panic/netfilter/tools: taint buffer, xt match align, litmus

include/uapi/linux/netfilter/xt_CONNMARK.h

@@ -1,7 +1,37 @@
-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-#ifndef _XT_CONNMARK_H_target
-#define _XT_CONNMARK_H_target
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/* Copyright (C) 2002,2004 MARA Systems AB <https://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ */
 
-#include <linux/netfilter/xt_connmark.h>
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H
 
-#endif /*_XT_CONNMARK_H_target*/
+#include <linux/types.h>
+
+enum {
+	XT_CONNMARK_SET = 0,
+	XT_CONNMARK_SAVE,
+	XT_CONNMARK_RESTORE
+};
+
+enum {
+	D_SHIFT_LEFT = 0,
+	D_SHIFT_RIGHT,
+};
+
+struct xt_connmark_tginfo1 {
+	__u32 ctmark, ctmask, nfmask;
+	__u8 mode;
+};
+
+struct xt_connmark_tginfo2 {
+	__u32 ctmark, ctmask, nfmask;
+	__u8 shift_dir, shift_bits, mode;
+};
+
+struct xt_connmark_mtinfo1 {
+	__u32 mark, mask;
+	__u8 invert;
+};
+
+#endif /*_XT_CONNMARK_H*/

include/uapi/linux/netfilter/xt_DSCP.h

@@ -1,27 +1,32 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-/* x_tables module for setting the IPv4/IPv6 DSCP field
+/* x_tables module for matching the IPv4/IPv6 DSCP field
  *
  * (C) 2002 Harald Welte <laforge@gnumonks.org>
- * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
  * This software is distributed under GNU GPL v2, 1991
  *
  * See RFC2474 for a description of the DSCP field within the IP Header.
  *
- * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
 */
-#ifndef _XT_DSCP_TARGET_H
-#define _XT_DSCP_TARGET_H
-#include <linux/netfilter/xt_dscp.h>
+#ifndef _XT_DSCP_H
+#define _XT_DSCP_H
+
 #include <linux/types.h>
 
-/* target info */
-struct xt_DSCP_info {
+#define XT_DSCP_MASK	0xfc	/* 11111100 */
+#define XT_DSCP_SHIFT	2
+#define XT_DSCP_MAX	0x3f	/* 00111111 */
+
+/* match info */
+struct xt_dscp_info {
 	__u8 dscp;
+	__u8 invert;
 };
 
-struct xt_tos_target_info {
-	__u8 tos_value;
+struct xt_tos_match_info {
 	__u8 tos_mask;
+	__u8 tos_value;
+	__u8 invert;
 };
 
-#endif /* _XT_DSCP_TARGET_H */
+#endif /* _XT_DSCP_H */

include/uapi/linux/netfilter/xt_MARK.h

@@ -1,7 +1,16 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-#ifndef _XT_MARK_H_target
-#define _XT_MARK_H_target
+#ifndef _XT_MARK_H
+#define _XT_MARK_H
 
-#include <linux/netfilter/xt_mark.h>
+#include <linux/types.h>
 
-#endif /*_XT_MARK_H_target */
+struct xt_mark_tginfo2 {
+	__u32 mark, mask;
+};
+
+struct xt_mark_mtinfo1 {
+	__u32 mark, mask;
+	__u8 invert;
+};
+
+#endif /*_XT_MARK_H*/

include/uapi/linux/netfilter/xt_RATEEST.h

@@ -1,17 +1,39 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-#ifndef _XT_RATEEST_TARGET_H
-#define _XT_RATEEST_TARGET_H
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H
 
 #include <linux/types.h>
 #include <linux/if.h>
 
-struct xt_rateest_target_info {
-	char			name[IFNAMSIZ];
-	__s8			interval;
-	__u8		ewma_log;
+enum xt_rateest_match_flags {
+	XT_RATEEST_MATCH_INVERT	= 1<<0,
+	XT_RATEEST_MATCH_ABS	= 1<<1,
+	XT_RATEEST_MATCH_REL	= 1<<2,
+	XT_RATEEST_MATCH_DELTA	= 1<<3,
+	XT_RATEEST_MATCH_BPS	= 1<<4,
+	XT_RATEEST_MATCH_PPS	= 1<<5,
+};
+
+enum xt_rateest_match_mode {
+	XT_RATEEST_MATCH_NONE,
+	XT_RATEEST_MATCH_EQ,
+	XT_RATEEST_MATCH_LT,
+	XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+	char			name1[IFNAMSIZ];
+	char			name2[IFNAMSIZ];
+	__u16		flags;
+	__u16		mode;
+	__u32		bps1;
+	__u32		pps1;
+	__u32		bps2;
+	__u32		pps2;
 
 	/* Used internally by the kernel */
-	struct xt_rateest	*est __attribute__((aligned(8)));
+	struct xt_rateest	*est1 __attribute__((aligned(8)));
+	struct xt_rateest	*est2 __attribute__((aligned(8)));
 };
 
-#endif /* _XT_RATEEST_TARGET_H */
+#endif /* _XT_RATEEST_MATCH_H */

include/uapi/linux/netfilter/xt_TCPMSS.h

@@ -1,13 +1,12 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-#ifndef _XT_TCPMSS_H
-#define _XT_TCPMSS_H
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H
 
 #include <linux/types.h>
 
-struct xt_tcpmss_info {
-	__u16 mss;
+struct xt_tcpmss_match_info {
+    __u16 mss_min, mss_max;
+    __u8 invert;
 };
 
-#define XT_TCPMSS_CLAMP_PMTU 0xffff
-
-#endif /* _XT_TCPMSS_H */
+#endif /*_XT_TCPMSS_MATCH_H*/

include/uapi/linux/netfilter_ipv4/ipt_ECN.h

@@ -1,34 +1,16 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-/* Header file for iptables ipt_ECN target
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- *
- * This software is distributed under GNU GPL v2, 1991
- * 
- * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
-*/
-#ifndef _IPT_ECN_TARGET_H
-#define _IPT_ECN_TARGET_H
+#ifndef _IPT_ECN_H
+#define _IPT_ECN_H
 
-#include <linux/types.h>
-#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter/xt_ecn.h>
+#define ipt_ecn_info xt_ecn_info
 
-#define IPT_ECN_IP_MASK	(~XT_DSCP_MASK)
-
-#define IPT_ECN_OP_SET_IP	0x01	/* set ECN bits of IPv4 header */
-#define IPT_ECN_OP_SET_ECE	0x10	/* set ECE bit of TCP header */
-#define IPT_ECN_OP_SET_CWR	0x20	/* set CWR bit of TCP header */
-
-#define IPT_ECN_OP_MASK		0xce
-
-struct ipt_ECN_info {
-	__u8 operation;	/* bitset of operations */
-	__u8 ip_ect;	/* ECT codepoint of IPv4 header, pre-shifted */
-	union {
-		struct {
-			__u8 ece:1, cwr:1; /* TCP ECT bits */
-		} tcp;
-	} proto;
+enum {
+	IPT_ECN_IP_MASK       = XT_ECN_IP_MASK,
+	IPT_ECN_OP_MATCH_IP   = XT_ECN_OP_MATCH_IP,
+	IPT_ECN_OP_MATCH_ECE  = XT_ECN_OP_MATCH_ECE,
+	IPT_ECN_OP_MATCH_CWR  = XT_ECN_OP_MATCH_CWR,
+	IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK,
 };
 
-#endif /* _IPT_ECN_TARGET_H */
+#endif /* IPT_ECN_H */

include/uapi/linux/netfilter_ipv4/ipt_TTL.h

@@ -1,21 +1,21 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-/* TTL modification module for IP tables
- * (C) 2000 by Harald Welte <laforge@netfilter.org> */
+/* IP tables module for matching the value of the TTL
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
 
 #ifndef _IPT_TTL_H
 #define _IPT_TTL_H
 
 #include <linux/types.h>
 
 enum {
-	IPT_TTL_SET = 0,
-	IPT_TTL_INC,
-	IPT_TTL_DEC
+	IPT_TTL_EQ = 0,		/* equals */
+	IPT_TTL_NE,		/* not equals */
+	IPT_TTL_LT,		/* less than */
+	IPT_TTL_GT,		/* greater than */
 };
 
-#define IPT_TTL_MAXMODE	IPT_TTL_DEC
 
-struct ipt_TTL_info {
+struct ipt_ttl_info {
 	__u8	mode;
 	__u8	ttl;
 };

include/uapi/linux/netfilter_ipv6/ip6t_HL.h

@@ -1,22 +1,22 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-/* Hop Limit modification module for ip6tables
+/* ip6tables module for matching the Hop Limit value
  * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's TTL module */
+ * Based on HW's ttl module */
 
 #ifndef _IP6T_HL_H
 #define _IP6T_HL_H
 
 #include <linux/types.h>
 
 enum {
-	IP6T_HL_SET = 0,
-	IP6T_HL_INC,
-	IP6T_HL_DEC
+	IP6T_HL_EQ = 0,		/* equals */
+	IP6T_HL_NE,		/* not equals */
+	IP6T_HL_LT,		/* less than */
+	IP6T_HL_GT,		/* greater than */
 };
 
-#define IP6T_HL_MAXMODE	IP6T_HL_DEC
 
-struct ip6t_HL_info {
+struct ip6t_hl_info {
 	__u8	mode;
 	__u8	hop_limit;
 };

kernel/panic.c

@@ -628,11 +628,33 @@ void panic(const char *fmt, ...)
 }
 EXPORT_SYMBOL(panic);
 
+#define TAINT_FLAGS(_)						\
+	_(PROPRIETARY_MODULE,		'P', 'G')		\
+	_(FORCED_MODULE,		'F', ' ')		\
+	_(CPU_OUT_OF_SPEC,		'S', ' ')		\
+	_(FORCED_RMMOD,			'R', ' ')		\
+	_(MACHINE_CHECK,		'M', ' ')		\
+	_(BAD_PAGE,			'B', ' ')		\
+	_(USER,				'U', ' ')		\
+	_(DIE,				'D', ' ')		\
+	_(OVERRIDDEN_ACPI_TABLE,	'A', ' ')		\
+	_(WARN,				'W', ' ')		\
+	_(CRAP,				'C', ' ')		\
+	_(FIRMWARE_WORKAROUND,		'I', ' ')		\
+	_(OOT_MODULE,			'O', ' ')		\
+	_(UNSIGNED_MODULE,		'E', ' ')		\
+	_(SOFTLOCKUP,			'L', ' ')		\
+	_(LIVEPATCH,			'K', ' ')		\
+	_(AUX,				'X', ' ')		\
+	_(RANDSTRUCT,			'T', ' ')		\
+	_(TEST,				'N', ' ')		\
+	_(FWCTL,			'J', ' ')
+
 #define TAINT_FLAG(taint, _c_true, _c_false)				\
 	[ TAINT_##taint ] = {						\
 		.c_true = _c_true, .c_false = _c_false,			\
 		.desc = #taint,						\
-	}
+	},
 
 /*
  * NOTE: if you modify the taint_flags or TAINT_FLAGS_COUNT,
@@ -642,30 +664,35 @@ EXPORT_SYMBOL(panic);
  * /proc/sys/kernel/tainted.
  */
 const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {
-	TAINT_FLAG(PROPRIETARY_MODULE,		'P', 'G'),
-	TAINT_FLAG(FORCED_MODULE,		'F', ' '),
-	TAINT_FLAG(CPU_OUT_OF_SPEC,		'S', ' '),
-	TAINT_FLAG(FORCED_RMMOD,		'R', ' '),
-	TAINT_FLAG(MACHINE_CHECK,		'M', ' '),
-	TAINT_FLAG(BAD_PAGE,			'B', ' '),
-	TAINT_FLAG(USER,			'U', ' '),
-	TAINT_FLAG(DIE,				'D', ' '),
-	TAINT_FLAG(OVERRIDDEN_ACPI_TABLE,	'A', ' '),
-	TAINT_FLAG(WARN,			'W', ' '),
-	TAINT_FLAG(CRAP,			'C', ' '),
-	TAINT_FLAG(FIRMWARE_WORKAROUND,		'I', ' '),
-	TAINT_FLAG(OOT_MODULE,			'O', ' '),
-	TAINT_FLAG(UNSIGNED_MODULE,		'E', ' '),
-	TAINT_FLAG(SOFTLOCKUP,			'L', ' '),
-	TAINT_FLAG(LIVEPATCH,			'K', ' '),
-	TAINT_FLAG(AUX,				'X', ' '),
-	TAINT_FLAG(RANDSTRUCT,			'T', ' '),
-	TAINT_FLAG(TEST,			'N', ' '),
-	TAINT_FLAG(FWCTL,			'J', ' '),
+	TAINT_FLAGS(TAINT_FLAG)
 };
 
 #undef TAINT_FLAG
 
+#define TAINT_DESC_LEN(taint, _c_true, _c_false)		\
+	+ (sizeof(#taint) - 1)
+
+enum { TAINT_FLAGS_DESC_LEN = 0 TAINT_FLAGS(TAINT_DESC_LEN) };
+
+#undef TAINT_DESC_LEN
+#undef TAINT_FLAGS
+
+#define TAINT_VERBOSE_PREFIX_LEN	(sizeof("Tainted: ") - 1)
+#define TAINT_VERBOSE_FLAG_LEN		4 /* "[X]=" */
+#define TAINT_VERBOSE_SEP_LEN		(sizeof(", ") - 1)
+#define TAINT_NOT_TAINTED_LEN		(sizeof("Not tainted") - 1)
+#define TAINT_MAX(a, b)			((a) > (b) ? (a) : (b))
+#define TAINT_VERBOSE_MAX						\
+	(TAINT_VERBOSE_PREFIX_LEN +					\
+	 TAINT_FLAGS_COUNT * TAINT_VERBOSE_FLAG_LEN +			\
+	 (TAINT_FLAGS_COUNT - 1) * TAINT_VERBOSE_SEP_LEN +		\
+	 TAINT_FLAGS_DESC_LEN)
+#define TAINT_NONVERBOSE_MAX		(TAINT_VERBOSE_PREFIX_LEN + \
+					 TAINT_FLAGS_COUNT)
+#define TAINT_BUF_LEN							\
+	(TAINT_MAX(TAINT_MAX(TAINT_VERBOSE_MAX, TAINT_NONVERBOSE_MAX), \
+		   TAINT_NOT_TAINTED_LEN) + 1)
+
 static void print_tainted_seq(struct seq_buf *s, bool verbose)
 {
 	const char *sep = "";
@@ -695,8 +722,7 @@ static void print_tainted_seq(struct seq_buf *s, bool verbose)
 
 static const char *_print_tainted(bool verbose)
 {
-	/* FIXME: what should the size be? */
-	static char buf[sizeof(taint_flags)];
+	static char buf[TAINT_BUF_LEN];
 	struct seq_buf s;
 
 	BUILD_BUG_ON(ARRAY_SIZE(taint_flags) != TAINT_FLAGS_COUNT);