From c81baf4775c6bb09ea2c2f31e494a068fe12160c Mon Sep 17 00:00:00 2001 From: Tom Lendacky Date: Fri, 28 Mar 2003 12:08:41 -0800 Subject: [IPSEC]: Missing ipv6 policy checks. --- include/net/protocol.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net') diff --git a/include/net/protocol.h b/include/net/protocol.h index f2b31f62312d..6f493c4a23cc 100644 --- a/include/net/protocol.h +++ b/include/net/protocol.h @@ -50,6 +50,7 @@ struct inet6_protocol struct inet6_skb_parm *opt, int type, int code, int offset, __u32 info); + int no_policy; }; #endif -- cgit v1.2.3 From e99122d248d5f22aa2466a53c29997386ac2865f Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sat, 29 Mar 2003 09:45:55 -0800 Subject: [NET]: Nuke CONFIG_FILTER. --- drivers/net/Kconfig | 2 +- include/net/sock.h | 15 --------------- net/Kconfig | 16 ---------------- net/core/Makefile | 4 +--- net/core/filter.c | 4 ---- net/core/sock.c | 11 +---------- net/ipv4/tcp_minisocks.c | 6 ++---- net/ipv4/udp.c | 2 -- net/ipv6/raw.c | 3 +-- net/ipv6/udp.c | 3 +-- net/netsyms.c | 2 -- net/packet/af_packet.c | 10 ---------- 12 files changed, 7 insertions(+), 71 deletions(-) (limited to 'include/net') diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig index 7d9ab385a1ab..647058a6397a 100644 --- a/drivers/net/Kconfig +++ b/drivers/net/Kconfig @@ -2262,7 +2262,7 @@ config PPP_MULTILINK config PPP_FILTER bool "PPP filtering" - depends on PPP && FILTER + depends on PPP help Say Y here if you want to be able to filter the packets passing over PPP interfaces. This allows you to control which packets count as diff --git a/include/net/sock.h b/include/net/sock.h index df20f44552bf..6235779cc456 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -48,9 +48,7 @@ #include /* struct sk_buff */ #include -#ifdef CONFIG_FILTER #include -#endif #include #include 
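Review bot: The new `no_policy` member at the end of `struct inet6_protocol` has no comment, and nothing in this header says what a non-zero value means or who reads it. The view is limited to include/net, so the consumer is not visible; presumably the IPv6 input path skips the inbound IPsec policy check for protocols that set it, which makes the field security-relevant. I would document it on the declaration, e.g. `int no_policy; /* non-zero: deliver to handler without the xfrm policy check */`, and note that initializers which omit it get 0, so the check stays on by default. The struct definition starts outside the hunk.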
@@ -174,10 +172,8 @@ struct sock { long rcvtimeo; long sndtimeo; -#ifdef CONFIG_FILTER /* Socket Filtering Instructions */ struct sk_filter *filter; -#endif /* CONFIG_FILTER */ /* This is where all the private (optional) areas that don't * overlap will eventually live. @@ -456,8 +452,6 @@ extern void sock_def_destruct(struct sock *); /* Initialise core socket variables */ extern void sock_init_data(struct socket *sock, struct sock *sk); -#ifdef CONFIG_FILTER - /** * __sk_filter - run a packet through a socket filter * @sk: sock associated with &sk_buff @@ -524,15 +518,6 @@ static inline void sk_filter_charge(struct sock *sk, struct sk_filter *fp) atomic_add(sk_filter_len(fp), &sk->omem_alloc); } -#else - -static inline int __sk_filter(struct sock *sk, struct sk_buff *skb, int needlock) -{ - return 0; -} - -#endif /* CONFIG_FILTER */ - static inline int sk_filter(struct sock *sk, struct sk_buff *skb, int needlock) { int err; diff --git a/net/Kconfig b/net/Kconfig index f5cf59c91665..d791c61fcc61 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -118,22 +118,6 @@ config NETFILTER_DEBUG You can say Y here if you want to get additional messages useful in debugging the netfilter code. -config FILTER - bool "Socket Filtering" - ---help--- - The Linux Socket Filter is derived from the Berkeley Packet Filter. - If you say Y here, user-space programs can attach a filter to any - socket and thereby tell the kernel that it should allow or disallow - certain types of data to get through the socket. Linux Socket - Filtering works on all socket types except TCP for now. See the - text file for more - information. - - You need to say Y here if you want to use PPP packet filtering - (see the CONFIG_PPP_FILTER option below). - - If unsure, say N. - config UNIX tristate "Unix domain sockets" ---help--- diff --git a/net/core/Makefile b/net/core/Makefile index ffbb63e471a4..b9fc9654b14f 100644 --- a/net/core/Makefile +++ b/net/core/Makefile 
@@ -10,9 +10,7 @@ obj-y += sysctl_net_core.o endif endif -obj-$(CONFIG_FILTER) += filter.o - -obj-$(CONFIG_NET) += dev.o dev_mcast.o dst.o neighbour.o rtnetlink.o utils.o link_watch.o +obj-$(CONFIG_NET) += dev.o dev_mcast.o dst.o neighbour.o rtnetlink.o utils.o link_watch.o filter.o obj-$(CONFIG_NETFILTER) += netfilter.o obj-$(CONFIG_NET_DIVERT) += dv.o diff --git a/net/core/filter.c b/net/core/filter.c index bfa23ac6348e..0ad6dc93d7ec 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -15,9 +15,6 @@ * Andi Kleen - Fix a few bad bugs and races. */ -#include -#if defined(CONFIG_FILTER) - #include #include #include @@ -495,4 +492,3 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk) return (err); } -#endif /* CONFIG_FILTER */ diff --git a/net/core/sock.c b/net/core/sock.c index da9bfa3ac520..7e7bf7a9ad84 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -119,9 +119,7 @@ #include #include -#ifdef CONFIG_FILTER #include -#endif #ifdef CONFIG_INET #include @@ -168,9 +166,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, char *optval, int optlen) { struct sock *sk=sock->sk; -#ifdef CONFIG_FILTER struct sk_filter *filter; -#endif int val; int valbool; struct linger ling; @@ -381,7 +377,6 @@ int sock_setsockopt(struct socket *sock, int level, int optname, #endif -#ifdef CONFIG_FILTER case SO_ATTACH_FILTER: ret = -EINVAL; if (optlen == sizeof(struct sock_fprog)) { @@ -407,7 +402,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, spin_unlock_bh(&sk->lock.slock); ret = -ENONET; break; -#endif + /* We implement the SO_SNDLOWAT etc to not be settable (1003.1g 5.3) */ default: 
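Review bot: `ret = -ENONET;` on the filter-detach path just above the removed `#endif` in sock_setsockopt looks like a typo for `-ENOENT`. ENONET means "Machine is not on the network", which is an odd answer to a request to remove a socket filter, and with the `#ifdef` gone this case is compiled into every kernel, so the value is what all user space will see. If it is meant as the result for "no filter attached", I would change it to `ret = -ENOENT;`. The case body starts outside the hunk, so whether `ret` is overwritten on the success path cannot be checked from here.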
@@ -614,20 +609,16 @@ struct sock *sk_alloc(int family, int priority, int zero_it, kmem_cache_t *slab) void sk_free(struct sock *sk) { -#ifdef CONFIG_FILTER struct sk_filter *filter; -#endif if (sk->destruct) sk->destruct(sk); -#ifdef CONFIG_FILTER filter = sk->filter; if (filter) { sk_filter_release(sk, filter); sk->filter = NULL; } -#endif if (atomic_read(&sk->omem_alloc)) printk(KERN_DEBUG "sk_free: optmem leakage (%d bytes) detected.\n", atomic_read(&sk->omem_alloc)); diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index ef70735bbebc..f493a21f2f82 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -645,9 +645,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct open_request *req, if(newsk != NULL) { struct tcp_opt *newtp; -#ifdef CONFIG_FILTER struct sk_filter *filter; -#endif memcpy(newsk, sk, sizeof(struct tcp_sock)); newsk->state = TCP_SYN_RECV; @@ -677,10 +675,10 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct open_request *req, newsk->callback_lock = RW_LOCK_UNLOCKED; skb_queue_head_init(&newsk->error_queue); newsk->write_space = tcp_write_space; -#ifdef CONFIG_FILTER + if ((filter = newsk->filter) != NULL) sk_filter_charge(newsk, filter); -#endif + if (unlikely(xfrm_sk_clone_policy(newsk))) { /* It is still raw copy of parent, so invalidate * destructor and make plain sk_free() */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 1be52464ff65..29212d8160f2 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -951,7 +951,6 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) return -1; } -#if defined(CONFIG_FILTER) if (sk->filter && skb->ip_summed != CHECKSUM_UNNECESSARY) { if (__udp_checksum_complete(skb)) { UDP_INC_STATS_BH(UdpInErrors); @@ -960,7 +959,6 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) } skb->ip_summed = CHECKSUM_UNNECESSARY; } -#endif if (sock_queue_rcv_skb(sk,skb)<0) { UDP_INC_STATS_BH(UdpInErrors); 
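Review bot: The filter charge in tcp_create_openreq_child, `if ((filter = newsk->filter) != NULL) sk_filter_charge(newsk, filter);`, now runs in every build but has no comment saying why it is needed. `newsk->filter` was copied from the listener by the `memcpy` earlier in the function, so the child has to account for the inherited filter itself before any path reaches sk_free(), which this commit makes release the filter unconditionally. A short comment such as `/* filter pointer was inherited via memcpy; charge it to the child */` would record that. The assignment inside the condition could also be split into `filter = newsk->filter;` followed by `if (filter)`, matching how sk_free() is written in the same commit. The function body starts and ends outside the hunk.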
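Review bot: The block in udp_queue_rcv_skb that verifies the checksum only when `sk->filter` is set is now compiled unconditionally, and nothing explains the condition. Presumably an attached filter inspects the payload before the receive path would otherwise validate the checksum, so the packet has to be verified first or the filter decides on corrupted data. A comment like `/* a socket filter reads the payload, so verify the checksum before it runs */` above the `if` would make that explicit. The same uncommented pattern appears in rawv6_rcv_skb (net/ipv6/raw.c) and udpv6_queue_rcv_skb (net/ipv6/udp.c). The function bodies extend beyond the hunks.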
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 296d333795c5..2615647db316 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -273,7 +273,6 @@ void rawv6_err(struct sock *sk, struct sk_buff *skb, static inline int rawv6_rcv_skb(struct sock * sk, struct sk_buff * skb) { -#if defined(CONFIG_FILTER) if (sk->filter && skb->ip_summed != CHECKSUM_UNNECESSARY) { if ((unsigned short)csum_fold(skb_checksum(skb, 0, skb->len, skb->csum))) { /* FIXME: increment a raw6 drops counter here */ @@ -282,7 +281,7 @@ static inline int rawv6_rcv_skb(struct sock * sk, struct sk_buff * skb) } skb->ip_summed = CHECKSUM_UNNECESSARY; } -#endif + /* Charge it to the socket. */ if (sock_queue_rcv_skb(sk,skb)<0) { /* FIXME: increment a raw6 drops counter here */ diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 442285c7a39f..9632131bb34a 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -547,7 +547,6 @@ static inline int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) return -1; } -#if defined(CONFIG_FILTER) if (sk->filter && skb->ip_summed != CHECKSUM_UNNECESSARY) { if ((unsigned short)csum_fold(skb_checksum(skb, 0, skb->len, skb->csum))) { UDP6_INC_STATS_BH(UdpInErrors); @@ -556,7 +555,7 @@ static inline int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb) } skb->ip_summed = CHECKSUM_UNNECESSARY; } -#endif + if (sock_queue_rcv_skb(sk,skb)<0) { UDP6_INC_STATS_BH(UdpInErrors); kfree_skb(skb); diff --git a/net/netsyms.c b/net/netsyms.c index 195e6ee803d6..56db7f1ca615 100644 --- a/net/netsyms.c +++ b/net/netsyms.c @@ -171,10 +171,8 @@ EXPORT_SYMBOL(sock_kfree_s); EXPORT_SYMBOL(sock_map_fd); EXPORT_SYMBOL(sockfd_lookup); -#ifdef CONFIG_FILTER EXPORT_SYMBOL(sk_run_filter); EXPORT_SYMBOL(sk_chk_filter); -#endif EXPORT_SYMBOL(neigh_table_init); EXPORT_SYMBOL(neigh_table_clear); diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 86d20f6852a1..c0b3bcf55d8d 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c 
@@ -401,9 +401,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packe struct packet_opt *po; u8 * skb_head = skb->data; int skb_len = skb->len; -#ifdef CONFIG_FILTER unsigned snaplen; -#endif if (skb->pkt_type == PACKET_LOOPBACK) goto drop; @@ -429,7 +427,6 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packe } } -#ifdef CONFIG_FILTER snaplen = skb->len; if (sk->filter) { @@ -446,7 +443,6 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packe if (snaplen > res) snaplen = res; } -#endif /* CONFIG_FILTER */ if (atomic_read(&sk->rmem_alloc) + skb->truesize >= (unsigned)sk->rcvbuf) goto drop_n_acct; @@ -475,10 +471,8 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packe if (dev->hard_header_parse) sll->sll_halen = dev->hard_header_parse(skb, sll->sll_addr); -#ifdef CONFIG_FILTER if (pskb_trim(skb, snaplen)) goto drop_n_acct; -#endif skb_set_owner_r(skb, sk); skb->dev = NULL; @@ -494,9 +488,7 @@ drop_n_acct: po->stats.tp_drops++; spin_unlock(&sk->receive_queue.lock); -#ifdef CONFIG_FILTER drop_n_restore: -#endif if (skb_head != skb->data && skb_shared(skb)) { skb->data = skb_head; skb->len = skb_len; @@ -539,7 +531,6 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct pack snaplen = skb->len; -#ifdef CONFIG_FILTER if (sk->filter) { unsigned res = snaplen; struct sk_filter *filter; @@ -554,7 +545,6 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct pack if (snaplen > res) snaplen = res; } -#endif if (sk->type == SOCK_DGRAM) { macoff = netoff = TPACKET_ALIGN(TPACKET_HDRLEN) + 16; -- cgit v1.2.3