[NETFILTER]: ipt annotations
[pandora-kernel.git] / net / ipv4 / netfilter / ipt_hashlimit.c
index 7c6836c..33ccdbf 100644 (file)
@@ -28,9 +28,6 @@
 #include <linux/jhash.h>
 #include <linux/slab.h>
 #include <linux/vmalloc.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/sctp.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/list.h>
@@ -53,11 +50,11 @@ static struct file_operations dl_file_ops;
 /* hash table crap */
 
 struct dsthash_dst {
-       u_int32_t src_ip;
-       u_int32_t dst_ip;
+       __be32 src_ip;
+       __be32 dst_ip;
        /* ports have to be consecutive !!! */
-       u_int16_t src_port;
-       u_int16_t dst_port;
+       __be16 src_port;
+       __be16 dst_port;
 };
 
 struct dsthash_ent {
@@ -83,6 +80,7 @@ struct ipt_hashlimit_htable {
        /* used internally */
        spinlock_t lock;                /* lock for list_head */
        u_int32_t rnd;                  /* random seed for hash */
+       int rnd_initialized;
        struct timer_list timer;        /* timer for gc */
        atomic_t count;                 /* number entries in table */
 
@@ -108,8 +106,10 @@ static inline int dst_cmp(const struct dsthash_ent *ent, struct dsthash_dst *b)
 static inline u_int32_t
 hash_dst(const struct ipt_hashlimit_htable *ht, const struct dsthash_dst *dst)
 {
-       return (jhash_3words(dst->dst_ip, (dst->dst_port<<16 | dst->src_port), 
-                            dst->src_ip, ht->rnd) % ht->cfg.size);
+       return (jhash_3words((__force u32)dst->dst_ip,
+                           ((__force u32)dst->dst_port<<16 |
+                            (__force u32)dst->src_port),
+                            (__force u32)dst->src_ip, ht->rnd) % ht->cfg.size);
 }
 
 static inline struct dsthash_ent *
@@ -137,8 +137,10 @@ __dsthash_alloc_init(struct ipt_hashlimit_htable *ht, struct dsthash_dst *dst)
 
        /* initialize hash with random val at the time we allocate
         * the first hashtable entry */
-       if (!ht->rnd)
+       if (!ht->rnd_initialized) {
                get_random_bytes(&ht->rnd, 4);
+               ht->rnd_initialized = 1;
+       }
 
        if (ht->cfg.max &&
            atomic_read(&ht->count) >= ht->cfg.max) {
@@ -217,7 +219,7 @@ static int htable_create(struct ipt_hashlimit_info *minfo)
 
        atomic_set(&hinfo->count, 0);
        atomic_set(&hinfo->use, 1);
-       hinfo->rnd = 0;
+       hinfo->rnd_initialized = 0;
        spin_lock_init(&hinfo->lock);
        hinfo->pde = create_proc_entry(minfo->name, 0, hashlimit_procdir);
        if (!hinfo->pde) {
@@ -381,49 +383,6 @@ static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
                dh->rateinfo.credit = dh->rateinfo.credit_cap;
 }
 
-static inline int get_ports(const struct sk_buff *skb, int offset, 
-                           u16 ports[2])
-{
-       union {
-               struct tcphdr th;
-               struct udphdr uh;
-               sctp_sctphdr_t sctph;
-       } hdr_u, *ptr_u;
-
-       /* Must not be a fragment. */
-       if (offset)
-               return 1;
-
-       /* Must be big enough to read ports (both UDP and TCP have
-          them at the start). */
-       ptr_u = skb_header_pointer(skb, skb->nh.iph->ihl*4, 8, &hdr_u); 
-       if (!ptr_u)
-               return 1;
-
-       switch (skb->nh.iph->protocol) {
-               case IPPROTO_TCP:
-                       ports[0] = ptr_u->th.source;
-                       ports[1] = ptr_u->th.dest;
-                       break;
-               case IPPROTO_UDP:
-                       ports[0] = ptr_u->uh.source;
-                       ports[1] = ptr_u->uh.dest;
-                       break;
-               case IPPROTO_SCTP:
-                       ports[0] = ptr_u->sctph.source;
-                       ports[1] = ptr_u->sctph.dest;
-                       break;
-               default:
-                       /* all other protocols don't supprot per-port hash
-                        * buckets */
-                       ports[0] = ports[1] = 0;
-                       break;
-       }
-
-       return 0;
-}
-
-
 static int
 hashlimit_match(const struct sk_buff *skb,
                const struct net_device *in,
@@ -449,8 +408,22 @@ hashlimit_match(const struct sk_buff *skb,
                dst.src_ip = skb->nh.iph->saddr;
        if (hinfo->cfg.mode & IPT_HASHLIMIT_HASH_DPT
            ||hinfo->cfg.mode & IPT_HASHLIMIT_HASH_SPT) {
-               u_int16_t ports[2];
-               if (get_ports(skb, offset, ports)) {
+               __be16 _ports[2], *ports;
+
+               switch (skb->nh.iph->protocol) {
+               case IPPROTO_TCP:
+               case IPPROTO_UDP:
+               case IPPROTO_SCTP:
+               case IPPROTO_DCCP:
+                       ports = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+                                                  sizeof(_ports), &_ports);
+                       break;
+               default:
+                       _ports[0] = _ports[1] = 0;
+                       ports = _ports;
+                       break;
+               }
+               if (!ports) {
                        /* We've been asked to examine this packet, and we
                          can't.  Hence, no choice but to drop. */
                        *hotdrop = 1;
@@ -483,15 +456,12 @@ hashlimit_match(const struct sk_buff *skb,
                dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * 
                                                        hinfo->cfg.burst);
                dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
-
-               spin_unlock_bh(&hinfo->lock);
-               return 1;
+       } else {
+               /* update expiration timeout */
+               dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+               rateinfo_recalc(dh, now);
        }
 
-       /* update expiration timeout */
-       dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-
-       rateinfo_recalc(dh, now);
        if (dh->rateinfo.credit >= dh->rateinfo.cost) {
                /* We're underlimit. */
                dh->rateinfo.credit -= dh->rateinfo.cost;
@@ -510,7 +480,6 @@ hashlimit_checkentry(const char *tablename,
                     const void *inf,
                     const struct xt_match *match,
                     void *matchinfo,
-                    unsigned int matchsize,
                     unsigned int hook_mask)
 {
        struct ipt_hashlimit_info *r = matchinfo;
@@ -537,6 +506,9 @@ hashlimit_checkentry(const char *tablename,
        if (!r->cfg.expire)
                return 0;
 
+       if (r->name[sizeof(r->name) - 1] != '\0')
+               return 0;
+
        /* This is the best we've got: We cannot release and re-grab lock,
         * since checkentry() is called before ip_tables.c grabs ipt_mutex.  
         * We also cannot grab the hashtable spinlock, since htable_create will 
@@ -558,18 +530,46 @@ hashlimit_checkentry(const char *tablename,
 }
 
 static void
-hashlimit_destroy(const struct xt_match *match, void *matchinfo,
-                 unsigned int matchsize)
+hashlimit_destroy(const struct xt_match *match, void *matchinfo)
 {
-       struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *) matchinfo;
+       struct ipt_hashlimit_info *r = matchinfo;
 
        htable_put(r->hinfo);
 }
 
+#ifdef CONFIG_COMPAT
+struct compat_ipt_hashlimit_info {
+       char name[IFNAMSIZ];
+       struct hashlimit_cfg cfg;
+       compat_uptr_t hinfo;
+       compat_uptr_t master;
+};
+
+static void compat_from_user(void *dst, void *src)
+{
+       int off = offsetof(struct compat_ipt_hashlimit_info, hinfo);
+
+       memcpy(dst, src, off);
+       memset(dst + off, 0, sizeof(struct compat_ipt_hashlimit_info) - off);
+}
+
+static int compat_to_user(void __user *dst, void *src)
+{
+       int off = offsetof(struct compat_ipt_hashlimit_info, hinfo);
+
+       return copy_to_user(dst, src, off) ? -EFAULT : 0;
+}
+#endif
+
 static struct ipt_match ipt_hashlimit = {
        .name           = "hashlimit",
        .match          = hashlimit_match,
        .matchsize      = sizeof(struct ipt_hashlimit_info),
+#ifdef CONFIG_COMPAT
+       .compatsize     = sizeof(struct compat_ipt_hashlimit_info),
+       .compat_from_user = compat_from_user,
+       .compat_to_user = compat_to_user,
+#endif
        .checkentry     = hashlimit_checkentry,
        .destroy        = hashlimit_destroy,
        .me             = THIS_MODULE