netfilter: only do skb_checksum_help on CHECKSUM_PARTIAL in ip6_queue

[safe/jmp/linux-2.6] / net / ipv6 / netfilter / ip6_queue.c

diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 9014ada..39856a2 100644 (file)
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -36,7 +36,6 @@
 
 #define IPQ_QMAX_DEFAULT 1024
 #define IPQ_PROC_FS_NAME "ip6_queue"
-#define NET_IPQ_QMAX 2088
 #define NET_IPQ_QMAX_NAME "ip6_queue_maxlen"
 
 typedef int (*ipq_cmpfn)(struct nf_queue_entry *, unsigned long);
@@ -53,14 +52,6 @@ static struct sock *ipqnl __read_mostly;
 static LIST_HEAD(queue_list);
 static DEFINE_MUTEX(ipqnl_mutex);
 
-static void
-ipq_issue_verdict(struct nf_queue_entry *entry, int verdict)
-{
-       local_bh_disable();
-       nf_reinject(entry, verdict);
-       local_bh_enable();
-}
-
 static inline void
 __ipq_enqueue_entry(struct nf_queue_entry *entry)
 {
@@ -137,7 +128,7 @@ __ipq_flush(ipq_cmpfn cmpfn, unsigned long data)
                if (!cmpfn || cmpfn(entry, data)) {
                        list_del(&entry->list);
                        queue_total--;
-                       ipq_issue_verdict(entry, NF_DROP);
+                       nf_reinject(entry, NF_DROP);
                }
        }
 }
@@ -167,12 +158,10 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
        case IPQ_COPY_META:
        case IPQ_COPY_NONE:
                size = NLMSG_SPACE(sizeof(*pmsg));
-               data_len = 0;
                break;
 
        case IPQ_COPY_PACKET:
-               if ((entry->skb->ip_summed == CHECKSUM_PARTIAL ||
-                    entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
+               if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
                    (*errp = skb_checksum_help(entry->skb))) {
                        read_unlock_bh(&queue_lock);
                        return NULL;
@@ -234,8 +223,6 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
        return skb;
 
 nlmsg_failure:
-       if (skb)
-               kfree_skb(skb);
        *errp = -EINVAL;
        printk(KERN_ERR "ip6_queue: error creating packet message\n");
        return NULL;
@@ -293,8 +280,8 @@ static int
 ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e)
 {
        int diff;
-       int err;
        struct ipv6hdr *user_iph = (struct ipv6hdr *)v->payload;
+       struct sk_buff *nskb;
 
        if (v->data_len < sizeof(*user_iph))
                return 0;
@@ -306,14 +293,15 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e)
                if (v->data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
-                       err = pskb_expand_head(e->skb, 0,
-                                              diff - skb_tailroom(e->skb),
-                                              GFP_ATOMIC);
-                       if (err) {
+                       nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+                                              diff, GFP_ATOMIC);
+                       if (!nskb) {
                                printk(KERN_WARNING "ip6_queue: OOM "
                                      "in mangle, dropping packet\n");
-                               return err;
+                               return -ENOMEM;
                        }
+                       kfree_skb(e->skb);
+                       e->skb = nskb;
                }
                skb_put(e->skb, diff);
        }
@@ -343,7 +331,7 @@ ipq_set_verdict(struct ipq_verdict_msg *vmsg, unsigned int len)
                        if (ipq_mangle_ipv6(vmsg, entry) < 0)
                                verdict = NF_DROP;
 
-               ipq_issue_verdict(entry, verdict);
+               nf_reinject(entry, verdict);
                return 0;
        }
 }
@@ -490,7 +478,7 @@ ipq_rcv_dev_event(struct notifier_block *this,
 {
        struct net_device *dev = ptr;
 
-       if (dev->nd_net != &init_net)
+       if (!net_eq(dev_net(dev), &init_net))
                return NOTIFY_DONE;
 
        /* Drop any packets associated with the downed device */
@@ -509,10 +497,9 @@ ipq_rcv_nl_event(struct notifier_block *this,
 {
        struct netlink_notify *n = ptr;
 
-       if (event == NETLINK_URELEASE &&
-           n->protocol == NETLINK_IP6_FW && n->pid) {
+       if (event == NETLINK_URELEASE && n->protocol == NETLINK_IP6_FW) {
                write_lock_bh(&queue_lock);
-               if ((n->net == &init_net) && (n->pid == peer_pid))
+               if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
                        __ipq_reset();
                write_unlock_bh(&queue_lock);
        }
@@ -523,40 +510,22 @@ static struct notifier_block ipq_nl_notifier = {
        .notifier_call  = ipq_rcv_nl_event,
 };
 
+#ifdef CONFIG_SYSCTL
 static struct ctl_table_header *ipq_sysctl_header;
 
 static ctl_table ipq_table[] = {
        {
-               .ctl_name       = NET_IPQ_QMAX,
                .procname       = NET_IPQ_QMAX_NAME,
                .data           = &queue_maxlen,
                .maxlen         = sizeof(queue_maxlen),
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
-       { .ctl_name = 0 }
-};
-
-static ctl_table ipq_dir_table[] = {
-       {
-               .ctl_name       = NET_IPV6,
-               .procname       = "ipv6",
-               .mode           = 0555,
-               .child          = ipq_table
-       },
-       { .ctl_name = 0 }
-};
-
-static ctl_table ipq_root_table[] = {
-       {
-               .ctl_name       = CTL_NET,
-               .procname       = "net",
-               .mode           = 0555,
-               .child          = ipq_dir_table
-       },
-       { .ctl_name = 0 }
+       { }
 };
+#endif
 
+#ifdef CONFIG_PROC_FS
 static int ip6_queue_show(struct seq_file *m, void *v)
 {
        read_lock_bh(&queue_lock);
@@ -593,6 +562,7 @@ static const struct file_operations ip6_queue_proc_fops = {
        .release        = single_release,
        .owner          = THIS_MODULE,
 };
+#endif
 
 static const struct nf_queue_handler nfqh = {
        .name   = "ip6_queue",
@@ -602,7 +572,7 @@ static const struct nf_queue_handler nfqh = {
 static int __init ip6_queue_init(void)
 {
        int status = -ENOMEM;
-       struct proc_dir_entry *proc;
+       struct proc_dir_entry *proc __maybe_unused;
 
        netlink_register_notifier(&ipq_nl_notifier);
        ipqnl = netlink_kernel_create(&init_net, NETLINK_IP6_FW, 0,
@@ -612,19 +582,19 @@ static int __init ip6_queue_init(void)
                goto cleanup_netlink_notifier;
        }
 
-       proc = create_proc_entry(IPQ_PROC_FS_NAME, 0, init_net.proc_net);
-       if (proc) {
-               proc->owner = THIS_MODULE;
-               proc->proc_fops = &ip6_queue_proc_fops;
-       } else {
+#ifdef CONFIG_PROC_FS
+       proc = proc_create(IPQ_PROC_FS_NAME, 0, init_net.proc_net,
+                          &ip6_queue_proc_fops);
+       if (!proc) {
                printk(KERN_ERR "ip6_queue: failed to create proc entry\n");
                goto cleanup_ipqnl;
        }
-
+#endif
        register_netdevice_notifier(&ipq_dev_notifier);
-       ipq_sysctl_header = register_sysctl_table(ipq_root_table);
-
-       status = nf_register_queue_handler(PF_INET6, &nfqh);
+#ifdef CONFIG_SYSCTL
+       ipq_sysctl_header = register_sysctl_paths(net_ipv6_ctl_path, ipq_table);
+#endif
+       status = nf_register_queue_handler(NFPROTO_IPV6, &nfqh);
        if (status < 0) {
                printk(KERN_ERR "ip6_queue: failed to register queue handler\n");
                goto cleanup_sysctl;
@@ -632,12 +602,14 @@ static int __init ip6_queue_init(void)
        return status;
 
 cleanup_sysctl:
+#ifdef CONFIG_SYSCTL
        unregister_sysctl_table(ipq_sysctl_header);
+#endif
        unregister_netdevice_notifier(&ipq_dev_notifier);
        proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
 
-cleanup_ipqnl:
-       sock_release(ipqnl->sk_socket);
+cleanup_ipqnl: __maybe_unused
+       netlink_kernel_release(ipqnl);
        mutex_lock(&ipqnl_mutex);
        mutex_unlock(&ipqnl_mutex);
 
@@ -649,14 +621,16 @@ cleanup_netlink_notifier:
 static void __exit ip6_queue_fini(void)
 {
        nf_unregister_queue_handlers(&nfqh);
-       synchronize_net();
+
        ipq_flush(NULL, 0);
 
+#ifdef CONFIG_SYSCTL
        unregister_sysctl_table(ipq_sysctl_header);
+#endif
        unregister_netdevice_notifier(&ipq_dev_notifier);
        proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
 
-       sock_release(ipqnl->sk_socket);
+       netlink_kernel_release(ipqnl);
        mutex_lock(&ipqnl_mutex);
        mutex_unlock(&ipqnl_mutex);
 
@@ -665,6 +639,7 @@ static void __exit ip6_queue_fini(void)
 
 MODULE_DESCRIPTION("IPv6 packet queue handler");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_IP6_FW);
 
 module_init(ip6_queue_init);
 module_exit(ip6_queue_fini);