Home Explore Help
Register Sign In
Mangix
/
libreCMC
forked from libreCMC/libreCMC
1
0
Fork 0
Files
Tree: 6e172c1c9b
Branches Tags
libreCMC
/
target
/
linux
/
generic
/
patches-4.4
/
610-netfilter_match_bypass_default_checks.patch

610-netfilter_match_bypass_default_checks.patch 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. --- a/include/uapi/linux/netfilter_ipv4/ip_tables.h
    2. 

  2. +++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h
    3. 

  3. @@ -87,6 +87,7 @@ struct ipt_ip {
    4. 

  4.  #define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
    5. 

  5.  #define IPT_F_GOTO		0x02	/* Set if jump is a goto */
    6. 

  6.  #define IPT_F_MASK		0x03	/* All possible flag bits mask. */
    7. 

  7. +#define IPT_F_NO_DEF_MATCH	0x80	/* Internal: no default match rules present */
    8. 

  8.  
    9. 

  9.  /* Values for "inv" field in struct ipt_ip. */
    10. 

  10.  #define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
    11. 

  11. --- a/net/ipv4/netfilter/ip_tables.c
    12. 

  12. +++ b/net/ipv4/netfilter/ip_tables.c
    13. 

  13. @@ -82,6 +82,9 @@ ip_packet_match(const struct iphdr *ip,
    14. 

  14.  
    15. 

  15.  #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
    16. 

  16.  
    17. 

  17. +	if (ipinfo->flags & IPT_F_NO_DEF_MATCH)
    18. 

  18. +		return true;
    19. 

  19. +
    20. 

  20.  	if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
    21. 

  21.  		  IPT_INV_SRCIP) ||
    22. 

  22.  	    FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
    23. 

  23. @@ -135,6 +138,29 @@ ip_packet_match(const struct iphdr *ip,
    24. 

  24.  	return true;
    25. 

  25.  }
    26. 

  26.  
    27. 

  27. +static void
    28. 

  28. +ip_checkdefault(struct ipt_ip *ip)
    29. 

  29. +{
    30. 

  30. +	static const char iface_mask[IFNAMSIZ] = {};
    31. 

  31. +
    32. 

  32. +	if (ip->invflags || ip->flags & IPT_F_FRAG)
    33. 

  33. +		return;
    34. 

  34. +
    35. 

  35. +	if (memcmp(ip->iniface_mask, iface_mask, IFNAMSIZ) != 0)
    36. 

  36. +		return;
    37. 

  37. +
    38. 

  38. +	if (memcmp(ip->outiface_mask, iface_mask, IFNAMSIZ) != 0)
    39. 

  39. +		return;
    40. 

  40. +
    41. 

  41. +	if (ip->smsk.s_addr || ip->dmsk.s_addr)
    42. 

  42. +		return;
    43. 

  43. +
    44. 

  44. +	if (ip->proto)
    45. 

  45. +		return;
    46. 

  46. +
    47. 

  47. +	ip->flags |= IPT_F_NO_DEF_MATCH;
    48. 

  48. +}
    49. 

  49. +
    50. 

  50.  static bool
    51. 

  51.  ip_checkentry(const struct ipt_ip *ip)
    52. 

  52.  {
    53. 

  53. @@ -953,6 +979,7 @@ copy_entries_to_user(unsigned int total_
    54. 

  54.  	const struct xt_table_info *private = table->private;
    55. 

  55.  	int ret = 0;
    56. 

  56.  	const void *loc_cpu_entry;
    57. 

  57. +	u8 flags;
    58. 

  58.  
    59. 

  59.  	counters = alloc_counters(table);
    60. 

  60.  	if (IS_ERR(counters))
    61. 

  61. @@ -979,6 +1006,14 @@ copy_entries_to_user(unsigned int total_
    62. 

  62.  			ret = -EFAULT;
    63. 

  63.  			goto free_counters;
    64. 

  64.  		}
    65. 

  65. +
    66. 

  66. +		flags = e->ip.flags & IPT_F_MASK;
    67. 

  67. +		if (copy_to_user(userptr + off
    68. 

  68. +				 + offsetof(struct ipt_entry, ip.flags),
    69. 

  69. +				 &flags, sizeof(flags)) != 0) {
    70. 

  70. +			ret = -EFAULT;
    71. 

  71. +			goto free_counters;
    72. 

  72. +		}
    73. 

  73.  
    74. 

  74.  		for (i = sizeof(struct ipt_entry);
    75. 

  75.  		     i < e->target_offset;
    76.