author | Felix Fietkau <nbd@openwrt.org> | 2011-08-06 12:39:31 +0000 |
committer | Felix Fietkau <nbd@openwrt.org> | 2011-08-06 12:39:31 +0000 |
commit | 03ef679b98b1c91c284af80019c0f266b943f0c1 (patch) | |
tree | 7c63f722b1fcb6f396384be5599dd67bfe7febfd /target/linux/generic/patches-2.6.39 | |
parent | 7130952b436e2944d4297e3aba54a745cea8376d (diff) | |
kernel: add missing checks in the netfilter optimization patch which broke some rules containing only source/destination address checks
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27923 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/generic/patches-2.6.39')
-rw-r--r-- | target/linux/generic/patches-2.6.39/610-netfilter_match_bypass_default_checks.patch | 13 | ||||
-rw-r--r-- | target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch | 6 |
2 files changed, 11 insertions, 8 deletions
diff --git a/target/linux/generic/patches-2.6.39/610-netfilter_match_bypass_default_checks.patch b/target/linux/generic/patches-2.6.39/610-netfilter_match_bypass_default_checks.patch
index ac0fd151cd..98c28c7433 100644
--- a/target/linux/generic/patches-2.6.39/610-netfilter_match_bypass_default_checks.patch
+++ b/target/linux/generic/patches-2.6.39/610-netfilter_match_bypass_default_checks.patch
@@ -20,7 +20,7 @@
  	if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
  		  IPT_INV_SRCIP) ||
  	    FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
-@@ -143,6 +146,26 @@ ip_packet_match(const struct iphdr *ip,
+@@ -143,6 +146,29 @@ ip_packet_match(const struct iphdr *ip,
  	return true;
  }
  
@@ -38,6 +38,9 @@
 +	if (memcmp(ip->outiface_mask, iface_mask, IFNAMSIZ) != 0)
 +		return;
 +
++	if (ip->smsk.s_addr || ip->dmsk.s_addr)
++		return;
++
 +	if (ip->proto)
 +		return;
 +
@@ -47,7 +50,7 @@
  static bool
  ip_checkentry(const struct ipt_ip *ip)
  {
-@@ -566,7 +589,7 @@ static void cleanup_match(struct xt_entr
+@@ -566,7 +592,7 @@ static void cleanup_match(struct xt_entr
  }
  
  static int
@@ -56,7 +59,7 @@
  {
  	const struct xt_entry_target *t;
  
-@@ -575,6 +598,8 @@ check_entry(const struct ipt_entry *e, c
+@@ -575,6 +601,8 @@ check_entry(const struct ipt_entry *e, c
  		return -EINVAL;
  	}
  
@@ -65,7 +68,7 @@
  	if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
  		return -EINVAL;
  
-@@ -936,6 +961,7 @@ copy_entries_to_user(unsigned int total_
+@@ -936,6 +964,7 @@ copy_entries_to_user(unsigned int total_
  	const struct xt_table_info *private = table->private;
  	int ret = 0;
  	const void *loc_cpu_entry;
@@ -73,7 +76,7 @@
  
  	counters = alloc_counters(table);
  	if (IS_ERR(counters))
-@@ -967,6 +993,14 @@ copy_entries_to_user(unsigned int total_
+@@ -967,6 +996,14 @@ copy_entries_to_user(unsigned int total_
  		goto free_counters;
  	}
  
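Review bot: The new `if (ip->smsk.s_addr || ip->dmsk.s_addr) return;` in the @@ -38,6 +38,9 @@ hunk keys only on the mask, but a rule with a zero mask and `IPT_INV_SRCIP`/`IPT_INV_DSTIP` set is a never-match in `ip_packet_match` (the FWINV compare is inverted, as the @@ -20 context shows), so the default-match bypass must also refuse any `ip->invflags` and `ip->flags & IPT_F_FRAG`; the function's opening lines and the line that sets the bypass flag are outside this hunk, so confirm those rejects are already there before the new check. `struct ipt_ip` arrives from userspace through the set-entries path, so the bypass bit should be cleared and recomputed by this function rather than inherited from the supplied `ip->flags`; if the `check_entry` call site (its signature changes in the @@ -47/@@ -56 hunks but the call is not shown) does not clear it first, a caller could pre-mark an arbitrary rule as default-match. A short why-comment above the added lines would make the invariant explicit: `/* a non-zero mask makes the src/dst compare in ip_packet_match live */`.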
diff --git a/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch b/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch
index f2004a6b12..0ea58c95d9 100644
--- a/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch
+++ b/target/linux/generic/patches-2.6.39/611-netfilter_match_bypass_default_table.patch
@@ -1,6 +1,6 @@
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
-@@ -316,6 +316,33 @@ struct ipt_entry *ipt_next_entry(const s
+@@ -319,6 +319,33 @@ struct ipt_entry *ipt_next_entry(const s
  	return (void *)entry + entry->next_offset;
  }
  
@@ -34,7 +34,7 @@
  /* Returns one of the generic firewall policies, like NF_ACCEPT. */
  unsigned int
  ipt_do_table(struct sk_buff *skb,
-@@ -339,6 +366,23 @@ ipt_do_table(struct sk_buff *skb,
+@@ -342,6 +369,23 @@ ipt_do_table(struct sk_buff *skb,
  	ip = ip_hdr(skb);
  	indev = in ? in->name : nulldevname;
  	outdev = out ? out->name : nulldevname;
@@ -58,7 +58,7 @@
  	/* We handle fragments by dealing with the first fragment as
  	 * if it was a normal packet. All other fragments are treated
  	 * normally, except that they will NEVER match rules that ask
-@@ -353,17 +397,6 @@ ipt_do_table(struct sk_buff *skb,
+@@ -356,17 +400,6 @@ ipt_do_table(struct sk_buff *skb,
  	acpar.family = NFPROTO_IPV4;
  	acpar.hooknum = hook;
  