From: Felix Fietkau Date: Thu, 9 Apr 2009 19:43:24 +0000 (+0000) Subject: netfilter: merge some fixes from upstream X-Git-Tag: reboot~24000 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=e4f90e7fa67ed2ffd1ebad5a045df5d36f5ced8d;p=openwrt%2Fstaging%2Flynxis.git netfilter: merge some fixes from upstream SVN-Revision: 15178 --- diff --git a/target/linux/generic-2.6/patches-2.6.28/120-netfilter_upstream_fixes.patch b/target/linux/generic-2.6/patches-2.6.28/120-netfilter_upstream_fixes.patch new file mode 100644 index 0000000000..7f2424d9d9 --- /dev/null +++ b/target/linux/generic-2.6/patches-2.6.28/120-netfilter_upstream_fixes.patch @@ -0,0 +1,100 @@ +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -374,7 +374,9 @@ static int mark_source_chains(struct xt_ + && unconditional(&e->arp)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ ARPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -74,6 +74,25 @@ do { \ + + Hence the start of any table is given by get_table() below. */ + ++static unsigned long ifname_compare(const char *_a, const char *_b, ++ const unsigned char *_mask) ++{ ++ const unsigned long *a = (const unsigned long *)_a; ++ const unsigned long *b = (const unsigned long *)_b; ++ const unsigned long *mask = (const unsigned long *)_mask; ++ unsigned long ret; ++ ++ ret = (a[0] ^ b[0]) & mask[0]; ++ if (IFNAMSIZ > sizeof(unsigned long)) ++ ret |= (a[1] ^ b[1]) & mask[1]; ++ if (IFNAMSIZ > 2 * sizeof(unsigned long)) ++ ret |= (a[2] ^ b[2]) & mask[2]; ++ if (IFNAMSIZ > 3 * sizeof(unsigned long)) ++ ret |= (a[3] ^ b[3]) & mask[3]; ++ BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long)); ++ return ret; ++} ++ + /* Returns whether matches rule or not. */ + /* Performance critical - called for every packet */ + static inline bool +@@ -83,7 +102,6 @@ ip_packet_match(const struct iphdr *ip, + const struct ipt_ip *ipinfo, + int isfrag) + { +- size_t i; + unsigned long ret; + + #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) +@@ -110,12 +128,7 @@ ip_packet_match(const struct iphdr *ip, + return false; + } + +- /* Look for ifname matches; this should unroll nicely. */ +- for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { +- ret |= (((const unsigned long *)indev)[i] +- ^ ((const unsigned long *)ipinfo->iniface)[i]) +- & ((const unsigned long *)ipinfo->iniface_mask)[i]; +- } ++ ret = ifname_compare(indev, ipinfo->iniface, ipinfo->iniface_mask); + + if (FWINV(ret != 0, IPT_INV_VIA_IN)) { + dprintf("VIA in mismatch (%s vs %s).%s\n", +@@ -124,11 +137,7 @@ ip_packet_match(const struct iphdr *ip, + return false; + } + +- for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { +- ret |= (((const unsigned long *)outdev)[i] +- ^ ((const unsigned long *)ipinfo->outiface)[i]) +- & ((const unsigned long *)ipinfo->outiface_mask)[i]; +- } ++ ret = ifname_compare(outdev, ipinfo->outiface, ipinfo->outiface_mask); + + if (FWINV(ret != 0, IPT_INV_VIA_OUT)) { + dprintf("VIA out mismatch (%s vs %s).%s\n", +@@ -523,7 +532,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ip)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IPT_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict); +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -525,7 +525,9 @@ mark_source_chains(struct xt_table_info + && unconditional(&e->ipv6)) || visited) { + unsigned int oldpos, size; + +- if (t->verdict < -NF_MAX_VERDICT - 1) { ++ if ((strcmp(t->target.u.user.name, ++ IP6T_STANDARD_TARGET) == 0) && ++ t->verdict < -NF_MAX_VERDICT - 1) { + duprintf("mark_source_chains: bad " + "negative verdict (%i)\n", + t->verdict);