hi,
after Andreas Herrmann's letters I checked the kernel part of the ip6tables/netfilter with all the available extensions/patches.
I used the 2.4.18 kernel tree and the the CVS (03.01)
The differences:
- SMP_ALIGN (by Andreas Herrmann)
- TABLE_OFFSET macro used inconsistently in the src code (with and without the cpu_number_map())
- set the owner of the ip6_tables_names in /proc to the module
- MAC match: register to the FORWARD hook, too
The other parts were idetical (more or less).
(The Command option of the Owner patch is missing.)

--- Andreas Herrmann ---

Kernel: SMP CPU alignment

--- net/ipv6/netfilter/ip6_tables.c~	Wed Oct 31 00:08:12 2001
+++ net/ipv6/netfilter/ip6_tables.c	Wed Feb 20 17:38:18 2002
@@ -906,7 +906,7 @@
 	/* And one copy for every other CPU */
 	for (i = 1; i < smp_num_cpus; i++) {
-		memcpy(newinfo->entries + SMP_ALIGN(newinfo->size*i),
+		memcpy(newinfo->entries + SMP_ALIGN(newinfo->size)*i,
 		       newinfo->entries,
 		       SMP_ALIGN(newinfo->size));
 	}

--- kisza ---

Kernel: SMP TABLE_OFFSET fix - ordered CPUs

--- linux/net/ipv6/netfilter/ip6_tables.c.old	Sat Mar 2 00:14:06 2002
+++ linux/net/ipv6/netfilter/ip6_tables.c	Sat Mar 2 00:14:14 2002
@@ -110,7 +110,7 @@
 #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
 
 #ifdef CONFIG_SMP
-#define TABLE_OFFSET(t,p) (SMP_ALIGN((t)->size)*cpu_number_map(p))
+#define TABLE_OFFSET(t,p) (SMP_ALIGN((t)->size)*(p))
 #else
 #define TABLE_OFFSET(t,p) 0
 #endif
@@ -336,7 +336,8 @@
 	read_lock_bh(&table->lock);
 	IP_NF_ASSERT(table->valid_hooks & (1 << hook));
 	table_base = (void *)table->private->entries
-		+ TABLE_OFFSET(table->private, smp_processor_id());
+		+ TABLE_OFFSET(table->private,
+			       cpu_number_map(smp_processor_id()));
 	e = get_entry(table_base, table->private->hook_entry[hook]);
 
 #ifdef CONFIG_NETFILTER_DEBUG

Kernel: Set /proc entry owner

--- linux/net/ipv6/netfilter/ip6_tables.c.old	Sat Mar 2 00:14:06 2002
+++ linux/net/ipv6/netfilter/ip6_tables.c	Sat Mar 2 00:30:01 2002
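Review bot: The new stride `SMP_ALIGN(newinfo->size)*i` in the memcpy destination is only in bounds if the `entries` buffer was allocated as `SMP_ALIGN(size) * smp_num_cpus`; the allocation is not in this hunk, so if it is still sized as `size * smp_num_cpus` or `SMP_ALIGN(size * smp_num_cpus)` the copy for the last CPU runs past the end of the table. Please confirm the allocation site in the same patch. The loop belongs to a function that starts and ends outside the hunk. The layout contract is worth a comment above the loop, e.g. `/* copy i lives at SMP_ALIGN(size)*i: must agree with TABLE_OFFSET() and with the size of the entries allocation */`.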
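Review bot: The macro's parameter changes meaning — `p` is now a logical CPU index, whereas the old body translated a physical id via `cpu_number_map()` — but the patch converts only the call site at line 336 (the second hunk of this file). Any other `TABLE_OFFSET(…, smp_processor_id())` user left in the file, if one exists, would now compute an offset from a physical CPU number and could address memory beyond the per-CPU copies on machines whose CPU ids are not dense; a grep for the remaining callers belongs in this patch. The new definition should state its contract so this does not regress: `/* p is a logical CPU number (0..smp_num_cpus-1); callers apply cpu_number_map() themselves */`.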
@@ -1795,10 +1795,16 @@
 	}
 
 #ifdef CONFIG_PROC_FS
-	if (!proc_net_create("ip6_tables_names", 0, ip6t_get_tables)) {
+	{
+		struct proc_dir_entry *proc;
+
+		proc = proc_net_create("ip6_tables_names", 0, ip6t_get_tables);
+		if (!proc) {
 			nf_unregister_sockopt(&ip6t_sockopts);
-		return -ENOMEM;
-	}
+			return -ENOMEM;
+		}
+		proc->owner = THIS_MODULE;
+	}
 #endif
 
 	printk("ip6_tables: (C) 2000-2002 Netfilter core team\n");

Kernel: MAC match: register for FORWARD, too

--- linux/net/ipv6/netfilter/ip6t_mac.c.old	Sat Mar 2 00:54:16 2002
+++ linux/net/ipv6/netfilter/ip6t_mac.c	Sat Mar 2 00:59:08 2002
@@ -34,8 +34,9 @@
 	   unsigned int hook_mask)
 {
 	if (hook_mask
-	    & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN))) {
-		printk("ip6t_mac: only valid for PRE_ROUTING or LOCAL_IN.\n");
+	    & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN)
+	    | (1 << NF_IP_FORWARD))) {
+		printk("ip6t_mac: only valid for PRE_ROUTINGi, LOCAL_IN or +FORWARD.\n");
 		return 0;
 	}
 
@@ -60,3 +61,5 @@
 module_init(init);
 module_exit(fini);
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("MAC address matching module for IPv6");

-- 
Andras Kis-Szabo
Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
[EMAIL PROTECTED] /-----Member of the BUTE-MIS-SEARCHlab---------->
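Review bot: The new `proc->owner = THIS_MODULE;` line carries no explanation of what it buys, and the block-scoped `proc` variable reads as an odd construction without one; a comment such as `/* give procfs a module reference while /proc/net/ip6_tables_names is in use, so the module cannot be unloaded underneath a reader */` would make the intent clear (my understanding of the owner field — confirm against the 2.4 procfs code). The matching removal of the entry in the module exit path is not part of this hunk and should be checked to still pair with this create. The enclosing init function starts and ends outside the hunk.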
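Review bot: The added hook bit uses `NF_IP_FORWARD`, the IPv4 constant, in a file whose neighbouring bits are `NF_IP6_PRE_ROUTING` and `NF_IP6_LOCAL_IN`; it appears to have the same numeric value, but the IPv6 name `NF_IP6_FORWARD` is the one this file should use so a future divergence of the two headers does not silently turn the check into an allow-anything or deny-everything mask. The new printk string also has a typo (`PRE_ROUTINGi`) and looks mail-wrapped in this posting (`or +FORWARD`), which would leave an unterminated string literal if applied verbatim. Suggested lines: `	    | (1 << NF_IP6_FORWARD))) {` and `		printk("ip6t_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");`. The checkentry function whose `hook_mask` parameter is being tested begins outside the hunk.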