aboutsummaryrefslogtreecommitdiffstats
path: root/testing/ipt-netflow-grsec
diff options
context:
space:
mode:
Diffstat (limited to 'testing/ipt-netflow-grsec')
-rw-r--r--testing/ipt-netflow-grsec/APKBUILD14
-rw-r--r--testing/ipt-netflow-grsec/git.patch3143
-rw-r--r--testing/ipt-netflow-grsec/kernel-4.6.patch63
3 files changed, 68 insertions, 3152 deletions
diff --git a/testing/ipt-netflow-grsec/APKBUILD b/testing/ipt-netflow-grsec/APKBUILD
index a7586dbc69..830eaff6e5 100644
--- a/testing/ipt-netflow-grsec/APKBUILD
+++ b/testing/ipt-netflow-grsec/APKBUILD
@@ -2,11 +2,11 @@
_flavor=grsec
_kpkg=linux-$_flavor
-_kver=4.4.47
+_kver=4.9.9
_kpkgrel=0
# when chaning _ver we *must* bump _mypkgrel
-_ver=2.1
+_ver=2.2
_mypkgrel=0
@@ -30,7 +30,7 @@ url="http://ipt-netflow.sourceforge.net/"
arch="all !aarch64"
license=GPL3+
source="ipt-netflow-$_ver.tar.gz::https://github.com/aabc/ipt-netflow/archive/v$_ver.tar.gz
- git.patch
+ kernel-4.6.patch
"
depends="$_kpkg-dev=$_kpkgver"
makedepends="linux-${_flavor}-dev=$_kpkgver iptables-dev bash"
@@ -65,9 +65,5 @@ dev() {
default_dev
}
-md5sums="bd8fc7d609c12832f5052f342640a839 ipt-netflow-2.1.tar.gz
-98c5286c6471e47d3bb25026ac406b30 git.patch"
-sha256sums="a3eafe7a09f09e15d330539fab983b88c887db56e5614bc820619e8462bc7749 ipt-netflow-2.1.tar.gz
-4d45daecb82ca29a513ebaed7c9bab91f0d16fa7834b52a7ff06dc0d1cd4cd3a git.patch"
-sha512sums="4ec48cb4612bd99d06ed2832d165fcddaf265f0c9555c7c49e012375c38c72cd57d5ee194a6b11e32eecfd2750e710a2bd167f3f2b2597b2e880a3f9b13ba27e ipt-netflow-2.1.tar.gz
-3714c78ae8e8ca432a3216c2067ec00f64f1e25985b39996907f4638835509ab587605937c81d823a9dc95cf3b963a0119eade75a3f2286d425aa0d333a44bc9 git.patch"
+sha512sums="e5d9039c079abfb2ef3656d96228616514ac57d87a9c71181f132ecac51e51407bcdc62aa6e1eb43d16f98be5b22d3801c58578317ea21aaa5433ed143daabe2 ipt-netflow-2.2.tar.gz
+96a250b87f8fb7d6240850dd0721aa0e1dcc7647b689abb15b07fb8758aea4338e5d169b3d0dca19e45279b38166d791cd0d412a9f4b44caf028cee2e782b72b kernel-4.6.patch"
diff --git a/testing/ipt-netflow-grsec/git.patch b/testing/ipt-netflow-grsec/git.patch
deleted file mode 100644
index 643da202c6..0000000000
--- a/testing/ipt-netflow-grsec/git.patch
+++ /dev/null
@@ -1,3143 +0,0 @@
-diff --git a/CREDITS b/CREDITS
-index 51e736e..e3fb344 100644
---- a/CREDITS
-+++ b/CREDITS
-@@ -48,6 +48,12 @@ Principal author and project maintainer:
- ABC <abc@telekom.ru> [2008-2015]
-
-
-+Compatibility layer is using code from Linux Kernel and should be
-+attributed to respective Linux developers.
-+
-+MurmurHash3 is based on smhasher (2012) of Austin Appleby.
-+
-+
- Patch authors and submitters:
-
- Ilya Evseev [2010]
-@@ -82,6 +88,7 @@ Extensive testing and other help:
- Andrew Savin @ Starlink [2014]
- Alexander Zakharov @ WAW Technologies [2015]
- Ivanov Eduard [2015]
-+ Maciej Zdeb [2015]
-
-
- (Send your names, emails, or nicks to add to the list.)
-diff --git a/Makefile.in b/Makefile.in
-index e96d50b..d72cb90 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -20,15 +20,18 @@ ccflags-y = @KOPTS@
-
- all: ipt_NETFLOW.ko libipt_NETFLOW.so libip6t_NETFLOW.so @SNMPTARGET@
-
--ipt_NETFLOW.ko: version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
-+ipt_NETFLOW.ko: version.h ipt_NETFLOW.c ipt_NETFLOW.h compat.h Makefile
- @echo Compiling for kernel $(KVERSION)
- make -C $(KDIR) M=$(CURDIR) modules CONFIG_DEBUG_INFO=y
- @touch $@
--sparse: | version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
-+sparse: | version.h ipt_NETFLOW.c ipt_NETFLOW.h compat.h Makefile
- @rm -f ipt_NETFLOW.ko ipt_NETFLOW.o
- @echo Compiling for kernel $(KVERSION)
- make -C $(KDIR) M=$(CURDIR) modules C=1
- @touch ipt_NETFLOW.ko
-+coverity:
-+ coverity-submit -v
-+
- minstall: | ipt_NETFLOW.ko
- @echo " *"
- make -C $(KDIR) M=$(CURDIR) modules_install INSTALL_MOD_PATH=$(DESTDIR)
-@@ -66,7 +69,7 @@ sinstall: | snmp_NETFLOW.so IPT-NETFLOW-MIB.my
- %.so: %_sh.o
- gcc -shared -o $@ $<
-
--version.h: ipt_NETFLOW.c ipt_NETFLOW.h Makefile
-+version.h: ipt_NETFLOW.c ipt_NETFLOW.h compat.h Makefile
- @./version.sh --define > version.h
-
- linstall: | libipt_NETFLOW.so libip6t_NETFLOW.so
-@@ -113,3 +116,8 @@ unload:
- -rmmod ipt_NETFLOW.ko
-
- reload: unload load
-+
-+ChangeLog:
-+ gitlog-to-changelog > ChangeLog
-+.PHONY: ChangeLog
-+
-diff --git a/README b/README
-index d524b17..c82cdf7 100644
---- a/README
-+++ b/README
-@@ -1,4 +1,4 @@
--ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
-+ipt_NETFLOW linux 2.6.x-4.x kernel module by <abc@telekom.ru> -- 2008-2015.
-
- High performance NetFlow v5, v9, IPFIX flow data export module for Linux
- kernel. Created to be useful for highly loaded linux router. It should be
-@@ -39,9 +39,9 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- Such as metering, exporting, sampling stat and reliability stat, sampling
- configuration, network devices ifName, ifDescr list.
-
-- * Tested to compile and work out of the box on Centos 5, 6, 7, and Debian.
-- Many vanilla Linux kernels since 2.6.18 up to the latest (as of writing
-- is 3.16) are supported and tested.
-+ * Tested to compile and work out of the box on Centos 5, 6, 7, Debian and
-+ * Ubuntu. Many vanilla Linux kernels since 2.6.18 up to the latest (as of
-+ * writing is 3.19) are supported and tested.
-
- * Module load time and run-time (via sysctl) configuration.
-
-@@ -52,14 +52,15 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- * SNMP-index translation rules, let convert meaningless and unstable
- interface indexes (ifIndex) to more meaningful numbering scheme.
-
-- * Easy support for catching mirrored traffic with promisc option.
-+ * Easy support for catching mirrored traffic with promisc option. Which is
-+ also supporting optional MPLS decapsulation and MPLS-aware NetFlow.
-
-
- ============================
- = OBTAINING LATEST VERSION =
- ============================
-
-- $ git clone git://git.code.sf.net/p/ipt-netflow/code ipt-netflow
-+ $ git clone git://github.com/aabc/ipt-netflow.git ipt-netflow
- $ cd ipt-netflow
-
-
-@@ -79,7 +80,7 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
-
- ~# yum install kernel-devel
-
-- b) What to do for Debian:
-+ b) What to do for Debian and Ubuntu:
-
- ~# apt-get install module-assistant
- ~# m-a prepare
-@@ -118,7 +119,7 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
-
- # yum install iptables-devel
-
-- b) What to do for Debian:
-+ b) What to do for Debian or Ubuntu:
-
- # apt-get install iptables-dev pkg-config
-
-@@ -134,7 +135,7 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
-
- # yum install net-snmp net-snmp-devel
-
-- b) For Debian:
-+ b) For Debian or Ubuntu:
-
- # apt-get install snmpd libsnmp-dev
-
-@@ -161,6 +162,14 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- c) If you have sources in non-standard places or configure isn't able to
- find something run ./configure --help to see how to specify paths manually.
-
-+ d) To run irqtop on Debian 8 you may need to install:
-+
-+ # apt-get install ruby ruby-dev ncurses-dev
-+ # gem install curses
-+
-+ z) If all fails create ticket at
-+ https://github.com/aabc/ipt-netflow/issues
-+
- ** 5. After this point you should be able to load module and
- use -j NETFLOW target in your iptables. See next section.
-
-@@ -227,6 +236,25 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- only disable auto-install into DKMS, but still create dkms.conf, in
- case you will want to install it manually.
-
-+ --enable-physdev
-+ Export ingressPhysicalInterface(252) and egressPhysicalInterface(253)
-+ (relevant for bridges) in V9 and IPFIX. If your collector does not
-+ support these Elements but you still need physdevs then use
-+ --enable-physdev-override, in that case physdevs will override normal
-+ interface numbers ingressInterface(10) and egressInterface(14).
-+
-+ --enable-promisc
-+ Enables capturing of promiscuous packets into raw/PREROUTING chain.
-+ See README.promisc Solution 1 for usage details and example.
-+
-+ --promisc-mpls
-+ Enables MPLS label stack decapsulation for promiscuous packets. (For
-+ IPv4 and IPv6 packets only). This also enables MPLS-aware NetFlow (v9
-+ and IPFIX), you may wish to specify with --promisc-mpls=n how much MPLS
-+ labels you want to be recorded and exported (default is 3, maximum is
-+ 10, set to 0 to not report anything).
-+
-+
- ===========
- = RUNNING =
- ===========
-@@ -381,10 +409,15 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- because NetFlow v5 isn't compatible with IPv6.
-
- destination=127.0.0.1:2055
-- - where to export netflow, to this ip address
-- You will see this connection in netstat like this:
-+ - where to export netflow, to this ip address. Port is optional, default
-+ is 2055. You will see this connection in netstat like this:
-+
- udp 0 0 127.0.0.1:32772 127.0.0.1:2055 ESTABLISHED
-
-+ destination=[2001:db8::1]:2055
-+ - export target using IPv6 address. Brackets are optional, but otherwise
-+ you should delimit port with 'p' or '#' character.
-+
- destination=127.0.0.1:2055,192.0.0.1:2055
- - mirror flows to two (can be more) addresses, separate addresses
- with comma.
-@@ -523,13 +556,25 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- snmp-rules are compilation disabled by default, to enable you will need
- to add --enable-snmp option to ./configure script.
-
-- scan-min = 1
-+ scan-min=1
- - Minimal interval between flow export scans. Sometimes could be useful
- to reduce load on exporting CPU by increasing this interval. Value are
- in kernel jiffies units (which is x/HZ seconds).
-
-- promisc = 1
-- - Enable promisc hack. See README.promisc Solution.1 for details.
-+ promisc=1
-+ - Enables promisc hack. See README.promisc Solution 1 for details.
-+
-+ exportcpu=number
-+ - Lock exporter to single CPU. This may be useful to fine control CPU
-+ load. Common use case: with smp_affinity and RSS you spread packet
-+ processing to all CPUs except one, and lock it to the exporter. While
-+ exporter CPU load generally is not high, for someone it may be not
-+ desirable to combine it with packet processing on very highly loaded
-+ routers.
-+
-+ This option also could be changed at runtime with:
-+
-+ # echo number > /sys/module/ipt_NETFLOW/parameters/exportcpu
-
-
- ====================
-@@ -722,17 +767,26 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2015.
- IP TOS: ipClassOfService(5),
- and address family (IP or IPv6).
-
-- If VLAN exporting is enabled:
-+ Additional Flow Keys if VLAN exporting is enabled:
-+
- First (outer) dot1q VLAN tag: dot1qVlanId(243) and
- dot1qPriority(244) for IPFIX,
- or vlanId(243) for NetFlow v9.
- Second (customer) dot1q VLAN tag: dot1qCustomerVlanId(245)
- and dot1qCustomerPriority(246).
-
-- If MAC address exporting is enabled:
-+ Additional Flow Keys if MAC address exporting is enabled:
-+
- Destination MAC address: destinationMacAddress(80),
- Source MAC address: sourceMacAddress(56).
-
-+ Additional Flow Keys if MPLS-aware NetFlow is enabled:
-+
-+ Captured MPLS stack is fully treated as flow key (including TTL values),
-+ which is Elements from mplsTopLabelStackSection(70) to
-+ mplsLabelStackSection10(79), and, if present, mplsTopLabelTTL(200).
-+
-+
- Other Elements are not Flow Keys. Note that outer interface, which is
- egressInterface(14), is not regarded as Flow Key. Quoting RFC 7012: "For
- Information Elements ... for which the value may change from packet to packet
-diff --git a/compat.h b/compat.h
-new file mode 100644
-index 0000000..2b05994
---- /dev/null
-+++ b/compat.h
-@@ -0,0 +1,598 @@
-+/* This code is derived from the Linux Kernel sources intended
-+ * to maintain compatibility with different Kernel versions.
-+ * Copyright of original source is of respective Linux Kernel authors.
-+ * License is GPLv2.
-+ */
-+
-+#ifndef COMPAT_NETFLOW_H
-+#define COMPAT_NETFLOW_H
-+
-+
-+#ifndef NIPQUAD
-+# define NIPQUAD(addr) \
-+ ((unsigned char *)&addr)[0], \
-+ ((unsigned char *)&addr)[1], \
-+ ((unsigned char *)&addr)[2], \
-+ ((unsigned char *)&addr)[3]
-+#endif
-+#ifndef HIPQUAD
-+# if defined(__LITTLE_ENDIAN)
-+# define HIPQUAD(addr) \
-+ ((unsigned char *)&addr)[3], \
-+ ((unsigned char *)&addr)[2], \
-+ ((unsigned char *)&addr)[1], \
-+ ((unsigned char *)&addr)[0]
-+# elif defined(__BIG_ENDIAN)
-+# define HIPQUAD NIPQUAD
-+# else
-+# error "Please fix asm/byteorder.h"
-+# endif /* __LITTLE_ENDIAN */
-+#endif
-+
-+#ifndef IPT_CONTINUE
-+# define IPT_CONTINUE XT_CONTINUE
-+# define ipt_target xt_target
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,25)
-+union nf_inet_addr {
-+ __be32 ip;
-+ __be32 ip6[4];
-+ struct in_addr in;
-+ struct in6_addr in6;
-+};
-+#endif
-+
-+#ifndef list_first_entry
-+#define list_first_entry(ptr, type, member) \
-+ list_entry((ptr)->next, type, member)
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
-+# define INIT_NET(x) x
-+#else
-+# define INIT_NET(x) init_net.x
-+#endif
-+
-+#ifndef ETH_P_8021AD
-+# define ETH_P_8021AD 0x88A8 /* 802.1ad Service VLAN */
-+#endif
-+
-+#ifndef ETH_P_QINQ1
-+# define ETH_P_QINQ1 0x9100 /* deprecated QinQ VLAN */
-+# define ETH_P_QINQ2 0x9200 /* deprecated QinQ VLAN */
-+# define ETH_P_QINQ3 0x9300 /* deprecated QinQ VLAN */
-+#endif
-+
-+#ifndef IPPROTO_MH
-+# define IPPROTO_MH 135
-+#endif
-+
-+#ifdef CONFIG_SYSCTL
-+# if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,32)
-+# define BEFORE2632(x,y) x,y
-+# else /* since 2.6.32 */
-+# define BEFORE2632(x,y)
-+# endif
-+
-+# if LINUX_VERSION_CODE >= KERNEL_VERSION(3,17,0)
-+# define ctl_table struct ctl_table
-+# endif
-+
-+# ifndef HAVE_GRSECURITY_H
-+# define ctl_table_no_const ctl_table
-+# endif
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
-+# define compat_hlist_for_each_entry hlist_for_each_entry
-+# define compat_hlist_for_each_entry_safe hlist_for_each_entry_safe
-+#else /* since 3.9.0 */
-+# define compat_hlist_for_each_entry(a,pos,c,d) hlist_for_each_entry(a,c,d)
-+# define compat_hlist_for_each_entry_safe(a,pos,c,d,e) hlist_for_each_entry_safe(a,c,d,e)
-+#endif
-+
-+#ifndef WARN_ONCE
-+#define WARN_ONCE(x,fmt...) ({ if (x) printk(KERN_WARNING fmt); })
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
-+# define IPPROTO_UDPLITE 136
-+#endif
-+
-+#ifndef time_is_before_jiffies
-+# define time_is_before_jiffies(a) time_after(jiffies, a)
-+#endif
-+#ifndef time_is_after_jiffies
-+# define time_is_after_jiffies(a) time_before(jiffies, a)
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,14,0)
-+# if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-+# define prandom_u32 get_random_int
-+# elif LINUX_VERSION_CODE < KERNEL_VERSION(3,8,0)
-+# define prandom_u32 random32
-+#endif
-+#define prandom_u32_max compat_prandom_u32_max
-+static inline u32 prandom_u32_max(u32 ep_ro)
-+{
-+ return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
-+}
-+#endif
-+
-+#ifndef min_not_zero
-+# define min_not_zero(x, y) ({ \
-+ typeof(x) __x = (x); \
-+ typeof(y) __y = (y); \
-+ __x == 0 ? __y : ((__y == 0) ? __x : min(__x, __y)); })
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
-+static int __ethtool_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
-+{
-+ ASSERT_RTNL();
-+
-+ if (!dev->ethtool_ops->get_settings)
-+ return -EOPNOTSUPP;
-+
-+ memset(cmd, 0, sizeof(struct ethtool_cmd));
-+ cmd->cmd = ETHTOOL_GSET;
-+ return dev->ethtool_ops->get_settings(dev, cmd);
-+}
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,27)
-+# define ethtool_cmd_speed(x) (x)->speed
-+#endif
-+
-+#ifndef ARPHRD_PHONET
-+# define ARPHRD_PHONET 820
-+# define ARPHRD_PHONET_PIPE 821
-+#endif
-+#ifndef ARPHRD_IEEE802154
-+# define ARPHRD_IEEE802154 804
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
-+# define for_each_netdev_ns(net, dev) for (dev = dev_base; dev; dev = dev->next)
-+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
-+# define for_each_netdev_ns(net, d) for_each_netdev(d)
-+#else
-+# define for_each_netdev_ns(net, d) for_each_netdev(net, d)
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
-+# define CHECK_FAIL 0
-+# define CHECK_OK 1
-+#else
-+# define CHECK_FAIL -EINVAL
-+# define CHECK_OK 0
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35)
-+# define use_module ref_module
-+#endif
-+
-+#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
-+# define NF_IP_PRE_ROUTING NF_INET_PRE_ROUTING
-+# define NF_IP_LOCAL_IN NF_INET_LOCAL_IN
-+# define NF_IP_FORWARD NF_INET_FORWARD
-+# define NF_IP_LOCAL_OUT NF_INET_LOCAL_OUT
-+# define NF_IP_POST_ROUTING NF_INET_POST_ROUTING
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-+/* net/netfilter/x_tables.c */
-+static void xt_unregister_targets(struct xt_target *target, unsigned int n)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < n; i++)
-+ xt_unregister_target(&target[i]);
-+}
-+static int xt_register_targets(struct xt_target *target, unsigned int n)
-+{
-+ unsigned int i;
-+
-+ int err = 0;
-+ for (i = 0; i < n; i++)
-+ if ((err = xt_register_target(&target[i])))
-+ goto err;
-+ return err;
-+err:
-+ if (i > 0)
-+ xt_unregister_targets(target, i);
-+ return err;
-+}
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0)
-+#define num_physpages totalram_pages
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
-+# ifdef ktime_to_timeval
-+/* ktime_to_timeval is defined on 64bit and inline on 32bit cpu */
-+/* when it's defined it calls ns_to_timeval, which is not exported */
-+struct timeval portable_ns_to_timeval(const s64 nsec)
-+{
-+ struct timespec ts = ns_to_timespec(nsec);
-+ struct timeval tv;
-+
-+ tv.tv_sec = ts.tv_sec;
-+ tv.tv_usec = (suseconds_t) ts.tv_nsec / 1000;
-+
-+ return tv;
-+}
-+# define ns_to_timeval portable_ns_to_timeval
-+# endif
-+
-+static inline s64 portable_ktime_to_ms(const ktime_t kt)
-+{
-+ struct timeval tv = ktime_to_timeval(kt);
-+ return (s64) tv.tv_sec * MSEC_PER_SEC + tv.tv_usec / USEC_PER_MSEC;
-+}
-+# define ktime_to_ms portable_ktime_to_ms
-+#endif /* before 2.6.35 */
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
-+static inline s64 portable_ktime_to_us(const ktime_t kt)
-+{
-+ struct timeval tv = ktime_to_timeval(kt);
-+ return (s64) tv.tv_sec * USEC_PER_SEC + tv.tv_usec;
-+}
-+#define ktime_to_us portable_ktime_to_us
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
-+static inline void put_unaligned_be16(u16 val, void *p)
-+{
-+ put_unaligned(cpu_to_be16(val), (__be16 *)p);
-+}
-+static inline void put_unaligned_be32(u32 val, void *p)
-+{
-+ put_unaligned(cpu_to_be32(val), (__be32 *)p);
-+}
-+static inline void put_unaligned_be64(u64 val, void *p)
-+{
-+ put_unaligned(cpu_to_be64(val), (__be64 *)p);
-+}
-+#endif
-+
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,24) && !defined(RHEL_MAJOR)
-+static void *__seq_open_private(struct file *f, struct seq_operations *ops,
-+ int psize)
-+{
-+ int rc;
-+ void *private;
-+ struct seq_file *seq;
-+
-+ private = kzalloc(psize, GFP_KERNEL);
-+ if (private == NULL)
-+ goto out;
-+
-+ rc = seq_open(f, ops);
-+ if (rc < 0)
-+ goto out_free;
-+
-+ seq = f->private_data;
-+ seq->private = private;
-+ return private;
-+
-+out_free:
-+ kfree(private);
-+out:
-+ return NULL;
-+}
-+#endif
-+
-+/* disappeared in v3.19 */
-+#ifndef __get_cpu_var
-+#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
-+#endif
-+
-+#ifndef MPLS_HLEN
-+#define MPLS_HLEN 4
-+static inline int eth_p_mpls(__be16 eth_type)
-+{
-+ return eth_type == htons(ETH_P_MPLS_UC) ||
-+ eth_type == htons(ETH_P_MPLS_MC);
-+}
-+#endif
-+#ifndef MPLS_LS_S_MASK
-+struct mpls_label {
-+ __be32 entry;
-+};
-+#define MPLS_LS_S_MASK 0x00000100
-+
-+#endif
-+
-+/* sockaddr comparison functions is from fs/nfs/client.c */
-+static int sockaddr_match_ipaddr6(const struct sockaddr *sa1, const struct sockaddr *sa2)
-+{
-+ const struct sockaddr_in6 *sin1 = (const struct sockaddr_in6 *)sa1;
-+ const struct sockaddr_in6 *sin2 = (const struct sockaddr_in6 *)sa2;
-+
-+ if (!ipv6_addr_equal(&sin1->sin6_addr, &sin2->sin6_addr))
-+ return 0;
-+#if 0
-+ else if (ipv6_addr_type(&sin1->sin6_addr) & IPV6_ADDR_LINKLOCAL)
-+ return sin1->sin6_scope_id == sin2->sin6_scope_id;
-+#endif
-+ return 1;
-+}
-+
-+static int sockaddr_match_ipaddr4(const struct sockaddr *sa1, const struct sockaddr *sa2)
-+{
-+ const struct sockaddr_in *sin1 = (const struct sockaddr_in *)sa1;
-+ const struct sockaddr_in *sin2 = (const struct sockaddr_in *)sa2;
-+
-+ return sin1->sin_addr.s_addr == sin2->sin_addr.s_addr;
-+}
-+
-+static int sockaddr_cmp_ip6(const struct sockaddr *sa1, const struct sockaddr *sa2)
-+{
-+ const struct sockaddr_in6 *sin1 = (const struct sockaddr_in6 *)sa1;
-+ const struct sockaddr_in6 *sin2 = (const struct sockaddr_in6 *)sa2;
-+
-+ return sockaddr_match_ipaddr6(sa1, sa2) &&
-+ (sin1->sin6_port == sin2->sin6_port);
-+}
-+
-+static int sockaddr_cmp_ip4(const struct sockaddr *sa1, const struct sockaddr *sa2)
-+{
-+ const struct sockaddr_in *sin1 = (const struct sockaddr_in *)sa1;
-+ const struct sockaddr_in *sin2 = (const struct sockaddr_in *)sa2;
-+
-+ return sockaddr_match_ipaddr4(sa1, sa2) &&
-+ (sin1->sin_port == sin2->sin_port);
-+}
-+
-+static int sockaddr_cmp(const struct sockaddr_storage *sa1, const struct sockaddr_storage *sa2)
-+{
-+ const struct sockaddr *s1 = (const struct sockaddr *)sa1;
-+ const struct sockaddr *s2 = (const struct sockaddr *)sa2;
-+
-+ if (sa1->ss_family != sa2->ss_family)
-+ return 0;
-+
-+ switch (sa1->ss_family) {
-+ case AF_INET:
-+ return sockaddr_cmp_ip4(s1, s2);
-+ case AF_INET6:
-+ return sockaddr_cmp_ip6(s1, s2);
-+ }
-+ return 0;
-+}
-+
-+#ifndef IN6PTON_XDIGIT
-+#define hex_to_bin compat_hex_to_bin
-+/* lib/hexdump.c */
-+int hex_to_bin(char ch)
-+{
-+ if ((ch >= '0') && (ch <= '9'))
-+ return ch - '0';
-+ ch = tolower(ch);
-+ if ((ch >= 'a') && (ch <= 'f'))
-+ return ch - 'a' + 10;
-+ return -1;
-+}
-+
-+/* net/core/utils.c */
-+#define IN6PTON_XDIGIT 0x00010000
-+#define IN6PTON_DIGIT 0x00020000
-+#define IN6PTON_COLON_MASK 0x00700000
-+#define IN6PTON_COLON_1 0x00100000 /* single : requested */
-+#define IN6PTON_COLON_2 0x00200000 /* second : requested */
-+#define IN6PTON_COLON_1_2 0x00400000 /* :: requested */
-+#define IN6PTON_DOT 0x00800000 /* . */
-+#define IN6PTON_DELIM 0x10000000
-+#define IN6PTON_NULL 0x20000000 /* first/tail */
-+#define IN6PTON_UNKNOWN 0x40000000
-+
-+static inline int xdigit2bin(char c, int delim)
-+{
-+ int val;
-+
-+ if (c == delim || c == '\0')
-+ return IN6PTON_DELIM;
-+ if (c == ':')
-+ return IN6PTON_COLON_MASK;
-+ if (c == '.')
-+ return IN6PTON_DOT;
-+
-+ val = hex_to_bin(c);
-+ if (val >= 0)
-+ return val | IN6PTON_XDIGIT | (val < 10 ? IN6PTON_DIGIT : 0);
-+
-+ if (delim == -1)
-+ return IN6PTON_DELIM;
-+ return IN6PTON_UNKNOWN;
-+}
-+
-+int in4_pton(const char *src, int srclen,
-+ u8 *dst,
-+ int delim, const char **end)
-+{
-+ const char *s;
-+ u8 *d;
-+ u8 dbuf[4];
-+ int ret = 0;
-+ int i;
-+ int w = 0;
-+
-+ if (srclen < 0)
-+ srclen = strlen(src);
-+ s = src;
-+ d = dbuf;
-+ i = 0;
-+ while(1) {
-+ int c;
-+ c = xdigit2bin(srclen > 0 ? *s : '\0', delim);
-+ if (!(c & (IN6PTON_DIGIT | IN6PTON_DOT | IN6PTON_DELIM | IN6PTON_COLON_MASK))) {
-+ goto out;
-+ }
-+ if (c & (IN6PTON_DOT | IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
-+ if (w == 0)
-+ goto out;
-+ *d++ = w & 0xff;
-+ w = 0;
-+ i++;
-+ if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
-+ if (i != 4)
-+ goto out;
-+ break;
-+ }
-+ goto cont;
-+ }
-+ w = (w * 10) + c;
-+ if ((w & 0xffff) > 255) {
-+ goto out;
-+ }
-+cont:
-+ if (i >= 4)
-+ goto out;
-+ s++;
-+ srclen--;
-+ }
-+ ret = 1;
-+ memcpy(dst, dbuf, sizeof(dbuf));
-+out:
-+ if (end)
-+ *end = s;
-+ return ret;
-+}
-+
-+int in6_pton(const char *src, int srclen,
-+ u8 *dst,
-+ int delim, const char **end)
-+{
-+ const char *s, *tok = NULL;
-+ u8 *d, *dc = NULL;
-+ u8 dbuf[16];
-+ int ret = 0;
-+ int i;
-+ int state = IN6PTON_COLON_1_2 | IN6PTON_XDIGIT | IN6PTON_NULL;
-+ int w = 0;
-+
-+ memset(dbuf, 0, sizeof(dbuf));
-+
-+ s = src;
-+ d = dbuf;
-+ if (srclen < 0)
-+ srclen = strlen(src);
-+
-+ while (1) {
-+ int c;
-+
-+ c = xdigit2bin(srclen > 0 ? *s : '\0', delim);
-+ if (!(c & state))
-+ goto out;
-+ if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
-+ /* process one 16-bit word */
-+ if (!(state & IN6PTON_NULL)) {
-+ *d++ = (w >> 8) & 0xff;
-+ *d++ = w & 0xff;
-+ }
-+ w = 0;
-+ if (c & IN6PTON_DELIM) {
-+ /* We've processed last word */
-+ break;
-+ }
-+ /*
-+ * COLON_1 => XDIGIT
-+ * COLON_2 => XDIGIT|DELIM
-+ * COLON_1_2 => COLON_2
-+ */
-+ switch (state & IN6PTON_COLON_MASK) {
-+ case IN6PTON_COLON_2:
-+ dc = d;
-+ state = IN6PTON_XDIGIT | IN6PTON_DELIM;
-+ if (dc - dbuf >= sizeof(dbuf))
-+ state |= IN6PTON_NULL;
-+ break;
-+ case IN6PTON_COLON_1|IN6PTON_COLON_1_2:
-+ state = IN6PTON_XDIGIT | IN6PTON_COLON_2;
-+ break;
-+ case IN6PTON_COLON_1:
-+ state = IN6PTON_XDIGIT;
-+ break;
-+ case IN6PTON_COLON_1_2:
-+ state = IN6PTON_COLON_2;
-+ break;
-+ default:
-+ state = 0;
-+ }
-+ tok = s + 1;
-+ goto cont;
-+ }
-+
-+ if (c & IN6PTON_DOT) {
-+ ret = in4_pton(tok ? tok : s, srclen + (int)(s - tok), d, delim, &s);
-+ if (ret > 0) {
-+ d += 4;
-+ break;
-+ }
-+ goto out;
-+ }
-+
-+ w = (w << 4) | (0xff & c);
-+ state = IN6PTON_COLON_1 | IN6PTON_DELIM;
-+ if (!(w & 0xf000)) {
-+ state |= IN6PTON_XDIGIT;
-+ }
-+ if (!dc && d + 2 < dbuf + sizeof(dbuf)) {
-+ state |= IN6PTON_COLON_1_2;
-+ state &= ~IN6PTON_DELIM;
-+ }
-+ if (d + 2 >= dbuf + sizeof(dbuf)) {
-+ state &= ~(IN6PTON_COLON_1|IN6PTON_COLON_1_2);
-+ }
-+cont:
-+ if ((dc && d + 4 < dbuf + sizeof(dbuf)) ||
-+ d + 4 == dbuf + sizeof(dbuf)) {
-+ state |= IN6PTON_DOT;
-+ }
-+ if (d >= dbuf + sizeof(dbuf)) {
-+ state &= ~(IN6PTON_XDIGIT|IN6PTON_COLON_MASK);
-+ }
-+ s++;
-+ srclen--;
-+ }
-+
-+ i = 15; d--;
-+
-+ if (dc) {
-+ while(d >= dc)
-+ dst[i--] = *d--;
-+ while(i >= dc - dbuf)
-+ dst[i--] = 0;
-+ while(i >= 0)
-+ dst[i--] = *d--;
-+ } else
-+ memcpy(dst, dbuf, sizeof(dbuf));
-+
-+ ret = 1;
-+out:
-+ if (end)
-+ *end = s;
-+ return ret;
-+}
-+#endif /* IN6PTON_XDIGIT */
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,2,0)
-+# define sock_create_kern(f, t, p, s) sock_create_kern(&init_net, f, t, p, s)
-+#endif
-+
-+#if !defined(vlan_tx_tag_get) && defined(skb_vlan_tag_get)
-+# define vlan_tx_tag_get skb_vlan_tag_get
-+# define vlan_tx_tag_present skb_vlan_tag_present
-+#endif
-+
-+#ifndef NF_HOOK
-+# define NF_HOOK_COMPAT NF_HOOK
-+#else
-+# define NF_HOOK_COMPAT(a,b,c,d,e,f,g) NF_HOOK(a,b,d,e,f,g)
-+#endif
-+
-+#endif /* COMPAT_NETFLOW_H */
-diff --git a/configure b/configure
-index 30a928c..1278c61 100755
---- a/configure
-+++ b/configure
-@@ -263,7 +263,6 @@ show_help() {
- echo " --kver=.. kernel version (ex.: 2.6.30-std-def-alt15)"
- echo " --kdir=.. directory for kernel source (ex.: /usr/src/kernel)"
- echo " --enable-natevents enables natevents support"
-- echo " --enable-debugfs enables debugfs support for flow lists"
- echo " --enable-snmp-rules enables SNMP-index conversion rules"
- echo " --enable-macaddress enables MAC address for v9/IPFIX"
- echo " --enable-vlan enables VLAN Ids for v9/IPFIX"
-@@ -271,7 +270,11 @@ show_help() {
- echo " --enable-sampler enables Flow Sampling"
- echo " --enable-sampler=hash enables Hash sampler"
- echo " --enable-aggregation enables aggregation rules"
-- echo " --enable-promisc enables promisc hack"
-+ echo " --enable-promisc enables promisc hack mode"
-+ echo " --promisc-mpls decapsulate MPLS in promisc mode"
-+ echo " --promisc-mpls=N -- and record N labels (default 3)"
-+ echo " --enable-physdev enables physdev reporting"
-+ echo " --enable-physdev-override to override interfaces"
- echo " --disable-snmp-agent disables net-snmp agent"
- echo " --disable-dkms disables DKMS support completely"
- echo " --disable-dkms-install no DKMS install but still create dkms.conf"
-@@ -295,15 +298,17 @@ do
- --kver=*) KVERSION="$ac_optarg" ;;
- --kdir=*) KDIR="$ac_optarg" ;;
- --enable-nat*) KOPTS="$KOPTS -DENABLE_NAT" ;;
-- --enable-debug*) KOPTS="$KOPTS -DENABLE_DEBUGFS" ;;
- --enable-mac*) KOPTS="$KOPTS -DENABLE_MAC" ;;
- --enable-vlan*) KOPTS="$KOPTS -DENABLE_VLAN" ;;
- --enable-direc*) KOPTS="$KOPTS -DENABLE_DIRECTION" ;;
- --enable-sampl*hash) KOPTS="$KOPTS -DENABLE_SAMPLER -DSAMPLING_HASH" ;;
- --enable-sampl*) KOPTS="$KOPTS -DENABLE_SAMPLER" ;;
- --enable-aggr*) KOPTS="$KOPTS -DENABLE_AGGR" ;;
-- --enable-promi*) KOPTS="$KOPTS -DENABLE_PROMISC" ;;
-+ --enable-promi*) ENABLE_PROMISC=1 ;;
-+ --promisc-mpls*) ENABLE_PROMISC=1; PROMISC_MPLS=1; MPLS_DEPTH="$ac_optarg" ;;
- --enable-snmp-r*) KOPTS="$KOPTS -DENABLE_SNMP" ;;
-+ --enable-physdev) KOPTS="$KOPTS -DENABLE_PHYSDEV" ;;
-+ --enable-physdev-over*) KOPTS="$KOPTS -DENABLE_PHYSDEV_OVER" ;;
- --disable-snmp-a*) SKIPSNMP=1 ;;
- --disable-net-snmp*) SKIPSNMP=1 ;;
- --disable-dkms*) SKIPDKMS=1 ;;
-@@ -316,6 +321,18 @@ do
- esac
- done
-
-+if [ "$ENABLE_PROMISC" = 1 ]; then KOPTS="$KOPTS -DENABLE_PROMISC"; fi
-+if [ "$PROMISC_MPLS" = 1 ]; then
-+ KOPTS="$KOPTS -DPROMISC_MPLS"
-+ if [ "$MPLS_DEPTH" -gt 10 ]; then
-+ echo "! Requested MPLS stack depth is too big, limiting to 10."
-+ MPLS_DEPTH=10;
-+ elif [ ! "$MPLS_DEPTH" ]; then
-+ MPLS_DEPTH=3
-+ fi
-+ if [ "$MPLS_DEPTH" -ge 1 ]; then KOPTS="$KOPTS -DMPLS_DEPTH=$MPLS_DEPTH"; fi
-+fi
-+
- kernel_find_version() {
- KHOW=requested
- test "$KVERSION" && return 0
-@@ -436,6 +453,7 @@ kernel_check_include() {
-
- kernel_check_features() {
- kernel_check_include include/linux/llist.h -DHAVE_LLIST
-+ kernel_check_include include/linux/grsecurity.h -DHAVE_GRSECURITY_H
- }
-
- snmp_check() {
-diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
-index f6bd7a8..2d5e95b 100644
---- a/ipt_NETFLOW.c
-+++ b/ipt_NETFLOW.c
-@@ -26,6 +26,8 @@
- #include <linux/seq_file.h>
- #include <linux/random.h>
- #include <linux/in6.h>
-+#include <linux/inet.h>
-+#include <linux/kernel.h>
- #include <linux/ip.h>
- #include <linux/udp.h>
- #include <linux/icmp.h>
-@@ -51,69 +53,37 @@
- #ifndef ENABLE_NAT
- # undef CONFIG_NF_NAT_NEEDED
- #endif
--#ifdef ENABLE_VLAN
--#include <linux/if_vlan.h>
-+#if defined(ENABLE_VLAN) || defined(ENABLE_PROMISC)
-+# include <linux/if_vlan.h>
- #endif
- #ifdef ENABLE_MAC
--#include <linux/if_ether.h>
--#include <linux/etherdevice.h>
-+# include <linux/if_ether.h>
-+# include <linux/etherdevice.h>
- #endif
- #if defined(CONFIG_NF_NAT_NEEDED)
--#include <linux/notifier.h>
--#include <net/netfilter/nf_conntrack.h>
--#include <net/netfilter/nf_conntrack_core.h>
-+# include <linux/notifier.h>
-+# include <net/netfilter/nf_conntrack.h>
-+# include <net/netfilter/nf_conntrack_core.h>
- #endif
- #include <linux/version.h>
- #include <asm/unaligned.h>
- #ifdef HAVE_LLIST
- /* llist.h is officially defined since linux 3.1,
- * but centos6 have it backported on its 2.6.32.el6 */
--#include <linux/llist.h>
-+# include <linux/llist.h>
- #endif
-+#include "compat.h"
- #include "ipt_NETFLOW.h"
- #include "murmur3.h"
- #ifdef CONFIG_BRIDGE_NETFILTER
--#include <linux/netfilter_bridge.h>
-+# include <linux/netfilter_bridge.h>
- #endif
- #ifdef CONFIG_SYSCTL
--#include <linux/sysctl.h>
--#endif
--#ifdef ENABLE_DEBUGFS
--# ifdef CONFIG_DEBUG_FS
--# include <linux/debugfs.h>
--# else
--# undef ENABLE_DEBUGFS
--# endif
-+# include <linux/sysctl.h>
- #endif
- #ifndef CONFIG_NF_CONNTRACK_EVENTS
- /* No conntrack events in the kernel imply no natevents. */
--#undef CONFIG_NF_NAT_NEEDED
--#endif
--
--#ifndef NIPQUAD
--#define NIPQUAD(addr) \
-- ((unsigned char *)&addr)[0], \
-- ((unsigned char *)&addr)[1], \
-- ((unsigned char *)&addr)[2], \
-- ((unsigned char *)&addr)[3]
--#endif
--#ifndef HIPQUAD
--#if defined(__LITTLE_ENDIAN)
--#define HIPQUAD(addr) \
-- ((unsigned char *)&addr)[3], \
-- ((unsigned char *)&addr)[2], \
-- ((unsigned char *)&addr)[1], \
-- ((unsigned char *)&addr)[0]
--#elif defined(__BIG_ENDIAN)
--#define HIPQUAD NIPQUAD
--#else
--#error "Please fix asm/byteorder.h"
--#endif /* __LITTLE_ENDIAN */
--#endif
--
--#ifndef IPT_CONTINUE
--#define IPT_CONTINUE XT_CONTINUE
--#define ipt_target xt_target
-+# undef CONFIG_NF_NAT_NEEDED
- #endif
-
- #define IPT_NETFLOW_VERSION "2.1" /* Note that if you are using git, you
-@@ -339,7 +309,7 @@ static int metric = METRIC_DFL,
-
- static int set_hashsize(int new_size);
- static void destination_removeall(void);
--static int add_destinations(char *ptr);
-+static int add_destinations(const char *ptr);
- static int netflow_scan_and_export(int flush);
- enum {
- DONT_FLUSH, AND_FLUSH
-@@ -351,10 +321,6 @@ static int tpl_count = 0; /* how much active templates */
- static unsigned long ts_stat_last = 0; /* (jiffies) */
- static unsigned long ts_sysinf_last = 0; /* (jiffies) */
- static unsigned long ts_ifnames_last = 0; /* (jiffies) */
--#ifdef ENABLE_DEBUGFS
--static atomic_t freeze = ATOMIC_INIT(0);
--static struct dentry *flows_dump_d;
--#endif
-
- static inline __be32 bits2mask(int bits) {
- return (bits? 0xffffffff << (32 - bits) : 0);
-@@ -424,12 +390,6 @@ static inline void pause_scan_worker(void)
- _unschedule_scan_worker();
- }
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
--#define INIT_NET(x) x
--#else
--#define INIT_NET(x) init_net.x
--#endif
--
- #ifdef ENABLE_SAMPLER
- static inline unsigned char get_sampler_mode(void)
- {
-@@ -457,6 +417,55 @@ static inline unsigned short sampler_nf_v5(void)
- }
- #endif
-
-+/* return value is different from usual snprintf */
-+static char *snprintf_sockaddr(char *buf, size_t len, const struct sockaddr_storage *ss)
-+{
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,32)
-+ if (ss->ss_family == AF_INET) {
-+ const struct sockaddr_in *sin = (struct sockaddr_in *)ss;
-+
-+ snprintf(buf, len, "%u.%u.%u.%u:%u",
-+ NIPQUAD(sin->sin_addr.s_addr),
-+ ntohs(sin->sin_port));
-+ } else if (ss->ss_family == AF_INET6) {
-+ const struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
-+
-+ snprintf(buf, len, "[%x:%x:%x:%x:%x:%x:%x:%x]:%u",
-+ ntohs(sin6->sin6_addr.s6_addr16[0]),
-+ ntohs(sin6->sin6_addr.s6_addr16[1]),
-+ ntohs(sin6->sin6_addr.s6_addr16[2]),
-+ ntohs(sin6->sin6_addr.s6_addr16[3]),
-+ ntohs(sin6->sin6_addr.s6_addr16[4]),
-+ ntohs(sin6->sin6_addr.s6_addr16[5]),
-+ ntohs(sin6->sin6_addr.s6_addr16[6]),
-+ ntohs(sin6->sin6_addr.s6_addr16[7]),
-+ ntohs(sin6->sin6_port));
-+ } else
-+ snprintf(buf, len, "(invalid address)");
-+#elif LINUX_VERSION_CODE < KERNEL_VERSION(3,11,0)
-+ if (ss->ss_family == AF_INET)
-+ snprintf(buf, len, "%pI4:%u",
-+ &((const struct sockaddr_in *)ss)->sin_addr,
-+ ntohs(((const struct sockaddr_in *)ss)->sin_port));
-+ else if (ss->ss_family == AF_INET6)
-+ snprintf(buf, len, "[%pI6c]:%u",
-+ &((const struct sockaddr_in6 *)ss)->sin6_addr,
-+ ntohs(((const struct sockaddr_in6 *)ss)->sin6_port));
-+ else
-+ snprintf(buf, len, "(invalid address)");
-+#else
-+ snprintf(buf, len, "%pISpc", ss);
-+#endif
-+ return buf;
-+}
-+
-+static char *print_sockaddr(const struct sockaddr_storage *ss)
-+{
-+ static char buf[64];
-+
-+ return snprintf_sockaddr(buf, sizeof(buf), ss);
-+}
-+
- #ifdef CONFIG_PROC_FS
- static inline int ABS(int x) { return x >= 0 ? x : -x; }
- #define SAFEDIV(x,y) ((y)? ({ u64 __tmp = x; do_div(__tmp, y); (int)__tmp; }) : 0)
-@@ -561,10 +570,9 @@ static int snmp_seq_show(struct seq_file *seq, void *v)
-
- if (sndbuf_peak < wmem_peak)
- sndbuf_peak = wmem_peak;
-- seq_printf(seq, "sock%d %u.%u.%u.%u:%u %d %u %u %u %u",
-+ seq_printf(seq, "sock%d %s %d %u %u %u %u",
- snum,
-- HIPQUAD(usock->ipaddr),
-- usock->port,
-+ print_sockaddr(&usock->addr),
- !!usock->sock,
- usock->err_connect,
- usock->err_full,
-@@ -606,9 +614,6 @@ static int nf_seq_show(struct seq_file *seq, void *v)
- #ifdef ENABLE_AGGR
- " aggr"
- #endif
--#ifdef ENABLE_DEBUGFS
-- " debugfs"
--#endif
- #ifdef ENABLE_DIRECTION
- " dir"
- #endif
-@@ -623,6 +628,9 @@ static int nf_seq_show(struct seq_file *seq, void *v)
- #endif
- #ifdef ENABLE_PROMISC
- " promisc"
-+# ifdef PROMISC_MPLS
-+ "+mpls"
-+# endif
- #endif
- #ifdef ENABLE_SAMPLER
- " samp"
-@@ -808,10 +816,9 @@ static int nf_seq_show(struct seq_file *seq, void *v)
-
- mutex_lock(&sock_lock);
- list_for_each_entry(usock, &usock_list, list) {
-- seq_printf(seq, "sock%d: %u.%u.%u.%u:%u",
-+ seq_printf(seq, "sock%d: %s",
- snum,
-- HIPQUAD(usock->ipaddr),
-- usock->port);
-+ print_sockaddr(&usock->addr));
- if (usock->sock) {
- struct sock *sk = usock->sock->sk;
-
-@@ -902,110 +909,171 @@ static struct file_operations snmp_seq_fops = {
- .llseek = seq_lseek,
- .release = single_release,
- };
--#endif /* CONFIG_PROC_FS */
-
--#ifdef ENABLE_DEBUGFS
--static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout, const unsigned long jiff);
-+static inline int inactive_needs_export(const struct ipt_netflow *nf, const long i_timeout,
-+ const unsigned long jiff);
-+static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout,
-+ const unsigned long jiff);
- static inline u_int32_t hash_netflow(const struct ipt_netflow_tuple *tuple);
-
--static int seq_stripe = -1;
-+struct flows_dump_private {
-+ int pcache; /* pos */
-+ void *vcache; /* corresponding pointer for pos */
-+ int stripe; /* current stripe */
-+ struct list_head list; /* copy of stripe */
-+ int alloc_errors;
-+};
-+
-+/* deallocate copied stripe */
-+static void nf_free_stripe(struct list_head *list)
-+{
-+ struct ipt_netflow *cf, *tmp;
-+
-+ list_for_each_entry_safe(cf, tmp, list, flows_list) {
-+ kmem_cache_free(ipt_netflow_cachep, cf);
-+ }
-+ INIT_LIST_HEAD(list);
-+}
-+
-+/* quickly clone stripe into flows_dump_private then it can be walked slowly
-+ * and lockless */
-+static void __nf_copy_stripe(struct flows_dump_private *st, const struct list_head *list)
-+{
-+ const struct ipt_netflow *nf;
-+ struct ipt_netflow *cf;
-+
-+ nf_free_stripe(&st->list);
-+ list_for_each_entry(nf, list, flows_list) {
-+ cf = kmem_cache_alloc(ipt_netflow_cachep, GFP_ATOMIC);
-+ if (!cf) {
-+ st->alloc_errors++;
-+ continue;
-+ }
-+ memcpy(cf, nf, sizeof(*cf));
-+ list_add(&cf->flows_list, &st->list);
-+ }
-+}
-
--/* get first & next ipt_netflow list entry and lock it */
--static struct list_head *nf_get_first(int nstripe)
-+/* nstripe is desired stripe, in st->stripe will be recorded actual stripe used
-+ * (with empty stripes skipped), -1 is there is no valid stripes anymore,
-+ * return first element in stripe list or NULL */
-+static struct list_head *nf_get_stripe(struct flows_dump_private *st, int nstripe)
- {
-- /* no locking here since it's under global rwlock */
-+ read_lock_bh(&htable_rwlock);
- for (; nstripe < LOCK_COUNT; nstripe++) {
- struct stripe_entry *stripe = &htable_stripes[nstripe];
-
-+ spin_lock(&stripe->lock);
- if (!list_empty(&stripe->list)) {
-- seq_stripe = nstripe;
-- return stripe->list.next;
-+ st->stripe = nstripe;
-+ __nf_copy_stripe(st, &stripe->list);
-+ spin_unlock(&stripe->lock);
-+ read_unlock_bh(&htable_rwlock);
-+ return st->list.next;
- }
-+ spin_unlock(&stripe->lock);
- }
-- seq_stripe = -1;
-+ read_unlock_bh(&htable_rwlock);
-+ st->stripe = -1;
- return NULL;
- }
-
--static struct list_head *nf_get_next(struct list_head *head)
-+/* simply next element in flows list or NULL */
-+static struct list_head *nf_get_next(struct flows_dump_private *st, struct list_head *head)
- {
-- struct stripe_entry *stripe;
--
-- if (seq_stripe < 0)
-+ if (head == SEQ_START_TOKEN)
-+ return nf_get_stripe(st, 0);
-+ if (st->stripe < 0)
- return NULL;
-- stripe = &htable_stripes[seq_stripe];
-- head = head->next;
-- if (head != &stripe->list)
-- return head;
-- return nf_get_first(seq_stripe + 1);
-+ /* next element */
-+ if (!list_is_last(head, &st->list))
-+ return head->next;
-+ /* next bucket */
-+ return nf_get_stripe(st, st->stripe + 1);
- }
-
--static int seq_pcache;
--static void *seq_vcache;
-+/* seq_file could arbitrarily start/stop iteration as it feels need,
-+ * so, I try to cache things to (significantly) speed it up. */
- static void *flows_dump_seq_start(struct seq_file *seq, loff_t *pos)
- {
-+ struct flows_dump_private *st = seq->private;
- int ppos = *pos;
- struct list_head *lh;
-
- if (!ppos) {
-- seq_pcache = 0;
-- seq_vcache = nf_get_first(0);
-- return seq_vcache;
-- }
-- if (ppos >= seq_pcache) {
-- ppos -= seq_pcache;
-- lh = seq_vcache;
-- } else
-- lh = nf_get_first(0);
-+ /* first */
-+ st->pcache = 0;
-+ st->vcache = SEQ_START_TOKEN;
-+ return st->vcache;
-+ }
-+ if (ppos >= st->pcache) {
-+ /* can iterate forward */
-+ ppos -= st->pcache;
-+ lh = st->vcache;
-+ } else /* can't, start from 0 */
-+ lh = SEQ_START_TOKEN;
-+ /* iterate forward */
- while (ppos--)
-- lh = nf_get_next(lh);
-- seq_pcache = *pos;
-- seq_vcache = lh;
-- return seq_vcache;
-+ lh = nf_get_next(st, lh);
-+ st->pcache = *pos;
-+ st->vcache = lh;
-+ return st->vcache;
- }
-
- static void *flows_dump_seq_next(struct seq_file *seq, void *v, loff_t *pos)
- {
-- seq_pcache = ++*pos;
-- seq_vcache = nf_get_next((struct list_head *)v);
-- return seq_vcache;
-+ struct flows_dump_private *st = seq->private;
-+
-+ st->pcache = ++*pos;
-+ st->vcache = nf_get_next(st, (struct list_head *)v);
-+ return st->vcache;
- }
-
- static void flows_dump_seq_stop(struct seq_file *seq, void *v)
- {
- }
-
--static unsigned long dump_start; /* jiffies */
--static unsigned int dump_err;
- /* To view this: cat /sys/kernel/debug/netflow_dump */
- static int flows_dump_seq_show(struct seq_file *seq, void *v)
- {
-- struct ipt_netflow *nf = list_entry(v, struct ipt_netflow, flows_list);
-- long i_timeout = inactive_timeout * HZ;
-- long a_timeout = active_timeout * HZ;
-- int inactive = (jiffies - nf->nf_ts_last) >= i_timeout;
-- int active = active_needs_export(nf, a_timeout, dump_start);
-- u_int32_t hash = hash_netflow(&nf->tuple);
-+ struct flows_dump_private *st = seq->private;
-+ const long i_timeout = inactive_timeout * HZ;
-+ const long a_timeout = active_timeout * HZ;
-+ const struct ipt_netflow *nf;
-
-- if (seq_pcache == 0) {
-- unsigned int nr_flows = atomic_read(&ipt_netflow_count);
--
-- seq_printf(seq, "# Attention: netflow processing is disabled while dumping. (~%u flows)\n", nr_flows);
-+ if (v == SEQ_START_TOKEN) {
-+ seq_printf(seq, "# hash a dev:i,o"
-+#ifdef SNMP_RULES
-+ " snmp:i,o"
-+#endif
-+#ifdef ENABLE_MAC
-+ " mac:src,dst"
-+#endif
-+#ifdef ENABLE_VLAN
-+ " vlan"
-+#endif
-+#if defined(ENABLE_MAC) || defined(ENABLE_VLAN)
-+ " type"
-+#endif
-+ " proto src:ip,port dst:ip,port nexthop"
-+ " tos,tcpflags,options,tcpoptions"
-+ " packets bytes ts:first,last\n");
- return 0;
- }
-
-- seq_printf(seq, "%d %02x,%04x %02d",
-- seq_pcache,
-- seq_stripe,
-- hash,
-- inactive * 10 + active);
--#ifdef SNMP_RULES
-- seq_printf(seq, " %hd,%hd(%hd,%hd)",
-- nf->i_ifcr,
-- nf->o_ifcr,
-+ nf = list_entry(v, struct ipt_netflow, flows_list);
-+ seq_printf(seq, "%d %04x %x",
-+ st->pcache,
-+ hash_netflow(&nf->tuple),
-+ (!!inactive_needs_export(nf, i_timeout, jiffies)) |
-+ (active_needs_export(nf, a_timeout, jiffies) << 1));
-+ seq_printf(seq, " %hd,%hd",
- nf->tuple.i_ifc,
- nf->o_ifc);
--#else
-+#ifdef SNMP_RULES
- seq_printf(seq, " %hd,%hd",
-+ nf->i_ifcr,
-+ nf->o_ifcr,
- nf->tuple.i_ifc,
- nf->o_ifc);
- #endif
-@@ -1013,55 +1081,44 @@ static int flows_dump_seq_show(struct seq_file *seq, void *v)
- seq_printf(seq, " %pM,%pM", &nf->tuple.h_src, &nf->tuple.h_dst);
- #endif
- #ifdef ENABLE_VLAN
-- if (nf->tuple.tag1 || nf->tuple.tag2) {
-- seq_printf(seq, ",%d", ntohs(nf->tuple.tag1));
-- if (nf->tuple.tag2)
-- seq_printf(seq, ",%d", ntohs(nf->tuple.tag2));
-+ if (nf->tuple.tag[0]) {
-+ seq_printf(seq, " %d", ntohs(nf->tuple.tag[0]));
-+ if (nf->tuple.tag[1])
-+ seq_printf(seq, ",%d", ntohs(nf->tuple.tag[1]));
- }
- #endif
- #if defined(ENABLE_MAC) || defined(ENABLE_VLAN)
-- seq_printf(seq, " [%04x]", ntohs(nf->ethernetType));
-+ seq_printf(seq, " %04x", ntohs(nf->ethernetType));
- #endif
-- seq_printf(seq, " %u,%u ",
-- nf->tuple.l3proto,
-+ seq_printf(seq, " %u ",
- nf->tuple.protocol);
- if (nf->tuple.l3proto == AF_INET) {
-- seq_printf(seq, "%pI4n:%u,%pI4n:%u %pI4n",
-+ seq_printf(seq, "%pI4n,%u %pI4n,%u %pI4n",
- &nf->tuple.src,
- ntohs(nf->tuple.s_port),
- &nf->tuple.dst,
- ntohs(nf->tuple.d_port),
- &nf->nh);
-- /* sanity check */
-- if (nf->tuple.src.ip6[1] ||
-- nf->tuple.src.ip6[2] ||
-- nf->tuple.src.ip6[3])
-- seq_puts(seq, "error:src:garbage");
-- if (nf->tuple.dst.ip6[1] ||
-- nf->tuple.dst.ip6[2] ||
-- nf->tuple.dst.ip6[3])
-- seq_puts(seq, "error:dst:garbage");
- } else if (nf->tuple.l3proto == AF_INET6) {
-- seq_printf(seq, "%pI6c#%u,%pI6c#%u %pI6c",
-+ seq_printf(seq, "%pI6c,%u %pI6c,%u %pI6c",
- &nf->tuple.src,
- ntohs(nf->tuple.s_port),
- &nf->tuple.dst,
- ntohs(nf->tuple.d_port),
- &nf->nh);
- } else {
-- seq_puts(seq, "error:l3proto:unknown");
-+ seq_puts(seq, "?,? ?,? ?");
- }
- seq_printf(seq, " %x,%x,%x,%x",
- nf->tuple.tos,
- nf->tcp_flags,
- nf->options,
- nf->tcpoptions);
-- seq_printf(seq, " %d,%d %lu,%lu\n",
-+ seq_printf(seq, " %u %u %lu,%lu\n",
- nf->nr_packets,
- nf->nr_bytes,
- jiffies - nf->nf_ts_first,
-- jiffies - nf->nf_ts_last
-- );
-+ jiffies - nf->nf_ts_last);
-
- return 0;
- }
-@@ -1073,67 +1130,54 @@ static struct seq_operations flows_dump_seq_ops = {
- .stop = flows_dump_seq_stop,
- };
-
--static int flows_dump_open(struct inode *inode, struct file *file)
-+static int flows_seq_open(struct inode *inode, struct file *file)
- {
-- int ret;
-+ struct flows_dump_private *st;
- char *buf;
-+ const size_t size = 4 * PAGE_SIZE;
-
-- if (atomic_inc_return(&freeze) > 1) {
-- /* do not let concurrent dumps. */
-- atomic_dec(&freeze);
-- return -EAGAIN;
-- }
-- buf = kmalloc(KMALLOC_MAX_SIZE, GFP_KERNEL);
-- if (!buf) {
-- atomic_dec(&freeze);
-+ buf = kmalloc(size, GFP_KERNEL);
-+ if (!buf)
- return -ENOMEM;
-- }
-- pause_scan_worker();
-- synchronize_sched();
-- /* write_lock to be sure that softirq is finished */
-- write_lock(&htable_rwlock);
--
-- dump_start = jiffies;
-- dump_err = NETFLOW_STAT_READ(freeze_err);
-
-- ret = seq_open(file, &flows_dump_seq_ops);
-- if (ret) {
-- write_unlock(&htable_rwlock);
-- cont_scan_worker();
-+ st = __seq_open_private(file, &flows_dump_seq_ops, sizeof(struct flows_dump_private));
-+ if (!st) {
- kfree(buf);
-- atomic_dec(&freeze);
-- return ret;
-+ return -ENOMEM;
- }
-+ INIT_LIST_HEAD(&st->list);
-+ /* speed up seq interface with bigger buffer */
- ((struct seq_file *)file->private_data)->buf = buf;
-- ((struct seq_file *)file->private_data)->size = KMALLOC_MAX_SIZE;
-+ ((struct seq_file *)file->private_data)->size = size;
- return 0;
-
- }
--static int flows_dump_release(struct inode *inode, struct file *file)
-+static int flows_seq_release(struct inode *inode, struct file *file)
- {
-- seq_stripe = -1;
-- write_unlock(&htable_rwlock);
-- cont_scan_worker();
-- atomic_dec(&freeze);
-+ struct seq_file *seq = file->private_data;
-+ struct flows_dump_private *st = seq->private;
-
-- printk(KERN_INFO "ipt_NETFLOW: dump finished in %lu/%lu sec, dropped %u packets.\n",
-- jiffies - dump_start,
-- msecs_to_jiffies(1000),
-- NETFLOW_STAT_READ(freeze_err) - dump_err);
-- return seq_release(inode, file);
-+ nf_free_stripe(&st->list);
-+ if (st->alloc_errors)
-+ printk(KERN_INFO "ipt_NETFLOW: alloc_errors %d\n", st->alloc_errors);
-+ return seq_release_private(inode, file);
- }
-
--static const struct file_operations flows_dump_fops = {
-+static struct file_operations flows_seq_fops = {
- .owner = THIS_MODULE,
-- .open = flows_dump_open,
-+ .open = flows_seq_open,
- .read = seq_read,
- .llseek = seq_lseek,
-- .release = flows_dump_release,
-+ .release = flows_seq_release,
- };
--#endif /* ENABLE_DEBUGFS */
-+#endif /* CONFIG_PROC_FS */
-
- #ifdef ENABLE_PROMISC
--static int promisc_finish(struct sk_buff *skb)
-+static int promisc_finish(
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,1,0)
-+ struct sock *sk,
-+#endif
-+ struct sk_buff *skb)
- {
- /* don't pass to the routing */
- kfree_skb(skb);
-@@ -1145,16 +1189,8 @@ static int promisc4_rcv(struct sk_buff *skb, struct net_device *dev, struct pack
- const struct iphdr *iph;
- u32 len;
-
-- /* what is not PACKET_OTHERHOST will be parsed at ip_rcv() */
-- if (skb->pkt_type != PACKET_OTHERHOST)
-- goto out;
--
-- NETFLOW_STAT_INC(pkt_promisc);
--
- /* clone skb and do basic IPv4 sanity checking and preparations
- * for L3, this is quick and dirty version of ip_rcv() */
-- if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
-- goto drop;
- if (!pskb_may_pull(skb, sizeof(struct iphdr)))
- goto drop;
- iph = ip_hdr(skb);
-@@ -1176,10 +1212,10 @@ static int promisc4_rcv(struct sk_buff *skb, struct net_device *dev, struct pack
- memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
- skb_orphan(skb);
-
-- return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL, promisc_finish);
-+ return NF_HOOK_COMPAT(NFPROTO_IPV4, NF_INET_PRE_ROUTING, NULL,
-+ skb, dev, NULL, promisc_finish);
- drop:
- NETFLOW_STAT_INC(pkt_promisc_drop);
--out:
- kfree_skb(skb);
- return NET_RX_DROP;
- }
-@@ -1190,18 +1226,11 @@ static int promisc6_rcv(struct sk_buff *skb, struct net_device *dev, struct pack
- u32 pkt_len;
- struct inet6_dev *idev;
-
-- /* what is not PACKET_OTHERHOST will be parsed at ipv6_rcv() */
-- if (skb->pkt_type != PACKET_OTHERHOST)
-- goto out;
--
-- NETFLOW_STAT_INC(pkt_promisc);
--
- /* quick and dirty version of ipv6_rcv(), basic sanity checking
- * and preparation of skb for later processing */
- rcu_read_lock();
- idev = __in6_dev_get(skb->dev);
-- if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL ||
-- !idev || unlikely(idev->cnf.disable_ipv6))
-+ if (!idev || unlikely(idev->cnf.disable_ipv6))
- goto drop;
- memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
- IP6CB(skb)->iif = skb_dst(skb) ? ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex;
-@@ -1252,22 +1281,127 @@ static int promisc6_rcv(struct sk_buff *skb, struct net_device *dev, struct pack
- rcu_read_unlock();
- skb_orphan(skb);
-
-- return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, dev, NULL, promisc_finish);
-+ return NF_HOOK_COMPAT(NFPROTO_IPV6, NF_INET_PRE_ROUTING, NULL,
-+ skb, dev, NULL, promisc_finish);
- drop:
- rcu_read_unlock();
- NETFLOW_STAT_INC(pkt_promisc_drop);
--out:
- kfree_skb(skb);
- return NET_RX_DROP;
- }
-
--static struct packet_type promisc4_packet_type __read_mostly = {
-- .type = htons(ETH_P_IP),
-- .func = promisc4_rcv,
--};
--static struct packet_type promisc6_packet_type __read_mostly = {
-- .type = htons(ETH_P_IPV6),
-- .func = promisc6_rcv,
-+/* source is skb_network_protocol() and __vlan_get_protocol() */
-+static __be16 __skb_network_protocol(struct sk_buff *skb, int *depth)
-+{
-+ __be16 type = skb->protocol;
-+ unsigned int vlan_depth;
-+
-+ if (type == htons(ETH_P_TEB)) {
-+ struct ethhdr *eth;
-+
-+ if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
-+ return 0;
-+
-+ eth = (struct ethhdr *)skb_mac_header(skb);
-+ type = eth->h_proto;
-+ }
-+
-+ vlan_depth = skb->mac_len;
-+ if (type == htons(ETH_P_8021Q) || type == htons(ETH_P_8021AD)) {
-+ if (vlan_depth) {
-+ if (WARN_ON(vlan_depth < VLAN_HLEN))
-+ return 0;
-+ vlan_depth -= VLAN_HLEN;
-+ } else {
-+ vlan_depth = ETH_HLEN;
-+ }
-+ do {
-+ struct vlan_hdr *vh;
-+
-+ if (unlikely(!pskb_may_pull(skb, vlan_depth + VLAN_HLEN)))
-+ return 0;
-+
-+ vh = (struct vlan_hdr *)(skb->data + vlan_depth);
-+ type = vh->h_vlan_encapsulated_proto;
-+ vlan_depth += VLAN_HLEN;
-+ } while (type == htons(ETH_P_8021Q) ||
-+ type == htons(ETH_P_8021AD));
-+ }
-+
-+ *depth = vlan_depth;
-+
-+ return type;
-+}
-+
-+static int promisc_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
-+{
-+ /* what is not PACKET_OTHERHOST will be processed normally */
-+ if (skb->pkt_type != PACKET_OTHERHOST)
-+ goto out;
-+
-+ NETFLOW_STAT_INC(pkt_promisc);
-+
-+ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
-+ goto drop;
-+
-+ /* Note about vlans:
-+ * - older kernels will pass raw packet;
-+ * - newer kernes (since 3.0) will have one vlan tag
-+ * physically stripped out of the packet, and it will
-+ * be saved into skb->vlan_tci. skb->protocol will be
-+ * untagged etherType. */
-+
-+ if (skb->protocol == cpu_to_be16(ETH_P_8021Q) ||
-+ skb->protocol == cpu_to_be16(ETH_P_8021AD)) {
-+ int vlan_depth = skb->mac_len;
-+
-+ skb_push(skb, skb->data - skb_mac_header(skb));
-+ skb->protocol = __skb_network_protocol(skb, &vlan_depth);
-+ skb_pull(skb, vlan_depth);
-+
-+ skb_reset_network_header(skb);
-+ skb_reset_mac_len(skb);
-+ }
-+# ifdef PROMISC_MPLS
-+ if (eth_p_mpls(skb->protocol)) {
-+ size_t stack_len = 0;
-+ const struct mpls_label *mpls;
-+
-+ do {
-+ stack_len += MPLS_HLEN;
-+ if (unlikely(!pskb_may_pull(skb, stack_len)))
-+ goto drop;
-+ mpls = (struct mpls_label *)(skb->data + stack_len - MPLS_HLEN);
-+ } while (!(mpls->entry & htonl(MPLS_LS_S_MASK)));
-+
-+ skb_pull(skb, stack_len);
-+ skb_reset_network_header(skb);
-+
-+ if (!pskb_may_pull(skb, 1))
-+ goto drop;
-+ switch (ip_hdr(skb)->version) {
-+ case 4: skb->protocol = htons(ETH_P_IP); break;
-+ case 6: skb->protocol = htons(ETH_P_IPV6); break;
-+ default: goto drop;
-+ }
-+ }
-+# endif
-+ switch (skb->protocol) {
-+ case htons(ETH_P_IP):
-+ return promisc4_rcv(skb, dev, pt, orig_dev);
-+ case htons(ETH_P_IPV6):
-+ return promisc6_rcv(skb, dev, pt, orig_dev);
-+ }
-+drop:
-+ NETFLOW_STAT_INC(pkt_promisc_drop);
-+out:
-+ kfree_skb(skb);
-+ return 0;
-+}
-+
-+static struct packet_type promisc_packet_type __read_mostly = {
-+ .type = htons(ETH_P_ALL),
-+ .func = promisc_rcv,
- };
-
- /* should not have promisc passed as parameter */
-@@ -1277,13 +1411,10 @@ static int switch_promisc(int newpromisc)
- mutex_lock(&promisc_lock);
- if (newpromisc == promisc)
- goto unlock;
-- if (newpromisc) {
-- dev_add_pack(&promisc4_packet_type);
-- dev_add_pack(&promisc6_packet_type);
-- } else {
-- dev_remove_pack(&promisc4_packet_type);
-- dev_remove_pack(&promisc6_packet_type);
-- }
-+ if (newpromisc)
-+ dev_add_pack(&promisc_packet_type);
-+ else
-+ dev_remove_pack(&promisc_packet_type);
- printk(KERN_INFO "ipt_NETFLOW: promisc hack is %s\n",
- newpromisc? "enabled" : "disabled");
- promisc = newpromisc;
-@@ -1294,21 +1425,6 @@ unlock:
- #endif
-
- #ifdef CONFIG_SYSCTL
--
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,32)
--#define BEFORE2632(x,y) x,y
--#else /* since 2.6.32 */
--#define BEFORE2632(x,y)
--#endif
--
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,17,0)
--#define ctl_table struct ctl_table
--#endif
--
--#ifndef CONFIG_GRKERNSEC
--#define ctl_table_no_const ctl_table
--#endif
--
- /* sysctl /proc/sys/net/netflow */
- static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
- void __user *buffer, size_t *lenp, loff_t *fpos)
-@@ -1753,30 +1869,25 @@ static void sk_error_report(struct sock *sk)
- return;
- }
-
--static struct socket *usock_open_sock(const __be32 ipaddr, const unsigned short port, void *u)
-+static struct socket *usock_open_sock(const struct sockaddr_storage *addr, void *user_data)
- {
-- struct sockaddr_in sin;
- struct socket *sock;
- int error;
-
-- if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
-+ if ((error = sock_create_kern(addr->ss_family, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
- printk(KERN_ERR "ipt_NETFLOW: sock_create_kern error %d\n", -error);
- return NULL;
- }
- sock->sk->sk_allocation = GFP_ATOMIC;
- sock->sk->sk_prot->unhash(sock->sk); /* hidden from input */
- sock->sk->sk_error_report = &sk_error_report; /* clear ECONNREFUSED */
-- sock->sk->sk_user_data = u;
-+ sock->sk->sk_user_data = user_data; /* usock */
- if (sndbuf)
- sock->sk->sk_sndbuf = sndbuf;
- else
- sndbuf = sock->sk->sk_sndbuf;
-- memset(&sin, 0, sizeof(sin));
-- sin.sin_family = AF_INET;
-- sin.sin_addr.s_addr = htonl(ipaddr);
-- sin.sin_port = htons(port);
-- if ((error = sock->ops->connect(sock, (struct sockaddr *)&sin,
-- sizeof(sin), 0)) < 0) {
-+ error = sock->ops->connect(sock, (struct sockaddr *)addr, sizeof(*addr), 0);
-+ if (error < 0) {
- printk(KERN_ERR "ipt_NETFLOW: error connecting UDP socket %d,"
- " don't worry, will try reconnect later.\n", -error);
- /* ENETUNREACH when no interfaces */
-@@ -1788,18 +1899,16 @@ static struct socket *usock_open_sock(const __be32 ipaddr, const unsigned short
-
- static void usock_connect(struct ipt_netflow_sock *usock, const int sendmsg)
- {
-- usock->sock = usock_open_sock(usock->ipaddr, usock->port, usock);
-+ usock->sock = usock_open_sock(&usock->addr, usock);
- if (usock->sock) {
- if (sendmsg || debug)
-- printk(KERN_INFO "ipt_NETFLOW: connected %u.%u.%u.%u:%u\n",
-- HIPQUAD(usock->ipaddr),
-- usock->port);
-+ printk(KERN_INFO "ipt_NETFLOW: connected %s\n",
-+ print_sockaddr(&usock->addr));
- } else {
- usock->err_connect++;
- if (debug)
-- printk(KERN_INFO "ipt_NETFLOW: connect to %u.%u.%u.%u:%u failed%s.\n",
-- HIPQUAD(usock->ipaddr),
-- usock->port,
-+ printk(KERN_INFO "ipt_NETFLOW: connect to %s failed%s.\n",
-+ print_sockaddr(&usock->addr),
- (sendmsg)? " (pdu lost)" : "");
- }
- atomic_set(&usock->wmem_peak, 0);
-@@ -1888,9 +1997,8 @@ static void netflow_sendmsg(void *buffer, const int len)
-
- static void usock_close_free(struct ipt_netflow_sock *usock)
- {
-- printk(KERN_INFO "ipt_NETFLOW: removed destination %u.%u.%u.%u:%u\n",
-- HIPQUAD(usock->ipaddr),
-- usock->port);
-+ printk(KERN_INFO "ipt_NETFLOW: removed destination %s\n",
-+ print_sockaddr(&usock->addr));
- usock_close(usock);
- vfree(usock);
- }
-@@ -1917,17 +2025,15 @@ static void add_usock(struct ipt_netflow_sock *usock)
- mutex_lock(&sock_lock);
- /* don't need duplicated sockets */
- list_for_each_entry(sk, &usock_list, list) {
-- if (sk->ipaddr == usock->ipaddr &&
-- sk->port == usock->port) {
-+ if (sockaddr_cmp(&sk->addr, &usock->addr)) {
- mutex_unlock(&sock_lock);
- usock_close_free(usock);
- return;
- }
- }
- list_add_tail(&usock->list, &usock_list);
-- printk(KERN_INFO "ipt_NETFLOW: added destination %u.%u.%u.%u:%u%s\n",
-- HIPQUAD(usock->ipaddr),
-- usock->port,
-+ printk(KERN_INFO "ipt_NETFLOW: added destination %s%s\n",
-+ print_sockaddr(&usock->addr),
- (!usock->sock)? " (unconnected)" : "");
- mutex_unlock(&sock_lock);
- }
-@@ -2105,33 +2211,76 @@ static inline int resolve_snmp(const struct net_device *ifc)
- }
- #endif /* SNMP_RULES */
-
-+/* count how much character c is in the string */
-+static size_t strncount(const char *s, size_t count, int c)
-+{
-+ size_t amount = 0;
-+
-+ for (; count-- && *s != '\0'; ++s)
-+ if (*s == (char)c)
-+ ++amount;
-+ return amount;
-+}
-+
- #define SEPARATORS " ,;\t\n"
--static int add_destinations(char *ptr)
-+static int add_destinations(const char *ptr)
- {
-- while (ptr) {
-- unsigned char ip[4];
-- unsigned short port;
-+ int len;
-
-- ptr += strspn(ptr, SEPARATORS);
-+ for (; ptr; ptr += len) {
-+ struct sockaddr_storage ss;
-+ struct ipt_netflow_sock *usock;
-+ const char *end;
-+ int succ = 0;
-
-- if (sscanf(ptr, "%hhu.%hhu.%hhu.%hhu:%hu",
-- ip, ip + 1, ip + 2, ip + 3, &port) == 5) {
-- struct ipt_netflow_sock *usock;
-+ /* skip initial separators */
-+ ptr += strspn(ptr, SEPARATORS);
-
-- if (!(usock = vmalloc(sizeof(*usock)))) {
-- printk(KERN_ERR "ipt_NETFLOW: can't vmalloc socket\n");
-- return -ENOMEM;
-+ len = strcspn(ptr, SEPARATORS);
-+ if (!len)
-+ break;
-+ memset(&ss, 0, sizeof(ss));
-+
-+ if (strncount(ptr, len, ':') >= 2) {
-+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
-+ const char *c = ptr;
-+ int clen = len;
-+
-+ sin6->sin6_family = AF_INET6;
-+ sin6->sin6_port = htons(2055);
-+ if (*c == '[') {
-+ ++c;
-+ --clen;
- }
-+ succ = in6_pton(c, clen, (u8 *)&sin6->sin6_addr, -1, &end);
-+ if (succ && *ptr == '[' && *end == ']')
-+ ++end;
-+ if (succ &&
-+ (*end == ':' || *end == '.' || *end == 'p' || *end == '#'))
-+ sin6->sin6_port = htons(simple_strtoul(++end, NULL, 0));
-+ } else {
-+ struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
-
-- memset(usock, 0, sizeof(*usock));
-- usock->ipaddr = ntohl(*(__be32 *)ip);
-- usock->port = port;
-- usock_connect(usock, 0);
-- add_usock(usock);
-- } else
-- break;
-+ sin->sin_family = AF_INET;
-+ sin->sin_port = htons(2055);
-+ succ = in4_pton(ptr, len, (u8 *)&sin->sin_addr, -1, &end);
-+ if (succ && *end == ':')
-+ sin->sin_port = htons(simple_strtoul(++end, NULL, 0));
-+ }
-+ if (!succ) {
-+ printk(KERN_ERR "ipt_NETFLOW: can't parse destination: %.*s\n",
-+ len, ptr);
-+ continue;
-+ }
-
-- ptr = strpbrk(ptr, SEPARATORS);
-+ if (!(usock = vmalloc(sizeof(*usock)))) {
-+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc socket\n");
-+ return -ENOMEM;
-+ }
-+ memset(usock, 0, sizeof(*usock));
-+ usock->addr = ss;
-+ usock_connect(usock, 0);
-+ add_usock(usock);
- }
- return 0;
- }
-@@ -2246,12 +2395,7 @@ ipt_netflow_find(const struct ipt_netflow_tuple *tuple, const unsigned int hash)
- {
- struct ipt_netflow *nf;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
--#define compat_hlist_for_each_entry hlist_for_each_entry
--#define compat_hlist_for_each_entry_safe hlist_for_each_entry_safe
- struct hlist_node *pos;
--#else /* since 3.9.0 */
--#define compat_hlist_for_each_entry(a,pos,c,d) hlist_for_each_entry(a,c,d)
--#define compat_hlist_for_each_entry_safe(a,pos,c,d,e) hlist_for_each_entry_safe(a,c,d,e)
- #endif
-
- compat_hlist_for_each_entry(nf, pos, &htable[hash], hlist) {
-@@ -2529,7 +2673,7 @@ static inline void pdu_rewind_space(const size_t size)
- /* allocate data space in pdu, or export (reallocate) and fail. */
- static inline unsigned char *pdu_alloc_fail_export(const size_t size)
- {
-- if (!pdu_have_space(size)) {
-+ if (unlikely(!pdu_have_space(size))) {
- netflow_export_pdu();
- return NULL;
- }
-@@ -2585,6 +2729,7 @@ struct base_template {
- #define BTPL_DIRECTION 0x00200000 /* flowDirection */
- #define BTPL_SAMPLERID 0x00400000 /* samplerId (v9) */
- #define BTPL_SELECTORID 0x00800000 /* selectorId (IPFIX) */
-+#define BTPL_MPLS 0x01000000 /* MPLS stack */
- #define BTPL_OPTION 0x80000000 /* Options Template */
- #define BTPL_MAX 32
- /* Options Templates */
-@@ -2604,6 +2749,10 @@ static struct base_template template_base_9 = {
- .types = {
- INPUT_SNMP,
- OUTPUT_SNMP,
-+#ifdef ENABLE_PHYSDEV
-+ ingressPhysicalInterface,
-+ egressPhysicalInterface,
-+#endif
- IN_PKTS,
- IN_BYTES,
- FIRST_SWITCHED,
-@@ -2617,12 +2766,17 @@ static struct base_template template_base_ipfix = {
- .types = {
- ingressInterface,
- egressInterface,
-+#ifdef ENABLE_PHYSDEV
-+ ingressPhysicalInterface,
-+ egressPhysicalInterface,
-+#endif
- packetDeltaCount,
- octetDeltaCount,
- flowStartMilliseconds,
- flowEndMilliseconds,
- protocolIdentifier,
- ipClassOfService,
-+ flowEndReason,
- 0
- }
- };
-@@ -2660,6 +2814,27 @@ static struct base_template template_vlan_inner = {
- }
- };
- #endif
-+#ifdef MPLS_DEPTH
-+static struct base_template template_mpls = {
-+ .types = {
-+ mplsTopLabelTTL,
-+ /* do not just add element here, becasue this array
-+ * is truncated in ipt_netflow_init() */
-+#define MPLS_LABELS_BASE_INDEX 1
-+ MPLS_LABEL_1,
-+ MPLS_LABEL_2,
-+ MPLS_LABEL_3,
-+ MPLS_LABEL_4,
-+ MPLS_LABEL_5,
-+ MPLS_LABEL_6,
-+ MPLS_LABEL_7,
-+ MPLS_LABEL_8,
-+ MPLS_LABEL_9,
-+ MPLS_LABEL_10,
-+ 0
-+ }
-+};
-+#endif
- #ifdef ENABLE_DIRECTION
- static struct base_template template_direction = {
- .types = { DIRECTION, 0 }
-@@ -3026,6 +3201,10 @@ static struct data_template *get_template(const unsigned int tmask)
- if (tmask & BTPL_ETHERTYPE)
- tlist[tnum++] = &template_ethertype;
- #endif
-+#ifdef MPLS_DEPTH
-+ if (tmask & BTPL_MPLS)
-+ tlist[tnum++] = &template_mpls;
-+#endif
- #ifdef ENABLE_DIRECTION
- if (tmask & BTPL_DIRECTION)
- tlist[tnum++] = &template_direction;
-@@ -3176,23 +3355,6 @@ static void pdu_add_template(struct data_template *tpl)
- pdu_tpl_records++;
- }
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
--static inline s64 portable_ktime_to_ms(const ktime_t kt)
--{
-- struct timeval tv = ktime_to_timeval(kt);
-- return (s64) tv.tv_sec * MSEC_PER_SEC + tv.tv_usec / USEC_PER_MSEC;
--}
--#define ktime_to_ms portable_ktime_to_ms
--#endif
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
--static inline s64 portable_ktime_to_us(const ktime_t kt)
--{
-- struct timeval tv = ktime_to_timeval(kt);
-- return (s64) tv.tv_sec * USEC_PER_SEC + tv.tv_usec;
--}
--#define ktime_to_us portable_ktime_to_us
--#endif
--
- #ifdef ENABLE_DIRECTION
- static inline __u8 hook2dir(const __u8 hooknum)
- {
-@@ -3209,21 +3371,6 @@ static inline __u8 hook2dir(const __u8 hooknum)
- }
- #endif
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
--static inline void put_unaligned_be16(u16 val, void *p)
--{
-- put_unaligned(cpu_to_be16(val), (__be16 *)p);
--}
--static inline void put_unaligned_be32(u32 val, void *p)
--{
-- put_unaligned(cpu_to_be32(val), (__be32 *)p);
--}
--static inline void put_unaligned_be64(u64 val, void *p)
--{
-- put_unaligned(cpu_to_be64(val), (__be64 *)p);
--}
--#endif
--
- static inline void put_unaligned_be24(u32 val, unsigned char *p)
- {
- *p++ = val >> 16;
-@@ -3260,9 +3407,6 @@ static inline s64 jiffies_to_ms_abs(unsigned long j)
- return jiffies_base.ms + (s64)jiffies_to_msecs(-jdiff);
- }
-
--#ifndef WARN_ONCE
--#define WARN_ONCE(x,fmt...) ({ if (x) printk(KERN_WARNING fmt); })
--#endif
- typedef struct in6_addr in6_t;
- /* encode one field (data records only) */
- static inline void add_tpl_field(__u8 *ptr, const int type, const struct ipt_netflow *nf)
-@@ -3286,14 +3430,20 @@ static inline void add_tpl_field(__u8 *ptr, const int type, const struct ipt_net
- case INPUT_SNMP: put_unaligned_be16(nf->tuple.i_ifc, ptr); break;
- case OUTPUT_SNMP: put_unaligned_be16(nf->o_ifc, ptr); break;
- #endif
-+#ifdef ENABLE_PHYSDEV
-+ case ingressPhysicalInterface:
-+ put_unaligned_be16(nf->i_ifphys, ptr); break;
-+ case egressPhysicalInterface:
-+ put_unaligned_be16(nf->o_ifphys, ptr); break;
-+#endif
- #ifdef ENABLE_VLAN
- #define EXTRACT_VLAN_PRIO(tag) ((ntohs(tag) & VLAN_PRIO_MASK) >> VLAN_PRIO_SHIFT)
- case SRC_VLAN:
-- case dot1qVlanId: put_unaligned(nf->tuple.tag1 & htons(VLAN_VID_MASK), (__be16 *)ptr); break;
-- case dot1qPriority: *ptr = EXTRACT_VLAN_PRIO(nf->tuple.tag1); break;
-+ case dot1qVlanId: put_unaligned(nf->tuple.tag[0] & htons(VLAN_VID_MASK), (__be16 *)ptr); break;
-+ case dot1qPriority: *ptr = EXTRACT_VLAN_PRIO(nf->tuple.tag[0]); break;
- case dot1qCustomerVlanId:
-- put_unaligned(nf->tuple.tag2 & htons(VLAN_VID_MASK), (__be16 *)ptr); break;
-- case dot1qCustomerPriority: *ptr = EXTRACT_VLAN_PRIO(nf->tuple.tag2); break;
-+ put_unaligned(nf->tuple.tag[1] & htons(VLAN_VID_MASK), (__be16 *)ptr); break;
-+ case dot1qCustomerPriority: *ptr = EXTRACT_VLAN_PRIO(nf->tuple.tag[1]); break;
- #endif
- #if defined(ENABLE_MAC) || defined(ENABLE_VLAN)
- case ethernetType: put_unaligned(nf->ethernetType, (__be16 *)ptr); break;
-@@ -3302,6 +3452,21 @@ static inline void add_tpl_field(__u8 *ptr, const int type, const struct ipt_net
- case destinationMacAddress: memcpy(ptr, &nf->tuple.h_dst, ETH_ALEN); break;
- case sourceMacAddress: memcpy(ptr, &nf->tuple.h_src, ETH_ALEN); break;
- #endif
-+#ifdef MPLS_DEPTH
-+ case MPLS_LABEL_1: memcpy(ptr, &nf->tuple.mpls[0], 3); break;
-+ case MPLS_LABEL_2: memcpy(ptr, &nf->tuple.mpls[1], 3); break;
-+ case MPLS_LABEL_3: memcpy(ptr, &nf->tuple.mpls[2], 3); break;
-+# if MPLS_DEPTH > 3
-+ case MPLS_LABEL_4: memcpy(ptr, &nf->tuple.mpls[3], 3); break;
-+ case MPLS_LABEL_5: memcpy(ptr, &nf->tuple.mpls[4], 3); break;
-+ case MPLS_LABEL_6: memcpy(ptr, &nf->tuple.mpls[5], 3); break;
-+ case MPLS_LABEL_7: memcpy(ptr, &nf->tuple.mpls[6], 3); break;
-+ case MPLS_LABEL_8: memcpy(ptr, &nf->tuple.mpls[7], 3); break;
-+ case MPLS_LABEL_9: memcpy(ptr, &nf->tuple.mpls[8], 3); break;
-+ case MPLS_LABEL_10: memcpy(ptr, &nf->tuple.mpls[9], 3); break;
-+# endif
-+ case mplsTopLabelTTL: *ptr = ntohl(nf->tuple.mpls[0]); break;
-+#endif
- #ifdef ENABLE_DIRECTION
- case DIRECTION: *ptr = hook2dir(nf->hooknumx - 1); break;
- #endif
-@@ -3321,6 +3486,7 @@ static inline void add_tpl_field(__u8 *ptr, const int type, const struct ipt_net
- case icmpTypeCodeIPv4: /*FALLTHROUGH*/
- case icmpTypeCodeIPv6: put_unaligned(nf->tuple.d_port, (__be16 *)ptr); break;
- case MUL_IGMP_TYPE: *ptr = nf->tuple.d_port; break;
-+ case flowEndReason: *ptr = nf->flowEndReason; break;
- #ifdef CONFIG_NF_NAT_NEEDED
- case postNATSourceIPv4Address: put_unaligned(nf->nat->post.s_addr, (__be32 *)ptr); break;
- case postNATDestinationIPv4Address: put_unaligned(nf->nat->post.d_addr, (__be32 *)ptr); break;
-@@ -3363,18 +3529,6 @@ static inline unsigned long timeout_rate_j(void)
- return t_rate_j;
- }
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
--#define IPPROTO_UDPLITE 136
--#endif
--
--#ifndef time_is_before_jiffies
--#define time_is_before_jiffies(a) time_after(jiffies, a)
--#endif
--#ifndef time_is_after_jiffies
--#define time_is_after_jiffies(a) time_before(jiffies, a)
--#endif
--
--
- /* return buffer where to write records data */
- static unsigned char *alloc_record_tpl(struct data_template *tpl)
- {
-@@ -3382,9 +3536,9 @@ static unsigned char *alloc_record_tpl(struct data_template *tpl)
-
- /* If previous write was to the same template and there is room, then we just add new record,
- * otherwise we (re)allocate flowset (and/or whole pdu). */
-- if (unlikely(!pdu_flowset ||
-+ if (!pdu_flowset ||
- pdu_flowset->flowset_id != tpl->template_id_n ||
-- !(ptr = pdu_alloc_fail_export(tpl->rec_size)))) {
-+ !(ptr = pdu_alloc_fail_export(tpl->rec_size))) {
-
- /* if there was previous data template we should pad it to 4 bytes */
- if (pdu_flowset) {
-@@ -3427,18 +3581,6 @@ static unsigned char *alloc_record_key(const unsigned int t_key, struct data_tem
- return alloc_record_tpl(tpl);
- }
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(3,14,0)
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
--#define prandom_u32 get_random_int
--#elif LINUX_VERSION_CODE < KERNEL_VERSION(3,8,0)
--#define prandom_u32 random32
--#endif
--static inline u32 prandom_u32_max(u32 ep_ro)
--{
-- return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
--}
--#endif
--
- static void netflow_export_flow_tpl(struct ipt_netflow *nf)
- {
- unsigned char *ptr;
-@@ -3497,12 +3639,12 @@ static void netflow_export_flow_tpl(struct ipt_netflow *nf)
- tpl_mask |= BTPL_MAC;
- #endif
- #ifdef ENABLE_VLAN
-- if (nf->tuple.tag1) {
-+ if (nf->tuple.tag[0]) {
- if (protocol == 9)
- tpl_mask |= BTPL_VLAN9;
- else {
- tpl_mask |= BTPL_VLANX;
-- if (nf->tuple.tag2)
-+ if (nf->tuple.tag[1])
- tpl_mask |= BTPL_VLANI;
- }
- }
-@@ -3511,6 +3653,10 @@ static void netflow_export_flow_tpl(struct ipt_netflow *nf)
- if (nf->ethernetType)
- tpl_mask |= BTPL_ETHERTYPE;
- #endif
-+#ifdef MPLS_DEPTH
-+ if (nf->tuple.mpls[0])
-+ tpl_mask |= BTPL_MPLS;
-+#endif
- #ifdef ENABLE_DIRECTION
- if (nf->hooknumx)
- tpl_mask |= BTPL_DIRECTION;
-@@ -3657,13 +3803,6 @@ static inline void export_stat(const unsigned int tpl_mask)
- export_stat_st(tpl_mask, NULL);
- }
-
--#ifndef min_not_zero
--#define min_not_zero(x, y) ({ \
-- typeof(x) __x = (x); \
-- typeof(y) __y = (y); \
-- __x == 0 ? __y : ((__y == 0) ? __x : min(__x, __y)); })
--#endif
--
- static void netflow_export_stats(void)
- {
- struct ipt_netflow_stat t = { 0 };
-@@ -3748,20 +3887,6 @@ static void export_sampler_parameters(void)
- }
- #endif
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
--int __ethtool_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
--{
-- ASSERT_RTNL();
--
-- if (!dev->ethtool_ops->get_settings)
-- return -EOPNOTSUPP;
--
-- memset(cmd, 0, sizeof(struct ethtool_cmd));
-- cmd->cmd = ETHTOOL_GSET;
-- return dev->ethtool_ops->get_settings(dev, cmd);
--}
--#endif
--
- static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *dev)
- {
- struct ethtool_drvinfo info = { 0 };
-@@ -3774,8 +3899,8 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
- return 0;
- if (ops->begin) {
- /* was not called before __ethtool_get_settings() though */
-- if (ops->begin(dev) < 0);
-- return 0;
-+ if (ops->begin(dev) < 0)
-+ return 0;
- }
-
- /* driver name */
-@@ -3792,13 +3917,13 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
- if (!n || len <= 1) /* have room for separator too */
- goto ret;
-
-- /* append basic parameters: speed and port */
-- if (!__ethtool_get_settings(dev, &ecmd)) {
-+ /* only get_settings for running devices to not trigger link negotiation */
-+ if (dev->flags & IFF_UP &&
-+ dev->flags & IFF_RUNNING &&
-+ !__ethtool_get_settings(dev, &ecmd)) {
- char *s, *p;
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,27)
--#define ethtool_cmd_speed(x) (x)->speed
--#endif
-+ /* append basic parameters: speed and port */
- switch (ethtool_cmd_speed(&ecmd)) {
- case SPEED_10000: s = "10Gb"; break;
- case SPEED_2500: s = "2.5Gb"; break;
-@@ -3827,14 +3952,6 @@ ret:
- return size - len;
- }
-
--#ifndef ARPHRD_PHONET
--#define ARPHRD_PHONET 820
--#define ARPHRD_PHONET_PIPE 821
--#endif
--#ifndef ARPHRD_IEEE802154
--#define ARPHRD_IEEE802154 804
--#endif
--
- static const unsigned short netdev_type[] =
- {ARPHRD_NETROM, ARPHRD_ETHER, ARPHRD_AX25,
- ARPHRD_IEEE802, ARPHRD_ARCNET,
-@@ -3939,13 +4056,6 @@ static void export_dev(struct net_device *dev)
- pdu_ts_mod = jiffies;
- }
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
--#define for_each_netdev_ns(net, dev) for (dev = dev_base; dev; dev = dev->next)
--#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
--#define for_each_netdev_ns(net, d) for_each_netdev(d)
--#else
--#define for_each_netdev_ns(net, d) for_each_netdev(net, d)
--#endif
- static void export_ifnames(void)
- {
- struct net_device *dev;
-@@ -4041,14 +4151,40 @@ static void export_nat_event(struct nat_event *nel)
- }
- #endif /* CONFIG_NF_NAT_NEEDED */
-
--static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout, const unsigned long jiff)
-+static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout,
-+ const unsigned long j)
-+{
-+ return ((j - nf->nf_ts_first) > a_timeout) ||
-+ nf->nr_bytes >= FLOW_FULL_WATERMARK;
-+}
-+
-+/* return flowEndReason (rfc5102) */
-+/* i_timeout == 0 is flush */
-+static inline int inactive_needs_export(const struct ipt_netflow *nf, const long i_timeout,
-+ const unsigned long j)
- {
-- /* active too long, finishing, or having too much bytes */
-- return ((jiff - nf->nf_ts_first) > a_timeout) ||
-- (nf->tuple.protocol == IPPROTO_TCP &&
-- (nf->tcp_flags & TCP_FIN_RST) &&
-- (jiff - nf->nf_ts_last) > (1 * HZ)) ||
-- nf->nr_bytes >= FLOW_FULL_WATERMARK;
-+ if (likely(i_timeout)) {
-+ if (unlikely((j - nf->nf_ts_last) > i_timeout)) {
-+ if (nf->tuple.protocol == IPPROTO_TCP &&
-+ (nf->tcp_flags & TCP_FIN_RST))
-+ return 0x03; /* end of Flow detected */
-+ else
-+ return 0x01; /* idle timeout */
-+ } else
-+ return 0;
-+ } else
-+ return 0x04; /* forced end */
-+}
-+
-+/* helper which also record to nf->flowEndReason */
-+static inline int needs_export_rec(struct ipt_netflow *nf, const long i_timeout,
-+ const long a_timeout, const unsigned long j)
-+{
-+ int reason = inactive_needs_export(nf, i_timeout, j);
-+
-+ if (!reason && active_needs_export(nf, a_timeout, j))
-+ reason = 0x02; /* active timeout or just active flow */
-+ return (nf->flowEndReason = reason);
- }
-
- /* could be called with zero to flush cache and pdu */
-@@ -4056,13 +4192,12 @@ static inline int active_needs_export(const struct ipt_netflow *nf, const long a
- /* return number of pdus sent */
- static int netflow_scan_and_export(const int flush)
- {
-- long i_timeout = inactive_timeout * HZ;
-+ const long i_timeout = flush? 0 : inactive_timeout * HZ;
-+ const long a_timeout = active_timeout * HZ;
- #ifdef HAVE_LLIST
- struct llist_node *node;
--#else
-- long a_timeout = active_timeout * HZ;
- #endif
-- int pdu_c = pdu_count;
-+ const int pdu_c = pdu_count;
- LIST_HEAD(export_list);
- struct ipt_netflow *nf, *tmp;
- int i;
-@@ -4070,9 +4205,6 @@ static int netflow_scan_and_export(const int flush)
- unsigned char mode;
- #endif
-
-- if (flush)
-- i_timeout = 0;
--
- if (protocol >= 9) {
- netflow_export_stats();
- #ifdef ENABLE_SAMPLER
-@@ -4091,14 +4223,7 @@ static int netflow_scan_and_export(const int flush)
- }
- list_for_each_entry_safe_reverse(nf, tmp, &stripe->list, flows_list) {
- ++wk_count;
-- if (((jiffies - nf->nf_ts_last) >= i_timeout)
--#ifdef HAVE_LLIST
-- /* exportable actives already go into export_llist,
-- * thus this check is redundant. */
--#else
-- || active_needs_export(nf, a_timeout, jiffies)
--#endif
-- ) {
-+ if (needs_export_rec(nf, i_timeout, a_timeout, jiffies)) {
- hlist_del(&nf->hlist);
- list_del(&nf->flows_list);
- list_add(&nf->flows_list, &export_list);
-@@ -4387,13 +4512,6 @@ netflow_target_check(const struct xt_tgchk_param *par)
- if (strcmp("nat", tablename) == 0) {
- /* In the nat table we only see single packet per flow, which is useless. */
- printk(KERN_ERR "%s target: is not valid in %s table\n", target->name, tablename);
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
--#define CHECK_FAIL 0
--#define CHECK_OK 1
--#else
--#define CHECK_FAIL -EINVAL
--#define CHECK_OK 0
--#endif
- return CHECK_FAIL;
- }
- if (target->family == AF_INET6 && protocol == 5) {
-@@ -4404,9 +4522,6 @@ netflow_target_check(const struct xt_tgchk_param *par)
- }
-
- #define SetXBit(x) (0x8000 >> (x)) /* Proper bit for htons later. */
--#ifndef IPPROTO_MH
--#define IPPROTO_MH 135
--#endif
- static inline __u16 observed_hdrs(const __u8 currenthdr)
- {
- switch (currenthdr) {
-@@ -4537,69 +4652,80 @@ static inline __u32 tcp_options(const struct sk_buff *skb, const unsigned int pt
- return ret;
- }
-
--#ifdef ENABLE_VLAN
--/* double tagged header */
--struct vlan_ethhdr2 {
-- unsigned char h_dest[ETH_ALEN];
-- unsigned char h_source[ETH_ALEN];
-- __be16 h_vlan_proto;
-- __be16 h_vlan_TCI;
-- __be16 h2_vlan_proto;
-- __be16 h2_vlan_TCI;
-- __be16 h2_vlan_encapsulated_proto;
--};
--static inline struct vlan_ethhdr2 *vlan_eth_hdr2(const struct sk_buff *skb)
-+/* check if data region is in header boundary */
-+inline static int skb_in_header(const struct sk_buff *skb, const void *ptr, size_t off)
- {
-- return (struct vlan_ethhdr2 *)skb_mac_header(skb);
-+ return ((unsigned char *)ptr + off) <= skb->data;
- }
--#define VLAN_ETH_H2LEN (VLAN_ETH_HLEN + 4)
--#ifndef ETH_P_8021AD
--#define ETH_P_8021AD 0x88A8 /* 802.1ad Service VLAN */
--#endif
--#ifndef ETH_P_QINQ1
--#define ETH_P_QINQ1 0x9100 /* deprecated QinQ VLAN */
--#define ETH_P_QINQ2 0x9200 /* deprecated QinQ VLAN */
--#define ETH_P_QINQ3 0x9300 /* deprecated QinQ VLAN */
--#endif
--/* http://tools.ietf.org/html/rfc7133 */
--static inline __u16 parse_vlan_tags(const struct sk_buff *skb, struct ipt_netflow_tuple *tuple)
--{
-- /* no even untagged ethernet header */
-- if (skb_mac_header(skb) < skb->head ||
-- skb_mac_header(skb) + ETH_HLEN > skb->data)
-- return 0;
--
-- switch (eth_hdr(skb)->h_proto) {
-- case htons(ETH_P_QINQ1):
-- case htons(ETH_P_QINQ2):
-- case htons(ETH_P_QINQ3):
-- case htons(ETH_P_8021AD): /* S-TAG or B-TAG */
-- case htons(ETH_P_8021Q): /* C-TAG */
-- /* tagged and have full vlan header */
-- if (skb_mac_header(skb) + VLAN_ETH_HLEN <= skb->data)
-- break;
-- /* FALLTHROUGH */
-- default:
-- return eth_hdr(skb)->h_proto;
-- }
-
-- /* outer tag */
-- tuple->tag1 = vlan_eth_hdr(skb)->h_vlan_TCI;
-+static inline int eth_p_vlan(__be16 eth_type)
-+{
-+ return eth_type == htons(ETH_P_8021Q) ||
-+ eth_type == htons(ETH_P_8021AD);
-+}
-
-- switch (vlan_eth_hdr(skb)->h_vlan_encapsulated_proto) {
-- case htons(ETH_P_8021Q): /* C-TAG */
-- if (skb_mac_header(skb) + VLAN_ETH_H2LEN <= skb->data)
-- break;
-- /* FALLTHROUGH */
-- default:
-- return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
-- }
-+/* Extract all L2 header data, currently (in iptables) skb->data is
-+ * pointing to network_header, so we use mac_header instead. */
-+/* Parse eth header, then vlans, then mpls. */
-+static void parse_l2_header(const struct sk_buff *skb, struct ipt_netflow_tuple *tuple)
-+{
-+#if defined(ENABLE_MAC) || defined(ENABLE_VLAN) || defined(MPLS_DEPTH)
-+#define ENABLE_L2
-+ unsigned char *mac_header = skb_mac_header(skb);
-+# if defined(ENABLE_VLAN) || defined(MPLS_DEPTH)
-+ unsigned int hdr_depth;
-+ __be16 proto;
-+# endif
-+# ifdef ENABLE_VLAN
-+ int tag_num = 0;
-
-- /* second tag */
-- tuple->tag2 = vlan_eth_hdr2(skb)->h2_vlan_TCI;
-- return vlan_eth_hdr2(skb)->h2_vlan_encapsulated_proto;
-+ /* get vlan tag that is saved in skb->vlan_tci */
-+ if (vlan_tx_tag_present(skb))
-+ tuple->tag[tag_num++] = htons(vlan_tx_tag_get(skb));
-+# endif
-+ if (mac_header < skb->head ||
-+ mac_header + ETH_HLEN > skb->data)
-+ return;
-+# ifdef ENABLE_MAC
-+ memcpy(&tuple->h_dst, eth_hdr(skb)->h_dest, ETH_ALEN);
-+ memcpy(&tuple->h_src, eth_hdr(skb)->h_source, ETH_ALEN);
-+# endif
-+# if defined(ENABLE_VLAN) || defined(MPLS_DEPTH)
-+ hdr_depth = ETH_HLEN;
-+ proto = eth_hdr(skb)->h_proto;
-+ if (eth_p_vlan(proto)) {
-+ do {
-+ const struct vlan_hdr *vh;
-+
-+ vh = (struct vlan_hdr *)(mac_header + hdr_depth);
-+ if (!skb_in_header(skb, vh, VLAN_HLEN))
-+ return;
-+ proto = vh->h_vlan_encapsulated_proto;
-+# ifdef ENABLE_VLAN
-+ if (tag_num < MAX_VLAN_TAGS)
-+ tuple->tag[tag_num++] = vh->h_vlan_TCI;
-+# endif
-+ hdr_depth += VLAN_HLEN;
-+ } while (eth_p_vlan(proto));
-+ }
-+# ifdef MPLS_DEPTH
-+ if (eth_p_mpls(proto)) {
-+ const struct mpls_label *mpls;
-+ int label_num = 0;
-+
-+ do {
-+ mpls = (struct mpls_label *)(mac_header + hdr_depth);
-+ if (!skb_in_header(skb, mpls, MPLS_HLEN))
-+ return;
-+ if (label_num < MPLS_DEPTH)
-+ tuple->mpls[label_num++] = mpls->entry;
-+ hdr_depth += MPLS_HLEN;
-+ } while (!(mpls->entry & htonl(MPLS_LS_S_MASK)));
-+ }
-+# endif
-+# endif /* defined(ENABLE_VLAN) || defined(MPLS_DEPTH) */
-+#endif /* defined(ENABLE_MAC) || defined(ENABLE_VLAN) || defined(MPLS_DEPTH) */
- }
--#endif /* ENABLE_VLAN */
-
- /* packet receiver */
- static unsigned int netflow_target(
-@@ -4622,6 +4748,8 @@ static unsigned int netflow_target(
- const void *targinfo
- # endif
- #else /* since 2.6.28 */
-+# define if_in par->in
-+# define if_out par->out
- # if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
- const struct xt_target_param *par
- # else
-@@ -4631,7 +4759,11 @@ static unsigned int netflow_target(
- )
- {
- #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
-- const struct sk_buff *skb = *pskb;
-+# ifndef ENABLE_L2
-+ /* pskb_may_pull() may modify skb */
-+ const
-+# endif
-+ struct sk_buff *skb = *pskb;
- #endif
- union {
- struct iphdr ip;
-@@ -4660,12 +4792,15 @@ static unsigned int netflow_target(
- int options = 0;
- int tcpoptions = 0;
- struct stripe_entry *stripe;
--#if defined(ENABLE_MAC) || defined(ENABLE_VLAN)
-- __be16 ethernetType = 0;
--#endif
-
-- iph = skb_header_pointer(skb, 0, (likely(family == AF_INET))? sizeof(_iph.ip) : sizeof(_iph.ip6), &iph);
-- if (unlikely(iph == NULL)) {
-+ if (unlikely(
-+#ifdef ENABLE_L2
-+ /* to ensure that full L2 headers are present */
-+ unlikely(!pskb_may_pull(skb, 0)) ||
-+#endif
-+ !(iph = skb_header_pointer(skb, 0,
-+ (likely(family == AF_INET))? sizeof(_iph.ip) : sizeof(_iph.ip6),
-+ &iph)))) {
- NETFLOW_STAT_INC(truncated);
- NETFLOW_STAT_INC(pkt_drop);
- NETFLOW_STAT_ADD(traf_drop, skb->len);
-@@ -4673,46 +4808,18 @@ static unsigned int netflow_target(
- return IPT_CONTINUE;
- }
-
--#ifdef ENABLE_DEBUGFS
-- if (atomic_read(&freeze)) {
-- NETFLOW_STAT_INC(freeze_err);
-- NETFLOW_STAT_INC(pkt_drop);
-- NETFLOW_STAT_ADD(traf_drop, skb->len);
-- NETFLOW_STAT_TS(drop);
-- return IPT_CONTINUE;
-- }
-+ memset(&tuple, 0, sizeof(tuple));
-+ tuple.l3proto = family;
-+#ifdef ENABLE_PHYSDEV_OVER
-+ if (skb->nf_bridge && skb->nf_bridge->physindev)
-+ tuple.i_ifc = skb->nf_bridge->physindev->ifindex;
-+ else /* FALLTHROUGH */
- #endif
--
-- tuple.l3proto = family;
-- tuple.s_port = 0;
-- tuple.d_port = 0;
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
- tuple.i_ifc = if_in? if_in->ifindex : -1;
--#else
-- tuple.i_ifc = par->in? par->in->ifindex : -1;
--#endif
-- tcp_flags = 0; /* Cisco sometimes have TCP ACK for non TCP packets, don't get it */
-+ tcp_flags = 0;
- s_mask = 0;
- d_mask = 0;
--#ifdef ENABLE_MAC
-- if (skb_mac_header(skb) >= skb->head &&
-- skb_mac_header(skb) + ETH_HLEN <= skb->data) {
-- memcpy(&tuple.h_dst, eth_hdr(skb)->h_dest, ETH_ALEN);
-- memcpy(&tuple.h_src, eth_hdr(skb)->h_source, ETH_ALEN);
--#ifndef ENABLE_VLAN
-- ethernetType = eth_hdr(skb)->h_proto;
--#endif
-- } else {
-- memset(&tuple.h_dst, 0, ETH_ALEN);
-- memset(&tuple.h_src, 0, ETH_ALEN);
-- }
--#endif
--#ifdef ENABLE_VLAN
-- tuple.tag2 = tuple.tag1 = 0;
-- if (vlan_tx_tag_present(skb))
-- tuple.tag1 = htons(vlan_tx_tag_get(skb));
-- ethernetType = parse_vlan_tags(skb, &tuple);
--#endif
-+ parse_l2_header(skb, &tuple);
-
- if (likely(family == AF_INET)) {
- tuple.src = (union nf_inet_addr){ .ip = iph->ip.saddr };
-@@ -4832,16 +4939,16 @@ do_protocols:
- case IPPROTO_ICMP: {
- struct icmphdr _hdr, *hp;
-
-- if (likely(family == AF_INET &&
-- (hp = skb_header_pointer(skb, ptr, 2, &_hdr))))
-+ if (likely(family == AF_INET) &&
-+ likely(hp = skb_header_pointer(skb, ptr, 2, &_hdr)))
- tuple.d_port = htons((hp->type << 8) | hp->code);
- break;
- }
- case IPPROTO_ICMPV6: {
- struct icmp6hdr _icmp6h, *ic;
-
-- if (likely(family == AF_INET6 &&
-- (ic = skb_header_pointer(skb, ptr, 2, &_icmp6h))))
-+ if (likely(family == AF_INET6) &&
-+ likely(ic = skb_header_pointer(skb, ptr, 2, &_icmp6h)))
- tuple.d_port = htons((ic->icmp6_type << 8) | ic->icmp6_code);
- break;
- }
-@@ -4856,8 +4963,8 @@ do_protocols:
- struct ip_auth_hdr _hdr, *hp;
-
- /* This is for IPv4 only. IPv6 it's parsed above. */
-- if (likely(family == AF_INET &&
-- (hp = skb_header_pointer(skb, ptr, 8, &_hdr))))
-+ if (likely(family == AF_INET) &&
-+ likely(hp = skb_header_pointer(skb, ptr, 8, &_hdr)))
- SAVE_SPI(tuple, hp->spi);
- break;
- }
-@@ -4967,27 +5074,43 @@ do_protocols:
- #endif
- nf->nf_ts_first = jiffies;
- nf->tcp_flags = tcp_flags;
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
- nf->o_ifc = if_out? if_out->ifindex : -1;
--#else
-- nf->o_ifc = par->out? par->out->ifindex : -1;
-+#ifdef ENABLE_PHYSDEV_OVER
-+ if (skb->nf_bridge && skb->nf_bridge->physoutdev)
-+ nf->o_ifc = skb->nf_bridge->physoutdev->ifindex;
- #endif
-+
- #ifdef SNMP_RULES
- rcu_read_lock();
--# if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-+#else
-+# define resolve_snmp(dev) ((dev)? (dev)->ifindex : -1)
-+#endif
-+/* copy and snmp-resolve device with physdev overriding normal dev */
-+#define copy_dev(out, physdev, dev) \
-+ if (skb->nf_bridge && skb->nf_bridge->physdev) \
-+ out = resolve_snmp(skb->nf_bridge->physdev); \
-+ else \
-+ out = resolve_snmp(dev);
-+#ifdef ENABLE_PHYSDEV
-+ copy_dev(nf->o_ifphys, physoutdev, if_out);
-+ copy_dev(nf->i_ifphys, physindev, if_in);
-+#endif
-+#ifdef SNMP_RULES
-+# ifdef ENABLE_PHYSDEV_OVER
-+ copy_dev(nf->o_ifcr, physoutdev, if_out);
-+ copy_dev(nf->i_ifcr, physindev, if_in);
-+# else
- nf->o_ifcr = resolve_snmp(if_out);
- nf->i_ifcr = resolve_snmp(if_in);
--# else
-- nf->o_ifcr = resolve_snmp(par->out);
-- nf->i_ifcr = resolve_snmp(par->in);
- # endif
- rcu_read_unlock();
-+
- #endif
- nf->s_mask = s_mask;
- nf->d_mask = d_mask;
-
- #if defined(ENABLE_MAC) || defined(ENABLE_VLAN)
-- nf->ethernetType = ethernetType;
-+ nf->ethernetType = skb->protocol;
- #endif
-
- #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
-@@ -5034,7 +5157,7 @@ do_protocols:
-
- #define LIST_IS_NULL(name) (!(name)->next)
-
-- if (likely(active_needs_export(nf, active_timeout * HZ, jiffies))) {
-+ if (unlikely(active_needs_export(nf, active_timeout * HZ, jiffies))) {
- /* ok, if this is active flow to be exported */
- #ifdef HAVE_LLIST
- /* delete from hash and add to the export llist */
-@@ -5150,9 +5273,6 @@ static void register_ct_events(void)
- /* Reference netlink module to prevent it's unsafe unload before us. */
- if (!referenced && (netlink_m = find_module(NETLINK_M))) {
- referenced++;
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35)
--#define use_module ref_module
--#endif
- use_module(THIS_MODULE, netlink_m);
- }
-
-@@ -5190,39 +5310,6 @@ static void unregister_ct_events(void)
- }
- #endif /* CONFIG_NF_NAT_NEEDED */
-
--#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
--#define NF_IP_PRE_ROUTING NF_INET_PRE_ROUTING
--#define NF_IP_LOCAL_IN NF_INET_LOCAL_IN
--#define NF_IP_FORWARD NF_INET_FORWARD
--#define NF_IP_LOCAL_OUT NF_INET_LOCAL_OUT
--#define NF_IP_POST_ROUTING NF_INET_POST_ROUTING
--#endif
--
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
--/* net/netfilter/x_tables.c */
--static void xt_unregister_targets(struct xt_target *target, unsigned int n)
--{
-- unsigned int i;
--
-- for (i = 0; i < n; i++)
-- xt_unregister_target(&target[i]);
--}
--static int xt_register_targets(struct xt_target *target, unsigned int n)
--{
-- unsigned int i;
--
-- int err = 0;
-- for (i = 0; i < n; i++)
-- if ((err = xt_register_target(&target[i])))
-- goto err;
-- return err;
--err:
-- if (i > 0)
-- xt_unregister_targets(target, i);
-- return err;
--}
--#endif
--
- static struct ipt_target ipt_netflow_reg[] __read_mostly = {
- {
- .name = "NETFLOW",
-@@ -5296,9 +5383,6 @@ static int __init ipt_netflow_init(void)
- clear_ipt_netflow_stat();
-
- if (!hashsize) {
--#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0)
--#define num_physpages totalram_pages
--#endif
- /* use 1/1024 of memory, 1M for hash table on 1G box */
- unsigned long memksize = (num_physpages << PAGE_SHIFT) / 1024;
-
-@@ -5318,6 +5402,11 @@ static int __init ipt_netflow_init(void)
- goto err;
- }
-
-+#ifdef MPLS_DEPTH
-+ if (MPLS_DEPTH >= 0 && MPLS_DEPTH < 10)
-+ template_mpls.types[MPLS_LABELS_BASE_INDEX + MPLS_DEPTH] = 0;
-+#endif
-+
- for (i = 0; i < LOCK_COUNT; i++) {
- spin_lock_init(&htable_stripes[i].lock);
- INIT_LIST_HEAD(&htable_stripes[i].list);
-@@ -5339,10 +5428,8 @@ static int __init ipt_netflow_init(void)
- goto err_free_netflow_slab;
- if (!register_stat("ipt_netflow_snmp", &snmp_seq_fops))
- goto err_free_proc_stat1;
--
--#ifdef ENABLE_DEBUGFS
-- flows_dump_d = debugfs_create_file("netflow_dump", S_IRUGO, NULL, NULL, &flows_dump_fops);
--#endif
-+ if (!register_stat("ipt_netflow_flows", &flows_seq_fops))
-+ goto err_free_proc_stat2;
-
- #ifdef CONFIG_SYSCTL
- ctl_table_renumber(netflow_sysctl_table);
-@@ -5357,7 +5444,7 @@ static int __init ipt_netflow_init(void)
- #endif
- if (!netflow_sysctl_header) {
- printk(KERN_ERR "netflow: can't register to sysctl\n");
-- goto err_free_proc_stat2;
-+ goto err_free_proc_stat3;
- } else
- printk(KERN_INFO "netflow: registered: sysctl net.netflow\n");
- #endif
-@@ -5443,12 +5530,11 @@ err_stop_timer:
- err_free_sysctl:
- #ifdef CONFIG_SYSCTL
- unregister_sysctl_table(netflow_sysctl_header);
--err_free_proc_stat2:
--#endif
--#ifdef ENABLE_DEBUGFS
-- debugfs_remove(flows_dump_d);
- #endif
-+err_free_proc_stat3:
- #ifdef CONFIG_PROC_FS
-+ remove_proc_entry("ipt_netflow_flows", INIT_NET(proc_net_stat));
-+err_free_proc_stat2:
- remove_proc_entry("ipt_netflow_snmp", INIT_NET(proc_net_stat));
- err_free_proc_stat1:
- remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
-@@ -5469,10 +5555,8 @@ static void __exit ipt_netflow_fini(void)
- #ifdef CONFIG_SYSCTL
- unregister_sysctl_table(netflow_sysctl_header);
- #endif
--#ifdef ENABLE_DEBUGFS
-- debugfs_remove(flows_dump_d);
--#endif
- #ifdef CONFIG_PROC_FS
-+ remove_proc_entry("ipt_netflow_flows", INIT_NET(proc_net_stat));
- remove_proc_entry("ipt_netflow_snmp", INIT_NET(proc_net_stat));
- remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
- #endif
-diff --git a/ipt_NETFLOW.h b/ipt_NETFLOW.h
-index 59512f0..eb00e94 100644
---- a/ipt_NETFLOW.h
-+++ b/ipt_NETFLOW.h
-@@ -16,8 +16,8 @@
- *
- */
-
--#ifndef _IP_NETFLOW_H
--#define _IP_NETFLOW_H
-+#ifndef _IPT_NETFLOW_H
-+#define _IPT_NETFLOW_H
-
- /*
- * Some tech info:
-@@ -113,9 +113,20 @@ struct netflow5_pdu {
- two(61, DIRECTION, flowDirection, 1) \
- two(62, IPV6_NEXT_HOP, ipNextHopIPv6Address, 16) \
- two(64, IPV6_OPTION_HEADERS, ipv6ExtensionHeaders, 2) \
-+ two(70, MPLS_LABEL_1, mplsTopLabelStackSection, 3) \
-+ two(71, MPLS_LABEL_2, mplsLabelStackSection2, 3) \
-+ two(72, MPLS_LABEL_3, mplsLabelStackSection3, 3) \
-+ two(73, MPLS_LABEL_4, mplsLabelStackSection4, 3) \
-+ two(74, MPLS_LABEL_5, mplsLabelStackSection5, 3) \
-+ two(75, MPLS_LABEL_6, mplsLabelStackSection6, 3) \
-+ two(76, MPLS_LABEL_7, mplsLabelStackSection7, 3) \
-+ two(77, MPLS_LABEL_8, mplsLabelStackSection8, 3) \
-+ two(78, MPLS_LABEL_9, mplsLabelStackSection9, 3) \
-+ two(79, MPLS_LABEL_10, mplsLabelStackSection10, 3) \
- one(80, destinationMacAddress, 6) \
- two(82, IF_NAME, interfaceName, IF_NAME_SZ) \
- two(83, IF_DESC, interfaceDescription, IF_DESC_SZ) \
-+ one(136, flowEndReason, 1) \
- one(138, observationPointId, 4) \
- one(139, icmpTypeCodeIPv6, 2) \
- one(141, LineCardId, 4) \
-@@ -135,6 +146,9 @@ struct netflow5_pdu {
- one(166, notSentFlowTotalCount, 8) \
- one(167, notSentPacketTotalCount, 8) \
- one(168, notSentOctetTotalCount, 8) \
-+ one(200, mplsTopLabelTTL, 1) \
-+ one(201, mplsLabelStackLength, 1) \
-+ one(202, mplsLabelStackDepth, 1) \
- one(208, ipv4Options, 4) \
- one(209, tcpOptions, 4) \
- one(225, postNATSourceIPv4Address, 4) \
-@@ -146,6 +160,8 @@ struct netflow5_pdu {
- one(244, dot1qPriority, 1) \
- one(245, dot1qCustomerVlanId, 2) \
- one(246, dot1qCustomerPriority, 1) \
-+ one(252, ingressPhysicalInterface, 2) \
-+ one(253, egressPhysicalInterface, 2) \
- one(256, ethernetType, 2) \
- one(295, IPSecSPI, 4) \
- one(300, observationDomainName, 128) \
-@@ -240,18 +256,10 @@ struct ipfix_pdu {
- * not searchable and will be exported soon. */
- #define FLOW_FULL_WATERMARK 0xffefffff
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,25)
--union nf_inet_addr {
-- __be32 ip;
-- __be32 ip6[4];
-- struct in_addr in;
-- struct in6_addr in6;
--};
--#endif
--
- #define EXTRACT_SPI(tuple) ((tuple.s_port << 16) | tuple.d_port)
- #define SAVE_SPI(tuple, spi) { tuple.s_port = spi >> 16; \
- tuple.d_port = spi; }
-+#define MAX_VLAN_TAGS 2
-
- /* hashed data which identify unique flow */
- /* 16+16 + 2+2 + 2+1+1+1 = 41 */
-@@ -260,10 +268,12 @@ struct ipt_netflow_tuple {
- union nf_inet_addr dst;
- __be16 s_port; // Network byte order
- __be16 d_port; // -"-
-+#ifdef MPLS_DEPTH
-+ __be32 mpls[MPLS_DEPTH]; /* Network byte order */
-+#endif
- __u16 i_ifc; // Host byte order
- #ifdef ENABLE_VLAN
-- __be16 tag1; // Network byte order (outer tag)
-- __be16 tag2; // -"-
-+ __be16 tag[MAX_VLAN_TAGS]; // Network byte order (outer tag first)
- #endif
- __u8 protocol;
- __u8 tos;
-@@ -287,13 +297,18 @@ struct ipt_netflow {
- __be16 ethernetType; /* Network byte order */
- #endif
- __u16 o_ifc;
-+#ifdef ENABLE_PHYSDEV
-+ __u16 i_ifphys;
-+ __u16 o_ifphys;
-+#endif
- #ifdef SNMP_RULES
-- __u16 i_ifcr;
-+ __u16 i_ifcr; /* translated interface numbers*/
- __u16 o_ifcr;
- #endif
- __u8 s_mask;
- __u8 d_mask;
- __u8 tcp_flags; /* `OR' of all tcp flags */
-+ __u8 flowEndReason;
- #ifdef ENABLE_DIRECTION
- __u8 hooknumx; /* hooknum + 1 */
- #endif
-@@ -362,8 +377,7 @@ static inline int ipt_netflow_tuple_equal(const struct ipt_netflow_tuple *t1,
- struct ipt_netflow_sock {
- struct list_head list;
- struct socket *sock;
-- __be32 ipaddr; // destination
-- unsigned short port;
-+ struct sockaddr_storage addr; // destination
- atomic_t wmem_peak; // sk_wmem_alloc peak value
- unsigned int err_connect; // connect errors
- unsigned int err_full; // socket filled error
-@@ -446,9 +460,6 @@ struct ipt_netflow_stat {
- unsigned int frags; // packets stat (drop)
- unsigned int maxflows_err; // maxflows reached (drop)
- unsigned int alloc_err; // failed to allocate memory (drop & lost)
--#ifdef ENABLE_DEBUGFS
-- unsigned int freeze_err; // freeze errors (drop)
--#endif
- struct duration drop;
- unsigned int send_success; // sendmsg() ok
- unsigned int send_failed; // sendmsg() failed
-@@ -478,10 +489,5 @@ struct ipt_netflow_stat {
- int metric; // one minute ewma of hash efficiency
- };
-
--#ifndef list_first_entry
--#define list_first_entry(ptr, type, member) \
-- list_entry((ptr)->next, type, member)
--#endif
--
- #endif
- /* vim: set sw=8: */
-diff --git a/snmp_NETFLOW.c b/snmp_NETFLOW.c
-index cf1d743..62457db 100644
---- a/snmp_NETFLOW.c
-+++ b/snmp_NETFLOW.c
-@@ -368,10 +368,10 @@ static int iptNetflowSysctl_handler(
- return sysctl_read(request, obj);
- case MODE_SET_RESERVE1:
- sys = find_varinfo(sysctls, obj);
-- if (request->requestvb->type != sys->type)
-- netsnmp_request_set_error(request, SNMP_ERR_WRONGTYPE);
-- if (!sysctl_access_ok(sys->name))
-+ if (!sys || !sysctl_access_ok(sys->name))
- netsnmp_request_set_error(request, SNMP_ERR_NOSUCHNAME);
-+ if (sys && request->requestvb->type != sys->type)
-+ netsnmp_request_set_error(request, SNMP_ERR_WRONGTYPE);
- break;
- case MODE_SET_RESERVE2:
- case MODE_SET_FREE:
-diff --git a/testing.sh b/testing.sh
-index b465c8d..45a0619 100755
---- a/testing.sh
-+++ b/testing.sh
-@@ -6,7 +6,7 @@ if [ "$1" = "" ]; then
- echo Maintainer only tool.
- exit 1
- elif [ "$1" = all ]; then
-- exec bash $0 linux-2.6.18 centos5 linux-3.11.2 centos6 linux-3.4.66 linux-3.9.11 centos7 linux-3.14 linux-3.17
-+ exec bash $0 linux-2.6.18 centos5 linux-3.11.2 centos6 linux-3.4.66 linux-3.9.11 centos7 linux-3.14 linux-3.17 linux-3.19
- exit 1
- fi
-
-@@ -28,11 +28,17 @@ readarray -t opts <<EOF
- --enable-snmp-rules
- --enable-macaddress
- --enable-vlan
-+ --promisc-mpls
- --enable-direction
- --enable-sampler
- --enable-sampler=hash
-- --enable-promisc
-+ --enable-promisc --promisc-mpls
-+ --enable-physdev
-+ --enable-physdev-override
- EOF
-+if [ "$SHORT" ]; then
-+ opts=("$SHORT")
-+fi
-
- colorecho() {
- echo -e "\033[1;32m$@\033[m"
-diff --git a/version.sh b/version.sh
-index e39433b..2509149 100755
---- a/version.sh
-+++ b/version.sh
-@@ -7,25 +7,29 @@ PATH=$PATH:/usr/local/bin:/usr/bin:/bin
- MVERSION=`sed -n 's/^#define.*IPT_NETFLOW_VERSION.*"\(.*\)".*/\1/p' ipt_NETFLOW.c`
-
- # GITVERSION overrides base version.
--if [ -e version.h ]; then
-+if [ -e version.h ] && grep -q GITVERSION version.h; then
- MVERSION=`sed -n 's/#define GITVERSION "\(.*\)".*/\1/p' version.h`
- fi
-
- # git describe overrides version from the source.
- if [ -d .git ] && which git >/dev/null 2>&1; then \
-- GVERSION=`git describe --dirty`
-- MVERSION=${GVERSION#v}
-+ GVERSION=`git describe --dirty 2>/dev/null`
-+ if [ "$GVERSION" ]; then
-+ MVERSION=${GVERSION#v}
-+ fi
- else
- GVERSION=
- fi
-
- if [ "$1" = --define ]; then
-- # output version.h which is GITVERSION or empty.
-+ # called from Makefile to create version.h
-+ # which should contain GITVERSION or be empty.
- if [ "$GVERSION" ]; then
- echo "#define GITVERSION \"$MVERSION\""
- else
-- echo "/* kernel doesn't like empty files */"
-+ echo "/* placeholder, because kernel doesn't like empty files */"
- fi
- else
-+ # normal run
- echo $MVERSION
- fi
diff --git a/testing/ipt-netflow-grsec/kernel-4.6.patch b/testing/ipt-netflow-grsec/kernel-4.6.patch
new file mode 100644
index 0000000000..79fba3c5bf
--- /dev/null
+++ b/testing/ipt-netflow-grsec/kernel-4.6.patch
@@ -0,0 +1,63 @@
+From c16ffc6cb679b3377a0d4a30a6bbcf5e2f3d0214 Mon Sep 17 00:00:00 2001
+From: ABC <abc@telekom.ru>
+Date: Sun, 22 May 2016 22:07:14 +0300
+Subject: [PATCH] Support ETHTOOL_xLINKSETTINGS API (new in linux 4.6).
+
+Thus, making support for 4.6 kernels.
+Reference to linux commit:
+ https://github.com/torvalds/linux/commit/3f1ac7a700d
+
+Fixes #56, thanks karel-un.
+---
+ ipt_NETFLOW.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
+index 067fd50..d27eea2 100644
+--- a/ipt_NETFLOW.c
++++ b/ipt_NETFLOW.c
+@@ -3904,7 +3904,13 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
+ {
+ struct ethtool_drvinfo info = { 0 };
+ const struct ethtool_ops *ops = dev->ethtool_ops;
++#ifndef ETHTOOL_GLINKSETTINGS
+ struct ethtool_cmd ecmd;
++#define _KSETTINGS(x, y) (x)
++#else
++ struct ethtool_link_ksettings ekmd;
++#define _KSETTINGS(x, y) (y)
++#endif
+ int len = size;
+ int n;
+
+@@ -3933,11 +3939,11 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
+ /* only get_settings for running devices to not trigger link negotiation */
+ if (dev->flags & IFF_UP &&
+ dev->flags & IFF_RUNNING &&
+- !__ethtool_get_settings(dev, &ecmd)) {
++ !_KSETTINGS(__ethtool_get_settings(dev, &ecmd), __ethtool_get_link_ksettings(dev, &ekmd))) {
+ char *s, *p;
+
+ /* append basic parameters: speed and port */
+- switch (ethtool_cmd_speed(&ecmd)) {
++ switch (_KSETTINGS(ethtool_cmd_speed(&ecmd), ekmd.base.speed)) {
+ case SPEED_10000: s = "10Gb"; break;
+ case SPEED_2500: s = "2.5Gb"; break;
+ case SPEED_1000: s = "1Gb"; break;
+@@ -3945,7 +3951,7 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
+ case SPEED_10: s = "10Mb"; break;
+ default: s = "";
+ }
+- switch (ecmd.port) {
++ switch (_KSETTINGS(ecmd.port, ekmd.base.port)) {
+ case PORT_TP: p = "tp"; break;
+ case PORT_AUI: p = "aui"; break;
+ case PORT_MII: p = "mii"; break;
+@@ -3964,6 +3970,7 @@ static int ethtool_drvinfo(unsigned char *ptr, size_t size, struct net_device *d
+ ops->complete(dev);
+ return size - len;
+ }
++#undef _KSETTINGS
+
+ static const unsigned short netdev_type[] =
+ {ARPHRD_NETROM, ARPHRD_ETHER, ARPHRD_AX25,