28 May, 2011
1 commit
-
Several networking headers were depending upon the implicit
linux/sysctl.h include they get when including linux/net.hAdd explicit includes.
Signed-off-by: David S. Miller
04 Apr, 2011
2 commits
-
ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
to an interface, but this flag cannot be set via struct flowi.Also, it cannot be set via ip6_route_output: this function uses the
passed sock struct to determine if this flag is required
(by testing for nonzero sk_bound_dev_if).Work around this by passing in an artificial struct sk in case
'strict' argument is true.This is required to replace the rt6_lookup call in xt_addrtype.c with
nf_afinfo->route().Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy -
This is required to eventually replace the rt6_lookup call in
xt_addrtype.c with nf_afinfo->route().Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy
18 Jan, 2011
2 commits
-
If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
packet is dropped.This adds a v2 target revision of xt_NFQUEUE that allows packets to
continue through the ruleset instead.Because the actual queueing happens outside of the target context, the
'bypass' flag has to be communicated back to the netfilter core.Unfortunately the only choice to do this without adding a new function
argument is to use the target function return value (i.e. the verdict).In the NF_QUEUE case, the upper 16bit already contain the queue number
to use. The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
we now have extra room for a new flag.If a hook issued a NF_QUEUE verdict, then the netfilter core will
continue packet processing if the queueing hook
returns -ESRCH (== "this queue does not exist") and the new
NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.Note: If the queue exists, but userspace does not consume packets fast
enough, the skb will still be dropped.Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy -
NF_VERDICT_MASK is currently 0xffff. This is because the upper
16 bits are used to store errno (for NF_DROP) or the queue number
(NF_QUEUE verdict).As there are up to 0xffff different queues available, there is no more
room to store additional flags.At the moment there are only 6 different verdicts, i.e. we can reduce
NF_VERDICT_MASK to 0xff to allow storing additional flags in the 0xff00 space.NF_VERDICT_BITS would then be reduced to 8, but because the value is
exported to userspace, this might cause breakage; e.g.:e.g. 'queuenr = (1 << NF_VERDICT_BITS) | NF_QUEUE' would now break.
Thus, remove NF_VERDICT_BITS usage in the kernel and move the old value
to the 'userspace compat' section.Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
13 Jan, 2011
1 commit
18 Nov, 2010
1 commit
-
SELinux would like to pass certain fatal errors back up the stack. This patch
implements the generic netfilter support for this functionality.Based-on-patch-by: Patrick McHardy
Signed-off-by: Eric Paris
Signed-off-by: David S. Miller
16 Nov, 2010
1 commit
-
Add some __rcu annotations and use helpers to reduce number of sparse
warnings (CONFIG_SPARSE_RCU_POINTER=y)Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
12 Nov, 2010
1 commit
-
The NF_HOOK_COND returns 0 when it shouldn't due to what I believe to be an
error in the code as the order of operations is not what was intended. C will
evalutate == before =. Which means ret is getting set to the bool result,
rather than the return value of the function call. The code saysif (ret = function() == 1)
when it meant to say:
if ((ret = function()) == 1)Normally the compiler would warn, but it doesn't notice it because its
a actually complex conditional and so the wrong code is wrapped in an explict
set of () [exactly what the compiler wants you to do if this was intentional].
Fixing this means that errors when netfilter denies a packet get propagated
back up the stack rather than lost.Problem introduced by commit 2249065f (netfilter: get rid of the grossness
in netfilter.h).Signed-off-by: Eric Paris
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
19 Feb, 2010
1 commit
-
Commit 2249065 ("netfilter: get rid of the grossness in netfilter.h")
inverted the logic for conditional hook invocation, breaking the
POST_ROUTING hook invoked by ip_output().Correct the logic and remove an unnecessary initialization.
Reported-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
15 Feb, 2010
2 commits
-
GCC is now smart enough to follow the inline trail correctly.
vmlinux size remain the same.Signed-off-by: Jan Engelhardt
-
No changes in vmlinux filesize.
Signed-off-by: Jan Engelhardt
02 Feb, 2010
1 commit
-
Ifdef out
struct nf_sockopt_ops::compat_set
struct nf_sockopt_ops::compat_get
struct xt_match::compat_from_user
struct xt_match::compat_to_user
struct xt_match::compatsize
to make structures smaller on COMPAT=n kernels.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
05 Nov, 2009
1 commit
-
This cleanup patch puts struct/union/enum opening braces,
in first line to ease grep games.struct something
{becomes :
struct something {
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
01 Oct, 2009
1 commit
-
This provides safety against negative optlen at the type
level instead of depending upon (sometimes non-trivial)
checks against this sprinkled all over the the place, in
each and every implementation.Based upon work done by Arjan van de Ven and feedback
from Linus Torvalds.Signed-off-by: David S. Miller
08 Oct, 2008
3 commits
-
Now that dev_net() exists, the usefullness of them is even less. Also they're
a big problem in resolving circular header dependencies necessary for
NOTRACK-in-netns patch. See below.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy -
The netfilter subsystem only supports a handful of protocols (much
less than PF_*) and even non-PF protocols like ARP and
pseudo-protocols like PF_BRIDGE. By creating NFPROTO_*, we can earn a
few memory savings on arrays that previously were always PF_MAX-sized
and keep the pseudo-protocols to ourselves.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
and (try to) consistently use u_int8_t for the L3 family.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
22 May, 2008
1 commit
-
Greg Steuck points out that some of the netfilter
headers can't be used in userspace without including linux/types.h
first. The headers include their own linux/types.h include statements,
these are stripped by make headers-install because they are inside
#ifdef __KERNEL__ however. Move them out to fix this.Reported and Tested by Greg Steuck.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Apr, 2008
2 commits
-
Move the UDP-Lite conntrack checksum validation to a generic helper
similar to nf_checksum() and make it fall back to nf_checksum()
in case the full packet is to be checksummed and hardware checksums
are available. This is to be used by DCCP conntrack, which also
needs to verify partial checksums.Signed-off-by: Patrick McHardy
-
Commit 9335f047fe61587ec82ff12fbb1220bcfdd32006 aka
"[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW"
added per-netns _view_ of iptables rules. They were shown to user, but
ignored by filtering code. Now that it's possible to at least ping loopback,
per-netns tables can affect filtering decisions.netns is taken in case of
PRE_ROUTING, LOCAL_IN -- from in device,
POST_ROUTING, LOCAL_OUT -- from out device,
FORWARD -- from in device which should be equal to out device's netns.
This code is relatively new, so BUG_ON was plugged.Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users
(overwhelming majority), b) consolidate code in one place -- similar
changes will be done in ipv6 and arp netfilter code.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
26 Mar, 2008
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
28 Feb, 2008
1 commit
-
Properly add parens around the macro argument. This is not needed by
the kernel but the macro is exported to userspace, so it shouldn't
make any assumptions.Also use NF_VERDICT_BITS instead of NF_VERDICT_QBTIS for the left-shift
since thats whats logically correct.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
20 Feb, 2008
1 commit
-
As reported by David Woodhouse , using u_int32_t
in struct nf_inet_addr breaks the busybox build. Fix by using __u32.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
15 commits
-
Extend union nf_inet_addr with struct in_addr and in6_addr. Useful
because a lot of in-kernel IPv4 and IPv6 functions use
in_addr/in6_addr.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
The conntracks subsystem has a similar infrastructure
to maintain ctl_paths, but since we already have it
on the generic level, I think it's OK to switch to
using it.So, basically, this patch just replaces the ctl_table-s
with ctl_path-s, nf_register_sysctl_table with
register_sysctl_paths() and removes no longer needed code.After this the net/netfilter/nf_sysctl.c file contains
the paths only.Signed-off-by: Pavel Emelyanov
Acked-by: Patrick McHardy
Signed-off-by: David S. Miller -
A few netfilter modules provide their own union of IPv4 and IPv6
address storage. Will unify that in this patch series.(1/4): Rename union nf_conntrack_address to union nf_inet_addr and
move it to x_tables.h.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
We need to use rcu_assign_pointer/rcu_dereference to avoid races.
Also remove an obsolete CONFIG_IP_NAT_NEEDED ifdef.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Move common fields for queue management to struct nf_info and rename it
to struct nf_queue_entry. The avoids one allocation/free per packet and
simplifies the code a bit.Alternatively we could add some private room at the tail, but since
all current users use identical structs this seems easier.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Remove the data pointer from struct nf_queue_handler. It has never been used
and is useless for the only handler that really matters, nfnetlink_queue,
since the handler is shared between all instances.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
nf_conntrack_h323 needs ip6_route_output for the call forwarding filter.
Add a ->route function to nf_afinfo and use that to avoid pulling in the
ipv6 module.Fix the #ifdef for the IPv6 code while I'm at it - the IPv6 support is
only needed when IPv6 conntrack is enabled.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Kill the defines again, convert to the new checksum helper names and
remove the dependency of NET_ACT_NAT on NETFILTER.Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This allows to get rid of the CONFIG_NETFILTER dependency of NET_ACT_NAT.
This patch redefines the old names to keep the noise low, the next patch
converts all users.Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
