- patches.apparmor/remove_suid_new_case_in_2.6.22.diff: Merge fix.

[linux-flexiantxendom0-3.2.10.git] / net / netfilter / xt_conntrack.c

diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 2885c37..189ded5 100644 (file)
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -10,121 +10,15 @@
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
-
-#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#else
-#include <net/netfilter/nf_conntrack.h>
-#endif
-
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_conntrack.h>
-#include <net/netfilter/nf_conntrack_compat.h>
+#include <net/netfilter/nf_conntrack.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("iptables connection tracking match module");
 MODULE_ALIAS("ipt_conntrack");
 
-#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-{
-       const struct xt_conntrack_info *sinfo = matchinfo;
-       struct ip_conntrack *ct;
-       enum ip_conntrack_info ctinfo;
-       unsigned int statebit;
-
-       ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
-
-#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & invflg))
-
-       if (ct == &ip_conntrack_untracked)
-               statebit = XT_CONNTRACK_STATE_UNTRACKED;
-       else if (ct)
-               statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
-       else
-               statebit = XT_CONNTRACK_STATE_INVALID;
-
-       if (sinfo->flags & XT_CONNTRACK_STATE) {
-               if (ct) {
-                       if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
-                               statebit |= XT_CONNTRACK_STATE_SNAT;
-                       if (test_bit(IPS_DST_NAT_BIT, &ct->status))
-                               statebit |= XT_CONNTRACK_STATE_DNAT;
-               }
-               if (FWINV((statebit & sinfo->statemask) == 0,
-                         XT_CONNTRACK_STATE))
-                       return 0;
-       }
-
-       if (ct == NULL) {
-               if (sinfo->flags & ~XT_CONNTRACK_STATE)
-                       return 0;
-               return 1;
-       }
-
-       if (sinfo->flags & XT_CONNTRACK_PROTO &&
-           FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
-                 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
-                 XT_CONNTRACK_PROTO))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
-           FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip &
-                  sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-                 sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
-                 XT_CONNTRACK_ORIGSRC))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
-           FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip &
-                  sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-                 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
-                 XT_CONNTRACK_ORIGDST))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
-           FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip &
-                  sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
-                 sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
-                 XT_CONNTRACK_REPLSRC))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_REPLDST &&
-           FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip &
-                  sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
-                 sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
-                 XT_CONNTRACK_REPLDST))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_STATUS &&
-           FWINV((ct->status & sinfo->statusmask) == 0,
-                 XT_CONNTRACK_STATUS))
-               return 0;
-
-       if (sinfo->flags & XT_CONNTRACK_EXPIRES) {
-               unsigned long expires = timer_pending(&ct->timeout) ?
-                                       (ct->timeout.expires - jiffies)/HZ : 0;
-
-               if (FWINV(!(expires >= sinfo->expires_min &&
-                           expires <= sinfo->expires_max),
-                         XT_CONNTRACK_EXPIRES))
-                       return 0;
-       }
-       return 1;
-}
-
-#else /* CONFIG_IP_NF_CONNTRACK */
 static int
 match(const struct sk_buff *skb,
       const struct net_device *in,
@@ -220,8 +114,6 @@ match(const struct sk_buff *skb,
        return 1;
 }
 
-#endif /* CONFIG_NF_IP_CONNTRACK */
-
 static int
 checkentry(const char *tablename,
           const void *ip,
@@ -242,12 +134,66 @@ static void destroy(const struct xt_match *match, void *matchinfo)
        nf_ct_l3proto_module_put(match->family);
 }
 
+#ifdef CONFIG_COMPAT
+struct compat_xt_conntrack_info
+{
+       compat_uint_t                   statemask;
+       compat_uint_t                   statusmask;
+       struct ip_conntrack_old_tuple   tuple[IP_CT_DIR_MAX];
+       struct in_addr                  sipmsk[IP_CT_DIR_MAX];
+       struct in_addr                  dipmsk[IP_CT_DIR_MAX];
+       compat_ulong_t                  expires_min;
+       compat_ulong_t                  expires_max;
+       u_int8_t                        flags;
+       u_int8_t                        invflags;
+};
+
+static void compat_from_user(void *dst, void *src)
+{
+       struct compat_xt_conntrack_info *cm = src;
+       struct xt_conntrack_info m = {
+               .statemask      = cm->statemask,
+               .statusmask     = cm->statusmask,
+               .expires_min    = cm->expires_min,
+               .expires_max    = cm->expires_max,
+               .flags          = cm->flags,
+               .invflags       = cm->invflags,
+       };
+       memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
+       memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
+       memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
+       memcpy(dst, &m, sizeof(m));
+}
+
+static int compat_to_user(void __user *dst, void *src)
+{
+       struct xt_conntrack_info *m = src;
+       struct compat_xt_conntrack_info cm = {
+               .statemask      = m->statemask,
+               .statusmask     = m->statusmask,
+               .expires_min    = m->expires_min,
+               .expires_max    = m->expires_max,
+               .flags          = m->flags,
+               .invflags       = m->invflags,
+       };
+       memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
+       memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
+       memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
+       return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
+}
+#endif
+
 static struct xt_match conntrack_match = {
        .name           = "conntrack",
        .match          = match,
        .checkentry     = checkentry,
        .destroy        = destroy,
        .matchsize      = sizeof(struct xt_conntrack_info),
+#ifdef CONFIG_COMPAT
+       .compatsize     = sizeof(struct compat_xt_conntrack_info),
+       .compat_from_user = compat_from_user,
+       .compat_to_user = compat_to_user,
+#endif
        .family         = AF_INET,
        .me             = THIS_MODULE,
 };