diff options
author | John Crispin <john@phrozen.org> | 2016-12-25 20:11:34 +0100 |
---|---|---|
committer | John Crispin <john@phrozen.org> | 2017-08-05 08:46:36 +0200 |
commit | 74d00a8c3849c1340efd713eb94b786e304c201f (patch) | |
tree | de481743de61c34da96ab5f9dba3af3edcfb8260 /target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch | |
parent | de350550ef648d9728351b986b0516fa29465c45 (diff) | |
download | upstream-74d00a8c3849c1340efd713eb94b786e304c201f.tar.gz upstream-74d00a8c3849c1340efd713eb94b786e304c201f.tar.bz2 upstream-74d00a8c3849c1340efd713eb94b786e304c201f.zip |
kernel: split patches folder up into backport, pending and hack folders
* properly format/comment all patches
* merge debloat patches
* merge Kconfig patches
* merge swconfig patches
* merge hotplug patches
* drop 200-fix_localversion.patch - upstream
* drop 222-arm_zimage_none.patch - unused
* drop 252-mv_cesa_depends.patch - no longer required
* drop 410-mtd-move-forward-declaration-of-struct-mtd_info.patch - unused
* drop 661-fq_codel_keep_dropped_stats.patch - outdated
* drop 702-phy_add_aneg_done_function.patch - upstream
* drop 840-rtc7301.patch - unused
* drop 841-rtc_pt7c4338.patch - upstream
* drop 921-use_preinit_as_init.patch - unused
* drop spio-gpio-old and gpio-mmc - unused
Signed-off-by: John Crispin <john@phrozen.org>
Diffstat (limited to 'target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch')
-rw-r--r-- | target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch b/target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch new file mode 100644 index 0000000000..1c565198b4 --- /dev/null +++ b/target/linux/generic/pending-4.4/611-netfilter_match_bypass_default_table.patch @@ -0,0 +1,111 @@ +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -308,6 +308,33 @@ struct ipt_entry *ipt_next_entry(const s + return (void *)entry + entry->next_offset; + } + ++static bool ++ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict) ++{ ++ struct xt_entry_target *t; ++ struct xt_standard_target *st; ++ ++ if (e->target_offset != sizeof(struct ipt_entry)) ++ return false; ++ ++ if (!(e->ip.flags & IPT_F_NO_DEF_MATCH)) ++ return false; ++ ++ t = ipt_get_target(e); ++ if (t->u.kernel.target->target) ++ return false; ++ ++ st = (struct xt_standard_target *) t; ++ if (st->verdict == XT_RETURN) ++ return false; ++ ++ if (st->verdict >= 0) ++ return false; ++ ++ *verdict = (unsigned)(-st->verdict) - 1; ++ return true; ++} ++ + /* Returns one of the generic firewall policies, like NF_ACCEPT. */ + unsigned int + ipt_do_table(struct sk_buff *skb, +@@ -328,28 +355,8 @@ ipt_do_table(struct sk_buff *skb, + unsigned int addend; + + /* Initialization */ +- stackidx = 0; +- ip = ip_hdr(skb); +- indev = state->in ? state->in->name : nulldevname; +- outdev = state->out ? state->out->name : nulldevname; +- /* We handle fragments by dealing with the first fragment as +- * if it was a normal packet. All other fragments are treated +- * normally, except that they will NEVER match rules that ask +- * things we don't know, ie. tcp syn flag or ports). If the +- * rule is also a fragment-specific rule, non-fragments won't +- * match it. */ +- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; +- acpar.thoff = ip_hdrlen(skb); +- acpar.hotdrop = false; +- acpar.net = state->net; +- acpar.in = state->in; +- acpar.out = state->out; +- acpar.family = NFPROTO_IPV4; +- acpar.hooknum = hook; +- + IP_NF_ASSERT(table->valid_hooks & (1 << hook)); + local_bh_disable(); +- addend = xt_write_recseq_begin(); + private = table->private; + cpu = smp_processor_id(); + /* +@@ -358,6 +365,23 @@ ipt_do_table(struct sk_buff *skb, + */ + smp_read_barrier_depends(); + table_base = private->entries; ++ ++ e = get_entry(table_base, private->hook_entry[hook]); ++ if (ipt_handle_default_rule(e, &verdict)) { ++ struct xt_counters *counter; ++ ++ counter = xt_get_this_cpu_counter(&e->counters); ++ ADD_COUNTER(*counter, skb->len, 1); ++ local_bh_enable(); ++ return verdict; ++ } ++ ++ stackidx = 0; ++ ip = ip_hdr(skb); ++ indev = state->in ? state->in->name : nulldevname; ++ outdev = state->out ? state->out->name : nulldevname; ++ ++ addend = xt_write_recseq_begin(); + jumpstack = (struct ipt_entry **)private->jumpstack[cpu]; + + /* Switch to alternate jumpstack if we're being invoked via TEE. +@@ -370,7 +394,20 @@ ipt_do_table(struct sk_buff *skb, + if (static_key_false(&xt_tee_enabled)) + jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated); + +- e = get_entry(table_base, private->hook_entry[hook]); ++ /* We handle fragments by dealing with the first fragment as ++ * if it was a normal packet. All other fragments are treated ++ * normally, except that they will NEVER match rules that ask ++ * things we don't know, ie. tcp syn flag or ports). If the ++ * rule is also a fragment-specific rule, non-fragments won't ++ * match it. */ ++ acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET; ++ acpar.thoff = ip_hdrlen(skb); ++ acpar.hotdrop = false; ++ acpar.net = state->net; ++ acpar.in = state->in; ++ acpar.out = state->out; ++ acpar.family = NFPROTO_IPV4; ++ acpar.hooknum = hook; + + pr_debug("Entering %s(hook %u), UF %p\n", + table->name, hook, |