X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=linux-2.6-522-iptables-connection-tagging.patch;h=24939be6f0dd73b4feefe30dc6a8bff0de004a3c;hb=refs%2Fheads%2F2.6.27.45;hp=4fb0b36603b8de4733eb5fcb6f71f1ad56daa5da;hpb=4afd06091e4bb29d6e3ba945a5ad65a88c56aa93;p=linux-2.6.git diff --git a/linux-2.6-522-iptables-connection-tagging.patch b/linux-2.6-522-iptables-connection-tagging.patch index 4fb0b3660..24939be6f 100644 --- a/linux-2.6-522-iptables-connection-tagging.patch +++ b/linux-2.6-522-iptables-connection-tagging.patch @@ -1,6 +1,117 @@ +diff -Nurb linux-2.6.27-521/include/linux/netfilter/xt_MARK.h linux-2.6.27-522/include/linux/netfilter/xt_MARK.h +--- linux-2.6.27-521/include/linux/netfilter/xt_MARK.h 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/include/linux/netfilter/xt_MARK.h 2009-12-10 12:09:35.000000000 -0500 +@@ -11,6 +11,7 @@ + XT_MARK_SET=0, + XT_MARK_AND, + XT_MARK_OR, ++ XT_MARK_COPYXID, + }; + + struct xt_mark_target_info_v1 { +diff -Nurb linux-2.6.27-521/include/linux/netfilter/xt_SETXID.h linux-2.6.27-522/include/linux/netfilter/xt_SETXID.h +--- linux-2.6.27-521/include/linux/netfilter/xt_SETXID.h 1969-12-31 19:00:00.000000000 -0500 ++++ linux-2.6.27-522/include/linux/netfilter/xt_SETXID.h 2009-12-10 12:09:35.000000000 -0500 +@@ -0,0 +1,14 @@ ++#ifndef _XT_SETXID_H_target ++#define _XT_SETXID_H_target ++ ++/* Version 1 */ ++enum { ++ XT_SET_PACKET_XID=0 ++}; ++ ++struct xt_setxid_target_info_v1 { ++ unsigned long mark; ++ u_int8_t mode; ++}; ++ ++#endif /*_XT_SETXID_H_target*/ +diff -Nurb linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_MARK.h +--- linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_MARK.h 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_MARK.h 2009-12-10 12:09:35.000000000 -0500 +@@ -12,6 +12,7 @@ + #define IPT_MARK_SET XT_MARK_SET + #define IPT_MARK_AND XT_MARK_AND + #define IPT_MARK_OR XT_MARK_OR ++#define IPT_MARK_COPYXID XT_MARK_COPYXID + + #define ipt_mark_target_info_v1 xt_mark_target_info_v1 + +diff -Nurb linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_SETXID.h linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_SETXID.h +--- linux-2.6.27-521/include/linux/netfilter_ipv4/ipt_SETXID.h 1969-12-31 19:00:00.000000000 -0500 ++++ linux-2.6.27-522/include/linux/netfilter_ipv4/ipt_SETXID.h 2009-12-10 12:09:35.000000000 -0500 +@@ -0,0 +1,13 @@ ++#ifndef _IPT_SETXID_H_target ++#define _IPT_SETXID_H_target ++ ++/* Backwards compatibility for old userspace */ ++ ++#include ++ ++/* Version 1 */ ++#define IPT_SET_PACKET_XID XT_SET_PACKET_XID ++ ++#define ipt_setxid_target_info_v1 xt_setxid_target_info_v1 ++ ++#endif /*_IPT_SETXID_H_target*/ +diff -Nurb linux-2.6.27-521/include/net/netfilter/nf_conntrack.h linux-2.6.27-522/include/net/netfilter/nf_conntrack.h +--- linux-2.6.27-521/include/net/netfilter/nf_conntrack.h 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/include/net/netfilter/nf_conntrack.h 2009-12-10 12:09:35.000000000 -0500 +@@ -121,6 +121,9 @@ + /* Storage reserved for other modules: */ + union nf_conntrack_proto proto; + ++ /* PLANETLAB. VNET-specific */ ++ int xid[IP_CT_DIR_MAX]; ++ + /* Extensions */ + struct nf_ct_ext *ext; + +diff -Nurb linux-2.6.27-521/net/netfilter/Kconfig linux-2.6.27-522/net/netfilter/Kconfig +--- linux-2.6.27-521/net/netfilter/Kconfig 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/net/netfilter/Kconfig 2009-12-10 12:09:35.000000000 -0500 +@@ -477,6 +477,13 @@ + This option adds a "TCPOPTSTRIP" target, which allows you to strip + TCP options from TCP packets. + ++config NETFILTER_XT_TARGET_SETXID ++ tristate '"SETXID" target support' ++ depends on NETFILTER_XTABLES ++ help ++ This option adds a `SETXID' target, which allows you to alter the ++ xid of a socket. ++ + config NETFILTER_XT_MATCH_COMMENT + tristate '"comment" match support' + depends on NETFILTER_XTABLES +diff -Nurb linux-2.6.27-521/net/netfilter/Makefile linux-2.6.27-522/net/netfilter/Makefile +--- linux-2.6.27-521/net/netfilter/Makefile 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/net/netfilter/Makefile 2009-12-10 12:09:35.000000000 -0500 +@@ -38,6 +38,7 @@ + obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o + + # targets ++obj-$(CONFIG_NETFILTER_XT_TARGET_SETXID) += xt_SETXID.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o + obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o +diff -Nurb linux-2.6.27-521/net/netfilter/nf_conntrack_core.c linux-2.6.27-522/net/netfilter/nf_conntrack_core.c +--- linux-2.6.27-521/net/netfilter/nf_conntrack_core.c 2008-10-09 18:13:53.000000000 -0400 ++++ linux-2.6.27-522/net/netfilter/nf_conntrack_core.c 2009-12-10 12:09:35.000000000 -0500 +@@ -595,6 +595,9 @@ + /* Overload tuple linked list to put us in unconfirmed list. */ + hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed); + ++ ct->xid[IP_CT_DIR_ORIGINAL] = -1; ++ ct->xid[IP_CT_DIR_REPLY] = -1; ++ + spin_unlock_bh(&nf_conntrack_lock); + + if (exp) { diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilter/xt_MARK.c --- linux-2.6.27-521/net/netfilter/xt_MARK.c 2008-10-09 18:13:53.000000000 -0400 -+++ linux-2.6.27-522/net/netfilter/xt_MARK.c 2009-06-02 11:12:59.000000000 -0400 ++++ linux-2.6.27-522/net/netfilter/xt_MARK.c 2009-12-16 01:39:55.000000000 -0500 @@ -13,7 +13,13 @@ #include #include @@ -24,7 +135,7 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt static unsigned int mark_tg_v0(struct sk_buff *skb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, -@@ -61,14 +69,242 @@ +@@ -61,14 +69,256 @@ return XT_CONTINUE; } @@ -69,63 +180,66 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + } +} + -+static struct sock *__udp4_lib_lookup(__be32 saddr, __be16 sport, -+ __be32 daddr, __be16 dport, -+ int dif, struct hlist_head udptable[]) ++static struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr, ++ __be16 sport, __be32 daddr, __be16 dport, ++ int dif, struct hlist_head udptable[]) +{ -+ struct sock *sk, *result = NULL; -+ struct hlist_node *node; -+ unsigned short hnum = ntohs(dport); -+ int badness = -1; -+ -+ read_lock(&udp_hash_lock); -+ -+ sk_for_each(sk, node, &udptable[hnum & (UDP_HTABLE_SIZE - 1)]) { -+ struct inet_sock *inet = inet_sk(sk); -+ -+ if (sk->sk_hash == hnum && !ipv6_only_sock(sk)) { -+ int score = (sk->sk_family == PF_INET ? 1 : 0); -+ -+ if (inet->rcv_saddr) { -+ if (inet->rcv_saddr != daddr) -+ continue; -+ score+=2; -+ } else { -+ /* block non nx_info ips */ -+ if (!v4_addr_in_nx_info(sk->sk_nx_info, -+ daddr, NXA_MASK_BIND)) -+ continue; -+ } -+ if (inet->daddr) { -+ if (inet->daddr != saddr) -+ continue; -+ score+=2; -+ } -+ if (inet->dport) { -+ if (inet->dport != sport) -+ continue; -+ score+=2; -+ } -+ if (sk->sk_bound_dev_if) { -+ if (sk->sk_bound_dev_if != dif) -+ continue; -+ score+=2; -+ } -+ if (score == 9) { -+ result = sk; -+ break; -+ } else if (score > badness) { -+ result = sk; -+ badness = score; -+ } -+ } -+ } ++ struct sock *sk, *result = NULL; ++ struct hlist_node *node; ++ unsigned short hnum = ntohs(dport); ++ int badness = -1; ++ ++ read_lock(&udp_hash_lock); ++ sk_for_each(sk, node, &udptable[udp_hashfn(net, hnum)]) { ++ struct inet_sock *inet = inet_sk(sk); ++ ++ if (net_eq(sock_net(sk), net) && sk->sk_hash == hnum && ++ !ipv6_only_sock(sk)) { ++ int score = (sk->sk_family == PF_INET ? 1 : 0); ++ ++ if (inet->rcv_saddr) { ++ if (inet->rcv_saddr != daddr) ++ continue; ++ score+=2; ++ } else { ++ /* block non nx_info ips */ ++ if (!v4_addr_in_nx_info(sk->sk_nx_info, ++ daddr, NXA_MASK_BIND)) ++ continue; ++ } ++ if (inet->daddr) { ++ if (inet->daddr != saddr) ++ continue; ++ score+=2; ++ } ++ if (inet->dport) { ++ if (inet->dport != sport) ++ continue; ++ score+=2; ++ } ++ if (sk->sk_bound_dev_if) { ++ if (sk->sk_bound_dev_if != dif) ++ continue; ++ score+=2; ++ } ++ if (score == 9) { ++ result = sk; ++ break; ++ } else if (score > badness) { ++ result = sk; ++ badness = score; ++ } ++ } ++ } + -+ if (result) -+ sock_hold(result); -+ read_unlock(&udp_hash_lock); -+ return result; ++ if (result) ++ sock_hold(result); ++ read_unlock(&udp_hash_lock); ++ return result; +} ++ ++int onceonly = 1; ++ static unsigned int mark_tg(struct sk_buff *skb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, @@ -146,7 +260,18 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + u_int32_t ip; + u_int16_t port; + ++ + if (info->mark == ~0U) { ++ // As of 2.6.27.39, Dec 8 2009, ++ // NetNS + VNET = Trouble ++ // Let's handle this as a special case ++ struct net *net = dev_net(skb->dev); ++ if (!net_eq(net, &init_net)) { ++ WARN_ON(onceonly); ++ onceonly = 0; ++ return XT_CONTINUE; ++ } ++ + /* copy-xid */ + dif = ((struct rtable *)(skb->dst))->rt_iif; + @@ -174,7 +299,7 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + else if (proto == 17) { + struct sock *sk; + if (!skb->mark) { -+ sk = __udp4_lib_lookup(src_ip, src_port, ++ sk = __udp4_lib_lookup(net,src_ip, src_port, + ip, port, dif, udp_hash); + + if (sk && hooknum == NF_INET_LOCAL_IN) @@ -189,7 +314,6 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + } + else if (proto == 6) /* TCP */{ + int sockettype = 0; /* Established socket */ -+ struct net *net = &init_net; + + /* Looks for an established socket or a listening + socket corresponding to the 4-tuple, in that order. @@ -206,6 +330,11 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + } + + if (connection_sk) { ++ if (connection_sk->sk_state == TCP_TIME_WAIT) { ++ inet_twsk_put(inet_twsk(connection_sk)); ++ goto out_mark_finish; ++ } ++ + /* The peercred is not set. We set it if the other side has an xid. */ + if (!PEERCRED_SET(connection_sk->sk_peercred.uid) + && ct->xid[!dir] > 0 && (sockettype == 0)) { @@ -229,11 +358,7 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt + if (mark == -1 && (ct->xid[dir] != 0)) + mark = ct->xid[dir]; + -+ if (connection_sk->sk_state == TCP_TIME_WAIT) { -+ inet_twsk_put(inet_twsk(connection_sk)); -+ goto out_mark_finish; -+ } else -+ sock_put(connection_sk); ++ sock_put(connection_sk); + } + + /* All else failed. Is this a connection over raw sockets? @@ -268,542 +393,86 @@ diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c linux-2.6.27-522/net/netfilt return XT_CONTINUE; } -diff -Nurb linux-2.6.27-521/net/netfilter/xt_MARK.c.orig linux-2.6.27-522/net/netfilter/xt_MARK.c.orig ---- linux-2.6.27-521/net/netfilter/xt_MARK.c.orig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.27-522/net/netfilter/xt_MARK.c.orig 2009-06-02 10:14:55.000000000 -0400 -@@ -0,0 +1,381 @@ -+/* -+ * xt_MARK - Netfilter module to modify the NFMARK field of an skb -+ * -+ * (C) 1999-2001 Marc Boucher -+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008 -+ * Jan Engelhardt -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2 as -+ * published by the Free Software Foundation. -+ */ -+ +diff -Nurb linux-2.6.27-521/net/netfilter/xt_SETXID.c linux-2.6.27-522/net/netfilter/xt_SETXID.c +--- linux-2.6.27-521/net/netfilter/xt_SETXID.c 1969-12-31 19:00:00.000000000 -0500 ++++ linux-2.6.27-522/net/netfilter/xt_SETXID.c 2009-12-10 12:09:35.000000000 -0500 +@@ -0,0 +1,79 @@ +#include +#include +#include +#include ++#include + +#include -+#include ++#include + +MODULE_LICENSE("GPL"); -+MODULE_AUTHOR("Marc Boucher "); -+MODULE_DESCRIPTION("Xtables: packet mark modification"); -+MODULE_ALIAS("ipt_MARK"); -+MODULE_ALIAS("ip6t_MARK"); -+ -+static unsigned int -+mark_tg_v0(struct sk_buff *skb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum, -+ const struct xt_target *target, const void *targinfo) -+{ -+ const struct xt_mark_target_info *markinfo = targinfo; -+ -+ skb->mark = markinfo->mark; -+ return XT_CONTINUE; -+} ++MODULE_AUTHOR(""); ++MODULE_DESCRIPTION(""); ++MODULE_ALIAS("ipt_SETXID"); + +static unsigned int -+mark_tg_v1(struct sk_buff *skb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum, -+ const struct xt_target *target, const void *targinfo) ++target_v1(struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ unsigned int hooknum, ++ const struct xt_target *target, ++ const void *targinfo) +{ -+ const struct xt_mark_target_info_v1 *markinfo = targinfo; -+ int mark = 0; -+ -+ switch (markinfo->mode) { -+ case XT_MARK_SET: -+ mark = markinfo->mark; -+ break; -+ -+ case XT_MARK_AND: -+ mark = skb->mark & markinfo->mark; -+ break; ++ const struct xt_setxid_target_info_v1 *setxidinfo = targinfo; + -+ case XT_MARK_OR: -+ mark = skb->mark | markinfo->mark; ++ switch (setxidinfo->mode) { ++ case XT_SET_PACKET_XID: ++ (*pskb)->skb_tag = setxidinfo->mark; + break; + } -+ -+ skb->mark = mark; + return XT_CONTINUE; +} + -+static unsigned int -+mark_tg(struct sk_buff *skb, const struct net_device *in, -+ const struct net_device *out, unsigned int hooknum, -+ const struct xt_target *target, const void *targinfo) -+{ -+ const struct xt_mark_tginfo2 *info = targinfo; -+ long mark = -1; -+ -+ if (info->mark == ~0U) { -+ /* copy-xid */ -+ enum ip_conntrack_info ctinfo; -+ struct sock *connection_sk; -+ int dif; -+ struct nf_conn *ct; -+ extern struct inet_hashinfo tcp_hashinfo; -+ enum ip_conntrack_dir dir; -+ int *curtag; -+ u_int32_t src_ip; -+ u_int32_t dst_ip; -+ u_int16_t proto, src_port; -+ u_int32_t ip; -+ u_int16_t port; -+ -+ dif = ((struct rtable *)(skb->dst))->rt_iif; -+ -+ ct = nf_ct_get(skb, &ctinfo); -+ if (!ct) -+ break; -+ -+ dir = CTINFO2DIR(ctinfo); -+ src_ip = ct->tuplehash[dir].tuple.src.u3.ip; -+ dst_ip = ct->tuplehash[dir].tuple.dst.u3.ip; -+ src_port = get_src_port(&ct->tuplehash[dir].tuple); -+ proto = ct->tuplehash[dir].tuple.dst.protonum; -+ -+ ip = ct->tuplehash[dir].tuple.dst.u3.ip; -+ port = get_dst_port(&ct->tuplehash[dir].tuple); -+ -+ if (proto == 1) { -+ if (skb->mark > 0) -+ /* The packet is marked, it's going out */ -+ ct->xid[0] = skb->mark; -+ -+ if (ct->xid[0] > 0) -+ mark = ct->xid[0]; -+ } -+ else if (proto == 17) { -+ struct sock *sk; -+ if (!skb->mark) { -+ sk = __udp4_lib_lookup(src_ip, src_port, -+ ip, port, dif, udp_hash); -+ -+ if (sk && hooknum == NF_INET_LOCAL_IN) -+ mark = sk->sk_nid; + -+ if (sk) -+ sock_put(sk); -+ } -+ else if (skb->mark > 0) -+ /* The packet is marked, it's going out */ -+ ct->xid[0] = skb->mark; -+ } -+ else if (proto == 6) /* TCP */{ -+ int sockettype = 0; /* Established socket */ -+ struct net *net = &init_net; -+ -+ /* Looks for an established socket or a listening -+ socket corresponding to the 4-tuple, in that order. -+ The order is important for Codemux connections -+ to be handled properly */ -+ -+ connection_sk = inet_lookup_established(net, -+ &tcp_hashinfo, src_ip, src_port, ip, port, dif); -+ -+ if (!connection_sk) { -+ connection_sk = inet_lookup_listener(net, -+ &tcp_hashinfo, ip, port, dif); -+ sockettype = 1; /* Listening socket */ -+ } -+ -+ if (connection_sk) { -+ /* The peercred is not set. We set it if the other side has an xid. */ -+ if (!PEERCRED_SET(connection_sk->sk_peercred.uid) -+ && ct->xid[!dir] > 0 && (sockettype == 0)) { -+ connection_sk->sk_peercred.gid = -+ connection_sk->sk_peercred.uid = ct->xid[!dir]; -+ } -+ -+ /* The peercred is set, and is not equal to the XID of 'the other side' */ -+ else if (PEERCRED_SET(connection_sk->sk_peercred.uid) && -+ (connection_sk->sk_peercred.uid != ct->xid[!dir]) && -+ (sockettype == 0)) { -+ mark = connection_sk->sk_peercred.uid; -+ } -+ -+ /* Has this connection already been tagged? */ -+ if (ct->xid[dir] < 1) { -+ /* No - let's tag it */ -+ ct->xid[dir]=connection_sk->sk_nid; -+ } -+ -+ if (mark == -1 && (ct->xid[dir] != 0)) -+ mark = ct->xid[dir]; -+ -+ if (connection_sk->sk_state == TCP_TIME_WAIT) { -+ inet_twsk_put(inet_twsk(connection_sk)); -+ break; -+ } else -+ sock_put(connection_sk); -+ } -+ -+ /* All else failed. Is this a connection over raw sockets? -+ That explains why we couldn't get anything out of skb->sk, -+ or look up a "real" connection. */ -+ if (ct->xid[dir] < 1) { -+ if (skb->skb_tag) -+ ct->xid[dir] = skb->skb_tag; -+ } -+ -+ /* Covers CoDemux case */ -+ if (mark < 1 && (ct->xid[dir] > 0)) -+ mark = ct->xid[dir]; -+ -+ if (mark < 1 && (ct->xid[!dir] > 0)) -+ mark = ct->xid[!dir]; -+ break; -+ } -+ } -+ else -+ mark = (skb->mark & ~info->mask) ^ info->mark; -+ -+ if (mark != -1) -+ skb->mark = mark; -+ -+ curtag = &__get_cpu_var(sknid_elevator); -+ if (mark > 0 && *curtag == -2 && hooknum == NF_INET_LOCAL_IN) -+ *curtag = mark; -+ -+ return XT_CONTINUE; -+} -+ -+static bool -+mark_tg_check_v0(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+ unsigned int hook_mask) ++static int ++checkentry_v1(const char *tablename, ++ const void *entry, ++ const struct xt_target *target, ++ void *targinfo, ++ unsigned int hook_mask) +{ -+ const struct xt_mark_target_info *markinfo = targinfo; -+ -+ if (markinfo->mark > 0xffffffff) { -+ printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); -+ return false; -+ } -+ return true; -+} ++ struct xt_setxid_target_info_v1 *setxidinfo = targinfo; + -+static bool -+mark_tg_check_v1(const char *tablename, const void *entry, -+ const struct xt_target *target, void *targinfo, -+ unsigned int hook_mask) -+{ -+ const struct xt_mark_target_info_v1 *markinfo = targinfo; -+ -+ if (markinfo->mode != XT_MARK_SET -+ && markinfo->mode != XT_MARK_AND -+ && markinfo->mode != XT_MARK_OR) { -+ printk(KERN_WARNING "MARK: unknown mode %u\n", -+ markinfo->mode); -+ return false; -+ } -+ if (markinfo->mark > 0xffffffff) { -+ printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n"); -+ return false; ++ if (setxidinfo->mode != XT_SET_PACKET_XID) { ++ printk(KERN_WARNING "SETXID: unknown mode %u\n", ++ setxidinfo->mode); ++ return 0; + } -+ return true; -+} -+ -+#ifdef CONFIG_COMPAT -+struct compat_xt_mark_target_info { -+ compat_ulong_t mark; -+}; + -+static void mark_tg_compat_from_user_v0(void *dst, void *src) -+{ -+ const struct compat_xt_mark_target_info *cm = src; -+ struct xt_mark_target_info m = { -+ .mark = cm->mark, -+ }; -+ memcpy(dst, &m, sizeof(m)); ++ return 1; +} + -+static int mark_tg_compat_to_user_v0(void __user *dst, void *src) -+{ -+ const struct xt_mark_target_info *m = src; -+ struct compat_xt_mark_target_info cm = { -+ .mark = m->mark, -+ }; -+ return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; -+} -+ -+struct compat_xt_mark_target_info_v1 { -+ compat_ulong_t mark; -+ u_int8_t mode; -+ u_int8_t __pad1; -+ u_int16_t __pad2; -+}; -+ -+static void mark_tg_compat_from_user_v1(void *dst, void *src) -+{ -+ const struct compat_xt_mark_target_info_v1 *cm = src; -+ struct xt_mark_target_info_v1 m = { -+ .mark = cm->mark, -+ .mode = cm->mode, -+ }; -+ memcpy(dst, &m, sizeof(m)); -+} -+ -+static int mark_tg_compat_to_user_v1(void __user *dst, void *src) -+{ -+ const struct xt_mark_target_info_v1 *m = src; -+ struct compat_xt_mark_target_info_v1 cm = { -+ .mark = m->mark, -+ .mode = m->mode, -+ }; -+ return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0; -+} -+#endif /* CONFIG_COMPAT */ -+ -+static struct xt_target mark_tg_reg[] __read_mostly = { -+ { -+ .name = "MARK", -+ .family = AF_INET, -+ .revision = 0, -+ .checkentry = mark_tg_check_v0, -+ .target = mark_tg_v0, -+ .targetsize = sizeof(struct xt_mark_target_info), -+#ifdef CONFIG_COMPAT -+ .compatsize = sizeof(struct compat_xt_mark_target_info), -+ .compat_from_user = mark_tg_compat_from_user_v0, -+ .compat_to_user = mark_tg_compat_to_user_v0, -+#endif -+ .table = "mangle", -+ .me = THIS_MODULE, -+ }, ++static struct xt_target xt_setxid_target[] = { + { -+ .name = "MARK", ++ .name = "SETXID", + .family = AF_INET, + .revision = 1, -+ .checkentry = mark_tg_check_v1, -+ .target = mark_tg_v1, -+ .targetsize = sizeof(struct xt_mark_target_info_v1), -+#ifdef CONFIG_COMPAT -+ .compatsize = sizeof(struct compat_xt_mark_target_info_v1), -+ .compat_from_user = mark_tg_compat_from_user_v1, -+ .compat_to_user = mark_tg_compat_to_user_v1, -+#endif -+ .table = "mangle", -+ .me = THIS_MODULE, -+ }, -+ { -+ .name = "MARK", -+ .family = AF_INET6, -+ .revision = 0, -+ .checkentry = mark_tg_check_v0, -+ .target = mark_tg_v0, -+ .targetsize = sizeof(struct xt_mark_target_info), -+#ifdef CONFIG_COMPAT -+ .compatsize = sizeof(struct compat_xt_mark_target_info), -+ .compat_from_user = mark_tg_compat_from_user_v0, -+ .compat_to_user = mark_tg_compat_to_user_v0, -+#endif -+ .table = "mangle", -+ .me = THIS_MODULE, -+ }, -+ { -+ .name = "MARK", -+ .family = AF_INET6, -+ .revision = 1, -+ .checkentry = mark_tg_check_v1, -+ .target = mark_tg_v1, -+ .targetsize = sizeof(struct xt_mark_target_info_v1), -+#ifdef CONFIG_COMPAT -+ .compatsize = sizeof(struct compat_xt_mark_target_info_v1), -+ .compat_from_user = mark_tg_compat_from_user_v1, -+ .compat_to_user = mark_tg_compat_to_user_v1, -+#endif ++ .checkentry = checkentry_v1, ++ .target = target_v1, ++ .targetsize = sizeof(struct xt_setxid_target_info_v1), + .table = "mangle", + .me = THIS_MODULE, -+ }, -+ { -+ .name = "MARK", -+ .revision = 2, -+ .family = AF_INET, -+ .target = mark_tg, -+ .targetsize = sizeof(struct xt_mark_tginfo2), -+ .me = THIS_MODULE, -+ }, -+ { -+ .name = "MARK", -+ .revision = 2, -+ .family = AF_INET6, -+ .target = mark_tg, -+ .targetsize = sizeof(struct xt_mark_tginfo2), -+ .me = THIS_MODULE, -+ }, ++ } +}; + -+static int __init mark_tg_init(void) ++static int __init init(void) +{ -+ return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); ++ int err; ++ ++ err = xt_register_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target)); ++ return err; +} + -+static void __exit mark_tg_exit(void) ++static void __exit fini(void) +{ -+ xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); ++ xt_unregister_targets(xt_setxid_target, ARRAY_SIZE(xt_setxid_target)); +} + -+module_init(mark_tg_init); -+module_exit(mark_tg_exit); -diff -Nurb linux-2.6.27-521/scripts/basic/.docproc.cmd linux-2.6.27-522/scripts/basic/.docproc.cmd ---- linux-2.6.27-521/scripts/basic/.docproc.cmd 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.27-522/scripts/basic/.docproc.cmd 2009-06-02 10:59:54.000000000 -0400 -@@ -0,0 +1,68 @@ -+cmd_scripts/basic/docproc := gcc -Wp,-MD,scripts/basic/.docproc.d -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o scripts/basic/docproc scripts/basic/docproc.c -+ -+deps_scripts/basic/docproc := \ -+ scripts/basic/docproc.c \ -+ /usr/include/stdio.h \ -+ /usr/include/features.h \ -+ /usr/include/sys/cdefs.h \ -+ /usr/include/bits/wordsize.h \ -+ /usr/include/gnu/stubs.h \ -+ /usr/include/gnu/stubs-32.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/stddef.h \ -+ /usr/include/bits/types.h \ -+ /usr/include/bits/typesizes.h \ -+ /usr/include/libio.h \ -+ /usr/include/_G_config.h \ -+ /usr/include/wchar.h \ -+ /usr/include/bits/wchar.h \ -+ /usr/include/gconv.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/stdarg.h \ -+ /usr/include/bits/stdio_lim.h \ -+ /usr/include/bits/sys_errlist.h \ -+ /usr/include/bits/stdio.h \ -+ /usr/include/stdlib.h \ -+ /usr/include/sys/types.h \ -+ /usr/include/time.h \ -+ /usr/include/endian.h \ -+ /usr/include/bits/endian.h \ -+ /usr/include/sys/select.h \ -+ /usr/include/bits/select.h \ -+ /usr/include/bits/sigset.h \ -+ /usr/include/bits/time.h \ -+ /usr/include/sys/sysmacros.h \ -+ /usr/include/bits/pthreadtypes.h \ -+ /usr/include/alloca.h \ -+ /usr/include/string.h \ -+ /usr/include/bits/string.h \ -+ /usr/include/bits/string2.h \ -+ /usr/include/ctype.h \ -+ /usr/include/unistd.h \ -+ /usr/include/bits/posix_opt.h \ -+ /usr/include/bits/confname.h \ -+ /usr/include/getopt.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/limits.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/syslimits.h \ -+ /usr/include/limits.h \ -+ /usr/include/bits/posix1_lim.h \ -+ /usr/include/bits/local_lim.h \ -+ /usr/include/linux/limits.h \ -+ /usr/include/bits/posix2_lim.h \ -+ /usr/include/sys/wait.h \ -+ /usr/include/signal.h \ -+ /usr/include/bits/signum.h \ -+ /usr/include/bits/siginfo.h \ -+ /usr/include/bits/sigaction.h \ -+ /usr/include/bits/sigcontext.h \ -+ /usr/include/asm/sigcontext.h \ -+ /usr/include/asm/types.h \ -+ /usr/include/asm-generic/int-ll64.h \ -+ /usr/include/bits/sigstack.h \ -+ /usr/include/bits/sigthread.h \ -+ /usr/include/sys/resource.h \ -+ /usr/include/bits/resource.h \ -+ /usr/include/bits/waitflags.h \ -+ /usr/include/bits/waitstatus.h \ -+ -+scripts/basic/docproc: $(deps_scripts/basic/docproc) -+ -+$(deps_scripts/basic/docproc): -diff -Nurb linux-2.6.27-521/scripts/basic/.fixdep.cmd linux-2.6.27-522/scripts/basic/.fixdep.cmd ---- linux-2.6.27-521/scripts/basic/.fixdep.cmd 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.27-522/scripts/basic/.fixdep.cmd 2009-06-02 10:59:54.000000000 -0400 -@@ -0,0 +1,76 @@ -+cmd_scripts/basic/fixdep := gcc -Wp,-MD,scripts/basic/.fixdep.d -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -o scripts/basic/fixdep scripts/basic/fixdep.c -+ -+deps_scripts/basic/fixdep := \ -+ scripts/basic/fixdep.c \ -+ $(wildcard include/config/his/driver.h) \ -+ $(wildcard include/config/my/option.h) \ -+ $(wildcard include/config/.h) \ -+ $(wildcard include/config/foo.h) \ -+ $(wildcard include/config/boom.h) \ -+ /usr/include/sys/types.h \ -+ /usr/include/features.h \ -+ /usr/include/sys/cdefs.h \ -+ /usr/include/bits/wordsize.h \ -+ /usr/include/gnu/stubs.h \ -+ /usr/include/gnu/stubs-32.h \ -+ /usr/include/bits/types.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/stddef.h \ -+ /usr/include/bits/typesizes.h \ -+ /usr/include/time.h \ -+ /usr/include/endian.h \ -+ /usr/include/bits/endian.h \ -+ /usr/include/sys/select.h \ -+ /usr/include/bits/select.h \ -+ /usr/include/bits/sigset.h \ -+ /usr/include/bits/time.h \ -+ /usr/include/sys/sysmacros.h \ -+ /usr/include/bits/pthreadtypes.h \ -+ /usr/include/sys/stat.h \ -+ /usr/include/bits/stat.h \ -+ /usr/include/sys/mman.h \ -+ /usr/include/bits/mman.h \ -+ /usr/include/unistd.h \ -+ /usr/include/bits/posix_opt.h \ -+ /usr/include/bits/confname.h \ -+ /usr/include/getopt.h \ -+ /usr/include/fcntl.h \ -+ /usr/include/bits/fcntl.h \ -+ /usr/include/string.h \ -+ /usr/include/bits/string.h \ -+ /usr/include/bits/string2.h \ -+ /usr/include/stdlib.h \ -+ /usr/include/alloca.h \ -+ /usr/include/stdio.h \ -+ /usr/include/libio.h \ -+ /usr/include/_G_config.h \ -+ /usr/include/wchar.h \ -+ /usr/include/bits/wchar.h \ -+ /usr/include/gconv.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/stdarg.h \ -+ /usr/include/bits/stdio_lim.h \ -+ /usr/include/bits/sys_errlist.h \ -+ /usr/include/bits/stdio.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/limits.h \ -+ /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include/syslimits.h \ -+ /usr/include/limits.h \ -+ /usr/include/bits/posix1_lim.h \ -+ /usr/include/bits/local_lim.h \ -+ /usr/include/linux/limits.h \ -+ /usr/include/bits/posix2_lim.h \ -+ /usr/include/ctype.h \ -+ /usr/include/arpa/inet.h \ -+ /usr/include/netinet/in.h \ -+ /usr/include/stdint.h \ -+ /usr/include/sys/socket.h \ -+ /usr/include/sys/uio.h \ -+ /usr/include/bits/uio.h \ -+ /usr/include/bits/socket.h \ -+ /usr/include/bits/sockaddr.h \ -+ /usr/include/asm/socket.h \ -+ /usr/include/asm/sockios.h \ -+ /usr/include/bits/in.h \ -+ /usr/include/bits/byteswap.h \ -+ -+scripts/basic/fixdep: $(deps_scripts/basic/fixdep) -+ -+$(deps_scripts/basic/fixdep): -Files linux-2.6.27-521/scripts/basic/docproc and linux-2.6.27-522/scripts/basic/docproc differ -Files linux-2.6.27-521/scripts/basic/fixdep and linux-2.6.27-522/scripts/basic/fixdep differ ++module_init(init); ++module_exit(fini);