
[PATCH] CONFIG_NETFILTER_DEBUG removal

To: netdev@xxxxxxxxxxx
Subject: [PATCH] CONFIG_NETFILTER_DEBUG removal
From: Paul Rusty Russell <Paul.Russell@xxxxxxxxxxxxxxxx>
Date: Tue, 30 Nov 1999 18:57:49 +1100
Cc: linux-kernel@xxxxxxxxxxxxxxxx
Sender: owner-netdev@xxxxxxxxxxx
The netfilter debug flags (marking where an skb had been) were a great
idea for security, but fragmentation, tunnelling and other
complexities kept giving false alarms.  No genuine failures have been
seen.

Hence, the debug option should be removed.

diff -urN linux-2.3-official/Documentation/Configure.help 
linux-2.3-mangled/Documentation/Configure.help
--- linux-2.3-official/Documentation/Configure.help     Tue Nov 30 17:58:57 1999
+++ linux-2.3-mangled/Documentation/Configure.help      Tue Nov 30 18:49:07 1999
@@ -1477,10 +1477,6 @@
   Chances are that you should say Y here if you compile a kernel which
   will run as a router and N for regular hosts. If unsure, say N.
  
-Network packet filtering debugging
-CONFIG_NETFILTER_DEBUG
-  Say Y to make sure packets aren't leaking.
-
 SYN flood protection
 CONFIG_SYN_COOKIES
   Normal TCP/IP networking is open to an attack known as "SYN
diff -urN linux-2.3-official/arch/ppc/pmac_defconfig 
linux-2.3-mangled/arch/ppc/pmac_defconfig
--- linux-2.3-official/arch/ppc/pmac_defconfig  Tue Nov 30 17:58:32 1999
+++ linux-2.3-mangled/arch/ppc/pmac_defconfig   Tue Nov 30 18:49:07 1999
@@ -134,7 +134,6 @@
 # CONFIG_RTNETLINK is not set
 # CONFIG_NETLINK_DEV is not set
 CONFIG_NETFILTER=y
-# CONFIG_NETFILTER_DEBUG is not set
 # CONFIG_FILTER is not set
 CONFIG_UNIX=y
 CONFIG_INET=y
diff -urN linux-2.3-official/include/linux/netfilter.h 
linux-2.3-mangled/include/linux/netfilter.h
--- linux-2.3-official/include/linux/netfilter.h        Tue Nov 30 17:58:19 1999
+++ linux-2.3-mangled/include/linux/netfilter.h Tue Nov 30 18:49:07 1999
@@ -103,14 +103,10 @@
 
 /* This is gross, but inline doesn't cut it for avoiding the function
    call in fast path: gcc doesn't inline (needs value tracking?). --RR */
-#ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK nf_hook_slow
-#else
 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn)                    \
 (list_empty(&nf_hooks[(pf)][(hook)])                                   \
  ? (okfn)(skb)                                                         \
  : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn)))
-#endif
 
 int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
                 struct net_device *indev, struct net_device *outdev,
@@ -158,10 +154,6 @@
 extern void nf_reinject(struct sk_buff *skb,
                        unsigned long mark,
                        unsigned int verdict);
-
-#ifdef CONFIG_NETFILTER_DEBUG
-extern void nf_dump_skb(int pf, struct sk_buff *skb);
-#endif
 
 /* FIXME: Before cache is ever used, this must be implemented for real. */
 extern void nf_invalidate_cache(int pf);
diff -urN linux-2.3-official/include/linux/netfilter_ipv4.h 
linux-2.3-mangled/include/linux/netfilter_ipv4.h
--- linux-2.3-official/include/linux/netfilter_ipv4.h   Tue Nov 30 17:58:19 1999
+++ linux-2.3-mangled/include/linux/netfilter_ipv4.h    Tue Nov 30 18:49:07 1999
@@ -49,15 +49,6 @@
 #define NF_IP_POST_ROUTING     4
 #define NF_IP_NUMHOOKS         5
 
-#ifdef CONFIG_NETFILTER_DEBUG
-#ifdef __KERNEL__
-void debug_print_hooks_ip(unsigned int nf_debug);
-void nf_debug_ip_local_deliver(struct sk_buff *skb);
-void nf_debug_ip_loopback_xmit(struct sk_buff *newskb);
-void nf_debug_ip_finish_output2(struct sk_buff *skb);
-#endif /*__KERNEL__*/
-#endif /*CONFIG_NETFILTER_DEBUG*/
-
 /* Arguments for setsockopt SOL_IP: */
 /* 2.0 firewalling went from 64 through 71 (and +256, +512, etc). */
 /* 2.2 firewalling (+ masq) went from 64 through 76 */
diff -urN linux-2.3-official/include/linux/skbuff.h 
linux-2.3-mangled/include/linux/skbuff.h
--- linux-2.3-official/include/linux/skbuff.h   Tue Nov 30 17:58:11 1999
+++ linux-2.3-mangled/include/linux/skbuff.h    Tue Nov 30 18:49:07 1999
@@ -116,9 +116,6 @@
        __u32           nfreason;
        /* Cache info */
        __u32           nfcache;
-#ifdef CONFIG_NETFILTER_DEBUG
-        unsigned int nf_debug;
-#endif
 #endif /*CONFIG_NETFILTER*/
 #if defined(CONFIG_SHAPER) || defined(CONFIG_SHAPER_MODULE)
        __u32           shapelatency;           /* Latency on frame */
diff -urN linux-2.3-official/net/Config.in linux-2.3-mangled/net/Config.in
--- linux-2.3-official/net/Config.in    Tue Nov 30 17:58:33 1999
+++ linux-2.3-mangled/net/Config.in     Tue Nov 30 18:49:07 1999
@@ -13,9 +13,6 @@
    tristate '  Netlink device emulation' CONFIG_NETLINK_DEV
 fi
 bool 'Network packet filtering (replaces ipchains)' CONFIG_NETFILTER
-if [ "$CONFIG_NETFILTER" = "y" ]; then
-   bool '  Network packet filtering debugging' CONFIG_NETFILTER_DEBUG
-fi
 bool 'Socket Filtering'  CONFIG_FILTER
 tristate 'Unix domain sockets' CONFIG_UNIX
 bool 'TCP/IP networking' CONFIG_INET
diff -urN linux-2.3-official/net/core/netfilter.c 
linux-2.3-mangled/net/core/netfilter.c
--- linux-2.3-official/net/core/netfilter.c     Tue Nov 30 17:58:19 1999
+++ linux-2.3-mangled/net/core/netfilter.c      Tue Nov 30 18:49:07 1999
@@ -26,7 +26,7 @@
  * of skbuffs queued for userspace, and not deregister a hook unless
  * this is zero, but that sucks.  Now, we simply check when the
  * packets come back: if the hook is gone, the packet is discarded. */
-#ifdef CONFIG_NETFILTER_DEBUG
+#if 0
 #define NFDEBUG(format, args...)  printk(format , ## args)
 #else
 #define NFDEBUG(format, args...)
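Review bot: `#if 0` on the new side leaves the printing arm of `NFDEBUG` as permanently dead code: no configuration symbol selects it any more, so the `#if`/`#else` split is now purely historical. Either drop the dead arm and define `NFDEBUG` as empty unconditionally, or key it on a file-local developer macro, e.g. `#ifdef NETFILTER_TRACE /* constructed name: defined by hand while debugging */`, so tracing can still be switched back on with a one-line edit. `NFDEBUG` call sites are kept elsewhere in this file (for example in `nf_register_hook`), so whichever form is chosen the variadic definition `#define NFDEBUG(format, args...)` has to stay.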
@@ -57,13 +57,6 @@
 {
        struct list_head *i;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       if (reg->pf<0 || reg->pf>=NPROTO || reg->hooknum >= NF_MAX_HOOKS) {
-               NFDEBUG("nf_register_hook: bad vals: pf=%i, hooknum=%u.\n",
-                       reg->pf, reg->hooknum);
-               return -EINVAL;
-       }
-#endif
        NFDEBUG("nf_register_hook: pf=%i hook=%u.\n", reg->pf, reg->hooknum);
        
        write_lock_bh(&nf_lock);
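Review bot: Removing the `#ifdef CONFIG_NETFILTER_DEBUG` block takes out the only range check on `reg->pf` and `reg->hooknum` before they are presumably used to select a slot in `nf_hooks` further down (outside the hunk); the same happens to `nf_unregister_hook` in the next hunk, to `nf_register_sockopt`/`nf_unregister_sockopt` (the `set_optmin > set_optmax` and `get_optmin > get_optmax` checks go too), and to `nf_hook_slow` in `@@ -454,26 +281,11 @@`, where the new side still does `elem = &nf_hooks[pf][hook];` on the unchecked values. These values come from in-kernel callers, so this is a robustness point rather than an untrusted-input one, but registration is a cold path and the check costs nothing there. Suggest keeping it unconditionally: `if (reg->pf < 0 || reg->pf >= NPROTO || reg->hooknum >= NF_MAX_HOOKS) return -EINVAL;` (with `return;` in the unregister variant), so an out-of-range hook from a buggy module fails at registration instead of indexing outside the table. The body of nf_register_hook starts before and continues past this hunk.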
@@ -80,13 +73,6 @@
 
 void nf_unregister_hook(struct nf_hook_ops *reg)
 {
-#ifdef CONFIG_NETFILTER_DEBUG
-       if (reg->pf<0 || reg->pf>=NPROTO || reg->hooknum >= NF_MAX_HOOKS) {
-               NFDEBUG("nf_unregister_hook: bad vals: pf=%i, hooknum=%u.\n",
-                       reg->pf, reg->hooknum);
-               return;
-       }
-#endif
        write_lock_bh(&nf_lock);
        list_del(&reg->list);
        write_unlock_bh(&nf_lock);
@@ -105,22 +91,6 @@
        struct list_head *i;
        int ret = 0;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       if (reg->pf<0 || reg->pf>=NPROTO) {
-               NFDEBUG("nf_register_sockopt: bad val: pf=%i.\n", reg->pf);
-               return -EINVAL;
-       }
-       if (reg->set_optmin > reg->set_optmax) {
-               NFDEBUG("nf_register_sockopt: bad set val: min=%i max=%i.\n", 
-                       reg->set_optmin, reg->set_optmax);
-               return -EINVAL;
-       }
-       if (reg->get_optmin > reg->get_optmax) {
-               NFDEBUG("nf_register_sockopt: bad get val: min=%i max=%i.\n", 
-                       reg->get_optmin, reg->get_optmax);
-               return -EINVAL;
-       }
-#endif
        if (down_interruptible(&nf_sockopt_mutex) != 0)
                return -EINTR;
 
@@ -149,141 +119,12 @@
 
 void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
 {
-#ifdef CONFIG_NETFILTER_DEBUG
-       if (reg->pf<0 || reg->pf>=NPROTO) {
-               NFDEBUG("nf_register_sockopt: bad val: pf=%i.\n", reg->pf);
-               return;
-       }
-#endif
        /* No point being interruptible: we're probably in cleanup_module() */
        down(&nf_sockopt_mutex);
        list_del(&reg->list);
        up(&nf_sockopt_mutex);
 }
 
-#ifdef CONFIG_NETFILTER_DEBUG
-#include <net/ip.h>
-#include <net/route.h>
-#include <net/tcp.h>
-#include <linux/netfilter_ipv4.h>
-
-void nf_dump_skb(int pf, struct sk_buff *skb)
-{
-       printk("skb: pf=%i %s dev=%s len=%u\n", 
-              pf,
-              skb->sk ? "(owned)" : "(unowned)",
-              skb->dev ? skb->dev->name : "(no dev)",
-              skb->len);
-       switch (pf) {
-       case PF_INET: {
-               const struct iphdr *ip = skb->nh.iph;
-               __u32 *opt = (__u32 *) (ip + 1);
-               int opti;
-               __u16 src_port = 0, dst_port = 0;
-
-               if (ip->protocol == IPPROTO_TCP
-                   || ip->protocol == IPPROTO_UDP) {
-                       struct tcphdr *tcp=(struct tcphdr *)((__u32 
*)ip+ip->ihl);
-                       src_port = ntohs(tcp->source);
-                       dst_port = ntohs(tcp->dest);
-               }
-       
-               printk("PROTO=%d %ld.%ld.%ld.%ld:%hu %ld.%ld.%ld.%ld:%hu"
-                      " L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
-                      ip->protocol,
-                      (ntohl(ip->saddr)>>24)&0xFF,
-                      (ntohl(ip->saddr)>>16)&0xFF,
-                      (ntohl(ip->saddr)>>8)&0xFF,
-                      (ntohl(ip->saddr))&0xFF,
-                      src_port,
-                      (ntohl(ip->daddr)>>24)&0xFF,
-                      (ntohl(ip->daddr)>>16)&0xFF,
-                      (ntohl(ip->daddr)>>8)&0xFF,
-                      (ntohl(ip->daddr))&0xFF,
-                      dst_port,
-                      ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
-                      ntohs(ip->frag_off), ip->ttl);
-
-               for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); 
opti++)
-                       printk(" O=0x%8.8X", *opt++);
-               printk("\n");
-       }
-       }
-}
-
-void nf_debug_ip_local_deliver(struct sk_buff *skb)
-{
-       /* If it's a loopback packet, it must have come through
-        * NF_IP_LOCAL_OUT, NF_IP_RAW_INPUT, NF_IP_PRE_ROUTING and
-        * NF_IP_LOCAL_IN.  Otherwise, must have gone through
-        * NF_IP_RAW_INPUT and NF_IP_PRE_ROUTING.  */
-       if (!skb->dev) {
-               printk("ip_local_deliver: skb->dev is NULL.\n");
-       }
-       else if (strcmp(skb->dev->name, "lo") == 0) {
-               if (skb->nf_debug != ((1 << NF_IP_LOCAL_OUT)
-                                     | (1 << NF_IP_POST_ROUTING)
-                                     | (1 << NF_IP_PRE_ROUTING)
-                                     | (1 << NF_IP_LOCAL_IN))) {
-                       printk("ip_local_deliver: bad loopback skb: ");
-                       debug_print_hooks_ip(skb->nf_debug);
-                       nf_dump_skb(PF_INET, skb);
-               }
-       }
-       else {
-               if (skb->nf_debug != ((1<<NF_IP_PRE_ROUTING)
-                                     | (1<<NF_IP_LOCAL_IN))) {
-                       printk("ip_local_deliver: bad non-lo skb: ");
-                       debug_print_hooks_ip(skb->nf_debug);
-                       nf_dump_skb(PF_INET, skb);
-               }
-       }
-}
-
-void nf_debug_ip_loopback_xmit(struct sk_buff *newskb)
-{
-       if (newskb->nf_debug != ((1 << NF_IP_LOCAL_OUT)
-                                | (1 << NF_IP_POST_ROUTING))) {
-               printk("ip_dev_loopback_xmit: bad owned skb = %p: ", 
-                      newskb);
-               debug_print_hooks_ip(newskb->nf_debug);
-               nf_dump_skb(PF_INET, newskb);
-       }
-       /* Clear to avoid confusing input check */
-       newskb->nf_debug = 0;
-}
-
-void nf_debug_ip_finish_output2(struct sk_buff *skb)
-{
-       /* If it's owned, it must have gone through the
-        * NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING.
-        * Otherwise, must have gone through NF_IP_RAW_INPUT,
-        * NF_IP_PRE_ROUTING, NF_IP_FORWARD and NF_IP_POST_ROUTING.
-        */
-       if (skb->sk) {
-               if (skb->nf_debug != ((1 << NF_IP_LOCAL_OUT)
-                                     | (1 << NF_IP_POST_ROUTING))) {
-                       printk("ip_finish_output: bad owned skb = %p: ", skb);
-                       debug_print_hooks_ip(skb->nf_debug);
-                       nf_dump_skb(PF_INET, skb);
-               }
-       } else {
-               if (skb->nf_debug != ((1 << NF_IP_PRE_ROUTING)
-#ifdef CONFIG_IP_NETFILTER_RAW_INPUT
-                                     | (1 << NF_IP_RAW_INPUT)
-#endif
-                                     | (1 << NF_IP_FORWARD)
-                                     | (1 << NF_IP_POST_ROUTING))) {
-                       printk("ip_finish_output: bad unowned skb = %p: ",skb);
-                       debug_print_hooks_ip(skb->nf_debug);
-                       nf_dump_skb(PF_INET, skb);
-               }
-       }
-}
-
-
-#endif /*CONFIG_NETFILTER_DEBUG*/
-
 void nf_cacheflush(int pf, unsigned int hook, const void *packet,
                   const struct net_device *indev, const struct net_device 
*outdev,
                   __u32 packetcount, __u32 bytecount)
@@ -359,25 +200,13 @@
                struct nf_hook_ops *elem = (struct nf_hook_ops *)*i;
                switch (elem->hook(hook, skb, indev, outdev)) {
                case NF_QUEUE:
-                       NFDEBUG("nf_iterate: NF_QUEUE for %p.\n", *skb);
                        return NF_QUEUE;
 
                case NF_STOLEN:
-                       NFDEBUG("nf_iterate: NF_STOLEN for %p.\n", *skb);
                        return NF_STOLEN;
 
                case NF_DROP:
-                       NFDEBUG("nf_iterate: NF_DROP for %p.\n", *skb);
                        return NF_DROP;
-
-#ifdef CONFIG_NETFILTER_DEBUG
-               case NF_ACCEPT:
-                       break;
-
-               default:
-                       NFDEBUG("Evil return from %p(%u).\n", 
-                               elem->hook, hook);
-#endif
                }
        }
        return NF_ACCEPT;
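Review bot: With the debug-only `case NF_ACCEPT:`/`default:` arms removed, the `switch` on `elem->hook(...)` has no `default:` at all, so any verdict other than `NF_QUEUE`, `NF_STOLEN` or `NF_DROP` falls out of the switch unremarked, iteration continues with the next hook and, if none intervenes, the function returns `NF_ACCEPT` — an invalid verdict is treated as accept (fail-open). That was already the behaviour with the option off, so the patch does not change it, but the code no longer says so. At minimum make it explicit with `case NF_ACCEPT: break; default: /* unknown verdict: treated like NF_ACCEPT */ break;`; dropping on an unknown verdict would be the fail-closed alternative, though it changes behaviour for any hook returning a non-standard value. nf_iterate starts outside the hunk.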
@@ -427,8 +256,6 @@
                        }
                        /* Hand it to userspace for collection */
                        skb_queue_tail(&recip->wake->skbq, skb);
-                       NFDEBUG("Waking up pf=%i hook=%u mark=%lu reason=%u\n",
-                               pf, hook, skb->nfmark, skb->nfreason);
                        wake_up_interruptible(&recip->wake->sleep);
 
                        return;
@@ -454,26 +281,11 @@
        unsigned int verdict;
        int ret = 0;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       if (pf < 0 || pf >= NPROTO || hook >= NF_MAX_HOOKS) {
-               NFDEBUG("nf_hook: bad vals: pf=%i, hook=%u.\n",
-                       pf, hook);
-               kfree_skb(skb);
-               return -EINVAL; /* -ECODERFUCKEDUP ?*/
-       }
-
-       if (skb->nf_debug & (1 << hook)) {
-               NFDEBUG("nf_hook: hook %i already set.\n", hook);
-               nf_dump_skb(pf, skb);
-       }
-       skb->nf_debug |= (1 << hook);
-#endif
        read_lock_bh(&nf_lock);
        elem = &nf_hooks[pf][hook];
        verdict = nf_iterate(&nf_hooks[pf][hook], &skb, hook, indev,
                             outdev, &elem);
        if (verdict == NF_QUEUE) {
-               NFDEBUG("nf_hook: Verdict = QUEUE.\n");
                nf_queue(skb, elem, pf, hook, indev, outdev, okfn);
        }
        read_unlock_bh(&nf_lock);
@@ -586,36 +398,6 @@
 void nf_invalidate_cache(int pf)
 {
 }
-
-#ifdef CONFIG_NETFILTER_DEBUG
-
-void debug_print_hooks_ip(unsigned int nf_debug)
-{
-       if (nf_debug & (1 << NF_IP_PRE_ROUTING)) {
-               printk("PRE_ROUTING ");
-               nf_debug ^= (1 << NF_IP_PRE_ROUTING);
-       }
-       if (nf_debug & (1 << NF_IP_LOCAL_IN)) {
-               printk("LOCAL_IN ");
-               nf_debug ^= (1 << NF_IP_LOCAL_IN);
-       }
-       if (nf_debug & (1 << NF_IP_FORWARD)) {
-               printk("FORWARD ");
-               nf_debug ^= (1 << NF_IP_FORWARD);
-       }
-       if (nf_debug & (1 << NF_IP_LOCAL_OUT)) {
-               printk("LOCAL_OUT ");
-               nf_debug ^= (1 << NF_IP_LOCAL_OUT);
-       }
-       if (nf_debug & (1 << NF_IP_POST_ROUTING)) {
-               printk("POST_ROUTING ");
-               nf_debug ^= (1 << NF_IP_POST_ROUTING);
-       }
-       if (nf_debug)
-               printk("Crap bits: 0x%04X", nf_debug);
-       printk("\n");
-}
-#endif /* CONFIG_NETFILTER_DEBUG */
 
 void __init netfilter_init(void)
 {
diff -urN linux-2.3-official/net/core/skbuff.c 
linux-2.3-mangled/net/core/skbuff.c
--- linux-2.3-official/net/core/skbuff.c        Tue Nov 30 17:58:36 1999
+++ linux-2.3-mangled/net/core/skbuff.c Tue Nov 30 18:51:39 1999
@@ -202,9 +202,6 @@
        skb->rx_dev = NULL;
 #ifdef CONFIG_NETFILTER
        skb->nfmark = skb->nfreason = skb->nfcache = 0;
-#ifdef CONFIG_NETFILTER_DEBUG
-       skb->nf_debug = 0;
-#endif
 #endif
        memset(skb->cb, 0, sizeof(skb->cb));
        skb->priority = 0;
@@ -327,9 +324,6 @@
        n->nfmark=skb->nfmark;
        n->nfreason=skb->nfreason;
        n->nfcache=skb->nfcache;
-#ifdef CONFIG_NETFILTER_DEBUG
-       n->nf_debug=skb->nf_debug;
-#endif
 #endif
        return n;
 }
@@ -381,9 +375,6 @@
        n->nfmark=skb->nfmark;
        n->nfreason=skb->nfreason;
        n->nfcache=skb->nfcache;
-#ifdef CONFIG_NETFILTER_DEBUG
-       n->nf_debug=skb->nf_debug;
-#endif
 #endif
        return n;
 }
diff -urN linux-2.3-official/net/ipv4/ip_fragment.c 
linux-2.3-mangled/net/ipv4/ip_fragment.c
--- linux-2.3-official/net/ipv4/ip_fragment.c   Tue Nov 30 17:57:53 1999
+++ linux-2.3-mangled/net/ipv4/ip_fragment.c    Tue Nov 30 18:49:07 1999
@@ -387,10 +387,6 @@
        */
        skb->security = qp->fragments->skb->security;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       skb->nf_debug = qp->fragments->skb->nf_debug;
-#endif
-
        /* Done with all fragments. Fixup the new IP header. */
        iph = skb->nh.iph;
        iph->frag_off = 0;
diff -urN linux-2.3-official/net/ipv4/ip_input.c 
linux-2.3-mangled/net/ipv4/ip_input.c
--- linux-2.3-official/net/ipv4/ip_input.c      Tue Nov 30 17:57:44 1999
+++ linux-2.3-mangled/net/ipv4/ip_input.c       Tue Nov 30 18:49:07 1999
@@ -215,10 +215,6 @@
 {
        struct iphdr *iph = skb->nh.iph;
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       nf_debug_ip_local_deliver(skb);
-#endif /*CONFIG_NETFILTER_DEBUG*/
-
        /* Free rx_dev before enqueueing to sockets */
        if (skb->rx_dev) {
                dev_put(skb->rx_dev);
diff -urN linux-2.3-official/net/ipv4/ip_output.c 
linux-2.3-mangled/net/ipv4/ip_output.c
--- linux-2.3-official/net/ipv4/ip_output.c     Tue Nov 30 17:58:59 1999
+++ linux-2.3-mangled/net/ipv4/ip_output.c      Tue Nov 30 18:49:07 1999
@@ -100,9 +100,6 @@
        newskb->ip_summed = CHECKSUM_UNNECESSARY;
        BUG_TRAP(newskb->dst);
 
-#ifdef CONFIG_NETFILTER_DEBUG
-       nf_debug_ip_loopback_xmit(newskb);
-#endif
        netif_rx(newskb);
        return 0;
 }
@@ -190,10 +187,6 @@
 {
        struct dst_entry *dst = skb->dst;
        struct hh_cache *hh = dst->hh;
-
-#ifdef CONFIG_NETFILTER_DEBUG
-       nf_debug_ip_finish_output2(skb);
-#endif /*CONFIG_NETFILTER_DEBUG*/
 
        if (hh) {
                read_lock_bh(&hh->hh_lock);

--
Hacking time.
