Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== pull request: Netfilter/IPVS fixes for net The following patchset contains seven Netfilter fixes for your net tree, they are: 1) Make the NAT infrastructure independent of x_tables, some users are already starting to test nf_tables with NAT without enabling x_tables. Without this patch for Kconfig, there's a superfluous dependency between NAT and x_tables. 2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL with no good reason. From Daniel Borkmann. 3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also resolves another NAT dependency with x_tables. 4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook code as elsewhere in the kernel to resolve toolchain problems, from Zhouyi Zhou. 5) Use iptunnel_handle_offloads() to set up tunnel encapsulation depending on the offload capabilities, reported by Alex Gartrell patch from Julian Anastasov. 6) Fix wrong family when registering the ip_vs_local_reply6() hook, also from Julian. 7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał Miłecki reported that when jumping from 3.16 to 3.17-rc, his log target is not selected anymore due to changes in the previous development cycle to accommodate the full logging support for nf_tables. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>hifive-unleashed-5.1
commit
abccc5878a
|
@ -9,6 +9,7 @@
|
||||||
#include <linux/in6.h>
|
#include <linux/in6.h>
|
||||||
#include <linux/wait.h>
|
#include <linux/wait.h>
|
||||||
#include <linux/list.h>
|
#include <linux/list.h>
|
||||||
|
#include <linux/static_key.h>
|
||||||
#include <uapi/linux/netfilter.h>
|
#include <uapi/linux/netfilter.h>
|
||||||
#ifdef CONFIG_NETFILTER
|
#ifdef CONFIG_NETFILTER
|
||||||
static inline int NF_DROP_GETERR(int verdict)
|
static inline int NF_DROP_GETERR(int verdict)
|
||||||
|
@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
|
||||||
|
|
||||||
extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||||
|
|
||||||
#if defined(CONFIG_JUMP_LABEL)
|
#ifdef HAVE_JUMP_LABEL
|
||||||
#include <linux/static_key.h>
|
|
||||||
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||||
|
|
||||||
static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
|
static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
|
||||||
{
|
{
|
||||||
if (__builtin_constant_p(pf) &&
|
if (__builtin_constant_p(pf) &&
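Review bot: The `#ifdef HAVE_JUMP_LABEL` test in the second hunk only works if the header that defines that macro has already been included, which appears to be why `#include <linux/static_key.h>` moves to the top of the file in the first hunk; nothing on the new side says so. Unlike a `CONFIG_` symbol, an undefined `HAVE_JUMP_LABEL` makes the guarded block drop out silently, so a later include reshuffle would presumably disable the static-key path without any build error. I would add a comment on the include, e.g. `/* must precede the HAVE_JUMP_LABEL tests below */`. The same macro guards the definition of `nf_hooks_needed` and the `static_key_slow_inc()`/`static_key_slow_dec()` calls in the hook-registration hunks further down the page, and the header and that source file must agree on it. The body of `nf_hooks_active()` continues outside the hunk.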
|
||||||
|
|
|
@ -82,6 +82,52 @@ config NF_TABLES_ARP
|
||||||
help
|
help
|
||||||
This option enables the ARP support for nf_tables.
|
This option enables the ARP support for nf_tables.
|
||||||
|
|
||||||
|
config NF_NAT_IPV4
|
||||||
|
tristate "IPv4 NAT"
|
||||||
|
depends on NF_CONNTRACK_IPV4
|
||||||
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select NF_NAT
|
||||||
|
help
|
||||||
|
The IPv4 NAT option allows masquerading, port forwarding and other
|
||||||
|
forms of full Network Address Port Translation. This can be
|
||||||
|
controlled by iptables or nft.
|
||||||
|
|
||||||
|
if NF_NAT_IPV4
|
||||||
|
|
||||||
|
config NF_NAT_SNMP_BASIC
|
||||||
|
tristate "Basic SNMP-ALG support"
|
||||||
|
depends on NF_CONNTRACK_SNMP
|
||||||
|
depends on NETFILTER_ADVANCED
|
||||||
|
default NF_NAT && NF_CONNTRACK_SNMP
|
||||||
|
---help---
|
||||||
|
|
||||||
|
This module implements an Application Layer Gateway (ALG) for
|
||||||
|
SNMP payloads. In conjunction with NAT, it allows a network
|
||||||
|
management system to access multiple private networks with
|
||||||
|
conflicting addresses. It works by modifying IP addresses
|
||||||
|
inside SNMP payloads to match IP-layer NAT mapping.
|
||||||
|
|
||||||
|
This is the "basic" form of SNMP-ALG, as described in RFC 2962
|
||||||
|
|
||||||
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
|
config NF_NAT_PROTO_GRE
|
||||||
|
tristate
|
||||||
|
depends on NF_CT_PROTO_GRE
|
||||||
|
|
||||||
|
config NF_NAT_PPTP
|
||||||
|
tristate
|
||||||
|
depends on NF_CONNTRACK
|
||||||
|
default NF_CONNTRACK_PPTP
|
||||||
|
select NF_NAT_PROTO_GRE
|
||||||
|
|
||||||
|
config NF_NAT_H323
|
||||||
|
tristate
|
||||||
|
depends on NF_CONNTRACK
|
||||||
|
default NF_CONNTRACK_H323
|
||||||
|
|
||||||
|
endif # NF_NAT_IPV4
|
||||||
|
|
||||||
config IP_NF_IPTABLES
|
config IP_NF_IPTABLES
|
||||||
tristate "IP tables support (required for filtering/masq/NAT)"
|
tristate "IP tables support (required for filtering/masq/NAT)"
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
# NAT + specific targets: nf_conntrack
|
# NAT + specific targets: nf_conntrack
|
||||||
config NF_NAT_IPV4
|
config IP_NF_NAT
|
||||||
tristate "IPv4 NAT"
|
tristate "iptables NAT support"
|
||||||
depends on NF_CONNTRACK_IPV4
|
depends on NF_CONNTRACK_IPV4
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
select NF_NAT
|
select NF_NAT
|
||||||
|
select NF_NAT_IPV4
|
||||||
|
select NETFILTER_XT_NAT
|
||||||
help
|
help
|
||||||
The IPv4 NAT option allows masquerading, port forwarding and other
|
This enables the `nat' table in iptables. This allows masquerading,
|
||||||
forms of full Network Address Port Translation. It is controlled by
|
port forwarding and other forms of full Network Address Port
|
||||||
the `nat' table in iptables: see the man page for iptables(8).
|
Translation.
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
if NF_NAT_IPV4
|
if IP_NF_NAT
|
||||||
|
|
||||||
config IP_NF_TARGET_MASQUERADE
|
config IP_NF_TARGET_MASQUERADE
|
||||||
tristate "MASQUERADE target support"
|
tristate "MASQUERADE target support"
|
||||||
|
@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT
|
||||||
(e.g. when running oldconfig). It selects
|
(e.g. when running oldconfig). It selects
|
||||||
CONFIG_NETFILTER_XT_TARGET_REDIRECT.
|
CONFIG_NETFILTER_XT_TARGET_REDIRECT.
|
||||||
|
|
||||||
endif
|
endif # IP_NF_NAT
|
||||||
|
|
||||||
config NF_NAT_SNMP_BASIC
|
|
||||||
tristate "Basic SNMP-ALG support"
|
|
||||||
depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
|
|
||||||
depends on NETFILTER_ADVANCED
|
|
||||||
default NF_NAT && NF_CONNTRACK_SNMP
|
|
||||||
---help---
|
|
||||||
|
|
||||||
This module implements an Application Layer Gateway (ALG) for
|
|
||||||
SNMP payloads. In conjunction with NAT, it allows a network
|
|
||||||
management system to access multiple private networks with
|
|
||||||
conflicting addresses. It works by modifying IP addresses
|
|
||||||
inside SNMP payloads to match IP-layer NAT mapping.
|
|
||||||
|
|
||||||
This is the "basic" form of SNMP-ALG, as described in RFC 2962
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
|
|
||||||
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
|
|
||||||
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
|
|
||||||
# From kconfig-language.txt:
|
|
||||||
#
|
|
||||||
# <expr> '&&' <expr> (6)
|
|
||||||
#
|
|
||||||
# (6) Returns the result of min(/expr/, /expr/).
|
|
||||||
|
|
||||||
config NF_NAT_PROTO_GRE
|
|
||||||
tristate
|
|
||||||
depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
|
|
||||||
|
|
||||||
config NF_NAT_PPTP
|
|
||||||
tristate
|
|
||||||
depends on NF_CONNTRACK && NF_NAT_IPV4
|
|
||||||
default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
|
|
||||||
select NF_NAT_PROTO_GRE
|
|
||||||
|
|
||||||
config NF_NAT_H323
|
|
||||||
tristate
|
|
||||||
depends on NF_CONNTRACK && NF_NAT_IPV4
|
|
||||||
default NF_NAT_IPV4 && NF_CONNTRACK_H323
|
|
||||||
|
|
||||||
# mangle + specific targets
|
# mangle + specific targets
|
||||||
config IP_NF_MANGLE
|
config IP_NF_MANGLE
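Review bot: `IP_NF_NAT` is a new symbol, so a configuration that previously enabled `NF_NAT_IPV4` carries no value for it; with `default m if NETFILTER_ADVANCED=n` as its only default, a build that has NETFILTER_ADVANCED enabled and takes defaults would leave `IP_NF_NAT` off and, per the Makefile change on this page, stop building `iptable_nat.o`. Existing iptables `nat` rules would then fail to load on the new kernel. The help text under `config IP_NF_NAT` should say so, for example `This symbol replaces the iptables part of NF_NAT_IPV4; enable it to keep the iptables nat table.` The IPv6 section has the same shape with `IP6_NF_NAT`, which has no default line at all.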
|
||||||
|
|
|
@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
|
||||||
# the three instances of ip_tables
|
# the three instances of ip_tables
|
||||||
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
|
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
|
||||||
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
|
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
|
||||||
obj-$(CONFIG_NF_NAT_IPV4) += iptable_nat.o
|
obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
|
||||||
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
|
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
|
||||||
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
|
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
|
||||||
|
|
||||||
|
|
|
@ -60,6 +60,16 @@ config NF_LOG_IPV6
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
select NF_LOG_COMMON
|
select NF_LOG_COMMON
|
||||||
|
|
||||||
|
config NF_NAT_IPV6
|
||||||
|
tristate "IPv6 NAT"
|
||||||
|
depends on NF_CONNTRACK_IPV6
|
||||||
|
depends on NETFILTER_ADVANCED
|
||||||
|
select NF_NAT
|
||||||
|
help
|
||||||
|
The IPv6 NAT option allows masquerading, port forwarding and other
|
||||||
|
forms of full Network Address Port Translation. This can be
|
||||||
|
controlled by iptables or nft.
|
||||||
|
|
||||||
config IP6_NF_IPTABLES
|
config IP6_NF_IPTABLES
|
||||||
tristate "IP6 tables support (required for filtering)"
|
tristate "IP6 tables support (required for filtering)"
|
||||||
depends on INET && IPV6
|
depends on INET && IPV6
|
||||||
|
@ -232,19 +242,21 @@ config IP6_NF_SECURITY
|
||||||
|
|
||||||
If unsure, say N.
|
If unsure, say N.
|
||||||
|
|
||||||
config NF_NAT_IPV6
|
config IP6_NF_NAT
|
||||||
tristate "IPv6 NAT"
|
tristate "ip6tables NAT support"
|
||||||
depends on NF_CONNTRACK_IPV6
|
depends on NF_CONNTRACK_IPV6
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
select NF_NAT
|
select NF_NAT
|
||||||
|
select NF_NAT_IPV6
|
||||||
|
select NETFILTER_XT_NAT
|
||||||
help
|
help
|
||||||
The IPv6 NAT option allows masquerading, port forwarding and other
|
This enables the `nat' table in ip6tables. This allows masquerading,
|
||||||
forms of full Network Address Port Translation. It is controlled by
|
port forwarding and other forms of full Network Address Port
|
||||||
the `nat' table in ip6tables, see the man page for ip6tables(8).
|
Translation.
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
if NF_NAT_IPV6
|
if IP6_NF_NAT
|
||||||
|
|
||||||
config IP6_NF_TARGET_MASQUERADE
|
config IP6_NF_TARGET_MASQUERADE
|
||||||
tristate "MASQUERADE target support"
|
tristate "MASQUERADE target support"
|
||||||
|
@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
endif # NF_NAT_IPV6
|
endif # IP6_NF_NAT
|
||||||
|
|
||||||
endif # IP6_NF_IPTABLES
|
endif # IP6_NF_IPTABLES
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
|
||||||
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
|
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
|
||||||
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
|
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
|
||||||
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
|
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
|
||||||
obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o
|
obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o
|
||||||
|
|
||||||
# objects for l3 independent conntrack
|
# objects for l3 independent conntrack
|
||||||
nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
|
nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
|
||||||
|
|
|
@ -499,7 +499,7 @@ config NFT_LIMIT
|
||||||
config NFT_NAT
|
config NFT_NAT
|
||||||
depends on NF_TABLES
|
depends on NF_TABLES
|
||||||
depends on NF_CONNTRACK
|
depends on NF_CONNTRACK
|
||||||
depends on NF_NAT
|
select NF_NAT
|
||||||
tristate "Netfilter nf_tables nat module"
|
tristate "Netfilter nf_tables nat module"
|
||||||
help
|
help
|
||||||
This option adds the "nat" expression that you can use to perform
|
This option adds the "nat" expression that you can use to perform
|
||||||
|
@ -747,7 +747,9 @@ config NETFILTER_XT_TARGET_LED
|
||||||
|
|
||||||
config NETFILTER_XT_TARGET_LOG
|
config NETFILTER_XT_TARGET_LOG
|
||||||
tristate "LOG target support"
|
tristate "LOG target support"
|
||||||
depends on NF_LOG_IPV4 && NF_LOG_IPV6
|
select NF_LOG_COMMON
|
||||||
|
select NF_LOG_IPV4
|
||||||
|
select NF_LOG_IPV6 if IPV6
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
help
|
help
|
||||||
This option adds a `LOG' target, which allows you to create rules in
|
This option adds a `LOG' target, which allows you to create rules in
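Review bot: `select NF_LOG_IPV6 if IPV6` in the NETFILTER_XT_TARGET_LOG hunk forces on a symbol that, in the `config NF_LOG_IPV6` context shown earlier on this page, `depends on NETFILTER_ADVANCED`, while NETFILTER_XT_TARGET_LOG itself is `default m if NETFILTER_ADVANCED=n`. `select` does not honour the selected symbol's dependencies, so the default configuration would enable NF_LOG_IPV6 with an unmet dependency and Kconfig would warn. NF_LOG_IPV4's dependencies are not visible here and should be checked the same way. Either drop the NETFILTER_ADVANCED dependency from the NF_LOG_* symbols or give them `default m if NETFILTER_ADVANCED=n`; the `select NF_NAT` in the NFT_NAT hunk deserves the same check against NF_NAT's own `depends on` lines.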
|
||||||
|
|
|
@ -95,7 +95,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
|
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
|
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
|
||||||
obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
|
obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
|
||||||
obj-$(CONFIG_NF_NAT) += xt_nat.o
|
obj-$(CONFIG_NETFILTER_XT_NAT) += xt_nat.o
|
||||||
|
|
||||||
# targets
|
# targets
|
||||||
obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
|
obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
|
||||||
|
|
|
@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
|
||||||
struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
|
struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
|
||||||
EXPORT_SYMBOL(nf_hooks);
|
EXPORT_SYMBOL(nf_hooks);
|
||||||
|
|
||||||
#if defined(CONFIG_JUMP_LABEL)
|
#ifdef HAVE_JUMP_LABEL
|
||||||
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||||
EXPORT_SYMBOL(nf_hooks_needed);
|
EXPORT_SYMBOL(nf_hooks_needed);
|
||||||
#endif
|
#endif
|
||||||
|
@ -72,7 +72,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
|
||||||
}
|
}
|
||||||
list_add_rcu(®->list, elem->list.prev);
|
list_add_rcu(®->list, elem->list.prev);
|
||||||
mutex_unlock(&nf_hook_mutex);
|
mutex_unlock(&nf_hook_mutex);
|
||||||
#if defined(CONFIG_JUMP_LABEL)
|
#ifdef HAVE_JUMP_LABEL
|
||||||
static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
||||||
#endif
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -84,7 +84,7 @@ void nf_unregister_hook(struct nf_hook_ops *reg)
|
||||||
mutex_lock(&nf_hook_mutex);
|
mutex_lock(&nf_hook_mutex);
|
||||||
list_del_rcu(®->list);
|
list_del_rcu(®->list);
|
||||||
mutex_unlock(&nf_hook_mutex);
|
mutex_unlock(&nf_hook_mutex);
|
||||||
#if defined(CONFIG_JUMP_LABEL)
|
#ifdef HAVE_JUMP_LABEL
|
||||||
static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
||||||
#endif
|
#endif
|
||||||
synchronize_net();
|
synchronize_net();
|
||||||
|
|
|
@ -1906,7 +1906,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
|
||||||
{
|
{
|
||||||
.hook = ip_vs_local_reply6,
|
.hook = ip_vs_local_reply6,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.pf = NFPROTO_IPV4,
|
.pf = NFPROTO_IPV6,
|
||||||
.hooknum = NF_INET_LOCAL_OUT,
|
.hooknum = NF_INET_LOCAL_OUT,
|
||||||
.priority = NF_IP6_PRI_NAT_DST + 1,
|
.priority = NF_IP6_PRI_NAT_DST + 1,
|
||||||
},
|
},
|
||||||
|
|
|
@ -38,6 +38,7 @@
|
||||||
#include <net/route.h> /* for ip_route_output */
|
#include <net/route.h> /* for ip_route_output */
|
||||||
#include <net/ipv6.h>
|
#include <net/ipv6.h>
|
||||||
#include <net/ip6_route.h>
|
#include <net/ip6_route.h>
|
||||||
|
#include <net/ip_tunnels.h>
|
||||||
#include <net/addrconf.h>
|
#include <net/addrconf.h>
|
||||||
#include <linux/icmpv6.h>
|
#include <linux/icmpv6.h>
|
||||||
#include <linux/netfilter.h>
|
#include <linux/netfilter.h>
|
||||||
|
@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
|
||||||
old_iph = ip_hdr(skb);
|
old_iph = ip_hdr(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
skb->transport_header = skb->network_header;
|
|
||||||
|
|
||||||
/* fix old IP header checksum */
|
/* fix old IP header checksum */
|
||||||
ip_send_check(old_iph);
|
ip_send_check(old_iph);
|
||||||
|
|
||||||
|
skb = iptunnel_handle_offloads(skb, false, SKB_GSO_IPIP);
|
||||||
|
if (IS_ERR(skb))
|
||||||
|
goto tx_error;
|
||||||
|
|
||||||
|
skb->transport_header = skb->network_header;
|
||||||
|
|
||||||
skb_push(skb, sizeof(struct iphdr));
|
skb_push(skb, sizeof(struct iphdr));
|
||||||
skb_reset_network_header(skb);
|
skb_reset_network_header(skb);
|
||||||
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
|
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
|
||||||
|
@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
|
|
||||||
tx_error:
|
tx_error:
|
||||||
kfree_skb(skb);
|
if (!IS_ERR(skb))
|
||||||
|
kfree_skb(skb);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
LeaveFunction(10);
|
LeaveFunction(10);
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
|
@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
|
||||||
old_iph = ipv6_hdr(skb);
|
old_iph = ipv6_hdr(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* GSO: we need to provide proper SKB_GSO_ value for IPv6 */
|
||||||
|
skb = iptunnel_handle_offloads(skb, false, 0); /* SKB_GSO_SIT/IPV6 */
|
||||||
|
if (IS_ERR(skb))
|
||||||
|
goto tx_error;
|
||||||
|
|
||||||
skb->transport_header = skb->network_header;
|
skb->transport_header = skb->network_header;
|
||||||
|
|
||||||
skb_push(skb, sizeof(struct ipv6hdr));
|
skb_push(skb, sizeof(struct ipv6hdr));
|
||||||
|
@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
|
|
||||||
tx_error:
|
tx_error:
|
||||||
kfree_skb(skb);
|
if (!IS_ERR(skb))
|
||||||
|
kfree_skb(skb);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
LeaveFunction(10);
|
LeaveFunction(10);
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
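Review bot: After this change `skb` at the `tx_error:` label is either a live buffer or an `ERR_PTR()` value, and the `if (!IS_ERR(skb))` guard is the only thing separating the two; that dual meaning is not documented in either `ip_vs_tunnel_xmit()` or `ip_vs_tunnel_xmit_v6()`. The guard implies that `iptunnel_handle_offloads()` has already released the buffer on failure (its body is not on this page, so confirm), and anyone who later drops the guard or reassigns `skb` before a `goto tx_error` risks a double free or an error pointer reaching `kfree_skb()`. I would add `/* skb is ERR_PTR() if iptunnel_handle_offloads() failed and consumed it */` above the guard in both functions. Separately, the IPv6 call passes `0` as the GSO type under a comment saying the proper value is still needed; that should be tracked as a follow-up rather than left as an inline remark. Both functions start and end outside the hunks shown.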
|
||||||
|
|
|
@ -31,7 +31,7 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
|
||||||
if (info->invert & ~1)
|
if (info->invert & ~1)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
return info->id ? 0 : -EINVAL;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
|
|
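Review bot: With `return 0;` the check function validates only the `invert` bits, and nothing on the new side records that `id` 0 is now accepted deliberately. A short comment above the return, e.g. `/* id 0 is a valid match value; do not reject it */`, would keep the old test from being reintroduced. The user-facing documentation should also state what a rule with id 0 matches (presumably sockets with no class id assigned; confirm against the match function, which is outside this hunk), since rule authors will rely on it for policy. `cgroup_mt_check()` begins above the hunk.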