From c942046cd86f454987a8baad76a99e45ebfad53c Mon Sep 17 00:00:00 2001 From: ranon rat <66473662+ranon-rat@users.noreply.github.com> Date: Sun, 7 Feb 2021 15:58:07 -0600 Subject: [PATCH 1/2] new docs --- Documentation/ABI/{README => README.md} | 31 +- Documentation/ABI/obsolete/sysfs-bus-usb | 31 -- Documentation/ABI/obsolete/sysfs-bus-usb.md | 16 + README => README.md | 154 ++++---- include/uapi/linux/netfilter/xt_CONNMARK.h | 33 +- include/uapi/linux/netfilter/xt_DSCP.h | 27 +- include/uapi/linux/netfilter/xt_MARK.h | 17 +- include/uapi/linux/netfilter/xt_RATEEST.h | 38 +- include/uapi/linux/netfilter/xt_TCPMSS.h | 13 +- include/uapi/linux/netfilter_ipv4/ipt_ECN.h | 44 +-- include/uapi/linux/netfilter_ipv4/ipt_TTL.h | 14 +- include/uapi/linux/netfilter_ipv6/ip6t_HL.h | 14 +- net/netfilter/xt_DSCP.c | 147 +++----- net/netfilter/xt_HL.c | 171 +++------ net/netfilter/xt_RATEEST.c | 241 ++++++------- net/netfilter/xt_TCPMSS.c | 366 ++++---------------- 16 files changed, 498 insertions(+), 859 deletions(-) rename Documentation/ABI/{README => README.md} (75%) delete mode 100755 Documentation/ABI/obsolete/sysfs-bus-usb create mode 100755 Documentation/ABI/obsolete/sysfs-bus-usb.md rename README => README.md (84%) diff --git a/Documentation/ABI/README b/Documentation/ABI/README.md similarity index 75% rename from Documentation/ABI/README rename to Documentation/ABI/README.md index 10069828..72dc67e9 100755 --- a/Documentation/ABI/README +++ b/Documentation/ABI/README.md @@ -9,7 +9,7 @@ of stability according to the rules described below. The different levels of stability are: - stable/ + - `stable/` This directory documents the interfaces that the developer has defined to be stable. Userspace programs are free to use these interfaces with no restrictions, and backward compatibility for @@ -17,7 +17,7 @@ The different levels of stability are: (like syscalls) are expected to never change and always be available. - testing/ + - `testing/` This directory documents interfaces that are felt to be stable, as the main development of this interface has been completed. The interface can be changed to add new features, but the @@ -31,34 +31,29 @@ The different levels of stability are: notify them if any changes occur (see the description of the layout of the files below for details on how to do this.) - obsolete/ + - `obsolete/` This directory documents interfaces that are still remaining in the kernel, but are marked to be removed at some later point in time. The description of the interface will document the reason why it is obsolete and when it can be expected to be removed. - removed/ + - `removed/` This directory contains a list of the old interfaces that have been removed from the kernel. Every file in these directories will contain the following information: -What: Short description of the interface -Date: Date created -KernelVersion: Kernel version this feature first showed up in. -Contact: Primary contact for this interface (may be a mailing list) -Description: Long description of the interface and how to use it. -Users: All users of this interface who wish to be notified when - it changes. This is very important for interfaces in - the "testing" stage, so that kernel developers can work - with userspace developers to ensure that things do not - break in ways that are unacceptable. It is also - important to get feedback for these interfaces to make - sure they are working in a proper way and do not need to - be changed further. +| What | Short description of the interface| +|--|--| +| Date | Date created| +| KernelVersion | Kernel version this feature first showed up in.| +| Contact |Primary contact for this interface (may be a mailing list)| +| Description | Long description of the interface and how to use it.| +| Users | All users of this interface who wish to be notified when it changes. This is very important for interfaces in the `testing` stage, so that kernel developerscan work with userspace developers to ensure that things do not break in ways that are unacceptable. It is also important to get feedback for these interfaces to make sure they are working in a properway and do not need to be changed further. | -How things move between levels: + +# How things move between levels: Interfaces in stable may move to obsolete, as long as the proper notification is given. diff --git a/Documentation/ABI/obsolete/sysfs-bus-usb b/Documentation/ABI/obsolete/sysfs-bus-usb deleted file mode 100755 index bd096d33..00000000 --- a/Documentation/ABI/obsolete/sysfs-bus-usb +++ /dev/null @@ -1,31 +0,0 @@ -What: /sys/bus/usb/devices/.../power/level -Date: March 2007 -KernelVersion: 2.6.21 -Contact: Alan Stern -Description: - Each USB device directory will contain a file named - power/level. This file holds a power-level setting for - the device, either "on" or "auto". - - "on" means that the device is not allowed to autosuspend, - although normal suspends for system sleep will still - be honored. "auto" means the device will autosuspend - and autoresume in the usual manner, according to the - capabilities of its driver. - - During normal use, devices should be left in the "auto" - level. The "on" level is meant for administrative uses. - If you want to suspend a device immediately but leave it - free to wake up in response to I/O requests, you should - write "0" to power/autosuspend. - - Device not capable of proper suspend and resume should be - left in the "on" level. Although the USB spec requires - devices to support suspend/resume, many of them do not. - In fact so many don't that by default, the USB core - initializes all non-hub devices in the "on" level. Some - drivers may change this setting when they are bound. - - This file is deprecated and will be removed after 2010. - Use the power/control file instead; it does exactly the - same thing. diff --git a/Documentation/ABI/obsolete/sysfs-bus-usb.md b/Documentation/ABI/obsolete/sysfs-bus-usb.md new file mode 100755 index 00000000..b1666767 --- /dev/null +++ b/Documentation/ABI/obsolete/sysfs-bus-usb.md @@ -0,0 +1,16 @@ + +||| +|--|--| +|What: | /sys/bus/usb/devices/.../power/level +|Date: | March 2007 +|KernelVersion:| 2.6.21 +|Contact:| Alan Stern +|Description:| Each USB device directory will contain a file named power/level. This file holds a power-level setting for the device, either `on` or `auto`. +- `on` means that the device is not allowed to autosuspend, although normal suspends for system sleep will still be honored. `auto` means the device will autosuspend and autoresume in the usual manner, according to the capabilities of its driver. +- During normal use, devices should be left in the `auto` level. The `on` level is meant for administrative uses. +- If you want to suspend a device immediately but leave it free to wake up in response to I/O requests, you should write `0` to power/autosuspend. +- Device not capable of proper suspend and resume should be left in the `on` level. +- Although the USB spec requires devices to support suspend/resume, many of them do not. +- In fact so many don't that by default, the USB core initializes all non-hub devices in the `on` level. Some drivers may change this setting when they are bound. +- This file is deprecated and will be removed after 2010. +- Use the power/control file instead; it does exactly the same thing. | diff --git a/README b/README.md similarity index 84% rename from README rename to README.md index a24ec89b..b60210bf 100755 --- a/README +++ b/README.md @@ -1,10 +1,10 @@ - Linux kernel release 3.x +# [Linux kernel release 3.x](http://kernel.org/>) These are the release notes for Linux version 3. Read them carefully, as they tell you what this is all about, explain how to install the kernel, and what to do if something goes wrong. -WHAT IS LINUX? +# WHAT IS LINUX? Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across @@ -18,7 +18,7 @@ WHAT IS LINUX? It is distributed under the GNU General Public License - see the accompanying COPYING file for more details. -ON WHAT HARDWARE DOES IT RUN? +# ON WHAT HARDWARE DOES IT RUN? Although originally developed first for 32-bit x86-based PCs (386 or higher), today Linux also runs on (at least) the Compaq Alpha AXP, Sun SPARC and @@ -34,7 +34,7 @@ ON WHAT HARDWARE DOES IT RUN? Linux has also been ported to itself. You can now run the kernel as a userspace application - this is called UserMode Linux (UML). -DOCUMENTATION: +# DOCUMENTATION: - There is a lot of documentation available both in electronic form on the Internet and in books, both Linux-specific and pertaining to @@ -53,22 +53,22 @@ DOCUMENTATION: - The Documentation/DocBook/ subdirectory contains several guides for kernel developers and users. These guides can be rendered in a number of formats: PostScript (.ps), PDF, HTML, & man-pages, among others. - After installation, "make psdocs", "make pdfdocs", "make htmldocs", - or "make mandocs" will render the documentation in the requested format. + After installation, `make psdocs`, `make pdfdocs`, `make htmldocs`, + or `make mandocs` will render the documentation in the requested format. -INSTALLING the kernel source: +# INSTALLING the kernel source: - If you install the full sources, put the kernel tarball in a directory where you have permissions (eg. your home directory) and unpack it: - + ```sh gzip -cd linux-3.X.tar.gz | tar xvf - - + ``` or - + ```sh bzip2 -dc linux-3.X.tar.bz2 | tar xvf - - - Replace "X" with the version number of the latest kernel. + ``` + Replace `X` with the version number of the latest kernel. Do NOT use the /usr/src/linux area! This area has a (usually incomplete) set of kernel headers that are used by the library header @@ -79,14 +79,14 @@ INSTALLING the kernel source: distributed in the traditional gzip and the newer bzip2 format. To install by patching, get all the newer patch files, enter the top level directory of the kernel source (linux-3.X) and execute: - + ```sh gzip -cd ../patch-3.x.gz | patch -p1 - + ``` or - + ```sh bzip2 -dc ../patch-3.x.bz2 | patch -p1 - - Replace "x" for all versions bigger than the version "X" of your current + ``` + Replace `x` for all versions bigger than the version `X` of your current source tree, _in_order_, and you should be ok. You may want to remove the backup files (some-file-name~ or some-file-name.orig), and make sure that there are no failed patches (some-file-name# or some-file-name.rej). @@ -104,21 +104,21 @@ INSTALLING the kernel source: Alternatively, the script patch-kernel can be used to automate this process. It determines the current kernel version and applies any patches found. - + ```sh linux/scripts/patch-kernel linux - + ``` The first argument in the command above is the location of the kernel source. Patches are applied from the current directory, but an alternative directory can be specified as the second argument. - Make sure you have no stale .o files and dependencies lying around: - + ```sh cd linux make mrproper - + ``` You should now have the sources correctly installed. -SOFTWARE REQUIREMENTS +# SOFTWARE REQUIREMENTS Compiling and running the 3.x kernels requires up-to-date versions of various software packages. Consult @@ -129,88 +129,90 @@ SOFTWARE REQUIREMENTS you can just update packages when obvious problems arise during build or operation. -BUILD directory for the kernel: +# BUILD directory for the kernel: When compiling the kernel, all output files will per default be stored together with the kernel source code. - Using the option "make O=output/dir" allow you to specify an alternate + Using the option `make O=output/dir` allow you to specify an alternate place for the output files (including .config). Example: + ```sh kernel source code: /usr/src/linux-3.X build directory: /home/name/build/kernel - + ``` To configure and build the kernel, use: - + + ```sh cd /usr/src/linux-3.X make O=/home/name/build/kernel menuconfig make O=/home/name/build/kernel sudo make O=/home/name/build/kernel modules_install install - + ``` Please note: If the 'O=output/dir' option is used, then it must be used for all invocations of make. -CONFIGURING the kernel: +# CONFIGURING the kernel: Do not skip this step even if you are only upgrading one minor version. New configuration options are added in each release, and odd problems will turn up if the configuration files are not set up as expected. If you want to carry your existing configuration to a - new version with minimal work, use "make oldconfig", which will + new version with minimal work, use `make oldconfig`, which will only ask you for the answers to new questions. - Alternative configuration commands are: - "make config" Plain text interface. - - "make menuconfig" Text based color menus, radiolists & dialogs. - - "make nconfig" Enhanced text based color menus. + `make config` Plain text interface. - "make xconfig" X windows (Qt) based configuration tool. + `make menuconfig` Text based color menus, radiolists & dialogs. - "make gconfig" X windows (Gtk) based configuration tool. - - "make oldconfig" Default all questions based on the contents of + `make nconfig` Enhanced text based color menus.` + + `make xconfig` X windows (Qt) based configuration tool.` + + `make gconfig` X windows (Gtk) based configuration tool.` + + `make oldconfig` Default all questions based on the contents of your existing ./.config file and asking about new config symbols. - "make silentoldconfig" + `make silentoldconfig` Like above, but avoids cluttering the screen with questions already answered. Additionally updates the dependencies. - "make olddefconfig" + `make olddefconfig` Like above, but sets new symbols to their default values without prompting. - "make defconfig" Create a ./.config file by using the default + `make defconfig` Create a ./.config file by using the default symbol values from either arch/$ARCH/defconfig or arch/$ARCH/configs/${PLATFORM}_defconfig, depending on the architecture. - "make ${PLATFORM}_defconfig" + `make ${PLATFORM}_defconfig` Create a ./.config file by using the default symbol values from arch/$ARCH/configs/${PLATFORM}_defconfig. - Use "make help" to get a list of all available + Use `make help` to get a list of all available platforms of your architecture. - "make allyesconfig" + `make allyesconfig` Create a ./.config file by setting symbol values to 'y' as much as possible. - "make allmodconfig" + `make allmodconfig` Create a ./.config file by setting symbol values to 'm' as much as possible. - "make allnoconfig" Create a ./.config file by setting symbol + `make allnoconfig` Create a ./.config file by setting symbol values to 'n' as much as possible. - "make randconfig" Create a ./.config file by setting symbol + `make randconfig` Create a ./.config file by setting symbol values to random values. - "make localmodconfig" Create a config based on current config and + `make localmodconfig` Create a config based on current config and loaded modules (lsmod). Disables any module option that is not needed for the loaded modules. @@ -225,19 +227,19 @@ CONFIGURING the kernel: The above also works when cross compiling. - "make localyesconfig" Similar to localmodconfig, except it will convert + `make localyesconfig` Similar to localmodconfig, except it will convert all module options to built in (=y) options. You can find more information on using the Linux kernel config tools in Documentation/kbuild/kconfig.txt. - - NOTES on "make config": + - NOTES on `make config`: - Having unnecessary drivers will make the kernel bigger, and can under some circumstances lead to problems: probing for a nonexistent controller card may confuse your other controllers - - Compiling the kernel with "Processor type" set higher than 386 + - Compiling the kernel with `Processor type` set higher than 386 will result in a kernel that does NOT work on a 386. The kernel will detect this on bootup, and give up. @@ -247,42 +249,42 @@ CONFIGURING the kernel: but will work on different machines regardless of whether they have a math coprocessor or not. - - The "kernel hacking" configuration details usually result in a + - The `kernel hacking` configuration details usually result in a bigger or slower kernel (or both), and can even make the kernel less stable by configuring some routines to actively try to break bad code to find kernel problems (kmalloc()). Thus you - should probably answer 'n' to the questions for "development", - "experimental", or "debugging" features. + should probably answer 'n' to the questions for `development`, + `experimental`, or `debugging` features. -COMPILING the kernel: +# COMPILING the kernel: - Make sure you have at least gcc 3.2 available. For more information, refer to Documentation/Changes. Please note that you can still run a.out user programs with this kernel. - - Do a "make" to create a compressed kernel image. It is also - possible to do "make install" if you have lilo installed to suit the + - Do a `make` to create a compressed kernel image. It is also + possible to do `make install` if you have lilo installed to suit the kernel makefiles, but you may want to check your particular lilo setup first. To do the actual install, you have to be root, but none of the normal build should require that. Don't take the name of root in vain. - If you configured any of the parts of the kernel as `modules', you - will also have to do "make modules_install". + will also have to do `make modules_install`. - Verbose kernel compile/build output: Normally, the kernel build system runs in a fairly quiet mode (but not totally silent). However, sometimes you or other kernel developers need to see compile, link, or other commands exactly as they are executed. - For this, use "verbose" build mode. This is done by inserting - "V=1" in the "make" command. E.g.: + For this, use `verbose` build mode. This is done by inserting + `V=1` in the `make` command. E.g.: make V=1 all To have the build system also tell the reason for the rebuild of each - target, use "V=2". The default is "V=0". + target, use `V=2`. The default is `V=0`. - Keep a backup kernel handy in case something goes wrong. This is especially true for the development releases, since each new release @@ -290,11 +292,11 @@ COMPILING the kernel: backup of the modules corresponding to that kernel, as well. If you are installing a new kernel with the same version number as your working kernel, make a backup of your modules directory before you - do a "make modules_install". + do a `make modules_install`. Alternatively, before compiling, use the kernel config option - "LOCALVERSION" to append a unique suffix to the regular kernel version. - LOCALVERSION can be set in the "General Setup" menu. + `LOCALVERSION` to append a unique suffix to the regular kernel version. + LOCALVERSION can be set in the `General Setup` menu. - In order to boot your new kernel, you'll need to copy the kernel image (e.g. .../linux/arch/i386/boot/bzImage after compilation) @@ -326,7 +328,7 @@ COMPILING the kernel: - Reboot with the new kernel and enjoy. -IF SOMETHING GOES WRONG: +# IF SOMETHING GOES WRONG: - If you have problems that seem to be due to kernel bugs, please check the file MAINTAINERS to see if there is a particular person associated @@ -341,7 +343,7 @@ IF SOMETHING GOES WRONG: old, please try to tell me when you first noticed it. - If the bug results in a message like - + ```sh unable to handle kernel paging request at address C0000010 Oops: 0002 EIP: 0010:XXXXXXXX @@ -350,7 +352,7 @@ IF SOMETHING GOES WRONG: ds: xxxx es: xxxx fs: xxxx gs: xxxx Pid: xx, process nr: xx xx xx xx xx xx xx xx xx xx xx - + ``` or similar kernel debugging information on your screen or in your system log, please duplicate it *exactly*. The dump may look incomprehensible to you, but it does contain information that may @@ -360,7 +362,7 @@ IF SOMETHING GOES WRONG: on making sense of the dump is in Documentation/oops-tracing.txt - If you compiled the kernel with CONFIG_KALLSYMS you can send the dump - as is, otherwise you will have to use the "ksymoops" program to make + as is, otherwise you will have to use the `ksymoops` program to make sense of the dump (but compiling with CONFIG_KALLSYMS is usually preferred). This utility can be downloaded from ftp://ftp..kernel.org/pub/linux/utils/kernel/ksymoops/ . @@ -370,16 +372,16 @@ IF SOMETHING GOES WRONG: look up what the EIP value means. The hex value as such doesn't help me or anybody else very much: it will depend on your particular kernel setup. What you should do is take the hex value from the EIP - line (ignore the "0010:"), and look it up in the kernel namelist to + line (ignore the `0010:`), and look it up in the kernel namelist to see which kernel function contains the offending address. To find out the kernel function name, you'll need to find the system binary associated with the kernel that exhibited the symptom. This is the file 'linux/vmlinux'. To extract the namelist and match it against the EIP from the kernel crash, do: - + ```sh nm vmlinux | sort | less - + ``` This will give you a list of kernel addresses sorted in ascending order, from which it is simple to find the function that contains the offending address. Note that the address given by the kernel @@ -390,7 +392,7 @@ IF SOMETHING GOES WRONG: has a starting address lower than the one you are searching for but is followed by a function with a higher address you will find the one you want. In fact, it may be a good idea to include a bit of - "context" in your problem report, giving a few lines around the + `context` in your problem report, giving a few lines around the interesting one. If you for some reason cannot do the above (you have a pre-compiled @@ -399,12 +401,12 @@ IF SOMETHING GOES WRONG: - Alternatively, you can use gdb on a running kernel. (read-only; i.e. you cannot change values or set break points.) To do this, first compile the - kernel with -g; edit arch/i386/Makefile appropriately, then do a "make - clean". You'll also need to enable CONFIG_PROC_FS (via "make config"). + kernel with -g; edit arch/i386/Makefile appropriately, then do a `make + clean`. You'll also need to enable CONFIG_PROC_FS (via `make config`). - After you've rebooted with the new kernel, do "gdb vmlinux /proc/kcore". + After you've rebooted with the new kernel, do `gdb vmlinux /proc/kcore`. You can now use all the usual gdb commands. The command to look up the - point where your system crashed is "l *0xXXXXXXXX". (Replace the XXXes + point where your system crashed is `l *0xXXXXXXXX`. (Replace the XXXes with the EIP value.) gdb'ing a non-running kernel currently fails because gdb (wrongly) diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h index 2f2e48ec..efc17a83 100755 --- a/include/uapi/linux/netfilter/xt_CONNMARK.h +++ b/include/uapi/linux/netfilter/xt_CONNMARK.h @@ -1,6 +1,31 @@ -#ifndef _XT_CONNMARK_H_target -#define _XT_CONNMARK_H_target +#ifndef _XT_CONNMARK_H +#define _XT_CONNMARK_H -#include +#include -#endif /*_XT_CONNMARK_H_target*/ +/* Copyright (C) 2002,2004 MARA Systems AB + * by Henrik Nordstrom + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +enum { + XT_CONNMARK_SET = 0, + XT_CONNMARK_SAVE, + XT_CONNMARK_RESTORE +}; + +struct xt_connmark_tginfo1 { + __u32 ctmark, ctmask, nfmask; + __u8 mode; +}; + +struct xt_connmark_mtinfo1 { + __u32 mark, mask; + __u8 invert; +}; + +#endif /*_XT_CONNMARK_H*/ diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h index 648e0b3b..15f8932a 100755 --- a/include/uapi/linux/netfilter/xt_DSCP.h +++ b/include/uapi/linux/netfilter/xt_DSCP.h @@ -1,26 +1,31 @@ -/* x_tables module for setting the IPv4/IPv6 DSCP field +/* x_tables module for matching the IPv4/IPv6 DSCP field * * (C) 2002 Harald Welte - * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh * This software is distributed under GNU GPL v2, 1991 * * See RFC2474 for a description of the DSCP field within the IP Header. * - * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp + * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp */ -#ifndef _XT_DSCP_TARGET_H -#define _XT_DSCP_TARGET_H -#include +#ifndef _XT_DSCP_H +#define _XT_DSCP_H + #include -/* target info */ -struct xt_DSCP_info { +#define XT_DSCP_MASK 0xfc /* 11111100 */ +#define XT_DSCP_SHIFT 2 +#define XT_DSCP_MAX 0x3f /* 00111111 */ + +/* match info */ +struct xt_dscp_info { __u8 dscp; + __u8 invert; }; -struct xt_tos_target_info { - __u8 tos_value; +struct xt_tos_match_info { __u8 tos_mask; + __u8 tos_value; + __u8 invert; }; -#endif /* _XT_DSCP_TARGET_H */ +#endif /* _XT_DSCP_H */ diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h index 41c456de..ecadc40d 100755 --- a/include/uapi/linux/netfilter/xt_MARK.h +++ b/include/uapi/linux/netfilter/xt_MARK.h @@ -1,6 +1,15 @@ -#ifndef _XT_MARK_H_target -#define _XT_MARK_H_target +#ifndef _XT_MARK_H +#define _XT_MARK_H -#include +#include -#endif /*_XT_MARK_H_target */ +struct xt_mark_tginfo2 { + __u32 mark, mask; +}; + +struct xt_mark_mtinfo1 { + __u32 mark, mask; + __u8 invert; +}; + +#endif /*_XT_MARK_H*/ diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h index 6605e20a..d40a6196 100755 --- a/include/uapi/linux/netfilter/xt_RATEEST.h +++ b/include/uapi/linux/netfilter/xt_RATEEST.h @@ -1,15 +1,37 @@ -#ifndef _XT_RATEEST_TARGET_H -#define _XT_RATEEST_TARGET_H +#ifndef _XT_RATEEST_MATCH_H +#define _XT_RATEEST_MATCH_H #include -struct xt_rateest_target_info { - char name[IFNAMSIZ]; - __s8 interval; - __u8 ewma_log; +enum xt_rateest_match_flags { + XT_RATEEST_MATCH_INVERT = 1<<0, + XT_RATEEST_MATCH_ABS = 1<<1, + XT_RATEEST_MATCH_REL = 1<<2, + XT_RATEEST_MATCH_DELTA = 1<<3, + XT_RATEEST_MATCH_BPS = 1<<4, + XT_RATEEST_MATCH_PPS = 1<<5, +}; + +enum xt_rateest_match_mode { + XT_RATEEST_MATCH_NONE, + XT_RATEEST_MATCH_EQ, + XT_RATEEST_MATCH_LT, + XT_RATEEST_MATCH_GT, +}; + +struct xt_rateest_match_info { + char name1[IFNAMSIZ]; + char name2[IFNAMSIZ]; + __u16 flags; + __u16 mode; + __u32 bps1; + __u32 pps1; + __u32 bps2; + __u32 pps2; /* Used internally by the kernel */ - struct xt_rateest *est __attribute__((aligned(8))); + struct xt_rateest *est1 __attribute__((aligned(8))); + struct xt_rateest *est2 __attribute__((aligned(8))); }; -#endif /* _XT_RATEEST_TARGET_H */ +#endif /* _XT_RATEEST_MATCH_H */ diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h index 9a6960af..fbac56b9 100755 --- a/include/uapi/linux/netfilter/xt_TCPMSS.h +++ b/include/uapi/linux/netfilter/xt_TCPMSS.h @@ -1,12 +1,11 @@ -#ifndef _XT_TCPMSS_H -#define _XT_TCPMSS_H +#ifndef _XT_TCPMSS_MATCH_H +#define _XT_TCPMSS_MATCH_H #include -struct xt_tcpmss_info { - __u16 mss; +struct xt_tcpmss_match_info { + __u16 mss_min, mss_max; + __u8 invert; }; -#define XT_TCPMSS_CLAMP_PMTU 0xffff - -#endif /* _XT_TCPMSS_H */ +#endif /*_XT_TCPMSS_MATCH_H*/ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h index bb88d531..0e0c063d 100755 --- a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h +++ b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h @@ -1,33 +1,15 @@ -/* Header file for iptables ipt_ECN target - * - * (C) 2002 by Harald Welte - * - * This software is distributed under GNU GPL v2, 1991 - * - * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp -*/ -#ifndef _IPT_ECN_TARGET_H -#define _IPT_ECN_TARGET_H - -#include -#include - -#define IPT_ECN_IP_MASK (~XT_DSCP_MASK) - -#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */ -#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */ -#define IPT_ECN_OP_SET_CWR 0x20 /* set CWR bit of TCP header */ - -#define IPT_ECN_OP_MASK 0xce - -struct ipt_ECN_info { - __u8 operation; /* bitset of operations */ - __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ - union { - struct { - __u8 ece:1, cwr:1; /* TCP ECT bits */ - } tcp; - } proto; +#ifndef _IPT_ECN_H +#define _IPT_ECN_H + +#include +#define ipt_ecn_info xt_ecn_info + +enum { + IPT_ECN_IP_MASK = XT_ECN_IP_MASK, + IPT_ECN_OP_MATCH_IP = XT_ECN_OP_MATCH_IP, + IPT_ECN_OP_MATCH_ECE = XT_ECN_OP_MATCH_ECE, + IPT_ECN_OP_MATCH_CWR = XT_ECN_OP_MATCH_CWR, + IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK, }; -#endif /* _IPT_ECN_TARGET_H */ +#endif /* IPT_ECN_H */ diff --git a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h index f6ac169d..37bee444 100755 --- a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h +++ b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h @@ -1,5 +1,5 @@ -/* TTL modification module for IP tables - * (C) 2000 by Harald Welte */ +/* IP tables module for matching the value of the TTL + * (C) 2000 by Harald Welte */ #ifndef _IPT_TTL_H #define _IPT_TTL_H @@ -7,14 +7,14 @@ #include enum { - IPT_TTL_SET = 0, - IPT_TTL_INC, - IPT_TTL_DEC + IPT_TTL_EQ = 0, /* equals */ + IPT_TTL_NE, /* not equals */ + IPT_TTL_LT, /* less than */ + IPT_TTL_GT, /* greater than */ }; -#define IPT_TTL_MAXMODE IPT_TTL_DEC -struct ipt_TTL_info { +struct ipt_ttl_info { __u8 mode; __u8 ttl; }; diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_HL.h b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h index ebd8ead1..6e76dbc6 100755 --- a/include/uapi/linux/netfilter_ipv6/ip6t_HL.h +++ b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h @@ -1,6 +1,6 @@ -/* Hop Limit modification module for ip6tables +/* ip6tables module for matching the Hop Limit value * Maciej Soltysiak - * Based on HW's TTL module */ + * Based on HW's ttl module */ #ifndef _IP6T_HL_H #define _IP6T_HL_H @@ -8,14 +8,14 @@ #include enum { - IP6T_HL_SET = 0, - IP6T_HL_INC, - IP6T_HL_DEC + IP6T_HL_EQ = 0, /* equals */ + IP6T_HL_NE, /* not equals */ + IP6T_HL_LT, /* less than */ + IP6T_HL_GT, /* greater than */ }; -#define IP6T_HL_MAXMODE IP6T_HL_DEC -struct ip6t_HL_info { +struct ip6t_hl_info { __u8 mode; __u8 hop_limit; }; diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c index ae827165..64670fc5 100755 --- a/net/netfilter/xt_DSCP.c +++ b/net/netfilter/xt_DSCP.c @@ -1,14 +1,11 @@ -/* x_tables module for setting the IPv4/IPv6 DSCP field, Version 1.8 +/* IP tables module for matching the value of the IPv4/IPv6 DSCP field * * (C) 2002 by Harald Welte - * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. - * - * See RFC2474 for a description of the DSCP field within the IP Header. -*/ + */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include #include @@ -17,148 +14,102 @@ #include #include -#include +#include MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification"); +MODULE_DESCRIPTION("Xtables: DSCP/TOS field match"); MODULE_LICENSE("GPL"); -MODULE_ALIAS("ipt_DSCP"); -MODULE_ALIAS("ip6t_DSCP"); -MODULE_ALIAS("ipt_TOS"); -MODULE_ALIAS("ip6t_TOS"); +MODULE_ALIAS("ipt_dscp"); +MODULE_ALIAS("ip6t_dscp"); +MODULE_ALIAS("ipt_tos"); +MODULE_ALIAS("ip6t_tos"); -static unsigned int -dscp_tg(struct sk_buff *skb, const struct xt_action_param *par) +static bool +dscp_mt(const struct sk_buff *skb, struct xt_action_param *par) { - const struct xt_DSCP_info *dinfo = par->targinfo; + const struct xt_dscp_info *info = par->matchinfo; u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT; - if (dscp != dinfo->dscp) { - if (!skb_make_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - - ipv4_change_dsfield(ip_hdr(skb), (__u8)(~XT_DSCP_MASK), - dinfo->dscp << XT_DSCP_SHIFT); - - } - return XT_CONTINUE; + return (dscp == info->dscp) ^ !!info->invert; } -static unsigned int -dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par) +static bool +dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par) { - const struct xt_DSCP_info *dinfo = par->targinfo; + const struct xt_dscp_info *info = par->matchinfo; u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT; - if (dscp != dinfo->dscp) { - if (!skb_make_writable(skb, sizeof(struct ipv6hdr))) - return NF_DROP; - - ipv6_change_dsfield(ipv6_hdr(skb), (__u8)(~XT_DSCP_MASK), - dinfo->dscp << XT_DSCP_SHIFT); - } - return XT_CONTINUE; + return (dscp == info->dscp) ^ !!info->invert; } -static int dscp_tg_check(const struct xt_tgchk_param *par) +static int dscp_mt_check(const struct xt_mtchk_param *par) { - const struct xt_DSCP_info *info = par->targinfo; + const struct xt_dscp_info *info = par->matchinfo; if (info->dscp > XT_DSCP_MAX) { pr_info("dscp %x out of range\n", info->dscp); return -EDOM; } - return 0; -} - -static unsigned int -tos_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_tos_target_info *info = par->targinfo; - struct iphdr *iph = ip_hdr(skb); - u_int8_t orig, nv; - - orig = ipv4_get_dsfield(iph); - nv = (orig & ~info->tos_mask) ^ info->tos_value; - - if (orig != nv) { - if (!skb_make_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - iph = ip_hdr(skb); - ipv4_change_dsfield(iph, 0, nv); - } - return XT_CONTINUE; + return 0; } -static unsigned int -tos_tg6(struct sk_buff *skb, const struct xt_action_param *par) +static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par) { - const struct xt_tos_target_info *info = par->targinfo; - struct ipv6hdr *iph = ipv6_hdr(skb); - u_int8_t orig, nv; - - orig = ipv6_get_dsfield(iph); - nv = (orig & ~info->tos_mask) ^ info->tos_value; - - if (orig != nv) { - if (!skb_make_writable(skb, sizeof(struct iphdr))) - return NF_DROP; - iph = ipv6_hdr(skb); - ipv6_change_dsfield(iph, 0, nv); - } - - return XT_CONTINUE; + const struct xt_tos_match_info *info = par->matchinfo; + + if (par->family == NFPROTO_IPV4) + return ((ip_hdr(skb)->tos & info->tos_mask) == + info->tos_value) ^ !!info->invert; + else + return ((ipv6_get_dsfield(ipv6_hdr(skb)) & info->tos_mask) == + info->tos_value) ^ !!info->invert; } -static struct xt_target dscp_tg_reg[] __read_mostly = { +static struct xt_match dscp_mt_reg[] __read_mostly = { { - .name = "DSCP", + .name = "dscp", .family = NFPROTO_IPV4, - .checkentry = dscp_tg_check, - .target = dscp_tg, - .targetsize = sizeof(struct xt_DSCP_info), - .table = "mangle", + .checkentry = dscp_mt_check, + .match = dscp_mt, + .matchsize = sizeof(struct xt_dscp_info), .me = THIS_MODULE, }, { - .name = "DSCP", + .name = "dscp", .family = NFPROTO_IPV6, - .checkentry = dscp_tg_check, - .target = dscp_tg6, - .targetsize = sizeof(struct xt_DSCP_info), - .table = "mangle", + .checkentry = dscp_mt_check, + .match = dscp_mt6, + .matchsize = sizeof(struct xt_dscp_info), .me = THIS_MODULE, }, { - .name = "TOS", + .name = "tos", .revision = 1, .family = NFPROTO_IPV4, - .table = "mangle", - .target = tos_tg, - .targetsize = sizeof(struct xt_tos_target_info), + .match = tos_mt, + .matchsize = sizeof(struct xt_tos_match_info), .me = THIS_MODULE, }, { - .name = "TOS", + .name = "tos", .revision = 1, .family = NFPROTO_IPV6, - .table = "mangle", - .target = tos_tg6, - .targetsize = sizeof(struct xt_tos_target_info), + .match = tos_mt, + .matchsize = sizeof(struct xt_tos_match_info), .me = THIS_MODULE, }, }; -static int __init dscp_tg_init(void) +static int __init dscp_mt_init(void) { - return xt_register_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); + return xt_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); } -static void __exit dscp_tg_exit(void) +static void __exit dscp_mt_exit(void) { - xt_unregister_targets(dscp_tg_reg, ARRAY_SIZE(dscp_tg_reg)); + xt_unregister_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg)); } -module_init(dscp_tg_init); -module_exit(dscp_tg_exit); +module_init(dscp_mt_init); +module_exit(dscp_mt_exit); diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c index 1535e87e..00395114 100755 --- a/net/netfilter/xt_HL.c +++ b/net/netfilter/xt_HL.c @@ -1,169 +1,96 @@ /* - * TTL modification target for IP tables - * (C) 2000,2005 by Harald Welte + * IP tables module for matching the value of the TTL + * (C) 2000,2001 by Harald Welte * - * Hop Limit modification target for ip6tables - * Maciej Soltysiak + * Hop Limit matching module + * (C) 2001-2002 Maciej Soltysiak * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include -#include + #include #include -#include +#include +#include #include -#include -#include +#include +#include -MODULE_AUTHOR("Harald Welte "); MODULE_AUTHOR("Maciej Soltysiak "); -MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target"); +MODULE_DESCRIPTION("Xtables: Hoplimit/TTL field match"); MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_ttl"); +MODULE_ALIAS("ip6t_hl"); -static unsigned int -ttl_tg(struct sk_buff *skb, const struct xt_action_param *par) +static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par) { - struct iphdr *iph; - const struct ipt_TTL_info *info = par->targinfo; - int new_ttl; - - if (!skb_make_writable(skb, skb->len)) - return NF_DROP; - - iph = ip_hdr(skb); + const struct ipt_ttl_info *info = par->matchinfo; + const u8 ttl = ip_hdr(skb)->ttl; switch (info->mode) { - case IPT_TTL_SET: - new_ttl = info->ttl; - break; - case IPT_TTL_INC: - new_ttl = iph->ttl + info->ttl; - if (new_ttl > 255) - new_ttl = 255; - break; - case IPT_TTL_DEC: - new_ttl = iph->ttl - info->ttl; - if (new_ttl < 0) - new_ttl = 0; - break; - default: - new_ttl = iph->ttl; - break; - } - - if (new_ttl != iph->ttl) { - csum_replace2(&iph->check, htons(iph->ttl << 8), - htons(new_ttl << 8)); - iph->ttl = new_ttl; + case IPT_TTL_EQ: + return ttl == info->ttl; + case IPT_TTL_NE: + return ttl != info->ttl; + case IPT_TTL_LT: + return ttl < info->ttl; + case IPT_TTL_GT: + return ttl > info->ttl; } - return XT_CONTINUE; + return false; } -static unsigned int -hl_tg6(struct sk_buff *skb, const struct xt_action_param *par) +static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par) { - struct ipv6hdr *ip6h; - const struct ip6t_HL_info *info = par->targinfo; - int new_hl; - - if (!skb_make_writable(skb, skb->len)) - return NF_DROP; - - ip6h = ipv6_hdr(skb); + const struct ip6t_hl_info *info = par->matchinfo; + const struct ipv6hdr *ip6h = ipv6_hdr(skb); switch (info->mode) { - case IP6T_HL_SET: - new_hl = info->hop_limit; - break; - case IP6T_HL_INC: - new_hl = ip6h->hop_limit + info->hop_limit; - if (new_hl > 255) - new_hl = 255; - break; - case IP6T_HL_DEC: - new_hl = ip6h->hop_limit - info->hop_limit; - if (new_hl < 0) - new_hl = 0; - break; - default: - new_hl = ip6h->hop_limit; - break; + case IP6T_HL_EQ: + return ip6h->hop_limit == info->hop_limit; + case IP6T_HL_NE: + return ip6h->hop_limit != info->hop_limit; + case IP6T_HL_LT: + return ip6h->hop_limit < info->hop_limit; + case IP6T_HL_GT: + return ip6h->hop_limit > info->hop_limit; } - ip6h->hop_limit = new_hl; - - return XT_CONTINUE; -} - -static int ttl_tg_check(const struct xt_tgchk_param *par) -{ - const struct ipt_TTL_info *info = par->targinfo; - - if (info->mode > IPT_TTL_MAXMODE) { - pr_info("TTL: invalid or unknown mode %u\n", info->mode); - return -EINVAL; - } - if (info->mode != IPT_TTL_SET && info->ttl == 0) - return -EINVAL; - return 0; -} - -static int hl_tg6_check(const struct xt_tgchk_param *par) -{ - const struct ip6t_HL_info *info = par->targinfo; - - if (info->mode > IP6T_HL_MAXMODE) { - pr_info("invalid or unknown mode %u\n", info->mode); - return -EINVAL; - } - if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { - pr_info("increment/decrement does not " - "make sense with value 0\n"); - return -EINVAL; - } - return 0; + return false; } -static struct xt_target hl_tg_reg[] __read_mostly = { +static struct xt_match hl_mt_reg[] __read_mostly = { { - .name = "TTL", + .name = "ttl", .revision = 0, .family = NFPROTO_IPV4, - .target = ttl_tg, - .targetsize = sizeof(struct ipt_TTL_info), - .table = "mangle", - .checkentry = ttl_tg_check, + .match = ttl_mt, + .matchsize = sizeof(struct ipt_ttl_info), .me = THIS_MODULE, }, { - .name = "HL", + .name = "hl", .revision = 0, .family = NFPROTO_IPV6, - .target = hl_tg6, - .targetsize = sizeof(struct ip6t_HL_info), - .table = "mangle", - .checkentry = hl_tg6_check, + .match = hl_mt6, + .matchsize = sizeof(struct ip6t_hl_info), .me = THIS_MODULE, }, }; -static int __init hl_tg_init(void) +static int __init hl_mt_init(void) { - return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); + return xt_register_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg)); } -static void __exit hl_tg_exit(void) +static void __exit hl_mt_exit(void) { - xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg)); + xt_unregister_matches(hl_mt_reg, ARRAY_SIZE(hl_mt_reg)); } -module_init(hl_tg_init); -module_exit(hl_tg_exit); -MODULE_ALIAS("ipt_TTL"); -MODULE_ALIAS("ip6t_HL"); +module_init(hl_mt_init); +module_exit(hl_mt_exit); diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index 370adf62..ed0db15a 100755 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c @@ -8,187 +8,150 @@ #include #include #include -#include -#include -#include -#include -#include -#include #include -#include +#include #include -static DEFINE_MUTEX(xt_rateest_mutex); -#define RATEEST_HSIZE 16 -static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly; -static unsigned int jhash_rnd __read_mostly; -static bool rnd_inited __read_mostly; - -static unsigned int xt_rateest_hash(const char *name) -{ - return jhash(name, FIELD_SIZEOF(struct xt_rateest, name), jhash_rnd) & - (RATEEST_HSIZE - 1); -} - -static void xt_rateest_hash_insert(struct xt_rateest *est) -{ - unsigned int h; - - h = xt_rateest_hash(est->name); - hlist_add_head(&est->list, &rateest_hash[h]); -} - -struct xt_rateest *xt_rateest_lookup(const char *name) +static bool +xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par) { - struct xt_rateest *est; - unsigned int h; - - h = xt_rateest_hash(name); - mutex_lock(&xt_rateest_mutex); - hlist_for_each_entry(est, &rateest_hash[h], list) { - if (strcmp(est->name, name) == 0) { - est->refcnt++; - mutex_unlock(&xt_rateest_mutex); - return est; + const struct xt_rateest_match_info *info = par->matchinfo; + struct gnet_stats_rate_est *r; + u_int32_t bps1, bps2, pps1, pps2; + bool ret = true; + + spin_lock_bh(&info->est1->lock); + r = &info->est1->rstats; + if (info->flags & XT_RATEEST_MATCH_DELTA) { + bps1 = info->bps1 >= r->bps ? info->bps1 - r->bps : 0; + pps1 = info->pps1 >= r->pps ? info->pps1 - r->pps : 0; + } else { + bps1 = r->bps; + pps1 = r->pps; + } + spin_unlock_bh(&info->est1->lock); + + if (info->flags & XT_RATEEST_MATCH_ABS) { + bps2 = info->bps2; + pps2 = info->pps2; + } else { + spin_lock_bh(&info->est2->lock); + r = &info->est2->rstats; + if (info->flags & XT_RATEEST_MATCH_DELTA) { + bps2 = info->bps2 >= r->bps ? info->bps2 - r->bps : 0; + pps2 = info->pps2 >= r->pps ? info->pps2 - r->pps : 0; + } else { + bps2 = r->bps; + pps2 = r->pps; } + spin_unlock_bh(&info->est2->lock); } - mutex_unlock(&xt_rateest_mutex); - return NULL; -} -EXPORT_SYMBOL_GPL(xt_rateest_lookup); -void xt_rateest_put(struct xt_rateest *est) -{ - mutex_lock(&xt_rateest_mutex); - if (--est->refcnt == 0) { - hlist_del(&est->list); - gen_kill_estimator(&est->bstats, &est->rstats); - /* - * gen_estimator est_timer() might access est->lock or bstats, - * wait a RCU grace period before freeing 'est' - */ - kfree_rcu(est, rcu); + switch (info->mode) { + case XT_RATEEST_MATCH_LT: + if (info->flags & XT_RATEEST_MATCH_BPS) + ret &= bps1 < bps2; + if (info->flags & XT_RATEEST_MATCH_PPS) + ret &= pps1 < pps2; + break; + case XT_RATEEST_MATCH_GT: + if (info->flags & XT_RATEEST_MATCH_BPS) + ret &= bps1 > bps2; + if (info->flags & XT_RATEEST_MATCH_PPS) + ret &= pps1 > pps2; + break; + case XT_RATEEST_MATCH_EQ: + if (info->flags & XT_RATEEST_MATCH_BPS) + ret &= bps1 == bps2; + if (info->flags & XT_RATEEST_MATCH_PPS) + ret &= pps1 == pps2; + break; } - mutex_unlock(&xt_rateest_mutex); -} -EXPORT_SYMBOL_GPL(xt_rateest_put); - -static unsigned int -xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - const struct xt_rateest_target_info *info = par->targinfo; - struct gnet_stats_basic_packed *stats = &info->est->bstats; - spin_lock_bh(&info->est->lock); - stats->bytes += skb->len; - stats->packets++; - spin_unlock_bh(&info->est->lock); - - return XT_CONTINUE; + ret ^= info->flags & XT_RATEEST_MATCH_INVERT ? true : false; + return ret; } -static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) +static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) { - struct xt_rateest_target_info *info = par->targinfo; - struct xt_rateest *est; - struct { - struct nlattr opt; - struct gnet_estimator est; - } cfg; - int ret; - - if (unlikely(!rnd_inited)) { - get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); - rnd_inited = true; - } + struct xt_rateest_match_info *info = par->matchinfo; + struct xt_rateest *est1, *est2; + int ret = -EINVAL; - est = xt_rateest_lookup(info->name); - if (est) { - /* - * If estimator parameters are specified, they must match the - * existing estimator. - */ - if ((!info->interval && !info->ewma_log) || - (info->interval != est->params.interval || - info->ewma_log != est->params.ewma_log)) { - xt_rateest_put(est); - return -EINVAL; - } - info->est = est; - return 0; - } + if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | + XT_RATEEST_MATCH_REL)) != 1) + goto err1; - ret = -ENOMEM; - est = kzalloc(sizeof(*est), GFP_KERNEL); - if (!est) + if (!(info->flags & (XT_RATEEST_MATCH_BPS | XT_RATEEST_MATCH_PPS))) goto err1; - strlcpy(est->name, info->name, sizeof(est->name)); - spin_lock_init(&est->lock); - est->refcnt = 1; - est->params.interval = info->interval; - est->params.ewma_log = info->ewma_log; + switch (info->mode) { + case XT_RATEEST_MATCH_EQ: + case XT_RATEEST_MATCH_LT: + case XT_RATEEST_MATCH_GT: + break; + default: + goto err1; + } - cfg.opt.nla_len = nla_attr_size(sizeof(cfg.est)); - cfg.opt.nla_type = TCA_STATS_RATE_EST; - cfg.est.interval = info->interval; - cfg.est.ewma_log = info->ewma_log; + ret = -ENOENT; + est1 = xt_rateest_lookup(info->name1); + if (!est1) + goto err1; - ret = gen_new_estimator(&est->bstats, &est->rstats, - &est->lock, &cfg.opt); - if (ret < 0) - goto err2; + est2 = NULL; + if (info->flags & XT_RATEEST_MATCH_REL) { + est2 = xt_rateest_lookup(info->name2); + if (!est2) + goto err2; + } - info->est = est; - xt_rateest_hash_insert(est); + info->est1 = est1; + info->est2 = est2; return 0; err2: - kfree(est); + xt_rateest_put(est1); err1: return ret; } -static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) +static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) { - struct xt_rateest_target_info *info = par->targinfo; + struct xt_rateest_match_info *info = par->matchinfo; - xt_rateest_put(info->est); + xt_rateest_put(info->est1); + if (info->est2) + xt_rateest_put(info->est2); } -static struct xt_target xt_rateest_tg_reg __read_mostly = { - .name = "RATEEST", +static struct xt_match xt_rateest_mt_reg __read_mostly = { + .name = "rateest", .revision = 0, .family = NFPROTO_UNSPEC, - .target = xt_rateest_tg, - .checkentry = xt_rateest_tg_checkentry, - .destroy = xt_rateest_tg_destroy, - .targetsize = sizeof(struct xt_rateest_target_info), + .match = xt_rateest_mt, + .checkentry = xt_rateest_mt_checkentry, + .destroy = xt_rateest_mt_destroy, + .matchsize = sizeof(struct xt_rateest_match_info), .me = THIS_MODULE, }; -static int __init xt_rateest_tg_init(void) +static int __init xt_rateest_mt_init(void) { - unsigned int i; - - for (i = 0; i < ARRAY_SIZE(rateest_hash); i++) - INIT_HLIST_HEAD(&rateest_hash[i]); - - return xt_register_target(&xt_rateest_tg_reg); + return xt_register_match(&xt_rateest_mt_reg); } -static void __exit xt_rateest_tg_fini(void) +static void __exit xt_rateest_mt_fini(void) { - xt_unregister_target(&xt_rateest_tg_reg); + xt_unregister_match(&xt_rateest_mt_reg); } - MODULE_AUTHOR("Patrick McHardy "); MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("Xtables: packet rate estimator"); -MODULE_ALIAS("ipt_RATEEST"); -MODULE_ALIAS("ip6t_RATEEST"); -module_init(xt_rateest_tg_init); -module_exit(xt_rateest_tg_fini); +MODULE_DESCRIPTION("xtables rate estimator match"); +MODULE_ALIAS("ipt_rateest"); +MODULE_ALIAS("ip6t_rateest"); +module_init(xt_rateest_mt_init); +module_exit(xt_rateest_mt_fini); diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 7011c716..c53d4d18 100755 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -1,336 +1,110 @@ -/* - * This is a module which is used for setting the MSS option in TCP packets. - * - * Copyright (C) 2000 Marc Boucher - * Copyright (C) 2007 Patrick McHardy +/* Kernel module to match TCP MSS values. */ + +/* Copyright (C) 2000 Marc Boucher + * Portions (C) 2005 by Harald Welte * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include #include -#include -#include -#include -#include -#include -#include -#include -#include #include +#include +#include + #include #include -#include -#include -#include MODULE_LICENSE("GPL"); MODULE_AUTHOR("Marc Boucher "); -MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment"); -MODULE_ALIAS("ipt_TCPMSS"); -MODULE_ALIAS("ip6t_TCPMSS"); - -static inline unsigned int -optlen(const u_int8_t *opt, unsigned int offset) -{ - /* Beware zero-length options: make finite progress */ - if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) - return 1; - else - return opt[offset+1]; -} +MODULE_DESCRIPTION("Xtables: TCP MSS match"); +MODULE_ALIAS("ipt_tcpmss"); +MODULE_ALIAS("ip6t_tcpmss"); -static int -tcpmss_mangle_packet(struct sk_buff *skb, - const struct xt_action_param *par, - unsigned int in_mtu, - unsigned int tcphoff, - unsigned int minlen) +static bool +tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) { - const struct xt_tcpmss_info *info = par->targinfo; - struct tcphdr *tcph; - unsigned int tcplen, i; - __be16 oldval; - u16 newmss; - u8 *opt; - - /* This is a fragment, no TCP header is available */ - if (par->fragoff != 0) - return XT_CONTINUE; - - if (!skb_make_writable(skb, skb->len)) - return -1; - - tcplen = skb->len - tcphoff; - tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); - - /* Header cannot be larger than the packet */ - if (tcplen < tcph->doff*4) - return -1; - - if (info->mss == XT_TCPMSS_CLAMP_PMTU) { - if (dst_mtu(skb_dst(skb)) <= minlen) { - net_err_ratelimited("unknown or invalid path-MTU (%u)\n", - dst_mtu(skb_dst(skb))); - return -1; + const struct xt_tcpmss_match_info *info = par->matchinfo; + const struct tcphdr *th; + struct tcphdr _tcph; + /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ + const u_int8_t *op; + u8 _opt[15 * 4 - sizeof(_tcph)]; + unsigned int i, optlen; + + /* If we don't have the whole header, drop packet. */ + th = skb_header_pointer(skb, par->thoff, sizeof(_tcph), &_tcph); + if (th == NULL) + goto dropit; + + /* Malformed. */ + if (th->doff*4 < sizeof(*th)) + goto dropit; + + optlen = th->doff*4 - sizeof(*th); + if (!optlen) + goto out; + + /* Truncated options. */ + op = skb_header_pointer(skb, par->thoff + sizeof(*th), optlen, _opt); + if (op == NULL) + goto dropit; + + for (i = 0; i < optlen; ) { + if (op[i] == TCPOPT_MSS + && (optlen - i) >= TCPOLEN_MSS + && op[i+1] == TCPOLEN_MSS) { + u_int16_t mssval; + + mssval = (op[i+2] << 8) | op[i+3]; + + return (mssval >= info->mss_min && + mssval <= info->mss_max) ^ info->invert; } - if (in_mtu <= minlen) { - net_err_ratelimited("unknown or invalid path-MTU (%u)\n", - in_mtu); - return -1; - } - newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen; - } else - newmss = info->mss; - - opt = (u_int8_t *)tcph; - for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) { - if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS && - opt[i+1] == TCPOLEN_MSS) { - u_int16_t oldmss; - - oldmss = (opt[i+2] << 8) | opt[i+3]; - - /* Never increase MSS, even when setting it, as - * doing so results in problems for hosts that rely - * on MSS being set correctly. - */ - if (oldmss <= newmss) - return 0; - - opt[i+2] = (newmss & 0xff00) >> 8; - opt[i+3] = newmss & 0x00ff; - - inet_proto_csum_replace2(&tcph->check, skb, - htons(oldmss), htons(newmss), - 0); - return 0; - } - } - - /* There is data after the header so the option can't be added - without moving it, and doing so may make the SYN packet - itself too large. Accept the packet unmodified instead. */ - if (tcplen > tcph->doff*4) - return 0; - - /* - * MSS Option not found ?! add it.. - */ - if (skb_tailroom(skb) < TCPOLEN_MSS) { - if (pskb_expand_head(skb, 0, - TCPOLEN_MSS - skb_tailroom(skb), - GFP_ATOMIC)) - return -1; - tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); - } - - skb_put(skb, TCPOLEN_MSS); - - /* - * IPv4: RFC 1122 states "If an MSS option is not received at - * connection setup, TCP MUST assume a default send MSS of 536". - * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum - * length IPv6 header of 60, ergo the default MSS value is 1220 - * Since no MSS was provided, we must use the default values - */ - if (par->family == NFPROTO_IPV4) - newmss = min(newmss, (u16)536); - else - newmss = min(newmss, (u16)1220); - - opt = (u_int8_t *)tcph + sizeof(struct tcphdr); - memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr)); - - inet_proto_csum_replace2(&tcph->check, skb, - htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1); - opt[0] = TCPOPT_MSS; - opt[1] = TCPOLEN_MSS; - opt[2] = (newmss & 0xff00) >> 8; - opt[3] = newmss & 0x00ff; - - inet_proto_csum_replace4(&tcph->check, skb, 0, *((__be32 *)opt), 0); - - oldval = ((__be16 *)tcph)[6]; - tcph->doff += TCPOLEN_MSS/4; - inet_proto_csum_replace2(&tcph->check, skb, - oldval, ((__be16 *)tcph)[6], 0); - return TCPOLEN_MSS; -} - -static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb, - unsigned int family) -{ - struct flowi fl; - const struct nf_afinfo *ai; - struct rtable *rt = NULL; - u_int32_t mtu = ~0U; - - if (family == PF_INET) { - struct flowi4 *fl4 = &fl.u.ip4; - memset(fl4, 0, sizeof(*fl4)); - fl4->daddr = ip_hdr(skb)->saddr; - } else { - struct flowi6 *fl6 = &fl.u.ip6; - - memset(fl6, 0, sizeof(*fl6)); - fl6->daddr = ipv6_hdr(skb)->saddr; - } - rcu_read_lock(); - ai = nf_get_afinfo(family); - if (ai != NULL) - ai->route(&init_net, (struct dst_entry **)&rt, &fl, false); - rcu_read_unlock(); - - if (rt != NULL) { - mtu = dst_mtu(&rt->dst); - dst_release(&rt->dst); - } - return mtu; -} - -static unsigned int -tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct iphdr *iph = ip_hdr(skb); - __be16 newlen; - int ret; - - ret = tcpmss_mangle_packet(skb, par, - tcpmss_reverse_mtu(skb, PF_INET), - iph->ihl * 4, - sizeof(*iph) + sizeof(struct tcphdr)); - if (ret < 0) - return NF_DROP; - if (ret > 0) { - iph = ip_hdr(skb); - newlen = htons(ntohs(iph->tot_len) + ret); - csum_replace2(&iph->check, iph->tot_len, newlen); - iph->tot_len = newlen; + if (op[i] < 2) + i++; + else + i += op[i+1] ? : 1; } - return XT_CONTINUE; -} - -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) -static unsigned int -tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par) -{ - struct ipv6hdr *ipv6h = ipv6_hdr(skb); - u8 nexthdr; - __be16 frag_off; - int tcphoff; - int ret; - - nexthdr = ipv6h->nexthdr; - tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr, &frag_off); - if (tcphoff < 0) - return NF_DROP; - ret = tcpmss_mangle_packet(skb, par, - tcpmss_reverse_mtu(skb, PF_INET6), - tcphoff, - sizeof(*ipv6h) + sizeof(struct tcphdr)); - if (ret < 0) - return NF_DROP; - if (ret > 0) { - ipv6h = ipv6_hdr(skb); - ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret); - } - return XT_CONTINUE; -} -#endif - -/* Must specify -p tcp --syn */ -static inline bool find_syn_match(const struct xt_entry_match *m) -{ - const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data; - - if (strcmp(m->u.kernel.match->name, "tcp") == 0 && - tcpinfo->flg_cmp & TCPHDR_SYN && - !(tcpinfo->invflags & XT_TCP_INV_FLAGS)) - return true; +out: + return info->invert; +dropit: + par->hotdrop = true; return false; } -static int tcpmss_tg4_check(const struct xt_tgchk_param *par) -{ - const struct xt_tcpmss_info *info = par->targinfo; - const struct ipt_entry *e = par->entryinfo; - const struct xt_entry_match *ematch; - - if (info->mss == XT_TCPMSS_CLAMP_PMTU && - (par->hook_mask & ~((1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT) | - (1 << NF_INET_POST_ROUTING))) != 0) { - pr_info("path-MTU clamping only supported in " - "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return -EINVAL; - } - xt_ematch_foreach(ematch, e) - if (find_syn_match(ematch)) - return 0; - pr_info("Only works on TCP SYN packets\n"); - return -EINVAL; -} - -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) -static int tcpmss_tg6_check(const struct xt_tgchk_param *par) -{ - const struct xt_tcpmss_info *info = par->targinfo; - const struct ip6t_entry *e = par->entryinfo; - const struct xt_entry_match *ematch; - - if (info->mss == XT_TCPMSS_CLAMP_PMTU && - (par->hook_mask & ~((1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT) | - (1 << NF_INET_POST_ROUTING))) != 0) { - pr_info("path-MTU clamping only supported in " - "FORWARD, OUTPUT and POSTROUTING hooks\n"); - return -EINVAL; - } - xt_ematch_foreach(ematch, e) - if (find_syn_match(ematch)) - return 0; - pr_info("Only works on TCP SYN packets\n"); - return -EINVAL; -} -#endif - -static struct xt_target tcpmss_tg_reg[] __read_mostly = { +static struct xt_match tcpmss_mt_reg[] __read_mostly = { { + .name = "tcpmss", .family = NFPROTO_IPV4, - .name = "TCPMSS", - .checkentry = tcpmss_tg4_check, - .target = tcpmss_tg4, - .targetsize = sizeof(struct xt_tcpmss_info), + .match = tcpmss_mt, + .matchsize = sizeof(struct xt_tcpmss_match_info), .proto = IPPROTO_TCP, .me = THIS_MODULE, }, -#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) { + .name = "tcpmss", .family = NFPROTO_IPV6, - .name = "TCPMSS", - .checkentry = tcpmss_tg6_check, - .target = tcpmss_tg6, - .targetsize = sizeof(struct xt_tcpmss_info), + .match = tcpmss_mt, + .matchsize = sizeof(struct xt_tcpmss_match_info), .proto = IPPROTO_TCP, .me = THIS_MODULE, }, -#endif }; -static int __init tcpmss_tg_init(void) +static int __init tcpmss_mt_init(void) { - return xt_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); + return xt_register_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); } -static void __exit tcpmss_tg_exit(void) +static void __exit tcpmss_mt_exit(void) { - xt_unregister_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg)); + xt_unregister_matches(tcpmss_mt_reg, ARRAY_SIZE(tcpmss_mt_reg)); } -module_init(tcpmss_tg_init); -module_exit(tcpmss_tg_exit); +module_init(tcpmss_mt_init); +module_exit(tcpmss_mt_exit); From 2574f29824175e9df2246c65b1dd3eaecf5f4cf1 Mon Sep 17 00:00:00 2001 From: ranon rat <66473662+ranon-rat@users.noreply.github.com> Date: Sun, 7 Feb 2021 16:02:28 -0600 Subject: [PATCH 2/2] new dosc --- Documentation/{android.txt => android.md} | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) rename Documentation/{android.txt => android.md} (96%) diff --git a/Documentation/android.txt b/Documentation/android.md similarity index 96% rename from Documentation/android.txt rename to Documentation/android.md index 35236075..da77c9ad 100755 --- a/Documentation/android.txt +++ b/Documentation/android.md @@ -1,6 +1,6 @@ - ============= - A N D R O I D - ============= + +# A N D R O I D + Copyright (C) 2009 Google, Inc. Written by Mike Chan @@ -16,7 +16,8 @@ CONTENTS: 1. Android -========== + +------------- Android (www.android.com) is an open source operating system for mobile devices. This document describes configurations needed to run the Android framework on @@ -33,7 +34,7 @@ After building a standard defconfig, ensure that these options are enabled in your .config or defconfig if they are not already. Based off the msm_defconfig. You should keep the rest of the default options enabled in the defconfig unless you know what you are doing. - +``` ANDROID_PARANOID_NETWORK ASHMEM CONFIG_FB_MODE_HELPERS @@ -81,16 +82,18 @@ YAFFS_AUTO_YAFFS2 YAFFS_FS YAFFS_YAFFS1 YAFFS_YAFFS2 - +``` 1.2 Required disabled config options ------------------------------------ +``` CONFIG_YAFFS_DISABLE_LAZY_LOAD DNOTIFY - +``` 1.3 Recommended enabled config options ------------------------------ +``` ANDROID_PMEM PSTORE_CONSOLE PSTORE_RAM @@ -111,10 +114,9 @@ I2C_BOARDINFO LOG_BUF_SHIFT=17 SERIAL_CORE SERIAL_CORE_CONSOLE - - +``` 2. Contact -========== +------------- website: http://android.git.kernel.org mailing-lists: android-kernel@googlegroups.com