAT_IPV6=m 13 | CONFIG_NF_NAT_MASQUERADE_IPV6=m 14 | CONFIG_TEXTSEARCH=m 15 | CONFIG_TEXTSEARCH_BM=m -------------------------------------------------------------------------------- /src/4.x/net/ipv6/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the Linux TCP/IP (INET6) layer. 3 | # 4 | 5 | #obj-$(CONFIG_IPV6) += ipv6.o 6 | # 7 | #ipv6-objs := af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o \ 8 | # addrlabel.o \ 9 | # route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o udplite.o \ 10 | # raw.o icmp.o mcast.o reassembly.o tcp_ipv6.o ping.o \ 11 | # exthdrs.o datagram.o ip6_flowlabel.o inet6_connection_sock.o 12 | # 13 | #ipv6-offload := ip6_offload.o tcpv6_offload.o udp_offload.o exthdrs_offload.o 14 | # 15 | #ipv6-$(CONFIG_SYSCTL) = sysctl_net_ipv6.o 16 | #ipv6-$(CONFIG_IPV6_MROUTE) += ip6mr.o 17 | # 18 | #ipv6-$(CONFIG_XFRM) += xfrm6_policy.o xfrm6_state.o xfrm6_input.o \ 19 | # xfrm6_output.o xfrm6_protocol.o 20 | #ipv6-$(CONFIG_NETFILTER) += netfilter.o 21 | #ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o 22 | #ipv6-$(CONFIG_PROC_FS) += proc.o 23 | #ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o 24 | # 25 | #ipv6-objs += $(ipv6-y) 26 | # 27 | #obj-$(CONFIG_INET6_AH) += ah6.o 28 | #obj-$(CONFIG_INET6_ESP) += esp6.o 29 | #obj-$(CONFIG_INET6_IPCOMP) += ipcomp6.o 30 | #obj-$(CONFIG_INET6_XFRM_TUNNEL) += xfrm6_tunnel.o 31 | #obj-$(CONFIG_INET6_TUNNEL) += tunnel6.o 32 | #obj-$(CONFIG_INET6_XFRM_MODE_TRANSPORT) += xfrm6_mode_transport.o 33 | #obj-$(CONFIG_INET6_XFRM_MODE_TUNNEL) += xfrm6_mode_tunnel.o 34 | #obj-$(CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION) += xfrm6_mode_ro.o 35 | #obj-$(CONFIG_INET6_XFRM_MODE_BEET) += xfrm6_mode_beet.o 36 | #obj-$(CONFIG_IPV6_MIP6) += mip6.o 37 | #obj-$(CONFIG_IPV6_ILA) += ila.o 38 | obj-$(CONFIG_NETFILTER) += netfilter/ 39 | # 40 | #obj-$(CONFIG_IPV6_VTI) += ip6_vti.o 41 | #obj-$(CONFIG_IPV6_SIT) += sit.o 42 | #obj-$(CONFIG_IPV6_TUNNEL) += ip6_tunnel.o 43 | #obj-$(CONFIG_IPV6_GRE) += ip6_gre.o 44 | # 45 | #obj-y += addrconf_core.o exthdrs_core.o ip6_checksum.o ip6_icmp.o 46 | #obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload) 47 | # 48 | #obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o 49 | # 50 | #ifneq ($(CONFIG_IPV6),) 51 | #obj-$(CONFIG_NET_UDP_TUNNEL) += ip6_udp_tunnel.o 52 | #obj-y += mcast_snoop.o 53 | #endif 54 | # -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the netfilter modules on top of IPv6. 3 | # 4 | 5 | # Link order matters here. 6 | obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o 7 | obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o 8 | obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o 9 | obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o 10 | obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o 11 | obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o 12 | 13 | # objects for l3 independent conntrack 14 | nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o 15 | 16 | # l3 independent conntrack 17 | obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o 18 | 19 | nf_nat_ipv6-y := nf_nat_l3proto_ipv6.o nf_nat_proto_icmpv6.o 20 | obj-$(CONFIG_NF_NAT_IPV6) += nf_nat_ipv6.o 21 | obj-$(CONFIG_NF_NAT_MASQUERADE_IPV6) += nf_nat_masquerade_ipv6.o 22 | 23 | # defrag 24 | nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o 25 | obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o 26 | 27 | # logging 28 | obj-$(CONFIG_NF_LOG_IPV6) += nf_log_ipv6.o 29 | 30 | # reject 31 | obj-$(CONFIG_NF_REJECT_IPV6) += nf_reject_ipv6.o 32 | 33 | obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o 34 | 35 | # nf_tables 36 | obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o 37 | obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o 38 | obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o 39 | obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o 40 | obj-$(CONFIG_NFT_MASQ_IPV6) += nft_masq_ipv6.o 41 | obj-$(CONFIG_NFT_REDIR_IPV6) += nft_redir_ipv6.o 42 | obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o 43 | 44 | # matches 45 | obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o 46 | obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o 47 | obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o 48 | obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o 49 | obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o 50 | obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o 51 | obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o 52 | obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o 53 | 54 | # targets 55 | obj-$(CONFIG_IP6_NF_TARGET_MASQUERADE) += ip6t_MASQUERADE.o 56 | obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o 57 | obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o 58 | obj-$(CONFIG_IP6_NF_TARGET_SYNPROXY) += ip6t_SYNPROXY.o 59 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/ip6t_MASQUERADE.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2011 Patrick McHardy 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | * 8 | * Based on Rusty Russell's IPv6 MASQUERADE target. Development of IPv6 9 | * NAT funded by Astaro. 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | static unsigned int 25 | masquerade_tg6(struct sk_buff *skb, const struct xt_action_param *par) 26 | { 27 | return nf_nat_masquerade_ipv6(skb, par->targinfo, par->out); 28 | } 29 | 30 | static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par) 31 | { 32 | const struct nf_nat_range *range = par->targinfo; 33 | 34 | if (range->flags & NF_NAT_RANGE_MAP_IPS) 35 | return -EINVAL; 36 | return 0; 37 | } 38 | 39 | static struct xt_target masquerade_tg6_reg __read_mostly = { 40 | .name = "MASQUERADE", 41 | .family = NFPROTO_IPV6, 42 | .checkentry = masquerade_tg6_checkentry, 43 | .target = masquerade_tg6, 44 | .targetsize = sizeof(struct nf_nat_range), 45 | .table = "nat", 46 | .hooks = 1 << NF_INET_POST_ROUTING, 47 | .me = THIS_MODULE, 48 | }; 49 | 50 | static int __init masquerade_tg6_init(void) 51 | { 52 | int err; 53 | 54 | err = xt_register_target(&masquerade_tg6_reg); 55 | if (err == 0) 56 | nf_nat_masquerade_ipv6_register_notifier(); 57 | 58 | return err; 59 | } 60 | static void __exit masquerade_tg6_exit(void) 61 | { 62 | nf_nat_masquerade_ipv6_unregister_notifier(); 63 | xt_unregister_target(&masquerade_tg6_reg); 64 | } 65 | 66 | module_init(masquerade_tg6_init); 67 | module_exit(masquerade_tg6_exit); 68 | 69 | MODULE_LICENSE("GPL"); 70 | MODULE_AUTHOR("Patrick McHardy "); 71 | MODULE_DESCRIPTION("Xtables: automatic address SNAT"); 72 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/ip6t_eui64.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match EUI64 address parameters. */ 2 | 3 | /* (C) 2001-2002 Andras Kis-Szabo 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | MODULE_DESCRIPTION("Xtables: IPv6 EUI64 address match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Andras Kis-Szabo "); 21 | 22 | static bool 23 | eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) 24 | { 25 | unsigned char eui64[8]; 26 | 27 | if (!(skb_mac_header(skb) >= skb->head && 28 | skb_mac_header(skb) + ETH_HLEN <= skb->data) && 29 | par->fragoff != 0) { 30 | par->hotdrop = true; 31 | return false; 32 | } 33 | 34 | memset(eui64, 0, sizeof(eui64)); 35 | 36 | if (eth_hdr(skb)->h_proto == htons(ETH_P_IPV6)) { 37 | if (ipv6_hdr(skb)->version == 0x6) { 38 | memcpy(eui64, eth_hdr(skb)->h_source, 3); 39 | memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); 40 | eui64[3] = 0xff; 41 | eui64[4] = 0xfe; 42 | eui64[0] ^= 0x02; 43 | 44 | if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64, 45 | sizeof(eui64))) 46 | return true; 47 | } 48 | } 49 | 50 | return false; 51 | } 52 | 53 | static struct xt_match eui64_mt6_reg __read_mostly = { 54 | .name = "eui64", 55 | .family = NFPROTO_IPV6, 56 | .match = eui64_mt6, 57 | .matchsize = sizeof(int), 58 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 59 | (1 << NF_INET_FORWARD), 60 | .me = THIS_MODULE, 61 | }; 62 | 63 | static int __init eui64_mt6_init(void) 64 | { 65 | return xt_register_match(&eui64_mt6_reg); 66 | } 67 | 68 | static void __exit eui64_mt6_exit(void) 69 | { 70 | xt_unregister_match(&eui64_mt6_reg); 71 | } 72 | 73 | module_init(eui64_mt6_init); 74 | module_exit(eui64_mt6_exit); 75 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/ip6table_raw.c: -------------------------------------------------------------------------------- 1 | /* 2 | * IPv6 raw table, a port of the IPv4 raw table to IPv6 3 | * 4 | * Copyright (C) 2003 Jozsef Kadlecsik 5 | */ 6 | #include 7 | #include 8 | #include 9 | 10 | #define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT)) 11 | 12 | static const struct xt_table packet_raw = { 13 | .name = "raw", 14 | .valid_hooks = RAW_VALID_HOOKS, 15 | .me = THIS_MODULE, 16 | .af = NFPROTO_IPV6, 17 | .priority = NF_IP6_PRI_RAW, 18 | }; 19 | 20 | /* The work comes in here from netfilter.c. */ 21 | static unsigned int 22 | ip6table_raw_hook(void *priv, struct sk_buff *skb, 23 | const struct nf_hook_state *state) 24 | { 25 | return ip6t_do_table(skb, state, state->net->ipv6.ip6table_raw); 26 | } 27 | 28 | static struct nf_hook_ops *rawtable_ops __read_mostly; 29 | 30 | static int __net_init ip6table_raw_net_init(struct net *net) 31 | { 32 | struct ip6t_replace *repl; 33 | 34 | repl = ip6t_alloc_initial_table(&packet_raw); 35 | if (repl == NULL) 36 | return -ENOMEM; 37 | net->ipv6.ip6table_raw = 38 | ip6t_register_table(net, &packet_raw, repl); 39 | kfree(repl); 40 | return PTR_ERR_OR_ZERO(net->ipv6.ip6table_raw); 41 | } 42 | 43 | static void __net_exit ip6table_raw_net_exit(struct net *net) 44 | { 45 | ip6t_unregister_table(net, net->ipv6.ip6table_raw); 46 | } 47 | 48 | static struct pernet_operations ip6table_raw_net_ops = { 49 | .init = ip6table_raw_net_init, 50 | .exit = ip6table_raw_net_exit, 51 | }; 52 | 53 | static int __init ip6table_raw_init(void) 54 | { 55 | int ret; 56 | 57 | ret = register_pernet_subsys(&ip6table_raw_net_ops); 58 | if (ret < 0) 59 | return ret; 60 | 61 | /* Register hooks */ 62 | rawtable_ops = xt_hook_link(&packet_raw, ip6table_raw_hook); 63 | if (IS_ERR(rawtable_ops)) { 64 | ret = PTR_ERR(rawtable_ops); 65 | goto cleanup_table; 66 | } 67 | 68 | return ret; 69 | 70 | cleanup_table: 71 | unregister_pernet_subsys(&ip6table_raw_net_ops); 72 | return ret; 73 | } 74 | 75 | static void __exit ip6table_raw_fini(void) 76 | { 77 | xt_hook_unlink(&packet_raw, rawtable_ops); 78 | unregister_pernet_subsys(&ip6table_raw_net_ops); 79 | } 80 | 81 | module_init(ip6table_raw_init); 82 | module_exit(ip6table_raw_fini); 83 | MODULE_LICENSE("GPL"); 84 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/nft_masq_ipv6.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2014 Arturo Borrero Gonzalez 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | static void nft_masq_ipv6_eval(const struct nft_expr *expr, 21 | struct nft_regs *regs, 22 | const struct nft_pktinfo *pkt) 23 | { 24 | struct nft_masq *priv = nft_expr_priv(expr); 25 | struct nf_nat_range range; 26 | 27 | memset(&range, 0, sizeof(range)); 28 | range.flags = priv->flags; 29 | 30 | regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out); 31 | } 32 | 33 | static struct nft_expr_type nft_masq_ipv6_type; 34 | static const struct nft_expr_ops nft_masq_ipv6_ops = { 35 | .type = &nft_masq_ipv6_type, 36 | .size = NFT_EXPR_SIZE(sizeof(struct nft_masq)), 37 | .eval = nft_masq_ipv6_eval, 38 | .init = nft_masq_init, 39 | .dump = nft_masq_dump, 40 | .validate = nft_masq_validate, 41 | }; 42 | 43 | static struct nft_expr_type nft_masq_ipv6_type __read_mostly = { 44 | .family = NFPROTO_IPV6, 45 | .name = "masq", 46 | .ops = &nft_masq_ipv6_ops, 47 | .policy = nft_masq_policy, 48 | .maxattr = NFTA_MASQ_MAX, 49 | .owner = THIS_MODULE, 50 | }; 51 | 52 | static int __init nft_masq_ipv6_module_init(void) 53 | { 54 | int ret; 55 | 56 | ret = nft_register_expr(&nft_masq_ipv6_type); 57 | if (ret < 0) 58 | return ret; 59 | 60 | nf_nat_masquerade_ipv6_register_notifier(); 61 | 62 | return ret; 63 | } 64 | 65 | static void __exit nft_masq_ipv6_module_exit(void) 66 | { 67 | nft_unregister_expr(&nft_masq_ipv6_type); 68 | nf_nat_masquerade_ipv6_unregister_notifier(); 69 | } 70 | 71 | module_init(nft_masq_ipv6_module_init); 72 | module_exit(nft_masq_ipv6_module_exit); 73 | 74 | MODULE_LICENSE("GPL"); 75 | MODULE_AUTHOR("Arturo Borrero Gonzalez "); 76 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq"); 77 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/nft_redir_ipv6.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2014 Arturo Borrero Gonzalez 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | static void nft_redir_ipv6_eval(const struct nft_expr *expr, 21 | struct nft_regs *regs, 22 | const struct nft_pktinfo *pkt) 23 | { 24 | struct nft_redir *priv = nft_expr_priv(expr); 25 | struct nf_nat_range range; 26 | 27 | memset(&range, 0, sizeof(range)); 28 | if (priv->sreg_proto_min) { 29 | range.min_proto.all = 30 | *(__be16 *)®s->data[priv->sreg_proto_min], 31 | range.max_proto.all = 32 | *(__be16 *)®s->data[priv->sreg_proto_max], 33 | range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; 34 | } 35 | 36 | range.flags |= priv->flags; 37 | 38 | regs->verdict.code = nf_nat_redirect_ipv6(pkt->skb, &range, pkt->hook); 39 | } 40 | 41 | static struct nft_expr_type nft_redir_ipv6_type; 42 | static const struct nft_expr_ops nft_redir_ipv6_ops = { 43 | .type = &nft_redir_ipv6_type, 44 | .size = NFT_EXPR_SIZE(sizeof(struct nft_redir)), 45 | .eval = nft_redir_ipv6_eval, 46 | .init = nft_redir_init, 47 | .dump = nft_redir_dump, 48 | .validate = nft_redir_validate, 49 | }; 50 | 51 | static struct nft_expr_type nft_redir_ipv6_type __read_mostly = { 52 | .family = NFPROTO_IPV6, 53 | .name = "redir", 54 | .ops = &nft_redir_ipv6_ops, 55 | .policy = nft_redir_policy, 56 | .maxattr = NFTA_REDIR_MAX, 57 | .owner = THIS_MODULE, 58 | }; 59 | 60 | static int __init nft_redir_ipv6_module_init(void) 61 | { 62 | return nft_register_expr(&nft_redir_ipv6_type); 63 | } 64 | 65 | static void __exit nft_redir_ipv6_module_exit(void) 66 | { 67 | nft_unregister_expr(&nft_redir_ipv6_type); 68 | } 69 | 70 | module_init(nft_redir_ipv6_module_init); 71 | module_exit(nft_redir_ipv6_module_exit); 72 | 73 | MODULE_LICENSE("GPL"); 74 | MODULE_AUTHOR("Arturo Borrero Gonzalez "); 75 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "redir"); 76 | -------------------------------------------------------------------------------- /src/4.x/net/ipv6/netfilter/nft_reject_ipv6.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2008-2009 Patrick McHardy 3 | * Copyright (c) 2013 Eric Leblond 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | * 9 | * Development of this code funded by Astaro AG (http://www.astaro.com/) 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | static void nft_reject_ipv6_eval(const struct nft_expr *expr, 23 | struct nft_regs *regs, 24 | const struct nft_pktinfo *pkt) 25 | { 26 | struct nft_reject *priv = nft_expr_priv(expr); 27 | 28 | switch (priv->type) { 29 | case NFT_REJECT_ICMP_UNREACH: 30 | nf_send_unreach6(pkt->net, pkt->skb, priv->icmp_code, 31 | pkt->hook); 32 | break; 33 | case NFT_REJECT_TCP_RST: 34 | nf_send_reset6(pkt->net, pkt->skb, pkt->hook); 35 | break; 36 | default: 37 | break; 38 | } 39 | 40 | regs->verdict.code = NF_DROP; 41 | } 42 | 43 | static struct nft_expr_type nft_reject_ipv6_type; 44 | static const struct nft_expr_ops nft_reject_ipv6_ops = { 45 | .type = &nft_reject_ipv6_type, 46 | .size = NFT_EXPR_SIZE(sizeof(struct nft_reject)), 47 | .eval = nft_reject_ipv6_eval, 48 | .init = nft_reject_init, 49 | .dump = nft_reject_dump, 50 | }; 51 | 52 | static struct nft_expr_type nft_reject_ipv6_type __read_mostly = { 53 | .family = NFPROTO_IPV6, 54 | .name = "reject", 55 | .ops = &nft_reject_ipv6_ops, 56 | .policy = nft_reject_policy, 57 | .maxattr = NFTA_REJECT_MAX, 58 | .owner = THIS_MODULE, 59 | }; 60 | 61 | static int __init nft_reject_ipv6_module_init(void) 62 | { 63 | return nft_register_expr(&nft_reject_ipv6_type); 64 | } 65 | 66 | static void __exit nft_reject_ipv6_module_exit(void) 67 | { 68 | nft_unregister_expr(&nft_reject_ipv6_type); 69 | } 70 | 71 | module_init(nft_reject_ipv6_module_init); 72 | module_exit(nft_reject_ipv6_module_exit); 73 | 74 | MODULE_LICENSE("GPL"); 75 | MODULE_AUTHOR("Patrick McHardy "); 76 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject"); 77 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/ipset/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the ipset modules 3 | # 4 | 5 | ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o 6 | 7 | # ipset core 8 | obj-$(CONFIG_IP_SET) += ip_set.o 9 | 10 | # bitmap types 11 | obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o 12 | obj-$(CONFIG_IP_SET_BITMAP_IPMAC) += ip_set_bitmap_ipmac.o 13 | obj-$(CONFIG_IP_SET_BITMAP_PORT) += ip_set_bitmap_port.o 14 | 15 | # hash types 16 | obj-$(CONFIG_IP_SET_HASH_IP) += ip_set_hash_ip.o 17 | obj-$(CONFIG_IP_SET_HASH_IPMARK) += ip_set_hash_ipmark.o 18 | obj-$(CONFIG_IP_SET_HASH_IPPORT) += ip_set_hash_ipport.o 19 | obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o 20 | obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o 21 | obj-$(CONFIG_IP_SET_HASH_MAC) += ip_set_hash_mac.o 22 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o 23 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o 24 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o 25 | obj-$(CONFIG_IP_SET_HASH_NETNET) += ip_set_hash_netnet.o 26 | obj-$(CONFIG_IP_SET_HASH_NETPORTNET) += ip_set_hash_netportnet.o 27 | 28 | # list types 29 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o 30 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/ipvs/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the IPVS modules on top of IPv4. 3 | # 4 | 5 | # IPVS transport protocol load balancing support 6 | ip_vs_proto-objs-y := 7 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_TCP) += ip_vs_proto_tcp.o 8 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_UDP) += ip_vs_proto_udp.o 9 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_AH_ESP) += ip_vs_proto_ah_esp.o 10 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_SCTP) += ip_vs_proto_sctp.o 11 | 12 | ip_vs-extra_objs-y := 13 | ip_vs-extra_objs-$(CONFIG_IP_VS_NFCT) += ip_vs_nfct.o 14 | 15 | ip_vs-objs := ip_vs_conn.o ip_vs_core.o ip_vs_ctl.o ip_vs_sched.o \ 16 | ip_vs_xmit.o ip_vs_app.o ip_vs_sync.o \ 17 | ip_vs_est.o ip_vs_proto.o ip_vs_pe.o \ 18 | $(ip_vs_proto-objs-y) $(ip_vs-extra_objs-y) 19 | 20 | 21 | # IPVS core 22 | obj-$(CONFIG_IP_VS) += ip_vs.o 23 | 24 | # IPVS schedulers 25 | obj-$(CONFIG_IP_VS_RR) += ip_vs_rr.o 26 | obj-$(CONFIG_IP_VS_WRR) += ip_vs_wrr.o 27 | obj-$(CONFIG_IP_VS_LC) += ip_vs_lc.o 28 | obj-$(CONFIG_IP_VS_WLC) += ip_vs_wlc.o 29 | obj-$(CONFIG_IP_VS_FO) += ip_vs_fo.o 30 | obj-$(CONFIG_IP_VS_OVF) += ip_vs_ovf.o 31 | obj-$(CONFIG_IP_VS_LBLC) += ip_vs_lblc.o 32 | obj-$(CONFIG_IP_VS_LBLCR) += ip_vs_lblcr.o 33 | obj-$(CONFIG_IP_VS_DH) += ip_vs_dh.o 34 | obj-$(CONFIG_IP_VS_SH) += ip_vs_sh.o 35 | obj-$(CONFIG_IP_VS_SED) += ip_vs_sed.o 36 | obj-$(CONFIG_IP_VS_NQ) += ip_vs_nq.o 37 | 38 | # IPVS application helpers 39 | obj-$(CONFIG_IP_VS_FTP) += ip_vs_ftp.o 40 | 41 | # IPVS connection template retrievers 42 | obj-$(CONFIG_IP_VS_PE_SIP) += ip_vs_pe_sip.o 43 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/ipvs/ip_vs_fo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * IPVS: Weighted Fail Over module 3 | * 4 | * Authors: Kenny Mathis 5 | * 6 | * This program is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License 8 | * as published by the Free Software Foundation; either version 9 | * 2 of the License, or (at your option) any later version. 10 | * 11 | * Changes: 12 | * Kenny Mathis : added initial functionality based on weight 13 | * 14 | */ 15 | 16 | #define KMSG_COMPONENT "IPVS" 17 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | /* Weighted Fail Over Module */ 25 | static struct ip_vs_dest * 26 | ip_vs_fo_schedule(struct ip_vs_service *svc, const struct sk_buff *skb, 27 | struct ip_vs_iphdr *iph) 28 | { 29 | struct ip_vs_dest *dest, *hweight = NULL; 30 | int hw = 0; /* Track highest weight */ 31 | 32 | IP_VS_DBG(6, "ip_vs_fo_schedule(): Scheduling...\n"); 33 | 34 | /* Basic failover functionality 35 | * Find virtual server with highest weight and send it traffic 36 | */ 37 | list_for_each_entry_rcu(dest, &svc->destinations, n_list) { 38 | if (!(dest->flags & IP_VS_DEST_F_OVERLOAD) && 39 | atomic_read(&dest->weight) > hw) { 40 | hweight = dest; 41 | hw = atomic_read(&dest->weight); 42 | } 43 | } 44 | 45 | if (hweight) { 46 | IP_VS_DBG_BUF(6, "FO: server %s:%u activeconns %d weight %d\n", 47 | IP_VS_DBG_ADDR(hweight->af, &hweight->addr), 48 | ntohs(hweight->port), 49 | atomic_read(&hweight->activeconns), 50 | atomic_read(&hweight->weight)); 51 | return hweight; 52 | } 53 | 54 | ip_vs_scheduler_err(svc, "no destination available"); 55 | return NULL; 56 | } 57 | 58 | static struct ip_vs_scheduler ip_vs_fo_scheduler = { 59 | .name = "fo", 60 | .refcnt = ATOMIC_INIT(0), 61 | .module = THIS_MODULE, 62 | .n_list = LIST_HEAD_INIT(ip_vs_fo_scheduler.n_list), 63 | .schedule = ip_vs_fo_schedule, 64 | }; 65 | 66 | static int __init ip_vs_fo_init(void) 67 | { 68 | return register_ip_vs_scheduler(&ip_vs_fo_scheduler); 69 | } 70 | 71 | static void __exit ip_vs_fo_cleanup(void) 72 | { 73 | unregister_ip_vs_scheduler(&ip_vs_fo_scheduler); 74 | synchronize_rcu(); 75 | } 76 | 77 | module_init(ip_vs_fo_init); 78 | module_exit(ip_vs_fo_cleanup); 79 | MODULE_LICENSE("GPL"); 80 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_conntrack_broadcast.c: -------------------------------------------------------------------------------- 1 | /* 2 | * broadcast connection tracking helper 3 | * 4 | * (c) 2005 Patrick McHardy 5 | * 6 | * This program is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License 8 | * as published by the Free Software Foundation; either version 9 | * 2 of the License, or (at your option) any later version. 10 | */ 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | int nf_conntrack_broadcast_help(struct sk_buff *skb, 23 | unsigned int protoff, 24 | struct nf_conn *ct, 25 | enum ip_conntrack_info ctinfo, 26 | unsigned int timeout) 27 | { 28 | struct nf_conntrack_expect *exp; 29 | struct iphdr *iph = ip_hdr(skb); 30 | struct rtable *rt = skb_rtable(skb); 31 | struct in_device *in_dev; 32 | struct nf_conn_help *help = nfct_help(ct); 33 | __be32 mask = 0; 34 | 35 | /* we're only interested in locally generated packets */ 36 | if (skb->sk == NULL) 37 | goto out; 38 | if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST)) 39 | goto out; 40 | if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) 41 | goto out; 42 | 43 | rcu_read_lock(); 44 | in_dev = __in_dev_get_rcu(rt->dst.dev); 45 | if (in_dev != NULL) { 46 | for_primary_ifa(in_dev) { 47 | if (ifa->ifa_broadcast == iph->daddr) { 48 | mask = ifa->ifa_mask; 49 | break; 50 | } 51 | } endfor_ifa(in_dev); 52 | } 53 | rcu_read_unlock(); 54 | 55 | if (mask == 0) 56 | goto out; 57 | 58 | exp = nf_ct_expect_alloc(ct); 59 | if (exp == NULL) 60 | goto out; 61 | 62 | exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 63 | exp->tuple.src.u.udp.port = help->helper->tuple.src.u.udp.port; 64 | 65 | exp->mask.src.u3.ip = mask; 66 | exp->mask.src.u.udp.port = htons(0xFFFF); 67 | 68 | exp->expectfn = NULL; 69 | exp->flags = NF_CT_EXPECT_PERMANENT; 70 | exp->class = NF_CT_EXPECT_CLASS_DEFAULT; 71 | exp->helper = NULL; 72 | 73 | nf_ct_expect_related(exp); 74 | nf_ct_expect_put(exp); 75 | 76 | nf_ct_refresh(ct, skb, timeout * HZ); 77 | out: 78 | return NF_ACCEPT; 79 | } 80 | EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help); 81 | 82 | MODULE_LICENSE("GPL"); 83 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_conntrack_l3proto_generic.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2003,2004 USAGI/WIDE Project 3 | * 4 | * Based largely upon the original ip_conntrack code which 5 | * had the following copyright information: 6 | * 7 | * (C) 1999-2001 Paul `Rusty' Russell 8 | * (C) 2002-2004 Netfilter Core Team 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 as 12 | * published by the Free Software Foundation. 13 | * 14 | * Author: 15 | * Yasuyuki Kozakai @USAGI 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | static bool generic_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff, 35 | struct nf_conntrack_tuple *tuple) 36 | { 37 | memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 38 | memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 39 | 40 | return true; 41 | } 42 | 43 | static bool generic_invert_tuple(struct nf_conntrack_tuple *tuple, 44 | const struct nf_conntrack_tuple *orig) 45 | { 46 | memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 47 | memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 48 | 49 | return true; 50 | } 51 | 52 | static void generic_print_tuple(struct seq_file *s, 53 | const struct nf_conntrack_tuple *tuple) 54 | { 55 | } 56 | 57 | static int generic_get_l4proto(const struct sk_buff *skb, unsigned int nhoff, 58 | unsigned int *dataoff, u_int8_t *protonum) 59 | { 60 | /* Never track !!! */ 61 | return -NF_ACCEPT; 62 | } 63 | 64 | 65 | struct nf_conntrack_l3proto nf_conntrack_l3proto_generic __read_mostly = { 66 | .l3proto = PF_UNSPEC, 67 | .name = "unknown", 68 | .pkt_to_tuple = generic_pkt_to_tuple, 69 | .invert_tuple = generic_invert_tuple, 70 | .print_tuple = generic_print_tuple, 71 | .get_l4proto = generic_get_l4proto, 72 | }; 73 | EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_generic); 74 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_conntrack_timeout.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2012 by Pablo Neira Ayuso 3 | * (C) 2012 by Vyatta Inc. 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation (or any later at your option). 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | struct ctnl_timeout * 28 | (*nf_ct_timeout_find_get_hook)(const char *name) __read_mostly; 29 | EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook); 30 | 31 | void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly; 32 | EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook); 33 | 34 | static struct nf_ct_ext_type timeout_extend __read_mostly = { 35 | .len = sizeof(struct nf_conn_timeout), 36 | .align = __alignof__(struct nf_conn_timeout), 37 | .id = NF_CT_EXT_TIMEOUT, 38 | }; 39 | 40 | int nf_conntrack_timeout_init(void) 41 | { 42 | int ret = nf_ct_extend_register(&timeout_extend); 43 | if (ret < 0) 44 | pr_err("nf_ct_timeout: Unable to register timeout extension.\n"); 45 | return ret; 46 | } 47 | 48 | void nf_conntrack_timeout_fini(void) 49 | { 50 | nf_ct_extend_unregister(&timeout_extend); 51 | } 52 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_internals.h: -------------------------------------------------------------------------------- 1 | #ifndef _NF_INTERNALS_H 2 | #define _NF_INTERNALS_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #ifdef CONFIG_NETFILTER_DEBUG 9 | #define NFDEBUG(format, args...) printk(KERN_DEBUG format , ## args) 10 | #else 11 | #define NFDEBUG(format, args...) 12 | #endif 13 | 14 | 15 | /* core.c */ 16 | unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, 17 | struct nf_hook_state *state, struct nf_hook_ops **elemp); 18 | 19 | /* nf_queue.c */ 20 | int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem, 21 | struct nf_hook_state *state, unsigned int queuenum); 22 | void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops); 23 | int __init netfilter_queue_init(void); 24 | 25 | /* nf_log.c */ 26 | int __init netfilter_log_init(void); 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_nat_proto_udp.c: -------------------------------------------------------------------------------- 1 | /* (C) 1999-2001 Paul `Rusty' Russell 2 | * (C) 2002-2006 Netfilter Core Team 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | static u16 udp_port_rover; 21 | 22 | static void 23 | udp_unique_tuple(const struct nf_nat_l3proto *l3proto, 24 | struct nf_conntrack_tuple *tuple, 25 | const struct nf_nat_range *range, 26 | enum nf_nat_manip_type maniptype, 27 | const struct nf_conn *ct) 28 | { 29 | nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, 30 | &udp_port_rover); 31 | } 32 | 33 | static bool 34 | udp_manip_pkt(struct sk_buff *skb, 35 | const struct nf_nat_l3proto *l3proto, 36 | unsigned int iphdroff, unsigned int hdroff, 37 | const struct nf_conntrack_tuple *tuple, 38 | enum nf_nat_manip_type maniptype) 39 | { 40 | struct udphdr *hdr; 41 | __be16 *portptr, newport; 42 | 43 | if (!skb_make_writable(skb, hdroff + sizeof(*hdr))) 44 | return false; 45 | hdr = (struct udphdr *)(skb->data + hdroff); 46 | 47 | if (maniptype == NF_NAT_MANIP_SRC) { 48 | /* Get rid of src port */ 49 | newport = tuple->src.u.udp.port; 50 | portptr = &hdr->source; 51 | } else { 52 | /* Get rid of dst port */ 53 | newport = tuple->dst.u.udp.port; 54 | portptr = &hdr->dest; 55 | } 56 | if (hdr->check || skb->ip_summed == CHECKSUM_PARTIAL) { 57 | l3proto->csum_update(skb, iphdroff, &hdr->check, 58 | tuple, maniptype); 59 | inet_proto_csum_replace2(&hdr->check, skb, *portptr, newport, 60 | false); 61 | if (!hdr->check) 62 | hdr->check = CSUM_MANGLED_0; 63 | } 64 | *portptr = newport; 65 | return true; 66 | } 67 | 68 | const struct nf_nat_l4proto nf_nat_l4proto_udp = { 69 | .l4proto = IPPROTO_UDP, 70 | .manip_pkt = udp_manip_pkt, 71 | .in_range = nf_nat_l4proto_in_range, 72 | .unique_tuple = udp_unique_tuple, 73 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK) 74 | .nlattr_to_range = nf_nat_l4proto_nlattr_to_range, 75 | #endif 76 | }; 77 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_nat_proto_unknown.c: -------------------------------------------------------------------------------- 1 | /* The "unknown" protocol. This is what is used for protocols we 2 | * don't understand. It's returned by ip_ct_find_proto(). 3 | */ 4 | 5 | /* (C) 1999-2001 Paul `Rusty' Russell 6 | * (C) 2002-2006 Netfilter Core Team 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | static bool unknown_in_range(const struct nf_conntrack_tuple *tuple, 21 | enum nf_nat_manip_type manip_type, 22 | const union nf_conntrack_man_proto *min, 23 | const union nf_conntrack_man_proto *max) 24 | { 25 | return true; 26 | } 27 | 28 | static void unknown_unique_tuple(const struct nf_nat_l3proto *l3proto, 29 | struct nf_conntrack_tuple *tuple, 30 | const struct nf_nat_range *range, 31 | enum nf_nat_manip_type maniptype, 32 | const struct nf_conn *ct) 33 | { 34 | /* Sorry: we can't help you; if it's not unique, we can't frob 35 | * anything. 36 | */ 37 | return; 38 | } 39 | 40 | static bool 41 | unknown_manip_pkt(struct sk_buff *skb, 42 | const struct nf_nat_l3proto *l3proto, 43 | unsigned int iphdroff, unsigned int hdroff, 44 | const struct nf_conntrack_tuple *tuple, 45 | enum nf_nat_manip_type maniptype) 46 | { 47 | return true; 48 | } 49 | 50 | const struct nf_nat_l4proto nf_nat_l4proto_unknown = { 51 | .manip_pkt = unknown_manip_pkt, 52 | .in_range = unknown_in_range, 53 | .unique_tuple = unknown_unique_tuple, 54 | }; 55 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nf_nat_tftp.c: -------------------------------------------------------------------------------- 1 | /* (C) 2001-2002 Magnus Boden 2 | * 3 | * This program is free software; you can redistribute it and/or modify 4 | * it under the terms of the GNU General Public License version 2 as 5 | * published by the Free Software Foundation. 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | MODULE_AUTHOR("Magnus Boden "); 17 | MODULE_DESCRIPTION("TFTP NAT helper"); 18 | MODULE_LICENSE("GPL"); 19 | MODULE_ALIAS("ip_nat_tftp"); 20 | 21 | static unsigned int help(struct sk_buff *skb, 22 | enum ip_conntrack_info ctinfo, 23 | struct nf_conntrack_expect *exp) 24 | { 25 | const struct nf_conn *ct = exp->master; 26 | 27 | exp->saved_proto.udp.port 28 | = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; 29 | exp->dir = IP_CT_DIR_REPLY; 30 | exp->expectfn = nf_nat_follow_master; 31 | if (nf_ct_expect_related(exp) != 0) { 32 | nf_ct_helper_log(skb, exp->master, "cannot add expectation"); 33 | return NF_DROP; 34 | } 35 | return NF_ACCEPT; 36 | } 37 | 38 | static void __exit nf_nat_tftp_fini(void) 39 | { 40 | RCU_INIT_POINTER(nf_nat_tftp_hook, NULL); 41 | synchronize_rcu(); 42 | } 43 | 44 | static int __init nf_nat_tftp_init(void) 45 | { 46 | BUG_ON(nf_nat_tftp_hook != NULL); 47 | RCU_INIT_POINTER(nf_nat_tftp_hook, help); 48 | return 0; 49 | } 50 | 51 | module_init(nf_nat_tftp_init); 52 | module_exit(nf_nat_tftp_fini); 53 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/nft_masq.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2014 Arturo Borrero Gonzalez 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = { 20 | [NFTA_MASQ_FLAGS] = { .type = NLA_U32 }, 21 | }; 22 | EXPORT_SYMBOL_GPL(nft_masq_policy); 23 | 24 | int nft_masq_validate(const struct nft_ctx *ctx, 25 | const struct nft_expr *expr, 26 | const struct nft_data **data) 27 | { 28 | int err; 29 | 30 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); 31 | if (err < 0) 32 | return err; 33 | 34 | return nft_chain_validate_hooks(ctx->chain, 35 | (1 << NF_INET_POST_ROUTING)); 36 | } 37 | EXPORT_SYMBOL_GPL(nft_masq_validate); 38 | 39 | int nft_masq_init(const struct nft_ctx *ctx, 40 | const struct nft_expr *expr, 41 | const struct nlattr * const tb[]) 42 | { 43 | struct nft_masq *priv = nft_expr_priv(expr); 44 | int err; 45 | 46 | err = nft_masq_validate(ctx, expr, NULL); 47 | if (err) 48 | return err; 49 | 50 | if (tb[NFTA_MASQ_FLAGS] == NULL) 51 | return 0; 52 | 53 | priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS])); 54 | if (priv->flags & ~NF_NAT_RANGE_MASK) 55 | return -EINVAL; 56 | 57 | return 0; 58 | } 59 | EXPORT_SYMBOL_GPL(nft_masq_init); 60 | 61 | int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr) 62 | { 63 | const struct nft_masq *priv = nft_expr_priv(expr); 64 | 65 | if (priv->flags == 0) 66 | return 0; 67 | 68 | if (nla_put_be32(skb, NFTA_MASQ_FLAGS, htonl(priv->flags))) 69 | goto nla_put_failure; 70 | 71 | return 0; 72 | 73 | nla_put_failure: 74 | return -1; 75 | } 76 | EXPORT_SYMBOL_GPL(nft_masq_dump); 77 | 78 | MODULE_LICENSE("GPL"); 79 | MODULE_AUTHOR("Arturo Borrero Gonzalez "); 80 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_CHECKSUM.c: -------------------------------------------------------------------------------- 1 | /* iptables module for the packet checksum mangling 2 | * 3 | * (C) 2002 by Harald Welte 4 | * (C) 2010 Red Hat, Inc. 5 | * 6 | * Author: Michael S. Tsirkin 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Michael S. Tsirkin "); 21 | MODULE_DESCRIPTION("Xtables: checksum modification"); 22 | MODULE_ALIAS("ipt_CHECKSUM"); 23 | MODULE_ALIAS("ip6t_CHECKSUM"); 24 | 25 | static unsigned int 26 | checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) 27 | { 28 | if (skb->ip_summed == CHECKSUM_PARTIAL) 29 | skb_checksum_help(skb); 30 | 31 | return XT_CONTINUE; 32 | } 33 | 34 | static int checksum_tg_check(const struct xt_tgchk_param *par) 35 | { 36 | const struct xt_CHECKSUM_info *einfo = par->targinfo; 37 | 38 | if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { 39 | pr_info("unsupported CHECKSUM operation %x\n", einfo->operation); 40 | return -EINVAL; 41 | } 42 | if (!einfo->operation) { 43 | pr_info("no CHECKSUM operation enabled\n"); 44 | return -EINVAL; 45 | } 46 | return 0; 47 | } 48 | 49 | static struct xt_target checksum_tg_reg __read_mostly = { 50 | .name = "CHECKSUM", 51 | .family = NFPROTO_UNSPEC, 52 | .target = checksum_tg, 53 | .targetsize = sizeof(struct xt_CHECKSUM_info), 54 | .table = "mangle", 55 | .checkentry = checksum_tg_check, 56 | .me = THIS_MODULE, 57 | }; 58 | 59 | static int __init checksum_tg_init(void) 60 | { 61 | return xt_register_target(&checksum_tg_reg); 62 | } 63 | 64 | static void __exit checksum_tg_exit(void) 65 | { 66 | xt_unregister_target(&checksum_tg_reg); 67 | } 68 | 69 | module_init(checksum_tg_init); 70 | module_exit(checksum_tg_exit); 71 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_CLASSIFY.c: -------------------------------------------------------------------------------- 1 | /* 2 | * This is a module which is used for setting the skb->priority field 3 | * of an skb for qdisc classification. 4 | */ 5 | 6 | /* (C) 2001-2002 Patrick McHardy 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | MODULE_AUTHOR("Patrick McHardy "); 25 | MODULE_LICENSE("GPL"); 26 | MODULE_DESCRIPTION("Xtables: Qdisc classification"); 27 | MODULE_ALIAS("ipt_CLASSIFY"); 28 | MODULE_ALIAS("ip6t_CLASSIFY"); 29 | MODULE_ALIAS("arpt_CLASSIFY"); 30 | 31 | static unsigned int 32 | classify_tg(struct sk_buff *skb, const struct xt_action_param *par) 33 | { 34 | const struct xt_classify_target_info *clinfo = par->targinfo; 35 | 36 | skb->priority = clinfo->priority; 37 | return XT_CONTINUE; 38 | } 39 | 40 | static struct xt_target classify_tg_reg[] __read_mostly = { 41 | { 42 | .name = "CLASSIFY", 43 | .revision = 0, 44 | .family = NFPROTO_UNSPEC, 45 | .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | 46 | (1 << NF_INET_POST_ROUTING), 47 | .target = classify_tg, 48 | .targetsize = sizeof(struct xt_classify_target_info), 49 | .me = THIS_MODULE, 50 | }, 51 | { 52 | .name = "CLASSIFY", 53 | .revision = 0, 54 | .family = NFPROTO_ARP, 55 | .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD), 56 | .target = classify_tg, 57 | .targetsize = sizeof(struct xt_classify_target_info), 58 | .me = THIS_MODULE, 59 | }, 60 | }; 61 | 62 | static int __init classify_tg_init(void) 63 | { 64 | return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 65 | } 66 | 67 | static void __exit classify_tg_exit(void) 68 | { 69 | xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 70 | } 71 | 72 | module_init(classify_tg_init); 73 | module_exit(classify_tg_exit); 74 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_NFLOG.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2006 Patrick McHardy 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | MODULE_AUTHOR("Patrick McHardy "); 19 | MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG"); 20 | MODULE_LICENSE("GPL"); 21 | MODULE_ALIAS("ipt_NFLOG"); 22 | MODULE_ALIAS("ip6t_NFLOG"); 23 | 24 | static unsigned int 25 | nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) 26 | { 27 | const struct xt_nflog_info *info = par->targinfo; 28 | struct nf_loginfo li; 29 | struct net *net = par->net; 30 | 31 | li.type = NF_LOG_TYPE_ULOG; 32 | li.u.ulog.copy_len = info->len; 33 | li.u.ulog.group = info->group; 34 | li.u.ulog.qthreshold = info->threshold; 35 | 36 | nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in, 37 | par->out, &li, info->prefix); 38 | return XT_CONTINUE; 39 | } 40 | 41 | static int nflog_tg_check(const struct xt_tgchk_param *par) 42 | { 43 | const struct xt_nflog_info *info = par->targinfo; 44 | 45 | if (info->flags & ~XT_NFLOG_MASK) 46 | return -EINVAL; 47 | if (info->prefix[sizeof(info->prefix) - 1] != '\0') 48 | return -EINVAL; 49 | return 0; 50 | } 51 | 52 | static struct xt_target nflog_tg_reg __read_mostly = { 53 | .name = "NFLOG", 54 | .revision = 0, 55 | .family = NFPROTO_UNSPEC, 56 | .checkentry = nflog_tg_check, 57 | .target = nflog_tg, 58 | .targetsize = sizeof(struct xt_nflog_info), 59 | .me = THIS_MODULE, 60 | }; 61 | 62 | static int __init nflog_tg_init(void) 63 | { 64 | return xt_register_target(&nflog_tg_reg); 65 | } 66 | 67 | static void __exit nflog_tg_exit(void) 68 | { 69 | xt_unregister_target(&nflog_tg_reg); 70 | } 71 | 72 | module_init(nflog_tg_init); 73 | module_exit(nflog_tg_exit); 74 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_TRACE.c: -------------------------------------------------------------------------------- 1 | /* This is a module which is used to mark packets for tracing. 2 | */ 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | MODULE_DESCRIPTION("Xtables: packet flow tracing"); 9 | MODULE_LICENSE("GPL"); 10 | MODULE_ALIAS("ipt_TRACE"); 11 | MODULE_ALIAS("ip6t_TRACE"); 12 | 13 | static unsigned int 14 | trace_tg(struct sk_buff *skb, const struct xt_action_param *par) 15 | { 16 | skb->nf_trace = 1; 17 | return XT_CONTINUE; 18 | } 19 | 20 | static struct xt_target trace_tg_reg __read_mostly = { 21 | .name = "TRACE", 22 | .revision = 0, 23 | .family = NFPROTO_UNSPEC, 24 | .table = "raw", 25 | .target = trace_tg, 26 | .me = THIS_MODULE, 27 | }; 28 | 29 | static int __init trace_tg_init(void) 30 | { 31 | return xt_register_target(&trace_tg_reg); 32 | } 33 | 34 | static void __exit trace_tg_exit(void) 35 | { 36 | xt_unregister_target(&trace_tg_reg); 37 | } 38 | 39 | module_init(trace_tg_init); 40 | module_exit(trace_tg_exit); 41 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_bpf.c: -------------------------------------------------------------------------------- 1 | /* Xtables module to match packets using a BPF filter. 2 | * Copyright 2013 Google Inc. 3 | * Written by Willem de Bruijn 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | MODULE_AUTHOR("Willem de Bruijn "); 18 | MODULE_DESCRIPTION("Xtables: BPF filter match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_ALIAS("ipt_bpf"); 21 | MODULE_ALIAS("ip6t_bpf"); 22 | 23 | static int bpf_mt_check(const struct xt_mtchk_param *par) 24 | { 25 | struct xt_bpf_info *info = par->matchinfo; 26 | struct sock_fprog_kern program; 27 | 28 | program.len = info->bpf_program_num_elem; 29 | program.filter = info->bpf_program; 30 | 31 | if (bpf_prog_create(&info->filter, &program)) { 32 | pr_info("bpf: check failed: parse error\n"); 33 | return -EINVAL; 34 | } 35 | 36 | return 0; 37 | } 38 | 39 | static bool bpf_mt(const struct sk_buff *skb, struct xt_action_param *par) 40 | { 41 | const struct xt_bpf_info *info = par->matchinfo; 42 | 43 | return BPF_PROG_RUN(info->filter, skb); 44 | } 45 | 46 | static void bpf_mt_destroy(const struct xt_mtdtor_param *par) 47 | { 48 | const struct xt_bpf_info *info = par->matchinfo; 49 | bpf_prog_destroy(info->filter); 50 | } 51 | 52 | static struct xt_match bpf_mt_reg __read_mostly = { 53 | .name = "bpf", 54 | .revision = 0, 55 | .family = NFPROTO_UNSPEC, 56 | .checkentry = bpf_mt_check, 57 | .match = bpf_mt, 58 | .destroy = bpf_mt_destroy, 59 | .matchsize = sizeof(struct xt_bpf_info), 60 | .me = THIS_MODULE, 61 | }; 62 | 63 | static int __init bpf_mt_init(void) 64 | { 65 | return xt_register_match(&bpf_mt_reg); 66 | } 67 | 68 | static void __exit bpf_mt_exit(void) 69 | { 70 | xt_unregister_match(&bpf_mt_reg); 71 | } 72 | 73 | module_init(bpf_mt_init); 74 | module_exit(bpf_mt_exit); 75 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_cgroup.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Xtables module to match the process control group. 3 | * 4 | * Might be used to implement individual "per-application" firewall 5 | * policies in contrast to global policies based on control groups. 6 | * Matching is based upon processes tagged to net_cls' classid marker. 7 | * 8 | * (C) 2013 Daniel Borkmann 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 as 12 | * published by the Free Software Foundation. 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | MODULE_LICENSE("GPL"); 22 | MODULE_AUTHOR("Daniel Borkmann "); 23 | MODULE_DESCRIPTION("Xtables: process control group matching"); 24 | MODULE_ALIAS("ipt_cgroup"); 25 | MODULE_ALIAS("ip6t_cgroup"); 26 | 27 | static int cgroup_mt_check(const struct xt_mtchk_param *par) 28 | { 29 | struct xt_cgroup_info *info = par->matchinfo; 30 | 31 | if (info->invert & ~1) 32 | return -EINVAL; 33 | 34 | return 0; 35 | } 36 | 37 | static bool 38 | cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par) 39 | { 40 | const struct xt_cgroup_info *info = par->matchinfo; 41 | 42 | if (skb->sk == NULL || !sk_fullsock(skb->sk)) 43 | return false; 44 | 45 | return (info->id == skb->sk->sk_classid) ^ info->invert; 46 | } 47 | 48 | static struct xt_match cgroup_mt_reg __read_mostly = { 49 | .name = "cgroup", 50 | .revision = 0, 51 | .family = NFPROTO_UNSPEC, 52 | .checkentry = cgroup_mt_check, 53 | .match = cgroup_mt, 54 | .matchsize = sizeof(struct xt_cgroup_info), 55 | .me = THIS_MODULE, 56 | .hooks = (1 << NF_INET_LOCAL_OUT) | 57 | (1 << NF_INET_POST_ROUTING) | 58 | (1 << NF_INET_LOCAL_IN), 59 | }; 60 | 61 | static int __init cgroup_mt_init(void) 62 | { 63 | return xt_register_match(&cgroup_mt_reg); 64 | } 65 | 66 | static void __exit cgroup_mt_exit(void) 67 | { 68 | xt_unregister_match(&cgroup_mt_reg); 69 | } 70 | 71 | module_init(cgroup_mt_init); 72 | module_exit(cgroup_mt_exit); 73 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_comment.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Implements a dummy match to allow attaching comments to rules 3 | * 4 | * 2003-05-13 Brad Fisher (brad@info-link.net) 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | MODULE_AUTHOR("Brad Fisher "); 13 | MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a comment"); 14 | MODULE_LICENSE("GPL"); 15 | MODULE_ALIAS("ipt_comment"); 16 | MODULE_ALIAS("ip6t_comment"); 17 | 18 | static bool 19 | comment_mt(const struct sk_buff *skb, struct xt_action_param *par) 20 | { 21 | /* We always match */ 22 | return true; 23 | } 24 | 25 | static struct xt_match comment_mt_reg __read_mostly = { 26 | .name = "comment", 27 | .revision = 0, 28 | .family = NFPROTO_UNSPEC, 29 | .match = comment_mt, 30 | .matchsize = sizeof(struct xt_comment_info), 31 | .me = THIS_MODULE, 32 | }; 33 | 34 | static int __init comment_mt_init(void) 35 | { 36 | return xt_register_match(&comment_mt_reg); 37 | } 38 | 39 | static void __exit comment_mt_exit(void) 40 | { 41 | xt_unregister_match(&comment_mt_reg); 42 | } 43 | 44 | module_init(comment_mt_init); 45 | module_exit(comment_mt_exit); 46 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_cpu.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match running CPU */ 2 | 3 | /* 4 | * Might be used to distribute connections on several daemons, if 5 | * RPS (Remote Packet Steering) is enabled or NIC is multiqueue capable, 6 | * each RX queue IRQ affined to one CPU (1:1 mapping) 7 | * 8 | */ 9 | 10 | /* (C) 2010 Eric Dumazet 11 | * 12 | * This program is free software; you can redistribute it and/or modify 13 | * it under the terms of the GNU General Public License version 2 as 14 | * published by the Free Software Foundation. 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | MODULE_LICENSE("GPL"); 23 | MODULE_AUTHOR("Eric Dumazet "); 24 | MODULE_DESCRIPTION("Xtables: CPU match"); 25 | MODULE_ALIAS("ipt_cpu"); 26 | MODULE_ALIAS("ip6t_cpu"); 27 | 28 | static int cpu_mt_check(const struct xt_mtchk_param *par) 29 | { 30 | const struct xt_cpu_info *info = par->matchinfo; 31 | 32 | if (info->invert & ~1) 33 | return -EINVAL; 34 | return 0; 35 | } 36 | 37 | static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par) 38 | { 39 | const struct xt_cpu_info *info = par->matchinfo; 40 | 41 | return (info->cpu == smp_processor_id()) ^ info->invert; 42 | } 43 | 44 | static struct xt_match cpu_mt_reg __read_mostly = { 45 | .name = "cpu", 46 | .revision = 0, 47 | .family = NFPROTO_UNSPEC, 48 | .checkentry = cpu_mt_check, 49 | .match = cpu_mt, 50 | .matchsize = sizeof(struct xt_cpu_info), 51 | .me = THIS_MODULE, 52 | }; 53 | 54 | static int __init cpu_mt_init(void) 55 | { 56 | return xt_register_match(&cpu_mt_reg); 57 | } 58 | 59 | static void __exit cpu_mt_exit(void) 60 | { 61 | xt_unregister_match(&cpu_mt_reg); 62 | } 63 | 64 | module_init(cpu_mt_init); 65 | module_exit(cpu_mt_exit); 66 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_length.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match packet length. */ 2 | /* (C) 1999-2001 James Morris 3 | * 4 | * This program is free software; you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License version 2 as 6 | * published by the Free Software Foundation. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | MODULE_AUTHOR("James Morris "); 18 | MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match"); 19 | MODULE_LICENSE("GPL"); 20 | MODULE_ALIAS("ipt_length"); 21 | MODULE_ALIAS("ip6t_length"); 22 | 23 | static bool 24 | length_mt(const struct sk_buff *skb, struct xt_action_param *par) 25 | { 26 | const struct xt_length_info *info = par->matchinfo; 27 | u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); 28 | 29 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 30 | } 31 | 32 | static bool 33 | length_mt6(const struct sk_buff *skb, struct xt_action_param *par) 34 | { 35 | const struct xt_length_info *info = par->matchinfo; 36 | const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + 37 | sizeof(struct ipv6hdr); 38 | 39 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 40 | } 41 | 42 | static struct xt_match length_mt_reg[] __read_mostly = { 43 | { 44 | .name = "length", 45 | .family = NFPROTO_IPV4, 46 | .match = length_mt, 47 | .matchsize = sizeof(struct xt_length_info), 48 | .me = THIS_MODULE, 49 | }, 50 | { 51 | .name = "length", 52 | .family = NFPROTO_IPV6, 53 | .match = length_mt6, 54 | .matchsize = sizeof(struct xt_length_info), 55 | .me = THIS_MODULE, 56 | }, 57 | }; 58 | 59 | static int __init length_mt_init(void) 60 | { 61 | return xt_register_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 62 | } 63 | 64 | static void __exit length_mt_exit(void) 65 | { 66 | xt_unregister_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 67 | } 68 | 69 | module_init(length_mt_init); 70 | module_exit(length_mt_exit); 71 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_mac.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match MAC address parameters. */ 2 | 3 | /* (C) 1999-2001 Paul `Rusty' Russell 4 | * (C) 2002-2004 Netfilter Core Team 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 as 8 | * published by the Free Software Foundation. 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | MODULE_LICENSE("GPL"); 23 | MODULE_AUTHOR("Netfilter Core Team "); 24 | MODULE_DESCRIPTION("Xtables: MAC address match"); 25 | MODULE_ALIAS("ipt_mac"); 26 | MODULE_ALIAS("ip6t_mac"); 27 | 28 | static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par) 29 | { 30 | const struct xt_mac_info *info = par->matchinfo; 31 | bool ret; 32 | 33 | if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER) 34 | return false; 35 | if (skb_mac_header(skb) < skb->head) 36 | return false; 37 | if (skb_mac_header(skb) + ETH_HLEN > skb->data) 38 | return false; 39 | ret = ether_addr_equal(eth_hdr(skb)->h_source, info->srcaddr); 40 | ret ^= info->invert; 41 | return ret; 42 | } 43 | 44 | static struct xt_match mac_mt_reg __read_mostly = { 45 | .name = "mac", 46 | .revision = 0, 47 | .family = NFPROTO_UNSPEC, 48 | .match = mac_mt, 49 | .matchsize = sizeof(struct xt_mac_info), 50 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 51 | (1 << NF_INET_FORWARD), 52 | .me = THIS_MODULE, 53 | }; 54 | 55 | static int __init mac_mt_init(void) 56 | { 57 | return xt_register_match(&mac_mt_reg); 58 | } 59 | 60 | static void __exit mac_mt_exit(void) 61 | { 62 | xt_unregister_match(&mac_mt_reg); 63 | } 64 | 65 | module_init(mac_mt_init); 66 | module_exit(mac_mt_exit); 67 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_mark.c: -------------------------------------------------------------------------------- 1 | /* 2 | * xt_mark - Netfilter module to match NFMARK value 3 | * 4 | * (C) 1999-2001 Marc Boucher 5 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 6 | * Jan Engelhardt 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 as 10 | * published by the Free Software Foundation. 11 | */ 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Marc Boucher "); 21 | MODULE_DESCRIPTION("Xtables: packet mark operations"); 22 | MODULE_ALIAS("ipt_mark"); 23 | MODULE_ALIAS("ip6t_mark"); 24 | MODULE_ALIAS("ipt_MARK"); 25 | MODULE_ALIAS("ip6t_MARK"); 26 | MODULE_ALIAS("arpt_MARK"); 27 | 28 | static unsigned int 29 | mark_tg(struct sk_buff *skb, const struct xt_action_param *par) 30 | { 31 | const struct xt_mark_tginfo2 *info = par->targinfo; 32 | 33 | skb->mark = (skb->mark & ~info->mask) ^ info->mark; 34 | return XT_CONTINUE; 35 | } 36 | 37 | static bool 38 | mark_mt(const struct sk_buff *skb, struct xt_action_param *par) 39 | { 40 | const struct xt_mark_mtinfo1 *info = par->matchinfo; 41 | 42 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; 43 | } 44 | 45 | static struct xt_target mark_tg_reg __read_mostly = { 46 | .name = "MARK", 47 | .revision = 2, 48 | .family = NFPROTO_UNSPEC, 49 | .target = mark_tg, 50 | .targetsize = sizeof(struct xt_mark_tginfo2), 51 | .me = THIS_MODULE, 52 | }; 53 | 54 | static struct xt_match mark_mt_reg __read_mostly = { 55 | .name = "mark", 56 | .revision = 1, 57 | .family = NFPROTO_UNSPEC, 58 | .match = mark_mt, 59 | .matchsize = sizeof(struct xt_mark_mtinfo1), 60 | .me = THIS_MODULE, 61 | }; 62 | 63 | static int __init mark_mt_init(void) 64 | { 65 | int ret; 66 | 67 | ret = xt_register_target(&mark_tg_reg); 68 | if (ret < 0) 69 | return ret; 70 | ret = xt_register_match(&mark_mt_reg); 71 | if (ret < 0) { 72 | xt_unregister_target(&mark_tg_reg); 73 | return ret; 74 | } 75 | return 0; 76 | } 77 | 78 | static void __exit mark_mt_exit(void) 79 | { 80 | xt_unregister_match(&mark_mt_reg); 81 | xt_unregister_target(&mark_tg_reg); 82 | } 83 | 84 | module_init(mark_mt_init); 85 | module_exit(mark_mt_exit); 86 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_nfacct.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (C) 2011 Pablo Neira Ayuso 3 | * (C) 2011 Intra2net AG 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 (or any 7 | * later at your option) as published by the Free Software Foundation. 8 | */ 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | MODULE_AUTHOR("Pablo Neira Ayuso "); 17 | MODULE_DESCRIPTION("Xtables: match for the extended accounting infrastructure"); 18 | MODULE_LICENSE("GPL"); 19 | MODULE_ALIAS("ipt_nfacct"); 20 | MODULE_ALIAS("ip6t_nfacct"); 21 | 22 | static bool nfacct_mt(const struct sk_buff *skb, struct xt_action_param *par) 23 | { 24 | int overquota; 25 | const struct xt_nfacct_match_info *info = par->targinfo; 26 | 27 | nfnl_acct_update(skb, info->nfacct); 28 | 29 | overquota = nfnl_acct_overquota(skb, info->nfacct); 30 | 31 | return overquota == NFACCT_UNDERQUOTA ? false : true; 32 | } 33 | 34 | static int 35 | nfacct_mt_checkentry(const struct xt_mtchk_param *par) 36 | { 37 | struct xt_nfacct_match_info *info = par->matchinfo; 38 | struct nf_acct *nfacct; 39 | 40 | nfacct = nfnl_acct_find_get(par->net, info->name); 41 | if (nfacct == NULL) { 42 | pr_info("xt_nfacct: accounting object with name `%s' " 43 | "does not exists\n", info->name); 44 | return -ENOENT; 45 | } 46 | info->nfacct = nfacct; 47 | return 0; 48 | } 49 | 50 | static void 51 | nfacct_mt_destroy(const struct xt_mtdtor_param *par) 52 | { 53 | const struct xt_nfacct_match_info *info = par->matchinfo; 54 | 55 | nfnl_acct_put(info->nfacct); 56 | } 57 | 58 | static struct xt_match nfacct_mt_reg __read_mostly = { 59 | .name = "nfacct", 60 | .family = NFPROTO_UNSPEC, 61 | .checkentry = nfacct_mt_checkentry, 62 | .match = nfacct_mt, 63 | .destroy = nfacct_mt_destroy, 64 | .matchsize = sizeof(struct xt_nfacct_match_info), 65 | .me = THIS_MODULE, 66 | }; 67 | 68 | static int __init nfacct_mt_init(void) 69 | { 70 | return xt_register_match(&nfacct_mt_reg); 71 | } 72 | 73 | static void __exit nfacct_mt_exit(void) 74 | { 75 | xt_unregister_match(&nfacct_mt_reg); 76 | } 77 | 78 | module_init(nfacct_mt_init); 79 | module_exit(nfacct_mt_exit); 80 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_pkttype.c: -------------------------------------------------------------------------------- 1 | /* (C) 1999-2001 Michal Ludvig 2 | * 3 | * This program is free software; you can redistribute it and/or modify 4 | * it under the terms of the GNU General Public License version 2 as 5 | * published by the Free Software Foundation. 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Michal Ludvig "); 21 | MODULE_DESCRIPTION("Xtables: link layer packet type match"); 22 | MODULE_ALIAS("ipt_pkttype"); 23 | MODULE_ALIAS("ip6t_pkttype"); 24 | 25 | static bool 26 | pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par) 27 | { 28 | const struct xt_pkttype_info *info = par->matchinfo; 29 | u_int8_t type; 30 | 31 | if (skb->pkt_type != PACKET_LOOPBACK) 32 | type = skb->pkt_type; 33 | else if (par->family == NFPROTO_IPV4 && 34 | ipv4_is_multicast(ip_hdr(skb)->daddr)) 35 | type = PACKET_MULTICAST; 36 | else if (par->family == NFPROTO_IPV6 && 37 | ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF) 38 | type = PACKET_MULTICAST; 39 | else 40 | type = PACKET_BROADCAST; 41 | 42 | return (type == info->pkttype) ^ info->invert; 43 | } 44 | 45 | static struct xt_match pkttype_mt_reg __read_mostly = { 46 | .name = "pkttype", 47 | .revision = 0, 48 | .family = NFPROTO_UNSPEC, 49 | .match = pkttype_mt, 50 | .matchsize = sizeof(struct xt_pkttype_info), 51 | .me = THIS_MODULE, 52 | }; 53 | 54 | static int __init pkttype_mt_init(void) 55 | { 56 | return xt_register_match(&pkttype_mt_reg); 57 | } 58 | 59 | static void __exit pkttype_mt_exit(void) 60 | { 61 | xt_unregister_match(&pkttype_mt_reg); 62 | } 63 | 64 | module_init(pkttype_mt_init); 65 | module_exit(pkttype_mt_exit); 66 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_quota.c: -------------------------------------------------------------------------------- 1 | /* 2 | * netfilter module to enforce network quotas 3 | * 4 | * Sam Johnston 5 | */ 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | struct xt_quota_priv { 15 | spinlock_t lock; 16 | uint64_t quota; 17 | }; 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Sam Johnston "); 21 | MODULE_DESCRIPTION("Xtables: countdown quota match"); 22 | MODULE_ALIAS("ipt_quota"); 23 | MODULE_ALIAS("ip6t_quota"); 24 | 25 | static bool 26 | quota_mt(const struct sk_buff *skb, struct xt_action_param *par) 27 | { 28 | struct xt_quota_info *q = (void *)par->matchinfo; 29 | struct xt_quota_priv *priv = q->master; 30 | bool ret = q->flags & XT_QUOTA_INVERT; 31 | 32 | spin_lock_bh(&priv->lock); 33 | if (priv->quota >= skb->len) { 34 | priv->quota -= skb->len; 35 | ret = !ret; 36 | } else { 37 | /* we do not allow even small packets from now on */ 38 | priv->quota = 0; 39 | } 40 | spin_unlock_bh(&priv->lock); 41 | 42 | return ret; 43 | } 44 | 45 | static int quota_mt_check(const struct xt_mtchk_param *par) 46 | { 47 | struct xt_quota_info *q = par->matchinfo; 48 | 49 | if (q->flags & ~XT_QUOTA_MASK) 50 | return -EINVAL; 51 | 52 | q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); 53 | if (q->master == NULL) 54 | return -ENOMEM; 55 | 56 | spin_lock_init(&q->master->lock); 57 | q->master->quota = q->quota; 58 | return 0; 59 | } 60 | 61 | static void quota_mt_destroy(const struct xt_mtdtor_param *par) 62 | { 63 | const struct xt_quota_info *q = par->matchinfo; 64 | 65 | kfree(q->master); 66 | } 67 | 68 | static struct xt_match quota_mt_reg __read_mostly = { 69 | .name = "quota", 70 | .revision = 0, 71 | .family = NFPROTO_UNSPEC, 72 | .match = quota_mt, 73 | .checkentry = quota_mt_check, 74 | .destroy = quota_mt_destroy, 75 | .matchsize = sizeof(struct xt_quota_info), 76 | .me = THIS_MODULE, 77 | }; 78 | 79 | static int __init quota_mt_init(void) 80 | { 81 | return xt_register_match("a_mt_reg); 82 | } 83 | 84 | static void __exit quota_mt_exit(void) 85 | { 86 | xt_unregister_match("a_mt_reg); 87 | } 88 | 89 | module_init(quota_mt_init); 90 | module_exit(quota_mt_exit); 91 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_realm.c: -------------------------------------------------------------------------------- 1 | /* IP tables module for matching the routing realm 2 | * 3 | * (C) 2003 by Sampsa Ranta 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | MODULE_AUTHOR("Sampsa Ranta "); 20 | MODULE_LICENSE("GPL"); 21 | MODULE_DESCRIPTION("Xtables: Routing realm match"); 22 | MODULE_ALIAS("ipt_realm"); 23 | 24 | static bool 25 | realm_mt(const struct sk_buff *skb, struct xt_action_param *par) 26 | { 27 | const struct xt_realm_info *info = par->matchinfo; 28 | const struct dst_entry *dst = skb_dst(skb); 29 | 30 | return (info->id == (dst->tclassid & info->mask)) ^ info->invert; 31 | } 32 | 33 | static struct xt_match realm_mt_reg __read_mostly = { 34 | .name = "realm", 35 | .match = realm_mt, 36 | .matchsize = sizeof(struct xt_realm_info), 37 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) | 38 | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN), 39 | .family = NFPROTO_UNSPEC, 40 | .me = THIS_MODULE 41 | }; 42 | 43 | static int __init realm_mt_init(void) 44 | { 45 | return xt_register_match(&realm_mt_reg); 46 | } 47 | 48 | static void __exit realm_mt_exit(void) 49 | { 50 | xt_unregister_match(&realm_mt_reg); 51 | } 52 | 53 | module_init(realm_mt_init); 54 | module_exit(realm_mt_exit); 55 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_repldata.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Today's hack: quantum tunneling in structs 3 | * 4 | * 'entries' and 'term' are never anywhere referenced by word in code. In fact, 5 | * they serve as the hanging-off data accessed through repl.data[]. 6 | */ 7 | 8 | /* tbl has the following structure equivalent, but is C99 compliant: 9 | * struct { 10 | * struct type##_replace repl; 11 | * struct type##_standard entries[nhooks]; 12 | * struct type##_error term; 13 | * } *tbl; 14 | */ 15 | 16 | #define xt_alloc_initial_table(type, typ2) ({ \ 17 | unsigned int hook_mask = info->valid_hooks; \ 18 | unsigned int nhooks = hweight32(hook_mask); \ 19 | unsigned int bytes = 0, hooknum = 0, i = 0; \ 20 | struct { \ 21 | struct type##_replace repl; \ 22 | struct type##_standard entries[]; \ 23 | } *tbl; \ 24 | struct type##_error *term; \ 25 | size_t term_offset = (offsetof(typeof(*tbl), entries[nhooks]) + \ 26 | __alignof__(*term) - 1) & ~(__alignof__(*term) - 1); \ 27 | tbl = kzalloc(term_offset + sizeof(*term), GFP_KERNEL); \ 28 | if (tbl == NULL) \ 29 | return NULL; \ 30 | term = (struct type##_error *)&(((char *)tbl)[term_offset]); \ 31 | strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \ 32 | *term = (struct type##_error)typ2##_ERROR_INIT; \ 33 | tbl->repl.valid_hooks = hook_mask; \ 34 | tbl->repl.num_entries = nhooks + 1; \ 35 | tbl->repl.size = nhooks * sizeof(struct type##_standard) + \ 36 | sizeof(struct type##_error); \ 37 | for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \ 38 | if (!(hook_mask & 1)) \ 39 | continue; \ 40 | tbl->repl.hook_entry[hooknum] = bytes; \ 41 | tbl->repl.underflow[hooknum] = bytes; \ 42 | tbl->entries[i++] = (struct type##_standard) \ 43 | typ2##_STANDARD_INIT(NF_ACCEPT); \ 44 | bytes += sizeof(struct type##_standard); \ 45 | } \ 46 | tbl; \ 47 | }) 48 | -------------------------------------------------------------------------------- /src/4.x/net/netfilter/xt_state.c: -------------------------------------------------------------------------------- 1 | /* Kernel module to match connection tracking information. */ 2 | 3 | /* (C) 1999-2001 Paul `Rusty' Russell 4 | * (C) 2002-2005 Netfilter Core Team 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 as 8 | * published by the Free Software Foundation. 9 | */ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | MODULE_LICENSE("GPL"); 18 | MODULE_AUTHOR("Rusty Russell "); 19 | MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module"); 20 | MODULE_ALIAS("ipt_state"); 21 | MODULE_ALIAS("ip6t_state"); 22 | 23 | static bool 24 | state_mt(const struct sk_buff *skb, struct xt_action_param *par) 25 | { 26 | const struct xt_state_info *sinfo = par->matchinfo; 27 | enum ip_conntrack_info ctinfo; 28 | unsigned int statebit; 29 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 30 | 31 | if (!ct) 32 | statebit = XT_STATE_INVALID; 33 | else { 34 | if (nf_ct_is_untracked(ct)) 35 | statebit = XT_STATE_UNTRACKED; 36 | else 37 | statebit = XT_STATE_BIT(ctinfo); 38 | } 39 | return (sinfo->statemask & statebit); 40 | } 41 | 42 | static int state_mt_check(const struct xt_mtchk_param *par) 43 | { 44 | int ret; 45 | 46 | ret = nf_ct_l3proto_try_module_get(par->family); 47 | if (ret < 0) 48 | pr_info("cannot load conntrack support for proto=%u\n", 49 | par->family); 50 | return ret; 51 | } 52 | 53 | static void state_mt_destroy(const struct xt_mtdtor_param *par) 54 | { 55 | nf_ct_l3proto_module_put(par->family); 56 | } 57 | 58 | static struct xt_match state_mt_reg __read_mostly = { 59 | .name = "state", 60 | .family = NFPROTO_UNSPEC, 61 | .checkentry = state_mt_check, 62 | .match = state_mt, 63 | .destroy = state_mt_destroy, 64 | .matchsize = sizeof(struct xt_state_info), 65 | .me = THIS_MODULE, 66 | }; 67 | 68 | static int __init state_mt_init(void) 69 | { 70 | return xt_register_match(&state_mt_reg); 71 | } 72 | 73 | static void __exit state_mt_exit(void) 74 | { 75 | xt_unregister_match(&state_mt_reg); 76 | } 77 | 78 | module_init(state_mt_init); 79 | module_exit(state_mt_exit); 80 | -------------------------------------------------------------------------------- /src/5.x/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for the linux networking. 3 | # 4 | # 2 Sep 2000, Christoph Hellwig 5 | # Rewritten to use lists instead of if-statements. 6 | # 7 | 8 | 9 | obj-y += lib/ 10 | obj-y += net/ 11 | -------------------------------------------------------------------------------- /src/5.x/defines: -------------------------------------------------------------------------------- 1 | CONFIG_NETFILTER=m 2 | CONFIG_NETFILTER_XT_CONNMARK=m 3 | CONFIG_NETFILTER_XT_MATCH_COMMENT=m 4 | nCONFIG_NETFILTER_XT_MATCH_SOCKET=m 5 | CONFIG_NETFILTER_XT_MATCH_STRING=m 6 | CONFIG_NETFILTER_TPROXY=m 7 | nCONFIG_NETFILTER_XT_TARGET_TPROXY=m 8 | CONFIG_NETFILTER_XT_MATCH_OWNER=m 9 | 10 | CONFIG_INET=m 11 | nCONFIG_NF_SOCKET_IPV4=m 12 | nCONFIG_NF_TPROXY_IPV4=m 13 | 14 | CONFIG_NET=m 15 | nCONFIG_NF_SOCKET_IPV6=m 16 | nCONFIG_NF_TPROXY_IPV6=m 17 | CONFIG_IP6_NF_NAT=m 18 | CONFIG_IP6_NF_RAW=m 19 | CONFIG_NF_NAT_IPV6=m 20 | 21 | CONFIG_TEXTSEARCH=m 22 | CONFIG_TEXTSEARCH_BM=m -------------------------------------------------------------------------------- /src/5.x/net/ipv4/netfilter/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0 2 | # 3 | # Makefile for the netfilter modules on top of IPv4. 4 | # 5 | 6 | # defrag 7 | obj-$(CONFIG_NF_DEFRAG_IPV4) += nf_defrag_ipv4.o 8 | 9 | obj-$(CONFIG_NF_SOCKET_IPV4) += nf_socket_ipv4.o 10 | obj-$(CONFIG_NF_TPROXY_IPV4) += nf_tproxy_ipv4.o 11 | 12 | # logging 13 | obj-$(CONFIG_NF_LOG_ARP) += nf_log_arp.o 14 | obj-$(CONFIG_NF_LOG_IPV4) += nf_log_ipv4.o 15 | 16 | # reject 17 | obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o 18 | 19 | # NAT helpers (nf_conntrack) 20 | obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o 21 | obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o 22 | 23 | nf_nat_snmp_basic-y := nf_nat_snmp_basic.asn1.o nf_nat_snmp_basic_main.o 24 | $(obj)/nf_nat_snmp_basic_main.o: $(obj)/nf_nat_snmp_basic.asn1.h 25 | obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o 26 | 27 | obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o 28 | obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o 29 | obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o 30 | 31 | # flow table support 32 | obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o 33 | 34 | # generic IP tables 35 | obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o 36 | 37 | # the three instances of ip_tables 38 | obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o 39 | obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o 40 | obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o 41 | obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o 42 | obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o 43 | 44 | # matches 45 | obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o 46 | obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o 47 | 48 | # targets 49 | obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o 50 | obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o 51 | obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o 52 | obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o 53 | 54 | # generic ARP tables 55 | obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o 56 | obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o 57 | 58 | # just filtering instance of ARP tables for now 59 | obj-$(CONFIG_IP_NF_ARPFILTER) += arptable_filter.o 60 | 61 | obj-$(CONFIG_NF_DUP_IPV4) += nf_dup_ipv4.o 62 | -------------------------------------------------------------------------------- /src/5.x/net/ipv4/netfilter/nf_flow_table_ipv4.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | static struct nf_flowtable_type flowtable_ipv4 = { 10 | .family = NFPROTO_IPV4, 11 | .init = nf_flow_table_init, 12 | .setup = nf_flow_table_offload_setup, 13 | .action = nf_flow_rule_route_ipv4, 14 | .free = nf_flow_table_free, 15 | .hook = nf_flow_offload_ip_hook, 16 | .owner = THIS_MODULE, 17 | }; 18 | 19 | static int __init nf_flow_ipv4_module_init(void) 20 | { 21 | nft_register_flowtable_type(&flowtable_ipv4); 22 | 23 | return 0; 24 | } 25 | 26 | static void __exit nf_flow_ipv4_module_exit(void) 27 | { 28 | nft_unregister_flowtable_type(&flowtable_ipv4); 29 | } 30 | 31 | module_init(nf_flow_ipv4_module_init); 32 | module_exit(nf_flow_ipv4_module_exit); 33 | 34 | MODULE_LICENSE("GPL"); 35 | MODULE_AUTHOR("Pablo Neira Ayuso "); 36 | MODULE_ALIAS_NF_FLOWTABLE(AF_INET); 37 | MODULE_DESCRIPTION("Netfilter flow table support"); 38 | -------------------------------------------------------------------------------- /src/5.x/net/ipv4/netfilter/nft_reject_ipv4.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Copyright (c) 2008-2009 Patrick McHardy 4 | * Copyright (c) 2013 Eric Leblond 5 | * 6 | * Development of this code funded by Astaro AG (http://www.astaro.com/) 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | static void nft_reject_ipv4_eval(const struct nft_expr *expr, 20 | struct nft_regs *regs, 21 | const struct nft_pktinfo *pkt) 22 | { 23 | struct nft_reject *priv = nft_expr_priv(expr); 24 | 25 | switch (priv->type) { 26 | case NFT_REJECT_ICMP_UNREACH: 27 | nf_send_unreach(pkt->skb, priv->icmp_code, nft_hook(pkt)); 28 | break; 29 | case NFT_REJECT_TCP_RST: 30 | nf_send_reset(nft_net(pkt), pkt->skb, nft_hook(pkt)); 31 | break; 32 | default: 33 | break; 34 | } 35 | 36 | regs->verdict.code = NF_DROP; 37 | } 38 | 39 | static struct nft_expr_type nft_reject_ipv4_type; 40 | static const struct nft_expr_ops nft_reject_ipv4_ops = { 41 | .type = &nft_reject_ipv4_type, 42 | .size = NFT_EXPR_SIZE(sizeof(struct nft_reject)), 43 | .eval = nft_reject_ipv4_eval, 44 | .init = nft_reject_init, 45 | .dump = nft_reject_dump, 46 | .validate = nft_reject_validate, 47 | }; 48 | 49 | static struct nft_expr_type nft_reject_ipv4_type __read_mostly = { 50 | .family = NFPROTO_IPV4, 51 | .name = "reject", 52 | .ops = &nft_reject_ipv4_ops, 53 | .policy = nft_reject_policy, 54 | .maxattr = NFTA_REJECT_MAX, 55 | .owner = THIS_MODULE, 56 | }; 57 | 58 | static int __init nft_reject_ipv4_module_init(void) 59 | { 60 | return nft_register_expr(&nft_reject_ipv4_type); 61 | } 62 | 63 | static void __exit nft_reject_ipv4_module_exit(void) 64 | { 65 | nft_unregister_expr(&nft_reject_ipv4_type); 66 | } 67 | 68 | module_init(nft_reject_ipv4_module_init); 69 | module_exit(nft_reject_ipv4_module_exit); 70 | 71 | MODULE_LICENSE("GPL"); 72 | MODULE_AUTHOR("Patrick McHardy "); 73 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject"); 74 | MODULE_DESCRIPTION("IPv4 packet rejection for nftables"); 75 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0 2 | # 3 | # Makefile for the Linux TCP/IP (INET6) layer. 4 | # 5 | 6 | #obj-$(CONFIG_IPV6) += ipv6.o 7 | # 8 | #ipv6-objs := af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o \ 9 | # addrlabel.o \ 10 | # route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o udplite.o \ 11 | # raw.o icmp.o mcast.o reassembly.o tcp_ipv6.o ping.o \ 12 | # exthdrs.o datagram.o ip6_flowlabel.o inet6_connection_sock.o \ 13 | # udp_offload.o seg6.o fib6_notifier.o rpl.o 14 | ipv6-objs := udp.o 15 | # 16 | #ipv6-offload := ip6_offload.o tcpv6_offload.o exthdrs_offload.o 17 | # 18 | #ipv6-$(CONFIG_SYSCTL) = sysctl_net_ipv6.o 19 | #ipv6-$(CONFIG_IPV6_MROUTE) += ip6mr.o 20 | # 21 | #ipv6-$(CONFIG_XFRM) += xfrm6_policy.o xfrm6_state.o xfrm6_input.o \ 22 | # xfrm6_output.o xfrm6_protocol.o 23 | #ipv6-$(CONFIG_NETFILTER) += netfilter.o 24 | #ipv6-$(CONFIG_IPV6_MULTIPLE_TABLES) += fib6_rules.o 25 | #ipv6-$(CONFIG_PROC_FS) += proc.o 26 | #ipv6-$(CONFIG_SYN_COOKIES) += syncookies.o 27 | #ipv6-$(CONFIG_NETLABEL) += calipso.o 28 | #ipv6-$(CONFIG_IPV6_SEG6_LWTUNNEL) += seg6_iptunnel.o seg6_local.o 29 | #ipv6-$(CONFIG_IPV6_SEG6_HMAC) += seg6_hmac.o 30 | #ipv6-$(CONFIG_IPV6_RPL_LWTUNNEL) += rpl_iptunnel.o 31 | # 32 | #ipv6-objs += $(ipv6-y) 33 | # 34 | #obj-$(CONFIG_INET6_AH) += ah6.o 35 | #obj-$(CONFIG_INET6_ESP) += esp6.o 36 | #obj-$(CONFIG_INET6_ESP_OFFLOAD) += esp6_offload.o 37 | #obj-$(CONFIG_INET6_IPCOMP) += ipcomp6.o 38 | #obj-$(CONFIG_INET6_XFRM_TUNNEL) += xfrm6_tunnel.o 39 | #obj-$(CONFIG_INET6_TUNNEL) += tunnel6.o 40 | #obj-$(CONFIG_IPV6_MIP6) += mip6.o 41 | #obj-$(CONFIG_IPV6_ILA) += ila/ 42 | obj-$(CONFIG_NETFILTER) += netfilter/ 43 | # 44 | #obj-$(CONFIG_IPV6_VTI) += ip6_vti.o 45 | #obj-$(CONFIG_IPV6_SIT) += sit.o 46 | #obj-$(CONFIG_IPV6_TUNNEL) += ip6_tunnel.o 47 | #obj-$(CONFIG_IPV6_GRE) += ip6_gre.o 48 | #obj-$(CONFIG_IPV6_FOU) += fou6.o 49 | # 50 | #obj-y += addrconf_core.o exthdrs_core.o ip6_checksum.o ip6_icmp.o 51 | #obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload) 52 | # 53 | #obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o 54 | # 55 | #ifneq ($(CONFIG_IPV6),) 56 | #obj-$(CONFIG_NET_UDP_TUNNEL) += ip6_udp_tunnel.o 57 | #obj-y += mcast_snoop.o 58 | #endif 59 | # -------------------------------------------------------------------------------- /src/5.x/net/ipv6/netfilter/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0 2 | # 3 | # Makefile for the netfilter modules on top of IPv6. 4 | # 5 | 6 | # Link order matters here. 7 | obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o 8 | obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o 9 | obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o 10 | obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o 11 | obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o 12 | obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o 13 | 14 | # defrag 15 | nf_defrag_ipv6-y := nf_defrag_ipv6_hooks.o nf_conntrack_reasm.o 16 | obj-$(CONFIG_NF_DEFRAG_IPV6) += nf_defrag_ipv6.o 17 | 18 | ifeq ($(CONFIG_NF_SOCKET_IPV6),m) 19 | EXTRA_CFLAGS+=-DCONFIG_NF_SOCKET_IPV6=m 20 | endif 21 | ifeq ($(CONFIG_NF_TPROXY_IPV6),m) 22 | EXTRA_CFLAGS+=-DCONFIG_NF_TPROXY_IPV6=m 23 | endif 24 | obj-$(CONFIG_NF_SOCKET_IPV6) += nf_socket_ipv6.o 25 | obj-$(CONFIG_NF_TPROXY_IPV6) += nf_tproxy_ipv6.o 26 | 27 | # logging 28 | obj-$(CONFIG_NF_LOG_IPV6) += nf_log_ipv6.o 29 | 30 | # reject 31 | obj-$(CONFIG_NF_REJECT_IPV6) += nf_reject_ipv6.o 32 | 33 | obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o 34 | 35 | # nf_tables 36 | obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o 37 | obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o 38 | obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o 39 | 40 | # flow table support 41 | obj-$(CONFIG_NF_FLOW_TABLE_IPV6) += nf_flow_table_ipv6.o 42 | 43 | # matches 44 | obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o 45 | obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o 46 | obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o 47 | obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o 48 | obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o 49 | obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o 50 | obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o 51 | obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o 52 | obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o 53 | 54 | # targets 55 | obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o 56 | obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o 57 | obj-$(CONFIG_IP6_NF_TARGET_SYNPROXY) += ip6t_SYNPROXY.o 58 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/netfilter/ip6t_eui64.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Kernel module to match EUI64 address parameters. */ 3 | 4 | /* (C) 2001-2002 Andras Kis-Szabo 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | 15 | MODULE_DESCRIPTION("Xtables: IPv6 EUI64 address match"); 16 | MODULE_LICENSE("GPL"); 17 | MODULE_AUTHOR("Andras Kis-Szabo "); 18 | 19 | static bool 20 | eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) 21 | { 22 | unsigned char eui64[8]; 23 | 24 | if (!(skb_mac_header(skb) >= skb->head && 25 | skb_mac_header(skb) + ETH_HLEN <= skb->data) && 26 | par->fragoff != 0) { 27 | par->hotdrop = true; 28 | return false; 29 | } 30 | 31 | memset(eui64, 0, sizeof(eui64)); 32 | 33 | if (eth_hdr(skb)->h_proto == htons(ETH_P_IPV6)) { 34 | if (ipv6_hdr(skb)->version == 0x6) { 35 | memcpy(eui64, eth_hdr(skb)->h_source, 3); 36 | memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); 37 | eui64[3] = 0xff; 38 | eui64[4] = 0xfe; 39 | eui64[0] ^= 0x02; 40 | 41 | if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64, 42 | sizeof(eui64))) 43 | return true; 44 | } 45 | } 46 | 47 | return false; 48 | } 49 | 50 | static struct xt_match eui64_mt6_reg __read_mostly = { 51 | .name = "eui64", 52 | .family = NFPROTO_IPV6, 53 | .match = eui64_mt6, 54 | .matchsize = sizeof(int), 55 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 56 | (1 << NF_INET_FORWARD), 57 | .me = THIS_MODULE, 58 | }; 59 | 60 | static int __init eui64_mt6_init(void) 61 | { 62 | return xt_register_match(&eui64_mt6_reg); 63 | } 64 | 65 | static void __exit eui64_mt6_exit(void) 66 | { 67 | xt_unregister_match(&eui64_mt6_reg); 68 | } 69 | 70 | module_init(eui64_mt6_init); 71 | module_exit(eui64_mt6_exit); 72 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/netfilter/nf_dup_ipv6.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * (C) 2007 by Sebastian Claßen 4 | * (C) 2007-2010 by Jan Engelhardt 5 | * 6 | * Extracted from xt_TEE.c 7 | */ 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) 16 | #include 17 | #endif 18 | 19 | static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb, 20 | const struct in6_addr *gw, int oif) 21 | { 22 | const struct ipv6hdr *iph = ipv6_hdr(skb); 23 | struct dst_entry *dst; 24 | struct flowi6 fl6; 25 | 26 | memset(&fl6, 0, sizeof(fl6)); 27 | if (oif != -1) 28 | fl6.flowi6_oif = oif; 29 | 30 | fl6.daddr = *gw; 31 | fl6.flowlabel = (__force __be32)(((iph->flow_lbl[0] & 0xF) << 16) | 32 | (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]); 33 | fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH; 34 | dst = ip6_route_output(net, NULL, &fl6); 35 | if (dst->error) { 36 | dst_release(dst); 37 | return false; 38 | } 39 | skb_dst_drop(skb); 40 | skb_dst_set(skb, dst); 41 | skb->dev = dst->dev; 42 | skb->protocol = htons(ETH_P_IPV6); 43 | 44 | return true; 45 | } 46 | 47 | void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, 48 | const struct in6_addr *gw, int oif) 49 | { 50 | if (this_cpu_read(nf_skb_duplicated)) 51 | return; 52 | skb = pskb_copy(skb, GFP_ATOMIC); 53 | if (skb == NULL) 54 | return; 55 | 56 | #if IS_ENABLED(CONFIG_NF_CONNTRACK) 57 | nf_reset_ct(skb); 58 | nf_ct_set(skb, NULL, IP_CT_UNTRACKED); 59 | #endif 60 | if (hooknum == NF_INET_PRE_ROUTING || 61 | hooknum == NF_INET_LOCAL_IN) { 62 | struct ipv6hdr *iph = ipv6_hdr(skb); 63 | --iph->hop_limit; 64 | } 65 | if (nf_dup_ipv6_route(net, skb, gw, oif)) { 66 | __this_cpu_write(nf_skb_duplicated, true); 67 | ip6_local_out(net, skb->sk, skb); 68 | __this_cpu_write(nf_skb_duplicated, false); 69 | } else { 70 | kfree_skb(skb); 71 | } 72 | } 73 | EXPORT_SYMBOL_GPL(nf_dup_ipv6); 74 | 75 | MODULE_AUTHOR("Sebastian Claßen "); 76 | MODULE_AUTHOR("Jan Engelhardt "); 77 | MODULE_DESCRIPTION("nf_dup_ipv6: IPv6 packet duplication"); 78 | MODULE_LICENSE("GPL"); 79 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/netfilter/nf_flow_table_ipv6.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | static struct nf_flowtable_type flowtable_ipv6 = { 11 | .family = NFPROTO_IPV6, 12 | .init = nf_flow_table_init, 13 | .setup = nf_flow_table_offload_setup, 14 | .action = nf_flow_rule_route_ipv6, 15 | .free = nf_flow_table_free, 16 | .hook = nf_flow_offload_ipv6_hook, 17 | .owner = THIS_MODULE, 18 | }; 19 | 20 | static int __init nf_flow_ipv6_module_init(void) 21 | { 22 | nft_register_flowtable_type(&flowtable_ipv6); 23 | 24 | return 0; 25 | } 26 | 27 | static void __exit nf_flow_ipv6_module_exit(void) 28 | { 29 | nft_unregister_flowtable_type(&flowtable_ipv6); 30 | } 31 | 32 | module_init(nf_flow_ipv6_module_init); 33 | module_exit(nf_flow_ipv6_module_exit); 34 | 35 | MODULE_LICENSE("GPL"); 36 | MODULE_AUTHOR("Pablo Neira Ayuso "); 37 | MODULE_ALIAS_NF_FLOWTABLE(AF_INET6); 38 | MODULE_DESCRIPTION("Netfilter flow table IPv6 module"); 39 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/netfilter/nft_reject_ipv6.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Copyright (c) 2008-2009 Patrick McHardy 4 | * Copyright (c) 2013 Eric Leblond 5 | * 6 | * Development of this code funded by Astaro AG (http://www.astaro.com/) 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | static void nft_reject_ipv6_eval(const struct nft_expr *expr, 20 | struct nft_regs *regs, 21 | const struct nft_pktinfo *pkt) 22 | { 23 | struct nft_reject *priv = nft_expr_priv(expr); 24 | 25 | switch (priv->type) { 26 | case NFT_REJECT_ICMP_UNREACH: 27 | nf_send_unreach6(nft_net(pkt), pkt->skb, priv->icmp_code, 28 | nft_hook(pkt)); 29 | break; 30 | case NFT_REJECT_TCP_RST: 31 | nf_send_reset6(nft_net(pkt), pkt->skb, nft_hook(pkt)); 32 | break; 33 | default: 34 | break; 35 | } 36 | 37 | regs->verdict.code = NF_DROP; 38 | } 39 | 40 | static struct nft_expr_type nft_reject_ipv6_type; 41 | static const struct nft_expr_ops nft_reject_ipv6_ops = { 42 | .type = &nft_reject_ipv6_type, 43 | .size = NFT_EXPR_SIZE(sizeof(struct nft_reject)), 44 | .eval = nft_reject_ipv6_eval, 45 | .init = nft_reject_init, 46 | .dump = nft_reject_dump, 47 | .validate = nft_reject_validate, 48 | }; 49 | 50 | static struct nft_expr_type nft_reject_ipv6_type __read_mostly = { 51 | .family = NFPROTO_IPV6, 52 | .name = "reject", 53 | .ops = &nft_reject_ipv6_ops, 54 | .policy = nft_reject_policy, 55 | .maxattr = NFTA_REJECT_MAX, 56 | .owner = THIS_MODULE, 57 | }; 58 | 59 | static int __init nft_reject_ipv6_module_init(void) 60 | { 61 | return nft_register_expr(&nft_reject_ipv6_type); 62 | } 63 | 64 | static void __exit nft_reject_ipv6_module_exit(void) 65 | { 66 | nft_unregister_expr(&nft_reject_ipv6_type); 67 | } 68 | 69 | module_init(nft_reject_ipv6_module_init); 70 | module_exit(nft_reject_ipv6_module_exit); 71 | 72 | MODULE_LICENSE("GPL"); 73 | MODULE_AUTHOR("Patrick McHardy "); 74 | MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject"); 75 | MODULE_DESCRIPTION("IPv6 packet rejection for nftables"); 76 | -------------------------------------------------------------------------------- /src/5.x/net/ipv6/udp_impl.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0 */ 2 | #ifndef _UDP6_IMPL_H 3 | #define _UDP6_IMPL_H 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int __udp6_lib_rcv(struct sk_buff *, struct udp_table *, int); 12 | int __udp6_lib_err(struct sk_buff *, struct inet6_skb_parm *, u8, u8, int, 13 | __be32, struct udp_table *); 14 | 15 | int udp_v6_get_port(struct sock *sk, unsigned short snum); 16 | void udp_v6_rehash(struct sock *sk); 17 | 18 | int udpv6_getsockopt(struct sock *sk, int level, int optname, 19 | char __user *optval, int __user *optlen); 20 | int udpv6_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval, 21 | unsigned int optlen); 22 | int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len); 23 | int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, 24 | int flags, int *addr_len); 25 | void udpv6_destroy_sock(struct sock *sk); 26 | 27 | #ifdef CONFIG_PROC_FS 28 | int udp6_seq_show(struct seq_file *seq, void *v); 29 | #endif 30 | #endif /* _UDP6_IMPL_H */ 31 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/ipset/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0 2 | # 3 | # Makefile for the ipset modules 4 | # 5 | 6 | ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o 7 | 8 | # ipset core 9 | obj-$(CONFIG_IP_SET) += ip_set.o 10 | 11 | # bitmap types 12 | obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o 13 | obj-$(CONFIG_IP_SET_BITMAP_IPMAC) += ip_set_bitmap_ipmac.o 14 | obj-$(CONFIG_IP_SET_BITMAP_PORT) += ip_set_bitmap_port.o 15 | 16 | # hash types 17 | obj-$(CONFIG_IP_SET_HASH_IP) += ip_set_hash_ip.o 18 | obj-$(CONFIG_IP_SET_HASH_IPMAC) += ip_set_hash_ipmac.o 19 | obj-$(CONFIG_IP_SET_HASH_IPMARK) += ip_set_hash_ipmark.o 20 | obj-$(CONFIG_IP_SET_HASH_IPPORT) += ip_set_hash_ipport.o 21 | obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o 22 | obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o 23 | obj-$(CONFIG_IP_SET_HASH_MAC) += ip_set_hash_mac.o 24 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o 25 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o 26 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o 27 | obj-$(CONFIG_IP_SET_HASH_NETNET) += ip_set_hash_netnet.o 28 | obj-$(CONFIG_IP_SET_HASH_NETPORTNET) += ip_set_hash_netportnet.o 29 | 30 | # list types 31 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o 32 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/ipvs/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0 2 | # 3 | # Makefile for the IPVS modules on top of IPv4. 4 | # 5 | 6 | # IPVS transport protocol load balancing support 7 | ip_vs_proto-objs-y := 8 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_TCP) += ip_vs_proto_tcp.o 9 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_UDP) += ip_vs_proto_udp.o 10 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_AH_ESP) += ip_vs_proto_ah_esp.o 11 | ip_vs_proto-objs-$(CONFIG_IP_VS_PROTO_SCTP) += ip_vs_proto_sctp.o 12 | 13 | ip_vs-extra_objs-y := 14 | ip_vs-extra_objs-$(CONFIG_IP_VS_NFCT) += ip_vs_nfct.o 15 | 16 | ip_vs-objs := ip_vs_conn.o ip_vs_core.o ip_vs_ctl.o ip_vs_sched.o \ 17 | ip_vs_xmit.o ip_vs_app.o ip_vs_sync.o \ 18 | ip_vs_est.o ip_vs_proto.o ip_vs_pe.o \ 19 | $(ip_vs_proto-objs-y) $(ip_vs-extra_objs-y) 20 | 21 | 22 | # IPVS core 23 | obj-$(CONFIG_IP_VS) += ip_vs.o 24 | 25 | # IPVS schedulers 26 | obj-$(CONFIG_IP_VS_RR) += ip_vs_rr.o 27 | obj-$(CONFIG_IP_VS_WRR) += ip_vs_wrr.o 28 | obj-$(CONFIG_IP_VS_LC) += ip_vs_lc.o 29 | obj-$(CONFIG_IP_VS_WLC) += ip_vs_wlc.o 30 | obj-$(CONFIG_IP_VS_FO) += ip_vs_fo.o 31 | obj-$(CONFIG_IP_VS_OVF) += ip_vs_ovf.o 32 | obj-$(CONFIG_IP_VS_LBLC) += ip_vs_lblc.o 33 | obj-$(CONFIG_IP_VS_LBLCR) += ip_vs_lblcr.o 34 | obj-$(CONFIG_IP_VS_DH) += ip_vs_dh.o 35 | obj-$(CONFIG_IP_VS_SH) += ip_vs_sh.o 36 | obj-$(CONFIG_IP_VS_MH) += ip_vs_mh.o 37 | obj-$(CONFIG_IP_VS_SED) += ip_vs_sed.o 38 | obj-$(CONFIG_IP_VS_NQ) += ip_vs_nq.o 39 | 40 | # IPVS application helpers 41 | obj-$(CONFIG_IP_VS_FTP) += ip_vs_ftp.o 42 | 43 | # IPVS connection template retrievers 44 | obj-$(CONFIG_IP_VS_PE_SIP) += ip_vs_pe_sip.o 45 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/ipvs/ip_vs_fo.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * IPVS: Weighted Fail Over module 4 | * 5 | * Authors: Kenny Mathis 6 | * 7 | * Changes: 8 | * Kenny Mathis : added initial functionality based on weight 9 | */ 10 | 11 | #define KMSG_COMPONENT "IPVS" 12 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 13 | 14 | #include 15 | #include 16 | 17 | #include 18 | 19 | /* Weighted Fail Over Module */ 20 | static struct ip_vs_dest * 21 | ip_vs_fo_schedule(struct ip_vs_service *svc, const struct sk_buff *skb, 22 | struct ip_vs_iphdr *iph) 23 | { 24 | struct ip_vs_dest *dest, *hweight = NULL; 25 | int hw = 0; /* Track highest weight */ 26 | 27 | IP_VS_DBG(6, "ip_vs_fo_schedule(): Scheduling...\n"); 28 | 29 | /* Basic failover functionality 30 | * Find virtual server with highest weight and send it traffic 31 | */ 32 | list_for_each_entry_rcu(dest, &svc->destinations, n_list) { 33 | if (!(dest->flags & IP_VS_DEST_F_OVERLOAD) && 34 | atomic_read(&dest->weight) > hw) { 35 | hweight = dest; 36 | hw = atomic_read(&dest->weight); 37 | } 38 | } 39 | 40 | if (hweight) { 41 | IP_VS_DBG_BUF(6, "FO: server %s:%u activeconns %d weight %d\n", 42 | IP_VS_DBG_ADDR(hweight->af, &hweight->addr), 43 | ntohs(hweight->port), 44 | atomic_read(&hweight->activeconns), 45 | atomic_read(&hweight->weight)); 46 | return hweight; 47 | } 48 | 49 | ip_vs_scheduler_err(svc, "no destination available"); 50 | return NULL; 51 | } 52 | 53 | static struct ip_vs_scheduler ip_vs_fo_scheduler = { 54 | .name = "fo", 55 | .refcnt = ATOMIC_INIT(0), 56 | .module = THIS_MODULE, 57 | .n_list = LIST_HEAD_INIT(ip_vs_fo_scheduler.n_list), 58 | .schedule = ip_vs_fo_schedule, 59 | }; 60 | 61 | static int __init ip_vs_fo_init(void) 62 | { 63 | return register_ip_vs_scheduler(&ip_vs_fo_scheduler); 64 | } 65 | 66 | static void __exit ip_vs_fo_cleanup(void) 67 | { 68 | unregister_ip_vs_scheduler(&ip_vs_fo_scheduler); 69 | synchronize_rcu(); 70 | } 71 | 72 | module_init(ip_vs_fo_init); 73 | module_exit(ip_vs_fo_cleanup); 74 | MODULE_LICENSE("GPL"); 75 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/ipvs/ip_vs_ovf.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * IPVS: Overflow-Connection Scheduling module 4 | * 5 | * Authors: Raducu Deaconu 6 | * 7 | * Scheduler implements "overflow" loadbalancing according to number of active 8 | * connections , will keep all connections to the node with the highest weight 9 | * and overflow to the next node if the number of connections exceeds the node's 10 | * weight. 11 | * Note that this scheduler might not be suitable for UDP because it only uses 12 | * active connections 13 | */ 14 | 15 | #define KMSG_COMPONENT "IPVS" 16 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 17 | 18 | #include 19 | #include 20 | 21 | #include 22 | 23 | /* OVF Connection scheduling */ 24 | static struct ip_vs_dest * 25 | ip_vs_ovf_schedule(struct ip_vs_service *svc, const struct sk_buff *skb, 26 | struct ip_vs_iphdr *iph) 27 | { 28 | struct ip_vs_dest *dest, *h = NULL; 29 | int hw = 0, w; 30 | 31 | IP_VS_DBG(6, "ip_vs_ovf_schedule(): Scheduling...\n"); 32 | /* select the node with highest weight, go to next in line if active 33 | * connections exceed weight 34 | */ 35 | list_for_each_entry_rcu(dest, &svc->destinations, n_list) { 36 | w = atomic_read(&dest->weight); 37 | if ((dest->flags & IP_VS_DEST_F_OVERLOAD) || 38 | atomic_read(&dest->activeconns) > w || 39 | w == 0) 40 | continue; 41 | if (!h || w > hw) { 42 | h = dest; 43 | hw = w; 44 | } 45 | } 46 | 47 | if (h) { 48 | IP_VS_DBG_BUF(6, "OVF: server %s:%u active %d w %d\n", 49 | IP_VS_DBG_ADDR(h->af, &h->addr), 50 | ntohs(h->port), 51 | atomic_read(&h->activeconns), 52 | atomic_read(&h->weight)); 53 | return h; 54 | } 55 | 56 | ip_vs_scheduler_err(svc, "no destination available"); 57 | return NULL; 58 | } 59 | 60 | static struct ip_vs_scheduler ip_vs_ovf_scheduler = { 61 | .name = "ovf", 62 | .refcnt = ATOMIC_INIT(0), 63 | .module = THIS_MODULE, 64 | .n_list = LIST_HEAD_INIT(ip_vs_ovf_scheduler.n_list), 65 | .schedule = ip_vs_ovf_schedule, 66 | }; 67 | 68 | static int __init ip_vs_ovf_init(void) 69 | { 70 | return register_ip_vs_scheduler(&ip_vs_ovf_scheduler); 71 | } 72 | 73 | static void __exit ip_vs_ovf_cleanup(void) 74 | { 75 | unregister_ip_vs_scheduler(&ip_vs_ovf_scheduler); 76 | synchronize_rcu(); 77 | } 78 | 79 | module_init(ip_vs_ovf_init); 80 | module_exit(ip_vs_ovf_cleanup); 81 | MODULE_LICENSE("GPL"); 82 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_acct.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Accouting handling for netfilter. */ 3 | 4 | /* 5 | * (C) 2008 Krzysztof Piotr Oledzki 6 | */ 7 | 8 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | static bool nf_ct_acct __read_mostly; 21 | 22 | module_param_named(acct, nf_ct_acct, bool, 0644); 23 | MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); 24 | 25 | static const struct nf_ct_ext_type acct_extend = { 26 | .len = sizeof(struct nf_conn_acct), 27 | .align = __alignof__(struct nf_conn_acct), 28 | .id = NF_CT_EXT_ACCT, 29 | }; 30 | 31 | void nf_conntrack_acct_pernet_init(struct net *net) 32 | { 33 | net->ct.sysctl_acct = nf_ct_acct; 34 | } 35 | 36 | int nf_conntrack_acct_init(void) 37 | { 38 | int ret = nf_ct_extend_register(&acct_extend); 39 | if (ret < 0) 40 | pr_err("Unable to register extension\n"); 41 | return ret; 42 | } 43 | 44 | void nf_conntrack_acct_fini(void) 45 | { 46 | nf_ct_extend_unregister(&acct_extend); 47 | } 48 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_broadcast.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * broadcast connection tracking helper 4 | * 5 | * (c) 2005 Patrick McHardy 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | int nf_conntrack_broadcast_help(struct sk_buff *skb, 19 | struct nf_conn *ct, 20 | enum ip_conntrack_info ctinfo, 21 | unsigned int timeout) 22 | { 23 | struct nf_conntrack_expect *exp; 24 | struct iphdr *iph = ip_hdr(skb); 25 | struct rtable *rt = skb_rtable(skb); 26 | struct in_device *in_dev; 27 | struct nf_conn_help *help = nfct_help(ct); 28 | __be32 mask = 0; 29 | 30 | /* we're only interested in locally generated packets */ 31 | if (skb->sk == NULL || !net_eq(nf_ct_net(ct), sock_net(skb->sk))) 32 | goto out; 33 | if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST)) 34 | goto out; 35 | if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) 36 | goto out; 37 | 38 | in_dev = __in_dev_get_rcu(rt->dst.dev); 39 | if (in_dev != NULL) { 40 | const struct in_ifaddr *ifa; 41 | 42 | in_dev_for_each_ifa_rcu(ifa, in_dev) { 43 | if (ifa->ifa_flags & IFA_F_SECONDARY) 44 | continue; 45 | 46 | if (ifa->ifa_broadcast == iph->daddr) { 47 | mask = ifa->ifa_mask; 48 | break; 49 | } 50 | } 51 | } 52 | 53 | if (mask == 0) 54 | goto out; 55 | 56 | exp = nf_ct_expect_alloc(ct); 57 | if (exp == NULL) 58 | goto out; 59 | 60 | exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; 61 | exp->tuple.src.u.udp.port = help->helper->tuple.src.u.udp.port; 62 | 63 | exp->mask.src.u3.ip = mask; 64 | exp->mask.src.u.udp.port = htons(0xFFFF); 65 | 66 | exp->expectfn = NULL; 67 | exp->flags = NF_CT_EXPECT_PERMANENT; 68 | exp->class = NF_CT_EXPECT_CLASS_DEFAULT; 69 | exp->helper = NULL; 70 | 71 | nf_ct_expect_related(exp, 0); 72 | nf_ct_expect_put(exp); 73 | 74 | nf_ct_refresh(ct, skb, timeout * HZ); 75 | out: 76 | return NF_ACCEPT; 77 | } 78 | EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help); 79 | 80 | MODULE_LICENSE("GPL"); 81 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_netbios_ns.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * NetBIOS name service broadcast connection tracking helper 4 | * 5 | * (c) 2005 Patrick McHardy 6 | */ 7 | /* 8 | * This helper tracks locally originating NetBIOS name service 9 | * requests by issuing permanent expectations (valid until 10 | * timing out) matching all reply connections from the 11 | * destination network. The only NetBIOS specific thing is 12 | * actually the port number. 13 | */ 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #define NMBD_PORT 137 24 | 25 | MODULE_AUTHOR("Patrick McHardy "); 26 | MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper"); 27 | MODULE_LICENSE("GPL"); 28 | MODULE_ALIAS("ip_conntrack_netbios_ns"); 29 | MODULE_ALIAS_NFCT_HELPER("netbios_ns"); 30 | 31 | static unsigned int timeout __read_mostly = 3; 32 | module_param(timeout, uint, 0400); 33 | MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); 34 | 35 | static struct nf_conntrack_expect_policy exp_policy = { 36 | .max_expected = 1, 37 | }; 38 | 39 | static int netbios_ns_help(struct sk_buff *skb, unsigned int protoff, 40 | struct nf_conn *ct, 41 | enum ip_conntrack_info ctinfo) 42 | { 43 | return nf_conntrack_broadcast_help(skb, ct, ctinfo, timeout); 44 | } 45 | 46 | static struct nf_conntrack_helper helper __read_mostly = { 47 | .name = "netbios-ns", 48 | .tuple.src.l3num = NFPROTO_IPV4, 49 | .tuple.src.u.udp.port = cpu_to_be16(NMBD_PORT), 50 | .tuple.dst.protonum = IPPROTO_UDP, 51 | .me = THIS_MODULE, 52 | .help = netbios_ns_help, 53 | .expect_policy = &exp_policy, 54 | }; 55 | 56 | static int __init nf_conntrack_netbios_ns_init(void) 57 | { 58 | NF_CT_HELPER_BUILD_BUG_ON(0); 59 | 60 | exp_policy.timeout = timeout; 61 | return nf_conntrack_helper_register(&helper); 62 | } 63 | 64 | static void __exit nf_conntrack_netbios_ns_fini(void) 65 | { 66 | nf_conntrack_helper_unregister(&helper); 67 | } 68 | 69 | module_init(nf_conntrack_netbios_ns_init); 70 | module_exit(nf_conntrack_netbios_ns_fini); 71 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_proto_generic.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* (C) 1999-2001 Paul `Rusty' Russell 3 | * (C) 2002-2004 Netfilter Core Team 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | static const unsigned int nf_ct_generic_timeout = 600*HZ; 14 | 15 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 16 | 17 | #include 18 | #include 19 | 20 | static int generic_timeout_nlattr_to_obj(struct nlattr *tb[], 21 | struct net *net, void *data) 22 | { 23 | struct nf_generic_net *gn = nf_generic_pernet(net); 24 | unsigned int *timeout = data; 25 | 26 | if (!timeout) 27 | timeout = &gn->timeout; 28 | 29 | if (tb[CTA_TIMEOUT_GENERIC_TIMEOUT]) 30 | *timeout = 31 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_GENERIC_TIMEOUT])) * HZ; 32 | else { 33 | /* Set default generic timeout. */ 34 | *timeout = gn->timeout; 35 | } 36 | 37 | return 0; 38 | } 39 | 40 | static int 41 | generic_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data) 42 | { 43 | const unsigned int *timeout = data; 44 | 45 | if (nla_put_be32(skb, CTA_TIMEOUT_GENERIC_TIMEOUT, htonl(*timeout / HZ))) 46 | goto nla_put_failure; 47 | 48 | return 0; 49 | 50 | nla_put_failure: 51 | return -ENOSPC; 52 | } 53 | 54 | static const struct nla_policy 55 | generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = { 56 | [CTA_TIMEOUT_GENERIC_TIMEOUT] = { .type = NLA_U32 }, 57 | }; 58 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 59 | 60 | void nf_conntrack_generic_init_net(struct net *net) 61 | { 62 | struct nf_generic_net *gn = nf_generic_pernet(net); 63 | 64 | gn->timeout = nf_ct_generic_timeout; 65 | } 66 | 67 | const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic = 68 | { 69 | .l4proto = 255, 70 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 71 | .ctnl_timeout = { 72 | .nlattr_to_obj = generic_timeout_nlattr_to_obj, 73 | .obj_to_nlattr = generic_timeout_obj_to_nlattr, 74 | .nlattr_max = CTA_TIMEOUT_GENERIC_MAX, 75 | .obj_size = sizeof(unsigned int), 76 | .nla_policy = generic_timeout_nla_policy, 77 | }, 78 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 79 | }; 80 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_snmp.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * SNMP service broadcast connection tracking helper 4 | * 5 | * (c) 2011 Jiri Olsa 6 | */ 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #define SNMP_PORT 161 18 | 19 | MODULE_AUTHOR("Jiri Olsa "); 20 | MODULE_DESCRIPTION("SNMP service broadcast connection tracking helper"); 21 | MODULE_LICENSE("GPL"); 22 | MODULE_ALIAS_NFCT_HELPER("snmp"); 23 | 24 | static unsigned int timeout __read_mostly = 30; 25 | module_param(timeout, uint, 0400); 26 | MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); 27 | 28 | int (*nf_nat_snmp_hook)(struct sk_buff *skb, 29 | unsigned int protoff, 30 | struct nf_conn *ct, 31 | enum ip_conntrack_info ctinfo); 32 | EXPORT_SYMBOL_GPL(nf_nat_snmp_hook); 33 | 34 | static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff, 35 | struct nf_conn *ct, 36 | enum ip_conntrack_info ctinfo) 37 | { 38 | typeof(nf_nat_snmp_hook) nf_nat_snmp; 39 | 40 | nf_conntrack_broadcast_help(skb, ct, ctinfo, timeout); 41 | 42 | nf_nat_snmp = rcu_dereference(nf_nat_snmp_hook); 43 | if (nf_nat_snmp && ct->status & IPS_NAT_MASK) 44 | return nf_nat_snmp(skb, protoff, ct, ctinfo); 45 | 46 | return NF_ACCEPT; 47 | } 48 | 49 | static struct nf_conntrack_expect_policy exp_policy = { 50 | .max_expected = 1, 51 | }; 52 | 53 | static struct nf_conntrack_helper helper __read_mostly = { 54 | .name = "snmp", 55 | .tuple.src.l3num = NFPROTO_IPV4, 56 | .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT), 57 | .tuple.dst.protonum = IPPROTO_UDP, 58 | .me = THIS_MODULE, 59 | .help = snmp_conntrack_help, 60 | .expect_policy = &exp_policy, 61 | }; 62 | 63 | static int __init nf_conntrack_snmp_init(void) 64 | { 65 | exp_policy.timeout = timeout; 66 | return nf_conntrack_helper_register(&helper); 67 | } 68 | 69 | static void __exit nf_conntrack_snmp_fini(void) 70 | { 71 | nf_conntrack_helper_unregister(&helper); 72 | } 73 | 74 | module_init(nf_conntrack_snmp_init); 75 | module_exit(nf_conntrack_snmp_fini); 76 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_conntrack_timestamp.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * (C) 2010 Pablo Neira Ayuso 4 | */ 5 | 6 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | static bool nf_ct_tstamp __read_mostly; 18 | 19 | module_param_named(tstamp, nf_ct_tstamp, bool, 0644); 20 | MODULE_PARM_DESC(tstamp, "Enable connection tracking flow timestamping."); 21 | 22 | static const struct nf_ct_ext_type tstamp_extend = { 23 | .len = sizeof(struct nf_conn_tstamp), 24 | .align = __alignof__(struct nf_conn_tstamp), 25 | .id = NF_CT_EXT_TSTAMP, 26 | }; 27 | 28 | void nf_conntrack_tstamp_pernet_init(struct net *net) 29 | { 30 | net->ct.sysctl_tstamp = nf_ct_tstamp; 31 | } 32 | 33 | int nf_conntrack_tstamp_init(void) 34 | { 35 | int ret; 36 | ret = nf_ct_extend_register(&tstamp_extend); 37 | if (ret < 0) 38 | pr_err("Unable to register extension\n"); 39 | return ret; 40 | } 41 | 42 | void nf_conntrack_tstamp_fini(void) 43 | { 44 | nf_ct_extend_unregister(&tstamp_extend); 45 | } 46 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_dup_netdev.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Copyright (c) 2015 Pablo Neira Ayuso 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev) 17 | { 18 | if (skb_mac_header_was_set(skb)) 19 | skb_push(skb, skb->mac_len); 20 | 21 | skb->dev = dev; 22 | skb->tstamp = 0; 23 | dev_queue_xmit(skb); 24 | } 25 | 26 | void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif) 27 | { 28 | struct net_device *dev; 29 | 30 | dev = dev_get_by_index_rcu(nft_net(pkt), oif); 31 | if (!dev) { 32 | kfree_skb(pkt->skb); 33 | return; 34 | } 35 | 36 | nf_do_netdev_egress(pkt->skb, dev); 37 | } 38 | EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress); 39 | 40 | void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif) 41 | { 42 | struct net_device *dev; 43 | struct sk_buff *skb; 44 | 45 | dev = dev_get_by_index_rcu(nft_net(pkt), oif); 46 | if (dev == NULL) 47 | return; 48 | 49 | skb = skb_clone(pkt->skb, GFP_ATOMIC); 50 | if (skb) 51 | nf_do_netdev_egress(skb, dev); 52 | } 53 | EXPORT_SYMBOL_GPL(nf_dup_netdev_egress); 54 | 55 | int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx, 56 | struct nft_flow_rule *flow, 57 | enum flow_action_id id, int oif) 58 | { 59 | struct flow_action_entry *entry; 60 | struct net_device *dev; 61 | 62 | /* nft_flow_rule_destroy() releases the reference on this device. */ 63 | dev = dev_get_by_index(ctx->net, oif); 64 | if (!dev) 65 | return -EOPNOTSUPP; 66 | 67 | entry = &flow->rule->action.entries[ctx->num_actions++]; 68 | entry->id = id; 69 | entry->dev = dev; 70 | 71 | return 0; 72 | } 73 | EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload); 74 | 75 | MODULE_LICENSE("GPL"); 76 | MODULE_AUTHOR("Pablo Neira Ayuso "); 77 | MODULE_DESCRIPTION("Netfilter packet duplication support"); 78 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_flow_table_inet.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | static unsigned int 11 | nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, 12 | const struct nf_hook_state *state) 13 | { 14 | switch (skb->protocol) { 15 | case htons(ETH_P_IP): 16 | return nf_flow_offload_ip_hook(priv, skb, state); 17 | case htons(ETH_P_IPV6): 18 | return nf_flow_offload_ipv6_hook(priv, skb, state); 19 | } 20 | 21 | return NF_ACCEPT; 22 | } 23 | 24 | static int nf_flow_rule_route_inet(struct net *net, 25 | const struct flow_offload *flow, 26 | enum flow_offload_tuple_dir dir, 27 | struct nf_flow_rule *flow_rule) 28 | { 29 | const struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple; 30 | int err; 31 | 32 | switch (flow_tuple->l3proto) { 33 | case NFPROTO_IPV4: 34 | err = nf_flow_rule_route_ipv4(net, flow, dir, flow_rule); 35 | break; 36 | case NFPROTO_IPV6: 37 | err = nf_flow_rule_route_ipv6(net, flow, dir, flow_rule); 38 | break; 39 | default: 40 | err = -1; 41 | break; 42 | } 43 | 44 | return err; 45 | } 46 | 47 | static struct nf_flowtable_type flowtable_inet = { 48 | .family = NFPROTO_INET, 49 | .init = nf_flow_table_init, 50 | .setup = nf_flow_table_offload_setup, 51 | .action = nf_flow_rule_route_inet, 52 | .free = nf_flow_table_free, 53 | .hook = nf_flow_offload_inet_hook, 54 | .owner = THIS_MODULE, 55 | }; 56 | 57 | static int __init nf_flow_inet_module_init(void) 58 | { 59 | nft_register_flowtable_type(&flowtable_inet); 60 | 61 | return 0; 62 | } 63 | 64 | static void __exit nf_flow_inet_module_exit(void) 65 | { 66 | nft_unregister_flowtable_type(&flowtable_inet); 67 | } 68 | 69 | module_init(nf_flow_inet_module_init); 70 | module_exit(nf_flow_inet_module_exit); 71 | 72 | MODULE_LICENSE("GPL"); 73 | MODULE_AUTHOR("Pablo Neira Ayuso "); 74 | MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */ 75 | MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module"); 76 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_internals.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0 */ 2 | #ifndef _NF_INTERNALS_H 3 | #define _NF_INTERNALS_H 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | /* nf_conntrack_netlink.c: applied on tuple filters */ 10 | #define CTA_FILTER_F_CTA_IP_SRC (1 << 0) 11 | #define CTA_FILTER_F_CTA_IP_DST (1 << 1) 12 | #define CTA_FILTER_F_CTA_TUPLE_ZONE (1 << 2) 13 | #define CTA_FILTER_F_CTA_PROTO_NUM (1 << 3) 14 | #define CTA_FILTER_F_CTA_PROTO_SRC_PORT (1 << 4) 15 | #define CTA_FILTER_F_CTA_PROTO_DST_PORT (1 << 5) 16 | #define CTA_FILTER_F_CTA_PROTO_ICMP_TYPE (1 << 6) 17 | #define CTA_FILTER_F_CTA_PROTO_ICMP_CODE (1 << 7) 18 | #define CTA_FILTER_F_CTA_PROTO_ICMP_ID (1 << 8) 19 | #define CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE (1 << 9) 20 | #define CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE (1 << 10) 21 | #define CTA_FILTER_F_CTA_PROTO_ICMPV6_ID (1 << 11) 22 | #define CTA_FILTER_F_MAX (1 << 12) 23 | #define CTA_FILTER_F_ALL (CTA_FILTER_F_MAX-1) 24 | #define CTA_FILTER_FLAG(ctattr) CTA_FILTER_F_ ## ctattr 25 | 26 | /* nf_queue.c */ 27 | void nf_queue_nf_hook_drop(struct net *net); 28 | 29 | /* nf_log.c */ 30 | int __init netfilter_log_init(void); 31 | 32 | /* core.c */ 33 | void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp, 34 | const struct nf_hook_ops *reg); 35 | int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp, 36 | const struct nf_hook_ops *reg); 37 | #endif 38 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_log_netdev.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * (C) 2016 by Pablo Neira Ayuso 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | 15 | static void nf_log_netdev_packet(struct net *net, u_int8_t pf, 16 | unsigned int hooknum, 17 | const struct sk_buff *skb, 18 | const struct net_device *in, 19 | const struct net_device *out, 20 | const struct nf_loginfo *loginfo, 21 | const char *prefix) 22 | { 23 | nf_log_l2packet(net, pf, skb->protocol, hooknum, skb, in, out, 24 | loginfo, prefix); 25 | } 26 | 27 | static struct nf_logger nf_netdev_logger __read_mostly = { 28 | .name = "nf_log_netdev", 29 | .type = NF_LOG_TYPE_LOG, 30 | .logfn = nf_log_netdev_packet, 31 | .me = THIS_MODULE, 32 | }; 33 | 34 | static int __net_init nf_log_netdev_net_init(struct net *net) 35 | { 36 | return nf_log_set(net, NFPROTO_NETDEV, &nf_netdev_logger); 37 | } 38 | 39 | static void __net_exit nf_log_netdev_net_exit(struct net *net) 40 | { 41 | nf_log_unset(net, &nf_netdev_logger); 42 | } 43 | 44 | static struct pernet_operations nf_log_netdev_net_ops = { 45 | .init = nf_log_netdev_net_init, 46 | .exit = nf_log_netdev_net_exit, 47 | }; 48 | 49 | static int __init nf_log_netdev_init(void) 50 | { 51 | int ret; 52 | 53 | /* Request to load the real packet loggers. */ 54 | nf_logger_request_module(NFPROTO_IPV4, NF_LOG_TYPE_LOG); 55 | nf_logger_request_module(NFPROTO_IPV6, NF_LOG_TYPE_LOG); 56 | nf_logger_request_module(NFPROTO_ARP, NF_LOG_TYPE_LOG); 57 | 58 | ret = register_pernet_subsys(&nf_log_netdev_net_ops); 59 | if (ret < 0) 60 | return ret; 61 | 62 | nf_log_register(NFPROTO_NETDEV, &nf_netdev_logger); 63 | return 0; 64 | } 65 | 66 | static void __exit nf_log_netdev_exit(void) 67 | { 68 | unregister_pernet_subsys(&nf_log_netdev_net_ops); 69 | nf_log_unregister(&nf_netdev_logger); 70 | } 71 | 72 | module_init(nf_log_netdev_init); 73 | module_exit(nf_log_netdev_exit); 74 | 75 | MODULE_AUTHOR("Pablo Neira Ayuso "); 76 | MODULE_DESCRIPTION("Netfilter netdev packet logging"); 77 | MODULE_LICENSE("GPL"); 78 | MODULE_ALIAS_NF_LOGGER(5, 0); /* NFPROTO_NETDEV */ 79 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nf_nat_tftp.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* (C) 2001-2002 Magnus Boden 3 | */ 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define NAT_HELPER_NAME "tftp" 14 | 15 | MODULE_AUTHOR("Magnus Boden "); 16 | MODULE_DESCRIPTION("TFTP NAT helper"); 17 | MODULE_LICENSE("GPL"); 18 | MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 19 | 20 | static struct nf_conntrack_nat_helper nat_helper_tftp = 21 | NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 22 | 23 | static unsigned int help(struct sk_buff *skb, 24 | enum ip_conntrack_info ctinfo, 25 | struct nf_conntrack_expect *exp) 26 | { 27 | const struct nf_conn *ct = exp->master; 28 | 29 | exp->saved_proto.udp.port 30 | = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; 31 | exp->dir = IP_CT_DIR_REPLY; 32 | exp->expectfn = nf_nat_follow_master; 33 | if (nf_ct_expect_related(exp, 0) != 0) { 34 | nf_ct_helper_log(skb, exp->master, "cannot add expectation"); 35 | return NF_DROP; 36 | } 37 | return NF_ACCEPT; 38 | } 39 | 40 | static void __exit nf_nat_tftp_fini(void) 41 | { 42 | nf_nat_helper_unregister(&nat_helper_tftp); 43 | RCU_INIT_POINTER(nf_nat_tftp_hook, NULL); 44 | synchronize_rcu(); 45 | } 46 | 47 | static int __init nf_nat_tftp_init(void) 48 | { 49 | BUG_ON(nf_nat_tftp_hook != NULL); 50 | nf_nat_helper_register(&nat_helper_tftp); 51 | RCU_INIT_POINTER(nf_nat_tftp_hook, help); 52 | return 0; 53 | } 54 | 55 | module_init(nf_nat_tftp_init); 56 | module_exit(nf_nat_tftp_fini); 57 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nft_fib_inet.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | 14 | static void nft_fib_inet_eval(const struct nft_expr *expr, 15 | struct nft_regs *regs, 16 | const struct nft_pktinfo *pkt) 17 | { 18 | const struct nft_fib *priv = nft_expr_priv(expr); 19 | 20 | switch (nft_pf(pkt)) { 21 | case NFPROTO_IPV4: 22 | switch (priv->result) { 23 | case NFT_FIB_RESULT_OIF: 24 | case NFT_FIB_RESULT_OIFNAME: 25 | return nft_fib4_eval(expr, regs, pkt); 26 | case NFT_FIB_RESULT_ADDRTYPE: 27 | return nft_fib4_eval_type(expr, regs, pkt); 28 | } 29 | break; 30 | case NFPROTO_IPV6: 31 | switch (priv->result) { 32 | case NFT_FIB_RESULT_OIF: 33 | case NFT_FIB_RESULT_OIFNAME: 34 | return nft_fib6_eval(expr, regs, pkt); 35 | case NFT_FIB_RESULT_ADDRTYPE: 36 | return nft_fib6_eval_type(expr, regs, pkt); 37 | } 38 | break; 39 | } 40 | 41 | regs->verdict.code = NF_DROP; 42 | } 43 | 44 | static struct nft_expr_type nft_fib_inet_type; 45 | static const struct nft_expr_ops nft_fib_inet_ops = { 46 | .type = &nft_fib_inet_type, 47 | .size = NFT_EXPR_SIZE(sizeof(struct nft_fib)), 48 | .eval = nft_fib_inet_eval, 49 | .init = nft_fib_init, 50 | .dump = nft_fib_dump, 51 | .validate = nft_fib_validate, 52 | }; 53 | 54 | static struct nft_expr_type nft_fib_inet_type __read_mostly = { 55 | .family = NFPROTO_INET, 56 | .name = "fib", 57 | .ops = &nft_fib_inet_ops, 58 | .policy = nft_fib_policy, 59 | .maxattr = NFTA_FIB_MAX, 60 | .owner = THIS_MODULE, 61 | }; 62 | 63 | static int __init nft_fib_inet_module_init(void) 64 | { 65 | return nft_register_expr(&nft_fib_inet_type); 66 | } 67 | 68 | static void __exit nft_fib_inet_module_exit(void) 69 | { 70 | nft_unregister_expr(&nft_fib_inet_type); 71 | } 72 | 73 | module_init(nft_fib_inet_module_init); 74 | module_exit(nft_fib_inet_module_exit); 75 | 76 | MODULE_LICENSE("GPL"); 77 | MODULE_AUTHOR("Florian Westphal "); 78 | MODULE_ALIAS_NFT_AF_EXPR(1, "fib"); 79 | MODULE_DESCRIPTION("nftables fib inet support"); 80 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/nft_set_pipapo_avx2.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0-only */ 2 | #ifndef _NFT_SET_PIPAPO_AVX2_H 3 | 4 | #if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 5 | #include 6 | #define NFT_PIPAPO_ALIGN (XSAVE_YMM_SIZE / BITS_PER_BYTE) 7 | 8 | bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, 9 | const u32 *key, const struct nft_set_ext **ext); 10 | bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features, 11 | struct nft_set_estimate *est); 12 | #endif /* defined(CONFIG_X86_64) && !defined(CONFIG_UML) */ 13 | 14 | #endif /* _NFT_SET_PIPAPO_AVX2_H */ 15 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_CLASSIFY.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * This is a module which is used for setting the skb->priority field 4 | * of an skb for qdisc classification. 5 | */ 6 | 7 | /* (C) 2001-2002 Patrick McHardy 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | MODULE_AUTHOR("Patrick McHardy "); 22 | MODULE_LICENSE("GPL"); 23 | MODULE_DESCRIPTION("Xtables: Qdisc classification"); 24 | MODULE_ALIAS("ipt_CLASSIFY"); 25 | MODULE_ALIAS("ip6t_CLASSIFY"); 26 | MODULE_ALIAS("arpt_CLASSIFY"); 27 | 28 | static unsigned int 29 | classify_tg(struct sk_buff *skb, const struct xt_action_param *par) 30 | { 31 | const struct xt_classify_target_info *clinfo = par->targinfo; 32 | 33 | skb->priority = clinfo->priority; 34 | return XT_CONTINUE; 35 | } 36 | 37 | static struct xt_target classify_tg_reg[] __read_mostly = { 38 | { 39 | .name = "CLASSIFY", 40 | .revision = 0, 41 | .family = NFPROTO_UNSPEC, 42 | .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) | 43 | (1 << NF_INET_POST_ROUTING), 44 | .target = classify_tg, 45 | .targetsize = sizeof(struct xt_classify_target_info), 46 | .me = THIS_MODULE, 47 | }, 48 | { 49 | .name = "CLASSIFY", 50 | .revision = 0, 51 | .family = NFPROTO_ARP, 52 | .hooks = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD), 53 | .target = classify_tg, 54 | .targetsize = sizeof(struct xt_classify_target_info), 55 | .me = THIS_MODULE, 56 | }, 57 | }; 58 | 59 | static int __init classify_tg_init(void) 60 | { 61 | return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 62 | } 63 | 64 | static void __exit classify_tg_exit(void) 65 | { 66 | xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); 67 | } 68 | 69 | module_init(classify_tg_init); 70 | module_exit(classify_tg_exit); 71 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_NFLOG.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Copyright (c) 2006 Patrick McHardy 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | MODULE_AUTHOR("Patrick McHardy "); 15 | MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG"); 16 | MODULE_LICENSE("GPL"); 17 | MODULE_ALIAS("ipt_NFLOG"); 18 | MODULE_ALIAS("ip6t_NFLOG"); 19 | 20 | static unsigned int 21 | nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) 22 | { 23 | const struct xt_nflog_info *info = par->targinfo; 24 | struct net *net = xt_net(par); 25 | struct nf_loginfo li; 26 | 27 | li.type = NF_LOG_TYPE_ULOG; 28 | li.u.ulog.copy_len = info->len; 29 | li.u.ulog.group = info->group; 30 | li.u.ulog.qthreshold = info->threshold; 31 | li.u.ulog.flags = 0; 32 | 33 | if (info->flags & XT_NFLOG_F_COPY_LEN) 34 | li.u.ulog.flags |= NF_LOG_F_COPY_LEN; 35 | 36 | nf_log_packet(net, xt_family(par), xt_hooknum(par), skb, xt_in(par), 37 | xt_out(par), &li, "%s", info->prefix); 38 | 39 | return XT_CONTINUE; 40 | } 41 | 42 | static int nflog_tg_check(const struct xt_tgchk_param *par) 43 | { 44 | const struct xt_nflog_info *info = par->targinfo; 45 | 46 | if (info->flags & ~XT_NFLOG_MASK) 47 | return -EINVAL; 48 | if (info->prefix[sizeof(info->prefix) - 1] != '\0') 49 | return -EINVAL; 50 | 51 | return nf_logger_find_get(par->family, NF_LOG_TYPE_ULOG); 52 | } 53 | 54 | static void nflog_tg_destroy(const struct xt_tgdtor_param *par) 55 | { 56 | nf_logger_put(par->family, NF_LOG_TYPE_ULOG); 57 | } 58 | 59 | static struct xt_target nflog_tg_reg __read_mostly = { 60 | .name = "NFLOG", 61 | .revision = 0, 62 | .family = NFPROTO_UNSPEC, 63 | .checkentry = nflog_tg_check, 64 | .destroy = nflog_tg_destroy, 65 | .target = nflog_tg, 66 | .targetsize = sizeof(struct xt_nflog_info), 67 | .me = THIS_MODULE, 68 | }; 69 | 70 | static int __init nflog_tg_init(void) 71 | { 72 | return xt_register_target(&nflog_tg_reg); 73 | } 74 | 75 | static void __exit nflog_tg_exit(void) 76 | { 77 | xt_unregister_target(&nflog_tg_reg); 78 | } 79 | 80 | module_init(nflog_tg_init); 81 | module_exit(nflog_tg_exit); 82 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_TRACE.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* This is a module which is used to mark packets for tracing. 3 | */ 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | MODULE_DESCRIPTION("Xtables: packet flow tracing"); 11 | MODULE_LICENSE("GPL"); 12 | MODULE_ALIAS("ipt_TRACE"); 13 | MODULE_ALIAS("ip6t_TRACE"); 14 | 15 | static int trace_tg_check(const struct xt_tgchk_param *par) 16 | { 17 | return nf_logger_find_get(par->family, NF_LOG_TYPE_LOG); 18 | } 19 | 20 | static void trace_tg_destroy(const struct xt_tgdtor_param *par) 21 | { 22 | nf_logger_put(par->family, NF_LOG_TYPE_LOG); 23 | } 24 | 25 | static unsigned int 26 | trace_tg(struct sk_buff *skb, const struct xt_action_param *par) 27 | { 28 | skb->nf_trace = 1; 29 | return XT_CONTINUE; 30 | } 31 | 32 | static struct xt_target trace_tg_reg __read_mostly = { 33 | .name = "TRACE", 34 | .revision = 0, 35 | .family = NFPROTO_UNSPEC, 36 | .table = "raw", 37 | .target = trace_tg, 38 | .checkentry = trace_tg_check, 39 | .destroy = trace_tg_destroy, 40 | .me = THIS_MODULE, 41 | }; 42 | 43 | static int __init trace_tg_init(void) 44 | { 45 | return xt_register_target(&trace_tg_reg); 46 | } 47 | 48 | static void __exit trace_tg_exit(void) 49 | { 50 | xt_unregister_target(&trace_tg_reg); 51 | } 52 | 53 | module_init(trace_tg_init); 54 | module_exit(trace_tg_exit); 55 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_comment.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Implements a dummy match to allow attaching comments to rules 4 | * 5 | * 2003-05-13 Brad Fisher (brad@info-link.net) 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | MODULE_AUTHOR("Brad Fisher "); 14 | MODULE_DESCRIPTION("Xtables: No-op match which can be tagged with a comment"); 15 | MODULE_LICENSE("GPL"); 16 | MODULE_ALIAS("ipt_comment"); 17 | MODULE_ALIAS("ip6t_comment"); 18 | 19 | static bool 20 | comment_mt(const struct sk_buff *skb, struct xt_action_param *par) 21 | { 22 | /* We always match */ 23 | return true; 24 | } 25 | 26 | static struct xt_match comment_mt_reg __read_mostly = { 27 | .name = "comment", 28 | .revision = 0, 29 | .family = NFPROTO_UNSPEC, 30 | .match = comment_mt, 31 | .matchsize = sizeof(struct xt_comment_info), 32 | .me = THIS_MODULE, 33 | }; 34 | 35 | static int __init comment_mt_init(void) 36 | { 37 | return xt_register_match(&comment_mt_reg); 38 | } 39 | 40 | static void __exit comment_mt_exit(void) 41 | { 42 | xt_unregister_match(&comment_mt_reg); 43 | } 44 | 45 | module_init(comment_mt_init); 46 | module_exit(comment_mt_exit); 47 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_cpu.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Kernel module to match running CPU */ 3 | 4 | /* 5 | * Might be used to distribute connections on several daemons, if 6 | * RPS (Remote Packet Steering) is enabled or NIC is multiqueue capable, 7 | * each RX queue IRQ affined to one CPU (1:1 mapping) 8 | */ 9 | 10 | /* (C) 2010 Eric Dumazet 11 | */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | MODULE_LICENSE("GPL"); 19 | MODULE_AUTHOR("Eric Dumazet "); 20 | MODULE_DESCRIPTION("Xtables: CPU match"); 21 | MODULE_ALIAS("ipt_cpu"); 22 | MODULE_ALIAS("ip6t_cpu"); 23 | 24 | static int cpu_mt_check(const struct xt_mtchk_param *par) 25 | { 26 | const struct xt_cpu_info *info = par->matchinfo; 27 | 28 | if (info->invert & ~1) 29 | return -EINVAL; 30 | return 0; 31 | } 32 | 33 | static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par) 34 | { 35 | const struct xt_cpu_info *info = par->matchinfo; 36 | 37 | return (info->cpu == smp_processor_id()) ^ info->invert; 38 | } 39 | 40 | static struct xt_match cpu_mt_reg __read_mostly = { 41 | .name = "cpu", 42 | .revision = 0, 43 | .family = NFPROTO_UNSPEC, 44 | .checkentry = cpu_mt_check, 45 | .match = cpu_mt, 46 | .matchsize = sizeof(struct xt_cpu_info), 47 | .me = THIS_MODULE, 48 | }; 49 | 50 | static int __init cpu_mt_init(void) 51 | { 52 | return xt_register_match(&cpu_mt_reg); 53 | } 54 | 55 | static void __exit cpu_mt_exit(void) 56 | { 57 | xt_unregister_match(&cpu_mt_reg); 58 | } 59 | 60 | module_init(cpu_mt_init); 61 | module_exit(cpu_mt_exit); 62 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_devgroup.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * Copyright (c) 2011 Patrick McHardy 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | #include 12 | 13 | MODULE_AUTHOR("Patrick McHardy "); 14 | MODULE_LICENSE("GPL"); 15 | MODULE_DESCRIPTION("Xtables: Device group match"); 16 | MODULE_ALIAS("ipt_devgroup"); 17 | MODULE_ALIAS("ip6t_devgroup"); 18 | 19 | static bool devgroup_mt(const struct sk_buff *skb, struct xt_action_param *par) 20 | { 21 | const struct xt_devgroup_info *info = par->matchinfo; 22 | 23 | if (info->flags & XT_DEVGROUP_MATCH_SRC && 24 | (((info->src_group ^ xt_in(par)->group) & info->src_mask ? 1 : 0) ^ 25 | ((info->flags & XT_DEVGROUP_INVERT_SRC) ? 1 : 0))) 26 | return false; 27 | 28 | if (info->flags & XT_DEVGROUP_MATCH_DST && 29 | (((info->dst_group ^ xt_out(par)->group) & info->dst_mask ? 1 : 0) ^ 30 | ((info->flags & XT_DEVGROUP_INVERT_DST) ? 1 : 0))) 31 | return false; 32 | 33 | return true; 34 | } 35 | 36 | static int devgroup_mt_checkentry(const struct xt_mtchk_param *par) 37 | { 38 | const struct xt_devgroup_info *info = par->matchinfo; 39 | 40 | if (info->flags & ~(XT_DEVGROUP_MATCH_SRC | XT_DEVGROUP_INVERT_SRC | 41 | XT_DEVGROUP_MATCH_DST | XT_DEVGROUP_INVERT_DST)) 42 | return -EINVAL; 43 | 44 | if (info->flags & XT_DEVGROUP_MATCH_SRC && 45 | par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) | 46 | (1 << NF_INET_LOCAL_IN) | 47 | (1 << NF_INET_FORWARD))) 48 | return -EINVAL; 49 | 50 | if (info->flags & XT_DEVGROUP_MATCH_DST && 51 | par->hook_mask & ~((1 << NF_INET_FORWARD) | 52 | (1 << NF_INET_LOCAL_OUT) | 53 | (1 << NF_INET_POST_ROUTING))) 54 | return -EINVAL; 55 | 56 | return 0; 57 | } 58 | 59 | static struct xt_match devgroup_mt_reg __read_mostly = { 60 | .name = "devgroup", 61 | .match = devgroup_mt, 62 | .checkentry = devgroup_mt_checkentry, 63 | .matchsize = sizeof(struct xt_devgroup_info), 64 | .family = NFPROTO_UNSPEC, 65 | .me = THIS_MODULE 66 | }; 67 | 68 | static int __init devgroup_mt_init(void) 69 | { 70 | return xt_register_match(&devgroup_mt_reg); 71 | } 72 | 73 | static void __exit devgroup_mt_exit(void) 74 | { 75 | xt_unregister_match(&devgroup_mt_reg); 76 | } 77 | 78 | module_init(devgroup_mt_init); 79 | module_exit(devgroup_mt_exit); 80 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_length.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Kernel module to match packet length. */ 3 | /* (C) 1999-2001 James Morris 4 | */ 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | 14 | MODULE_AUTHOR("James Morris "); 15 | MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match"); 16 | MODULE_LICENSE("GPL"); 17 | MODULE_ALIAS("ipt_length"); 18 | MODULE_ALIAS("ip6t_length"); 19 | 20 | static bool 21 | length_mt(const struct sk_buff *skb, struct xt_action_param *par) 22 | { 23 | const struct xt_length_info *info = par->matchinfo; 24 | u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); 25 | 26 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 27 | } 28 | 29 | static bool 30 | length_mt6(const struct sk_buff *skb, struct xt_action_param *par) 31 | { 32 | const struct xt_length_info *info = par->matchinfo; 33 | const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) + 34 | sizeof(struct ipv6hdr); 35 | 36 | return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 37 | } 38 | 39 | static struct xt_match length_mt_reg[] __read_mostly = { 40 | { 41 | .name = "length", 42 | .family = NFPROTO_IPV4, 43 | .match = length_mt, 44 | .matchsize = sizeof(struct xt_length_info), 45 | .me = THIS_MODULE, 46 | }, 47 | { 48 | .name = "length", 49 | .family = NFPROTO_IPV6, 50 | .match = length_mt6, 51 | .matchsize = sizeof(struct xt_length_info), 52 | .me = THIS_MODULE, 53 | }, 54 | }; 55 | 56 | static int __init length_mt_init(void) 57 | { 58 | return xt_register_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 59 | } 60 | 61 | static void __exit length_mt_exit(void) 62 | { 63 | xt_unregister_matches(length_mt_reg, ARRAY_SIZE(length_mt_reg)); 64 | } 65 | 66 | module_init(length_mt_init); 67 | module_exit(length_mt_exit); 68 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_mac.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Kernel module to match MAC address parameters. */ 3 | 4 | /* (C) 1999-2001 Paul `Rusty' Russell 5 | * (C) 2002-2004 Netfilter Core Team 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | MODULE_LICENSE("GPL"); 20 | MODULE_AUTHOR("Netfilter Core Team "); 21 | MODULE_DESCRIPTION("Xtables: MAC address match"); 22 | MODULE_ALIAS("ipt_mac"); 23 | MODULE_ALIAS("ip6t_mac"); 24 | 25 | static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par) 26 | { 27 | const struct xt_mac_info *info = par->matchinfo; 28 | bool ret; 29 | 30 | if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER) 31 | return false; 32 | if (skb_mac_header(skb) < skb->head) 33 | return false; 34 | if (skb_mac_header(skb) + ETH_HLEN > skb->data) 35 | return false; 36 | ret = ether_addr_equal(eth_hdr(skb)->h_source, info->srcaddr); 37 | ret ^= info->invert; 38 | return ret; 39 | } 40 | 41 | static struct xt_match mac_mt_reg __read_mostly = { 42 | .name = "mac", 43 | .revision = 0, 44 | .family = NFPROTO_UNSPEC, 45 | .match = mac_mt, 46 | .matchsize = sizeof(struct xt_mac_info), 47 | .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | 48 | (1 << NF_INET_FORWARD), 49 | .me = THIS_MODULE, 50 | }; 51 | 52 | static int __init mac_mt_init(void) 53 | { 54 | return xt_register_match(&mac_mt_reg); 55 | } 56 | 57 | static void __exit mac_mt_exit(void) 58 | { 59 | xt_unregister_match(&mac_mt_reg); 60 | } 61 | 62 | module_init(mac_mt_init); 63 | module_exit(mac_mt_exit); 64 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_mark.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * xt_mark - Netfilter module to match NFMARK value 4 | * 5 | * (C) 1999-2001 Marc Boucher 6 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 7 | * Jan Engelhardt 8 | */ 9 | 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | 16 | MODULE_LICENSE("GPL"); 17 | MODULE_AUTHOR("Marc Boucher "); 18 | MODULE_DESCRIPTION("Xtables: packet mark operations"); 19 | MODULE_ALIAS("ipt_mark"); 20 | MODULE_ALIAS("ip6t_mark"); 21 | MODULE_ALIAS("ipt_MARK"); 22 | MODULE_ALIAS("ip6t_MARK"); 23 | MODULE_ALIAS("arpt_MARK"); 24 | 25 | static unsigned int 26 | mark_tg(struct sk_buff *skb, const struct xt_action_param *par) 27 | { 28 | const struct xt_mark_tginfo2 *info = par->targinfo; 29 | 30 | skb->mark = (skb->mark & ~info->mask) ^ info->mark; 31 | return XT_CONTINUE; 32 | } 33 | 34 | static bool 35 | mark_mt(const struct sk_buff *skb, struct xt_action_param *par) 36 | { 37 | const struct xt_mark_mtinfo1 *info = par->matchinfo; 38 | 39 | return ((skb->mark & info->mask) == info->mark) ^ info->invert; 40 | } 41 | 42 | static struct xt_target mark_tg_reg __read_mostly = { 43 | .name = "MARK", 44 | .revision = 2, 45 | .family = NFPROTO_UNSPEC, 46 | .target = mark_tg, 47 | .targetsize = sizeof(struct xt_mark_tginfo2), 48 | .me = THIS_MODULE, 49 | }; 50 | 51 | static struct xt_match mark_mt_reg __read_mostly = { 52 | .name = "mark", 53 | .revision = 1, 54 | .family = NFPROTO_UNSPEC, 55 | .match = mark_mt, 56 | .matchsize = sizeof(struct xt_mark_mtinfo1), 57 | .me = THIS_MODULE, 58 | }; 59 | 60 | static int __init mark_mt_init(void) 61 | { 62 | int ret; 63 | 64 | ret = xt_register_target(&mark_tg_reg); 65 | if (ret < 0) 66 | return ret; 67 | ret = xt_register_match(&mark_mt_reg); 68 | if (ret < 0) { 69 | xt_unregister_target(&mark_tg_reg); 70 | return ret; 71 | } 72 | return 0; 73 | } 74 | 75 | static void __exit mark_mt_exit(void) 76 | { 77 | xt_unregister_match(&mark_mt_reg); 78 | xt_unregister_target(&mark_tg_reg); 79 | } 80 | 81 | module_init(mark_mt_init); 82 | module_exit(mark_mt_exit); 83 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_osf.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-or-later 2 | /* 3 | * Copyright (c) 2003+ Evgeniy Polyakov 4 | */ 5 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | static bool 28 | xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p) 29 | { 30 | return nf_osf_match(skb, xt_family(p), xt_hooknum(p), xt_in(p), 31 | xt_out(p), p->matchinfo, xt_net(p), nf_osf_fingers); 32 | } 33 | 34 | static struct xt_match xt_osf_match = { 35 | .name = "osf", 36 | .revision = 0, 37 | .family = NFPROTO_IPV4, 38 | .proto = IPPROTO_TCP, 39 | .hooks = (1 << NF_INET_LOCAL_IN) | 40 | (1 << NF_INET_PRE_ROUTING) | 41 | (1 << NF_INET_FORWARD), 42 | .match = xt_osf_match_packet, 43 | .matchsize = sizeof(struct xt_osf_info), 44 | .me = THIS_MODULE, 45 | }; 46 | 47 | static int __init xt_osf_init(void) 48 | { 49 | int err; 50 | 51 | err = xt_register_match(&xt_osf_match); 52 | if (err) { 53 | pr_err("Failed to register OS fingerprint " 54 | "matching module (%d)\n", err); 55 | return err; 56 | } 57 | 58 | return 0; 59 | } 60 | 61 | static void __exit xt_osf_fini(void) 62 | { 63 | xt_unregister_match(&xt_osf_match); 64 | } 65 | 66 | module_init(xt_osf_init); 67 | module_exit(xt_osf_fini); 68 | 69 | MODULE_LICENSE("GPL"); 70 | MODULE_AUTHOR("Evgeniy Polyakov "); 71 | MODULE_DESCRIPTION("Passive OS fingerprint matching."); 72 | MODULE_ALIAS("ipt_osf"); 73 | MODULE_ALIAS("ip6t_osf"); 74 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF); 75 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_pkttype.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* (C) 1999-2001 Michal Ludvig 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | 16 | MODULE_LICENSE("GPL"); 17 | MODULE_AUTHOR("Michal Ludvig "); 18 | MODULE_DESCRIPTION("Xtables: link layer packet type match"); 19 | MODULE_ALIAS("ipt_pkttype"); 20 | MODULE_ALIAS("ip6t_pkttype"); 21 | 22 | static bool 23 | pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par) 24 | { 25 | const struct xt_pkttype_info *info = par->matchinfo; 26 | u_int8_t type; 27 | 28 | if (skb->pkt_type != PACKET_LOOPBACK) 29 | type = skb->pkt_type; 30 | else if (xt_family(par) == NFPROTO_IPV4 && 31 | ipv4_is_multicast(ip_hdr(skb)->daddr)) 32 | type = PACKET_MULTICAST; 33 | else if (xt_family(par) == NFPROTO_IPV6) 34 | type = PACKET_MULTICAST; 35 | else 36 | type = PACKET_BROADCAST; 37 | 38 | return (type == info->pkttype) ^ info->invert; 39 | } 40 | 41 | static struct xt_match pkttype_mt_reg __read_mostly = { 42 | .name = "pkttype", 43 | .revision = 0, 44 | .family = NFPROTO_UNSPEC, 45 | .match = pkttype_mt, 46 | .matchsize = sizeof(struct xt_pkttype_info), 47 | .me = THIS_MODULE, 48 | }; 49 | 50 | static int __init pkttype_mt_init(void) 51 | { 52 | return xt_register_match(&pkttype_mt_reg); 53 | } 54 | 55 | static void __exit pkttype_mt_exit(void) 56 | { 57 | xt_unregister_match(&pkttype_mt_reg); 58 | } 59 | 60 | module_init(pkttype_mt_init); 61 | module_exit(pkttype_mt_exit); 62 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_quota.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* 3 | * netfilter module to enforce network quotas 4 | * 5 | * Sam Johnston 6 | */ 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | struct xt_quota_priv { 16 | spinlock_t lock; 17 | uint64_t quota; 18 | }; 19 | 20 | MODULE_LICENSE("GPL"); 21 | MODULE_AUTHOR("Sam Johnston "); 22 | MODULE_DESCRIPTION("Xtables: countdown quota match"); 23 | MODULE_ALIAS("ipt_quota"); 24 | MODULE_ALIAS("ip6t_quota"); 25 | 26 | static bool 27 | quota_mt(const struct sk_buff *skb, struct xt_action_param *par) 28 | { 29 | struct xt_quota_info *q = (void *)par->matchinfo; 30 | struct xt_quota_priv *priv = q->master; 31 | bool ret = q->flags & XT_QUOTA_INVERT; 32 | 33 | spin_lock_bh(&priv->lock); 34 | if (priv->quota >= skb->len) { 35 | priv->quota -= skb->len; 36 | ret = !ret; 37 | } else { 38 | /* we do not allow even small packets from now on */ 39 | priv->quota = 0; 40 | } 41 | spin_unlock_bh(&priv->lock); 42 | 43 | return ret; 44 | } 45 | 46 | static int quota_mt_check(const struct xt_mtchk_param *par) 47 | { 48 | struct xt_quota_info *q = par->matchinfo; 49 | 50 | if (q->flags & ~XT_QUOTA_MASK) 51 | return -EINVAL; 52 | 53 | q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); 54 | if (q->master == NULL) 55 | return -ENOMEM; 56 | 57 | spin_lock_init(&q->master->lock); 58 | q->master->quota = q->quota; 59 | return 0; 60 | } 61 | 62 | static void quota_mt_destroy(const struct xt_mtdtor_param *par) 63 | { 64 | const struct xt_quota_info *q = par->matchinfo; 65 | 66 | kfree(q->master); 67 | } 68 | 69 | static struct xt_match quota_mt_reg __read_mostly = { 70 | .name = "quota", 71 | .revision = 0, 72 | .family = NFPROTO_UNSPEC, 73 | .match = quota_mt, 74 | .checkentry = quota_mt_check, 75 | .destroy = quota_mt_destroy, 76 | .matchsize = sizeof(struct xt_quota_info), 77 | .usersize = offsetof(struct xt_quota_info, master), 78 | .me = THIS_MODULE, 79 | }; 80 | 81 | static int __init quota_mt_init(void) 82 | { 83 | return xt_register_match("a_mt_reg); 84 | } 85 | 86 | static void __exit quota_mt_exit(void) 87 | { 88 | xt_unregister_match("a_mt_reg); 89 | } 90 | 91 | module_init(quota_mt_init); 92 | module_exit(quota_mt_exit); 93 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_realm.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* IP tables module for matching the routing realm 3 | * 4 | * (C) 2003 by Sampsa Ranta 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | MODULE_AUTHOR("Sampsa Ranta "); 17 | MODULE_LICENSE("GPL"); 18 | MODULE_DESCRIPTION("Xtables: Routing realm match"); 19 | MODULE_ALIAS("ipt_realm"); 20 | 21 | static bool 22 | realm_mt(const struct sk_buff *skb, struct xt_action_param *par) 23 | { 24 | const struct xt_realm_info *info = par->matchinfo; 25 | const struct dst_entry *dst = skb_dst(skb); 26 | 27 | return (info->id == (dst->tclassid & info->mask)) ^ info->invert; 28 | } 29 | 30 | static struct xt_match realm_mt_reg __read_mostly = { 31 | .name = "realm", 32 | .match = realm_mt, 33 | .matchsize = sizeof(struct xt_realm_info), 34 | .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) | 35 | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN), 36 | .family = NFPROTO_UNSPEC, 37 | .me = THIS_MODULE 38 | }; 39 | 40 | static int __init realm_mt_init(void) 41 | { 42 | return xt_register_match(&realm_mt_reg); 43 | } 44 | 45 | static void __exit realm_mt_exit(void) 46 | { 47 | xt_unregister_match(&realm_mt_reg); 48 | } 49 | 50 | module_init(realm_mt_init); 51 | module_exit(realm_mt_exit); 52 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_repldata.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-2.0 */ 2 | /* 3 | * Today's hack: quantum tunneling in structs 4 | * 5 | * 'entries' and 'term' are never anywhere referenced by word in code. In fact, 6 | * they serve as the hanging-off data accessed through repl.data[]. 7 | */ 8 | 9 | /* tbl has the following structure equivalent, but is C99 compliant: 10 | * struct { 11 | * struct type##_replace repl; 12 | * struct type##_standard entries[nhooks]; 13 | * struct type##_error term; 14 | * } *tbl; 15 | */ 16 | 17 | #define xt_alloc_initial_table(type, typ2) ({ \ 18 | unsigned int hook_mask = info->valid_hooks; \ 19 | unsigned int nhooks = hweight32(hook_mask); \ 20 | unsigned int bytes = 0, hooknum = 0, i = 0; \ 21 | struct { \ 22 | struct type##_replace repl; \ 23 | struct type##_standard entries[]; \ 24 | } *tbl; \ 25 | struct type##_error *term; \ 26 | size_t term_offset = (offsetof(typeof(*tbl), entries[nhooks]) + \ 27 | __alignof__(*term) - 1) & ~(__alignof__(*term) - 1); \ 28 | tbl = kzalloc(term_offset + sizeof(*term), GFP_KERNEL); \ 29 | if (tbl == NULL) \ 30 | return NULL; \ 31 | term = (struct type##_error *)&(((char *)tbl)[term_offset]); \ 32 | strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \ 33 | *term = (struct type##_error)typ2##_ERROR_INIT; \ 34 | tbl->repl.valid_hooks = hook_mask; \ 35 | tbl->repl.num_entries = nhooks + 1; \ 36 | tbl->repl.size = nhooks * sizeof(struct type##_standard) + \ 37 | sizeof(struct type##_error); \ 38 | for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \ 39 | if (!(hook_mask & 1)) \ 40 | continue; \ 41 | tbl->repl.hook_entry[hooknum] = bytes; \ 42 | tbl->repl.underflow[hooknum] = bytes; \ 43 | tbl->entries[i++] = (struct type##_standard) \ 44 | typ2##_STANDARD_INIT(NF_ACCEPT); \ 45 | bytes += sizeof(struct type##_standard); \ 46 | } \ 47 | tbl; \ 48 | }) 49 | -------------------------------------------------------------------------------- /src/5.x/net/netfilter/xt_state.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-2.0-only 2 | /* Kernel module to match connection tracking information. */ 3 | 4 | /* (C) 1999-2001 Paul `Rusty' Russell 5 | * (C) 2002-2005 Netfilter Core Team 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | MODULE_LICENSE("GPL"); 15 | MODULE_AUTHOR("Rusty Russell "); 16 | MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module"); 17 | MODULE_ALIAS("ipt_state"); 18 | MODULE_ALIAS("ip6t_state"); 19 | 20 | static bool 21 | state_mt(const struct sk_buff *skb, struct xt_action_param *par) 22 | { 23 | const struct xt_state_info *sinfo = par->matchinfo; 24 | enum ip_conntrack_info ctinfo; 25 | unsigned int statebit; 26 | struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 27 | 28 | if (ct) 29 | statebit = XT_STATE_BIT(ctinfo); 30 | else if (ctinfo == IP_CT_UNTRACKED) 31 | statebit = XT_STATE_UNTRACKED; 32 | else 33 | statebit = XT_STATE_INVALID; 34 | 35 | return (sinfo->statemask & statebit); 36 | } 37 | 38 | static int state_mt_check(const struct xt_mtchk_param *par) 39 | { 40 | int ret; 41 | 42 | ret = nf_ct_netns_get(par->net, par->family); 43 | if (ret < 0) 44 | pr_info_ratelimited("cannot load conntrack support for proto=%u\n", 45 | par->family); 46 | return ret; 47 | } 48 | 49 | static void state_mt_destroy(const struct xt_mtdtor_param *par) 50 | { 51 | nf_ct_netns_put(par->net, par->family); 52 | } 53 | 54 | static struct xt_match state_mt_reg __read_mostly = { 55 | .name = "state", 56 | .family = NFPROTO_UNSPEC, 57 | .checkentry = state_mt_check, 58 | .match = state_mt, 59 | .destroy = state_mt_destroy, 60 | .matchsize = sizeof(struct xt_state_info), 61 | .me = THIS_MODULE, 62 | }; 63 | 64 | static int __init state_mt_init(void) 65 | { 66 | return xt_register_match(&state_mt_reg); 67 | } 68 | 69 | static void __exit state_mt_exit(void) 70 | { 71 | xt_unregister_match(&state_mt_reg); 72 | } 73 | 74 | module_init(state_mt_init); 75 | module_exit(state_mt_exit); 76 | --------------------------------------------------------------------------------