ipfwadm_core.c
* This is a bit simpler as we don't have to walk * an interface chain as you do in BSD - same logic * however. */ /* * Match can become 0x01 (a "normal" match was found), * 0x02 (a reverse match was found), and 0x03 (the * IP addresses match in both directions). * Now we know in which direction(s) we should look * for a match for the TCP/UDP ports. Both directions * might match (e.g., when both addresses are on the * same network for which an address/mask is given), but * the ports might only match in one direction. * This was obviously wrong in the original BSD code. */ match = 0x00; if ((src & f->fw_smsk.s_addr) == f->fw_src.s_addr && (dst & f->fw_dmsk.s_addr) == f->fw_dst.s_addr) /* normal direction */ match |= 0x01; if ((f->fw_flg & IP_FW_F_BIDIR) && (dst & f->fw_smsk.s_addr) == f->fw_src.s_addr && (src & f->fw_dmsk.s_addr) == f->fw_dst.s_addr) /* reverse direction */ match |= 0x02; if (!match) continue; /* * Look for a VIA device match */ if (f->fw_viadev) { if (rif != f->fw_viadev) continue; /* Mismatch */ } /* This looks stupid, because we scan almost static list, searching for static key. However, this way seems to be only reasonable way of handling fw_via rules (btw bsd makes the same thing). It will not affect performance if you will follow the following simple rules: - if interface is aliased, ALWAYS specify fw_viadev, so that previous check will guarantee, that we will not waste time when packet arrive on another interface. - avoid using fw_via.s_addr if fw_via.s_addr is owned by an aliased interface. --ANK */ if (f->fw_via.s_addr && rif) { struct in_ifaddr *ifa; if (rif->ip_ptr == NULL) continue; /* Mismatch */ for (ifa = ((struct in_device*)(rif->ip_ptr))->ifa_list; ifa; ifa = ifa->ifa_next) { if (ifa->ifa_local == f->fw_via.s_addr) goto ifa_ok; } continue; /* Mismatch */ ifa_ok:; } /* * Ok the chain addresses match. */#ifdef CONFIG_IP_ACCT /* * See if we're in accounting mode and only want to * count incoming or outgoing packets. 
*/ if (mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT) && ((mode == IP_FW_MODE_ACCT_IN && f->fw_flg&IP_FW_F_ACCTOUT) || (mode == IP_FW_MODE_ACCT_OUT && f->fw_flg&IP_FW_F_ACCTIN))) continue;#endif /* * For all non-TCP packets and/or non-first fragments, * notcpsyn and notcpack will always be FALSE, * so the IP_FW_F_TCPSYN and IP_FW_F_TCPACK flags * are actually ignored for these packets. */ if((f->fw_flg&IP_FW_F_TCPSYN) && notcpsyn) continue; if((f->fw_flg&IP_FW_F_TCPACK) && notcpack) continue; f_prt=f->fw_flg&IP_FW_F_KIND; if (f_prt != IP_FW_F_ALL) { /* * Specific firewall - packet's protocol * must match firewall's. */ if (prt != f_prt) continue; if((prt==IP_FW_F_ICMP && ! port_match(&f->fw_pts[0], f->fw_nsp, icmp_type,f->fw_flg&IP_FW_F_SRNG)) || !(prt==IP_FW_F_ICMP || ((match & 0x01) && port_match(&f->fw_pts[0], f->fw_nsp, src_port, f->fw_flg&IP_FW_F_SRNG) && port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, dst_port, f->fw_flg&IP_FW_F_DRNG)) || ((match & 0x02) && port_match(&f->fw_pts[0], f->fw_nsp, dst_port, f->fw_flg&IP_FW_F_SRNG) && port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, src_port, f->fw_flg&IP_FW_F_DRNG)))) { continue; } }#ifdef CONFIG_IP_FIREWALL_VERBOSE if (f->fw_flg & IP_FW_F_PRN) { char buf[16]; print_packet(pskb, src_port, dst_port, icmp_type, chain_name(chain, mode), rule_name(f, mode, buf), rif ? rif->name : "-"); }#endif if (mode != IP_FW_MODE_CHK) { f->fw_bcnt += ntohs((*pskb)->nh.iph->tot_len); f->fw_pcnt++; } if (!(mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT))) break; } /* Loop */ if (!(mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT))) { /* * We rely on policy defined in the rejecting entry or, if no match * was found, we rely on the general policy variable for this type * of firewall. 
*/ if (f != NULL) { policy = f->fw_flg; tosand = f->fw_tosand; tosxor = f->fw_tosxor; } else { tosand = 0xFF; tosxor = 0x00; } if (policy & IP_FW_F_ACCEPT) { /* Adjust priority and recompute checksum */ __u8 tos = (*pskb)->nh.iph->tos; if (((tos & tosand) ^ tosxor) != tos) { if (!skb_ip_make_writable(pskb, offsetof(struct iphdr, tos)+1)) goto drop_it; (*pskb)->nh.iph->tos = (tos & tosand) ^ tosxor; ip_send_check((*pskb)->nh.iph); }#ifdef CONFIG_IP_TRANSPARENT_PROXY if (policy & IP_FW_F_REDIR) { if (redirport) if ((*redirport = htons(f->fw_pts[f->fw_nsp+f->fw_ndp])) == 0) { /* Wildcard redirection. * Note that redirport will become * 0xFFFF for non-TCP/UDP packets. */ *redirport = htons(dst_port); } answer = FW_REDIRECT; } else#endif#ifdef CONFIG_IP_MASQUERADE if (policy & IP_FW_F_MASQ) answer = FW_MASQUERADE; else#endif answer = FW_ACCEPT; } else if (policy & IP_FW_F_ICMPRPL) answer = FW_REJECT; else { drop_it: answer = FW_BLOCK; }#ifdef CONFIG_IP_FIREWALL_NETLINK if ((policy & IP_FW_F_PRN) && (answer == FW_REJECT || answer == FW_BLOCK)) { struct sk_buff *skb = alloc_skb(128, (mode == IP_FW_MODE_CHK) ? 
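GFP_KERNEL : GFP_ATOMIC);
			if (skb) {
				int len = min_t(unsigned int, 128,
						ntohs((*pskb)->nh.iph->tot_len));
				skb_put(skb, len);
				skb_copy_bits(*pskb,
					      ((char *)(*pskb)->nh.iph - (char *)(*pskb)->data),
					      skb->data, len);
				if (netlink_post(NETLINK_FIREWALL, skb))
					kfree_skb(skb);
			}
		}
#endif
	} else
		/* we're doing accounting, always ok */
		answer = 0;

	if (mode == IP_FW_MODE_CHK)
		READ_UNLOCK(&ip_fw_lock);
	else
		WRITE_UNLOCK(&ip_fw_lock);
	return answer;
}

/*
 * Reset the packet and byte counters of every rule in a chain.
 * Takes the writer side of ip_fw_lock so the walk cannot race with
 * rule insertion or removal.
 */
static void zero_fw_chain(struct ip_fw *chainptr)
{
	struct ip_fw *rule;

	WRITE_LOCK(&ip_fw_lock);
	for (rule = chainptr; rule != NULL; rule = rule->fw_next) {
		rule->fw_pcnt = 0L;
		rule->fw_bcnt = 0L;
	}
	WRITE_UNLOCK(&ip_fw_lock);
}

/*
 * Unlink and free every entry of *chainptr.
 *
 * Each entry gives back the net_device reference taken by dev_get_by_name()
 * at insertion time -- except when fw_viadev holds the (struct net_device *)-1
 * sentinel, which marks an unresolved name and carries no reference -- and
 * the module reference that insert_in_chain()/append_to_chain() took for it.
 */
static void free_fw_chain(struct ip_fw *volatile* chainptr)
{
	WRITE_LOCK(&ip_fw_lock);
	while (*chainptr != NULL) {
		struct ip_fw *rule = *chainptr;

		*chainptr = rule->fw_next;
		if (rule->fw_viadev && rule->fw_viadev != (struct net_device *)-1)
			dev_put(rule->fw_viadev);
		kfree(rule);
		/* We will block in cleanup's unregister sockopt if unloaded,
		   so this is safe. */
		module_put(THIS_MODULE);
	}
	WRITE_UNLOCK(&ip_fw_lock);
}

/* Volatiles to keep some of the compiler versions amused */

/*
 * Build a new chain entry from the rule image supplied by userspace.
 *
 * Takes a module reference on behalf of the entry (released by
 * del_from_chain()/free_fw_chain(), or right here if allocation fails),
 * copies the image, forces the "minimise cost" TOS bit convention and
 * zeroes the counters.  fw_viadev is NOT resolved here: the callers do that
 * under ip_fw_lock, preserving the original ordering.
 *
 * Returns 0 with *out set, or a positive errno (this file's convention)
 * with *out == NULL: EINVAL for a len that would overrun the entry,
 * ENOPROTOOPT while the module is unloading, ENOMEM on allocation failure.
 */
static int alloc_fw_rule(struct ip_fw *frwl, int len, struct ip_fw **out)
{
	struct ip_fw *rule;

	*out = NULL;

	/* check_ipfw_struct() already insists on len == sizeof(struct ip_fw),
	 * but never let a bad length overrun the fixed-size entry we copy into.
	 * Checked before try_module_get() so there is nothing to undo. */
	if (len < 0 || (size_t)len > sizeof(*rule))
		return EINVAL;

	/* Are we unloading now?  We will block on nf_unregister_sockopt */
	if (!try_module_get(THIS_MODULE))
		return ENOPROTOOPT;

	rule = kmalloc(sizeof(*rule), GFP_KERNEL);
	if (rule == NULL) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: malloc said no\n");
#endif
		/* Give back the reference taken above.  The original returned
		 * without doing so, leaving the module pinned forever after a
		 * single failed allocation. */
		module_put(THIS_MODULE);
		return ENOMEM;
	}

	memcpy(rule, frwl, len);

	/*
	 * Allow the more recent "minimise cost" flag to be
	 * set.  [Rob van Nieuwkerk]
	 */
	rule->fw_tosand |= 0x01;
	rule->fw_tosxor &= 0xFE;

	rule->fw_pcnt = 0L;
	rule->fw_bcnt = 0L;
	rule->fw_next = NULL;

	*out = rule;
	return 0;
}

/*
 * Resolve rule->fw_vianame into rule->fw_viadev.
 *
 * An empty name means "any interface" (NULL).  A name that does not
 * resolve is recorded as the (struct net_device *)-1 sentinel: it is
 * non-NULL, so the device comparison in the packet-check loop can never
 * match it, and the free paths know it holds no device reference.
 * Called with ip_fw_lock held for writing, as the original code did.
 */
static void resolve_fw_viadev(struct ip_fw *rule)
{
	if (rule->fw_vianame[0] == '\0') {
		rule->fw_viadev = NULL;
		return;
	}
	rule->fw_viadev = dev_get_by_name(rule->fw_vianame);
	if (rule->fw_viadev == NULL)
		rule->fw_viadev = (struct net_device *)-1;
}

/*
 * Prepend a rule to the head of *chainptr.
 *
 * frwl/len: rule image from userspace (len validated by check_ipfw_struct()).
 * Returns 0 on success or a positive errno from alloc_fw_rule().
 */
static int insert_in_chain(struct ip_fw *volatile* chainptr, struct ip_fw *frwl,int len)
{
	struct ip_fw *rule;
	int err;

	err = alloc_fw_rule(frwl, len, &rule);
	if (err)
		return err;

	WRITE_LOCK(&ip_fw_lock);
	resolve_fw_viadev(rule);
	rule->fw_next = *chainptr;
	*chainptr = rule;
	WRITE_UNLOCK(&ip_fw_lock);
	return 0;
}

/*
 * Append a rule to the tail of *chainptr.
 *
 * frwl/len: rule image from userspace (len validated by check_ipfw_struct()).
 * Returns 0 on success or a positive errno from alloc_fw_rule().
 */
static int append_to_chain(struct ip_fw *volatile* chainptr, struct ip_fw *frwl,int len)
{
	struct ip_fw *rule;
	struct ip_fw *volatile *linkp;
	int err;

	err = alloc_fw_rule(frwl, len, &rule);
	if (err)
		return err;

	WRITE_LOCK(&ip_fw_lock);
	resolve_fw_viadev(rule);
	/* Walk to the last fw_next slot (the head itself if the chain is empty). */
	for (linkp = chainptr; *linkp != NULL; linkp = &(*linkp)->fw_next)
		;
	*linkp = rule;
	WRITE_UNLOCK(&ip_fw_lock);
	return 0;
}

/*
 * Does chain entry `a` describe the same rule as user image `b`?
 *
 * Compared: source/destination addresses and masks, the via address, the
 * flag word, the port list (count, then contents, bounded by
 * IP_FW_MAX_PORTS) and the via device name.  Counters and the TOS
 * mask/xor are deliberately not compared, matching the original semantics.
 */
static int fw_rule_matches(const struct ip_fw *a, const struct ip_fw *b)
{
	unsigned short nports, i;

	if (a->fw_src.s_addr != b->fw_src.s_addr ||
	    a->fw_dst.s_addr != b->fw_dst.s_addr ||
	    a->fw_smsk.s_addr != b->fw_smsk.s_addr ||
	    a->fw_dmsk.s_addr != b->fw_dmsk.s_addr ||
	    a->fw_via.s_addr != b->fw_via.s_addr ||
	    a->fw_flg != b->fw_flg)
		return 0;

	nports = a->fw_nsp + a->fw_ndp;
	if (nports != (unsigned short)(b->fw_nsp + b->fw_ndp))
		return 0;
	for (i = 0; i < nports && i < IP_FW_MAX_PORTS; i++)
		if (a->fw_pts[i] != b->fw_pts[i])
			return 0;

	return strncmp(a->fw_vianame, b->fw_vianame, IFNAMSIZ) == 0;
}

/*
 * Remove the first entry of *chainptr that matches frwl (see fw_rule_matches).
 *
 * Returns 0 on success, or EINVAL (positive, as elsewhere in this file) if
 * the chain is empty or nothing matched.  The entry is unlinked under
 * ip_fw_lock; its device reference (absent for the -1 sentinel) and the
 * module reference taken at insertion are released once it is unreachable.
 */
static int del_from_chain(struct ip_fw *volatile*chainptr, struct ip_fw *frwl)
{
	struct ip_fw *volatile *linkp;
	struct ip_fw *victim = NULL;

	WRITE_LOCK(&ip_fw_lock);
	if (*chainptr == NULL) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: chain is empty\n");
#endif
		WRITE_UNLOCK(&ip_fw_lock);
		return EINVAL;
	}

	for (linkp = chainptr; *linkp != NULL; linkp = &(*linkp)->fw_next) {
		if (fw_rule_matches(*linkp, frwl)) {
			victim = *linkp;
			*linkp = victim->fw_next;
			break;
		}
	}
	WRITE_UNLOCK(&ip_fw_lock);

	if (victim == NULL)
		return EINVAL;

	if (victim->fw_viadev && victim->fw_viadev != (struct net_device *)-1)
		dev_put(victim->fw_viadev);
	kfree(victim);
	/* We will block in cleanup's unregister sockopt if unloaded,
	   so this is safe. */
	module_put(THIS_MODULE);
	return 0;
}

#endif /* CONFIG_IP_ACCT || CONFIG_IP_FIREWALL */

struct ip_fw *check_ipfw_struct(struct ip_fw *frwl, int len)
{
	if ( len != sizeof(struct ip_fw) )
	{
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: len=%d, want %d\n",len, sizeof(struct ip_fw));
#endif
		return(NULL);
	}

	if ( (frwl->fw_flg & ~IP_FW_F_MASK) != 0 )
	{
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: undefined flag bits set (flags=%x)\n", frwl->fw_flg);
#endif
		return(NULL);
	}

#ifndef CONFIG_IP_TRANSPARENT_PROXY
	if (frwl->fw_flg & IP_FW_F_REDIR)
	{
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: unsupported flag IP_FW_F_REDIR\n");
#endif
		return(NULL);
	}
#endif

#ifndef CONFIG_IP_MASQUERADE
	if (frwl->fw_flg & IP_FW_F_MASQ)
	{
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: unsupported flag IP_FW_F_MASQ\n");
#endif
		return(NULL);
	}
#endif

	if ( (frwl->fw_flg & IP_FW_F_SRNG) && frwl->fw_nsp < 2 )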