Клонирую репозиторий Git, а рабочий каталог сразу оказывается «грязным»... Whaaaaa?

Итак, я не понимаю, что происходит. Я никогда раньше не работал с исходным кодом ядра Linux, так что, возможно, это обычное дело. Если это так, извините за вопрос новичка.

$ git clone https://github.com/torvalds/linux.git

Затем

$ git status

.

# On branch master
# Changes not staged for commit:
#   (use "git add <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#   modified:   include/linux/netfilter/xt_CONNMARK.h
#   modified:   include/linux/netfilter/xt_DSCP.h
#   modified:   include/linux/netfilter/xt_MARK.h
#   modified:   include/linux/netfilter/xt_RATEEST.h
#   modified:   include/linux/netfilter/xt_TCPMSS.h
#   modified:   include/linux/netfilter_ipv4/ipt_ECN.h
#   modified:   include/linux/netfilter_ipv4/ipt_TTL.h
#   modified:   include/linux/netfilter_ipv6/ip6t_HL.h
#   modified:   net/ipv4/netfilter/ipt_ECN.c
#   modified:   net/netfilter/xt_DSCP.c
#   modified:   net/netfilter/xt_HL.c
#   modified:   net/netfilter/xt_RATEEST.c
#   modified:   net/netfilter/xt_TCPMSS.c
#
# Untracked files:
#   (use "git add <file>..." to include in what will be committed)
#
#   samples/hidraw/

В чём дело?

Правка: вывод diff:

diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 2f2e48e..efc17a8 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,6 +1,31 @@
-#ifndef _XT_CONNMARK_H_target
-#define _XT_CONNMARK_H_target
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H

-#include <linux/netfilter/xt_connmark.h>
+#include <linux/types.h>

-#endif /*_XT_CONNMARK_H_target*/
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+   XT_CONNMARK_SET = 0,
+   XT_CONNMARK_SAVE,
+   XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+   __u32 ctmark, ctmask, nfmask;
+   __u8 mode;
+};
+
+struct xt_connmark_mtinfo1 {
+   __u32 mark, mask;
+   __u8 invert;
+};
+
+#endif /*_XT_CONNMARK_H*/
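Review bot: The new side of this hunk is not an edit to the CONNMARK target wrapper but looks like the whole content of a different header: the removed lines were a thin wrapper doing `#include <linux/netfilter/xt_connmark.h>`, while the added lines define the structs themselves under the guard `_XT_CONNMARK_H`. The same pattern appears in the hunks for xt_DSCP.h (whose added header comment names `xt_dscp.h,v 1.3`), xt_MARK.h, xt_RATEEST.h, xt_TCPMSS.h, ipt_ECN.h, ipt_TTL.h and ip6t_HL.h, where target definitions are replaced by match definitions. That is what one would expect if two tracked paths differing only in letter case were checked out onto a case-insensitive filesystem, which is an inference from the diff and not something the page states. These changes should not be staged or committed: the path should keep its original content, here `#include <linux/netfilter/xt_connmark.h>` under the `_XT_CONNMARK_H_target` guard.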
diff --git a/include/linux/netfilter/xt_DSCP.h b/include/linux/netfilter/xt_DSCP.h
index 648e0b3..15f8932 100644
--- a/include/linux/netfilter/xt_DSCP.h
+++ b/include/linux/netfilter/xt_DSCP.h
@@ -1,26 +1,31 @@
-/* x_tables module for setting the IPv4/IPv6 DSCP field
+/* x_tables module for matching the IPv4/IPv6 DSCP field
  *
  * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
  * This software is distributed under GNU GPL v2, 1991
  *
  * See RFC2474 for a description of the DSCP field within the IP Header.
  *
- * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
 */
-#ifndef _XT_DSCP_TARGET_H
-#define _XT_DSCP_TARGET_H
-#include <linux/netfilter/xt_dscp.h>
+#ifndef _XT_DSCP_H
+#define _XT_DSCP_H
+
 #include <linux/types.h>

-/* target info */
-struct xt_DSCP_info {
+#define XT_DSCP_MASK   0xfc    /* 11111100 */
+#define XT_DSCP_SHIFT  2
+#define XT_DSCP_MAX    0x3f    /* 00111111 */
+
+/* match info */
+struct xt_dscp_info {
    __u8 dscp;
+   __u8 invert;
 };

-struct xt_tos_target_info {
-   __u8 tos_value;
+struct xt_tos_match_info {
    __u8 tos_mask;
+   __u8 tos_value;
+   __u8 invert;
 };

-#endif /* _XT_DSCP_TARGET_H */
+#endif /* _XT_DSCP_H */
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index 41c456d..ecadc40 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,6 +1,15 @@
-#ifndef _XT_MARK_H_target
-#define _XT_MARK_H_target
+#ifndef _XT_MARK_H
+#define _XT_MARK_H

-#include <linux/netfilter/xt_mark.h>
+#include <linux/types.h>

-#endif /*_XT_MARK_H_target */
+struct xt_mark_tginfo2 {
+   __u32 mark, mask;
+};
+
+struct xt_mark_mtinfo1 {
+   __u32 mark, mask;
+   __u8 invert;
+};
+
+#endif /*_XT_MARK_H*/
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/linux/netfilter/xt_RATEEST.h
index 6605e20..d40a619 100644
--- a/include/linux/netfilter/xt_RATEEST.h
+++ b/include/linux/netfilter/xt_RATEEST.h
@@ -1,15 +1,37 @@
-#ifndef _XT_RATEEST_TARGET_H
-#define _XT_RATEEST_TARGET_H
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H

 #include <linux/types.h>

-struct xt_rateest_target_info {
-   char            name[IFNAMSIZ];
-   __s8            interval;
-   __u8        ewma_log;
+enum xt_rateest_match_flags {
+   XT_RATEEST_MATCH_INVERT = 1<<0,
+   XT_RATEEST_MATCH_ABS    = 1<<1,
+   XT_RATEEST_MATCH_REL    = 1<<2,
+   XT_RATEEST_MATCH_DELTA  = 1<<3,
+   XT_RATEEST_MATCH_BPS    = 1<<4,
+   XT_RATEEST_MATCH_PPS    = 1<<5,
+};
+
+enum xt_rateest_match_mode {
+   XT_RATEEST_MATCH_NONE,
+   XT_RATEEST_MATCH_EQ,
+   XT_RATEEST_MATCH_LT,
+   XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+   char            name1[IFNAMSIZ];
+   char            name2[IFNAMSIZ];
+   __u16       flags;
+   __u16       mode;
+   __u32       bps1;
+   __u32       pps1;
+   __u32       bps2;
+   __u32       pps2;

    /* Used internally by the kernel */
-   struct xt_rateest   *est __attribute__((aligned(8)));
+   struct xt_rateest   *est1 __attribute__((aligned(8)));
+   struct xt_rateest   *est2 __attribute__((aligned(8)));
 };

-#endif /* _XT_RATEEST_TARGET_H */
+#endif /* _XT_RATEEST_MATCH_H */
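Review bot: `name1[IFNAMSIZ]` and `name2[IFNAMSIZ]` depend on `IFNAMSIZ`, but the only include visible in this header is `<linux/types.h>`, so it compiles only when the includer has already pulled in that definition. Adding `#include <linux/if.h>` after the existing include would make the header self-contained. Separately, `est1` and `est2` are marked as kernel-internal yet sit in a struct that appears to be shared with userspace (it uses the `__u16`/`__u32` types). A comment such as `/* set by the kernel; a value supplied by the caller must never be dereferenced */` would record that expectation, assuming the match code treats them that way.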
diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/linux/netfilter/xt_TCPMSS.h
index 9a6960a..fbac56b 100644
--- a/include/linux/netfilter/xt_TCPMSS.h
+++ b/include/linux/netfilter/xt_TCPMSS.h
@@ -1,12 +1,11 @@
-#ifndef _XT_TCPMSS_H
-#define _XT_TCPMSS_H
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H

 #include <linux/types.h>

-struct xt_tcpmss_info {
-   __u16 mss;
+struct xt_tcpmss_match_info {
+    __u16 mss_min, mss_max;
+    __u8 invert;
 };

-#define XT_TCPMSS_CLAMP_PMTU 0xffff
-
-#endif /* _XT_TCPMSS_H */
+#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h
index bb88d53..eabf95f 100644
--- a/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/include/linux/netfilter_ipv4/ipt_ECN.h
@@ -1,33 +1,35 @@
-/* Header file for iptables ipt_ECN target
+/* iptables module for matching the ECN header in IPv4 and TCP header
  *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
  *
  * This software is distributed under GNU GPL v2, 1991
  * 
- * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
 */
-#ifndef _IPT_ECN_TARGET_H
-#define _IPT_ECN_TARGET_H
+#ifndef _IPT_ECN_H
+#define _IPT_ECN_H

 #include <linux/types.h>
-#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter/xt_dscp.h>

 #define IPT_ECN_IP_MASK    (~XT_DSCP_MASK)

-#define IPT_ECN_OP_SET_IP  0x01    /* set ECN bits of IPv4 header */
-#define IPT_ECN_OP_SET_ECE 0x10    /* set ECE bit of TCP header */
-#define IPT_ECN_OP_SET_CWR 0x20    /* set CWR bit of TCP header */
+#define IPT_ECN_OP_MATCH_IP    0x01
+#define IPT_ECN_OP_MATCH_ECE   0x10
+#define IPT_ECN_OP_MATCH_CWR   0x20

-#define IPT_ECN_OP_MASK        0xce
+#define IPT_ECN_OP_MATCH_MASK  0xce

-struct ipt_ECN_info {
-   __u8 operation; /* bitset of operations */
-   __u8 ip_ect;    /* ECT codepoint of IPv4 header, pre-shifted */
+/* match info */
+struct ipt_ecn_info {
+   __u8 operation;
+   __u8 invert;
+   __u8 ip_ect;
    union {
        struct {
-           __u8 ece:1, cwr:1; /* TCP ECT bits */
+           __u8 ect;
        } tcp;
    } proto;
 };

-#endif /* _IPT_ECN_TARGET_H */
+#endif /* _IPT_ECN_H */
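Review bot: `IPT_ECN_OP_MATCH_MASK` is `0xce`, which contains none of the three operation bits defined just above it (`0x01 | 0x10 | 0x20` is `0x31`, and `0xce` is its 8-bit complement), so the name reads as the set of valid operations while the value is the set of unassigned bits. A comment would stop a validation check being written the wrong way round, for example `/* bits with no operation assigned; presumably must be zero in 'operation' */`. The `operation` and `ip_ect` members also lost the field comments they had on the old side, and the new `invert` member has none; each could carry a one-line description.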
diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h
index f6ac169..37bee44 100644
--- a/include/linux/netfilter_ipv4/ipt_TTL.h
+++ b/include/linux/netfilter_ipv4/ipt_TTL.h
@@ -1,5 +1,5 @@
-/* TTL modification module for IP tables
- * (C) 2000 by Harald Welte <laforge@netfilter.org> */
+/* IP tables module for matching the value of the TTL
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */

 #ifndef _IPT_TTL_H
 #define _IPT_TTL_H
@@ -7,14 +7,14 @@
 #include <linux/types.h>

 enum {
-   IPT_TTL_SET = 0,
-   IPT_TTL_INC,
-   IPT_TTL_DEC
+   IPT_TTL_EQ = 0,     /* equals */
+   IPT_TTL_NE,     /* not equals */
+   IPT_TTL_LT,     /* less than */
+   IPT_TTL_GT,     /* greater than */
 };

-#define IPT_TTL_MAXMODE    IPT_TTL_DEC

-struct ipt_TTL_info {
+struct ipt_ttl_info {
    __u8    mode;
    __u8    ttl;
 };
diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/linux/netfilter_ipv6/ip6t_HL.h
index ebd8ead..6e76dbc 100644
--- a/include/linux/netfilter_ipv6/ip6t_HL.h
+++ b/include/linux/netfilter_ipv6/ip6t_HL.h
@@ -1,6 +1,6 @@
-/* Hop Limit modification module for ip6tables
+/* ip6tables module for matching the Hop Limit value
  * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's TTL module */
+ * Based on HW's ttl module */

 #ifndef _IP6T_HL_H
 #define _IP6T_HL_H
@@ -8,14 +8,14 @@
 #include <linux/types.h>

 enum {
-   IP6T_HL_SET = 0,
-   IP6T_HL_INC,
-   IP6T_HL_DEC
+   IP6T_HL_EQ = 0,     /* equals */
+   IP6T_HL_NE,     /* not equals */
+   IP6T_HL_LT,     /* less than */
+   IP6T_HL_GT,     /* greater than */
 };

-#define IP6T_HL_MAXMODE    IP6T_HL_DEC

-struct ip6t_HL_info {
+struct ip6t_hl_info {
    __u8    mode;
    __u8    hop_limit;
 };
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 4bf3dc4..2b57e52 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -1,138 +1,127 @@
-/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
+/* IP tables module for matching the value of the IPv4 and TCP ECN bits
  *
- * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
-*/
+ */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <net/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
 #include <linux/tcp.h>
-#include <net/checksum.h>

 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ECN.h>
+#include <linux/netfilter_ipv4/ipt_ecn.h>

-MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag modification");
+MODULE_DESCRIPTION("Xtables: Explicit Congestion Notification (ECN) flag match for IPv4");
+MODULE_LICENSE("GPL");

-/* set ECT codepoint from IP header.
- *     return false if there was an error. */
-static inline bool
-set_ect_ip(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
+static inline bool match_ip(const struct sk_buff *skb,
+               const struct ipt_ecn_info *einfo)
 {
-   struct iphdr *iph = ip_hdr(skb);
-
-   if ((iph->tos & IPT_ECN_IP_MASK) != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
-       __u8 oldtos;
-       if (!skb_make_writable(skb, sizeof(struct iphdr)))
-           return false;
-       iph = ip_hdr(skb);
-       oldtos = iph->tos;
-       iph->tos &= ~IPT_ECN_IP_MASK;
-       iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
-       csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
-   }
-   return true;
+   return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
+          !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
 }

-/* Return false if there was an error. */
-static inline bool
-set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
+static inline bool match_tcp(const struct sk_buff *skb,
+                const struct ipt_ecn_info *einfo,
+                bool *hotdrop)
 {
-   struct tcphdr _tcph, *tcph;
-   __be16 oldval;
-
-   /* Not enough header? */
-   tcph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
-   if (!tcph)
+   struct tcphdr _tcph;
+   const struct tcphdr *th;
+
+   /* In practice, TCP match does this, so can't fail.  But let's
+    * be good citizens.
+    */
+   th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
+   if (th == NULL) {
+       *hotdrop = false;
        return false;
+   }

-   if ((!(einfo->operation & IPT_ECN_OP_SET_ECE) ||
-        tcph->ece == einfo->proto.tcp.ece) &&
-       (!(einfo->operation & IPT_ECN_OP_SET_CWR) ||
-        tcph->cwr == einfo->proto.tcp.cwr))
-       return true;
-
-   if (!skb_make_writable(skb, ip_hdrlen(skb) + sizeof(*tcph)))
-       return false;
-   tcph = (void *)ip_hdr(skb) + ip_hdrlen(skb);

...

(усечено, потому что иначе текст превысил бы ограничение StackOverflow на размер сообщения.)

задан Derrick 12 September 2011 в 05:57