20 Sep, 2013

1 commit

  • If local fragmentation is allowed, then ip_select_ident() and
    ip_select_ident_more() need to generate unique IDs to ensure
    correct defragmentation on the peer.

    For example, if IPsec (tunnel mode) has to encrypt large skbs
    that have local_df bit set, then all IP fragments that belonged
    to different ESP datagrams would have used the same identifier.
    If one of these IP fragments would get lost or reordered, then
    peer could possibly stitch together wrong IP fragments that did
    not belong to the same datagram. This would lead to a packet loss
    or data corruption.

    Signed-off-by: Ansis Atteka
    Signed-off-by: David S. Miller

    Ansis Atteka
     

17 Sep, 2013

5 commits

  • Instead of the netlink skb.

    Signed-off-by: Gao feng
    Signed-off-by: Pablo Neira Ayuso

    Gao feng
     
  • This fixes a serious bug affecting all hash types with a net element -
    specifically, if a CIDR value is deleted such that none of the same size
    exist any more, all larger (less-specific) values will then fail to
    match. Adding back any prefix with a CIDR equal to or more specific than
    the one deleted will fix it.

    Steps to reproduce:
    ipset -N test hash:net
    ipset -A test 1.1.0.0/16
    ipset -A test 2.2.2.0/24
    ipset -T test 1.1.1.1 #1.1.1.1 IS in set
    ipset -D test 2.2.2.0/24
    ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set

    This is due to the fact that the nets counter was unconditionally
    decremented prior to the iteration that shifts up the entries. Now, we
    first check if there is a proceeding entry and if not, decrement it and
    return. Otherwise, we proceed to iterate and then zero the last element,
    which, in most cases, will already be zero.

    Signed-off-by: Oliver Smith
    Signed-off-by: Jozsef Kadlecsik

    Oliver Smith
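A constructed model of the per-prefix-length bookkeeping this commit message describes, added here as an example and not ipset's own code; the struct names, the table layout (most-specific first, terminated by a zero count) and the `cidr_reachable` walk are assumptions made for illustration. It replays the reproducer above against the buggy and the fixed deletion.

```c
/* Constructed model (not ipset's code) of the hash:net prefix-length table:
 * entries are kept most-specific first, ending at the first zero count. */
#include <stdbool.h>
#include <string.h>
#define NETS_LEN 32
struct net_prefixes { unsigned char nets, cidr; };
struct htype { struct net_prefixes nets[NETS_LEN]; };

/* Account for one more element with prefix length cidr. */
static void add_cidr(struct htype *h, unsigned char cidr) {
    unsigned i, j;
    for (i = 0; i < NETS_LEN && h->nets[i].nets; i++) {
        if (h->nets[i].cidr == cidr) { h->nets[i].nets++; return; }
        if (h->nets[i].cidr < cidr) break;  /* insert before less-specific */
    }
    if (i == NETS_LEN) return;               /* table full */
    for (j = NETS_LEN - 1; j > i; j--) h->nets[j] = h->nets[j - 1];
    h->nets[i].cidr = cidr; h->nets[i].nets = 1;
}
/* Buggy: nets is decremented first, so the shift loop (which stops at a zero
 * count) never runs and a dead terminator hides every less-specific prefix. */
static void del_cidr_buggy(struct htype *h, unsigned char cidr) {
    unsigned i, j;
    for (i = 0; i < NETS_LEN - 1 && h->nets[i].cidr != cidr; i++) ;
    if (--h->nets[i].nets != 0) return;
    for (j = i; j < NETS_LEN - 1 && h->nets[j].nets; j++) h->nets[j] = h->nets[j + 1];
}
/* Fixed: decrement and return only while other elements of that length
 * remain; otherwise shift the tail up by one and zero the last slot. */
static void del_cidr_fixed(struct htype *h, unsigned char cidr) {
    unsigned i, j;
    for (i = 0; i < NETS_LEN - 1 && h->nets[i].cidr != cidr; i++) ;
    if (h->nets[i].nets > 1) { h->nets[i].nets--; return; }
    for (j = i; j < NETS_LEN - 1 && h->nets[j + 1].nets; j++) h->nets[j] = h->nets[j + 1];
    h->nets[j].nets = 0; h->nets[j].cidr = 0;
}
/* A lookup walks up to the terminator; a length behind a dead entry is never consulted. */
static bool cidr_reachable(const struct htype *h, unsigned char cidr) {
    for (unsigned i = 0; i < NETS_LEN && h->nets[i].nets; i++)
        if (h->nets[i].cidr == cidr) return true;
    return false;
}

/* Replay the reproducer: add /16 and /24, delete the /24, ask if /16 is still found. */
bool repro_16_reachable(bool fixed) {
    struct htype h; memset(&h, 0, sizeof h);
    add_cidr(&h, 16); add_cidr(&h, 24);
    if (fixed) del_cidr_fixed(&h, 24); else del_cidr_buggy(&h, 24);
    return cidr_reachable(&h, 16);
}
```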
     
  • This closes netfilter bugzilla #843, reported by Quentin Armitage.

    Signed-off-by: Jozsef Kadlecsik

    Jozsef Kadlecsik
     
  • The "nomatch" commandline flag should invert the matching at testing,
    similarly to the --return-nomatch flag of the "set" match of iptables.
    Until now it worked with the elements with "nomatch" flag only. From
    now on it works with elements without the flag too, i.e:

    # ipset n test hash:net
    # ipset a test 10.0.0.0/24 nomatch
    # ipset t test 10.0.0.1
    10.0.0.1 is NOT in set test.
    # ipset t test 10.0.0.1 nomatch
    10.0.0.1 is in set test.

    # ipset a test 192.168.0.0/24
    # ipset t test 192.168.0.1
    192.168.0.1 is in set test.
    # ipset t test 192.168.0.1 nomatch
    192.168.0.1 is NOT in set test.

    Before the patch the results were

    ...
    # ipset t test 192.168.0.1
    192.168.0.1 is in set test.
    # ipset t test 192.168.0.1 nomatch
    192.168.0.1 is in set test.

    Signed-off-by: Jozsef Kadlecsik

    Jozsef Kadlecsik
     
  • Signed-off-by: Jozsef Kadlecsik

    Jozsef Kadlecsik
     

06 Sep, 2013

1 commit

  • As reported by Randy Dunlap:

    ====================
    when CONFIG_IPV6=m
    and CONFIG_NETFILTER_XT_MATCH_SOCKET=y:

    net/built-in.o: In function `socket_mt6_v1_v2':
    xt_socket.c:(.text+0x51b55): undefined reference to `udp6_lib_lookup'
    net/built-in.o: In function `socket_mt_init':
    xt_socket.c:(.init.text+0x1ef8): undefined reference to `nf_defrag_ipv6_enable'
    ====================

    Like several other modules under net/netfilter/ we have to
    have a dependency "IPV6 disabled or set compatibly with this
    module" clause.

    Reported-by: Randy Dunlap
    Signed-off-by: David S. Miller

    David S. Miller
     

04 Sep, 2013

2 commits

  • In commit b396966c4 (netfilter: xt_TCPMSS: Fix missing fragmentation handling),
    I attempted to add safe fragment handling to xt_TCPMSS. However, Andy Padavan
    of Project N56U correctly points out that returning XT_CONTINUE in this
    function does not work. The callers (tcpmss_tg[46]) expect to receive a value
    of 0 in order to return XT_CONTINUE.

    Signed-off-by: Phil Oester
    Signed-off-by: Pablo Neira Ayuso

    Phil Oester
     
  • With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:

    [ 80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()

    The reason is that the conntrack template is set to confirmed before adding
    the extension and it is invalid to add extensions to already confirmed
    conntracks. Fix by adding the extensions before setting the conntrack to
    confirmed.

    Reported-by: Jesper Dangaard Brouer
    Signed-off-by: Patrick McHardy
    Acked-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

28 Aug, 2013

3 commits

  • net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_nfqueue_attach_expect':
    'helper' may be used uninitialized in this function

    It was only initialized in if CTA_EXPECT_HELP_NAME attribute was
    present, it must be NULL otherwise.

    Problem added recently in bd077937
    (netfilter: nfnetlink_queue: allow to attach expectations to conntracks).

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • Add a SYNPROXY for netfilter. The code is split into two parts, the synproxy
    core with common functions and an address family specific target.

    The SYNPROXY receives the connection request from the client, responds with
    a SYN/ACK containing a SYN cookie and announcing a zero window and checks
    whether the final ACK from the client contains a valid cookie.

    It then establishes a connection to the original destination and, if
    successful, sends a window update to the client with the window size
    announced by the server.

    Support for timestamps, SACK, window scaling and MSS options can be
    statically configured as target parameters if the features of the server
    are known. If timestamps are used, the timestamp value sent back to
    the client in the SYN/ACK will be different from the real timestamp of
    the server. In order to not break PAWS, the timestamps are translated in
    the direction server->client.

    Signed-off-by: Patrick McHardy
    Tested-by: Martin Topholm
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     
  • Split out sequence number adjustments from NAT and move them to the conntrack
    core to make them usable for SYN proxying. The sequence number adjustment
    information is moved to a separate extend. The extend is added to new
    conntracks when a NAT mapping is set up for a connection using a helper.

    As a side effect, this saves 24 bytes per connection with NAT in the common
    case that a connection does not have a helper assigned.

    Signed-off-by: Patrick McHardy
    Tested-by: Martin Topholm
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

21 Aug, 2013

1 commit

  • Conflicts:
    net/netfilter/nf_conntrack_proto_tcp.c

    The conflict had to do with overlapping changes dealing with
    fixing the use of an "s32" to hold the value returned by
    NAT_OFFSET().

    Pablo Neira Ayuso says:

    ====================
    The following batch contains Netfilter/IPVS updates for your net-next tree.
    More specifically, they are:

    * Trivial typo fix in xt_addrtype, from Phil Oester.

    * Remove net_ratelimit in the conntrack logging for consistency with other
    logging subsystem, from Patrick McHardy.

    * Remove unneeded includes from the recently added xt_connlabel support, from
    Florian Westphal.

    * Allow to update conntracks via nfqueue, don't need NFQA_CFG_F_CONNTRACK for
    this, from Florian Westphal.

    * Remove tproxy core, now that we have socket early demux, from Florian
    Westphal.

    * A couple of patches to refactor conntrack event reporting to save a good
    bunch of lines, from Florian Westphal.

    * Fix missing locking in NAT sequence adjustment, it did not manifest in
    any known bug so far, from Patrick McHardy.

    * Change sequence number adjustment variable to 32 bits, to delay the
    possible early overflow in long standing connections, also from Patrick.

    * Cosmetic cleanups for IPVS, from Dragos Foianu.

    * Fix possible null dereference in IPVS in the SH scheduler, from Daniel
    Borkmann.

    * Allow to attach conntrack expectations via nfqueue. Before this patch, you
    had to use ctnetlink instead, thus, we save the conntrack lookup.

    * Export xt_rpfilter and xt_HMARK header files, from Nicolas Dichtel.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

17 Aug, 2013

1 commit


13 Aug, 2013

2 commits


11 Aug, 2013

1 commit

  • Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observed any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).

    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network, the subsequent SYN retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so

    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0

    The fix is to only apply this check after td_maxwin is initialized.

    Reported-by: Michael Chan
    Signed-off-by: Yuchung Cheng
    Acked-by: Eric Dumazet
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: Pablo Neira Ayuso

    Yuchung Cheng
     

09 Aug, 2013

1 commit


07 Aug, 2013

1 commit


06 Aug, 2013

1 commit


05 Aug, 2013

2 commits


04 Aug, 2013

1 commit


01 Aug, 2013

7 commits


31 Jul, 2013

5 commits


28 Jul, 2013

1 commit


15 Jul, 2013

2 commits

  • commit 681f130f39e10 ("netfilter: xt_socket: add XT_SOCKET_NOWILDCARD
    flag") added a potential NULL dereference if an old iptables package
    uses v0 of the match.

    Fix this by removing the test on @info in fast path.

    IPv6 can remove the test as well, as it uses v1 or v2.

    Reported-by: Neal Cardwell
    Signed-off-by: Eric Dumazet
    Cc: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Eric Dumazet
     
  • nf_ct_expect_alloc leaves unset the expectation NAT fields. However,
    ctnetlink_exp_dump_expect expects them to be zeroed in case they are
    not used, which may not be the case. This results in dumping the NAT
    tuple of the expectation when it should not.

    Fix it by zeroing the NAT fields of the expectation.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

04 Jul, 2013

1 commit

  • Conflicts:
    drivers/net/ethernet/freescale/fec_main.c
    drivers/net/ethernet/renesas/sh_eth.c
    net/ipv4/gre.c

    The GRE conflict is between a bug fix (kfree_skb --> kfree_skb_list)
    and the splitting of the gre.c code into separate files.

    The FEC conflict was two sets of changes adding ethtool support code
    in an "!CONFIG_M5272" CPP protected block.

    Finally the sh_eth.c conflict was between one commit adding bits set
    in the .eesr_err_check mask whilst another commit removed the
    .tx_error_check member and assignments.

    Signed-off-by: David S. Miller

    David S. Miller
     

01 Jul, 2013

1 commit

  • The common case is that TCP/IP checksums have already been
    verified, e.g. by hardware (rx checksum offload), or conntrack.

    Userspace can use this flag to determine when the checksum
    has not been validated yet.

    If the flag is set, this doesn't necessarily mean that the packet has
    an invalid checksum, e.g. if NIC doesn't support rx checksum.

    Userspace that successfully enabled NFQA_CFG_F_GSO queue feature flag can
    infer that IP/TCP checksum has already been validated if either the
    SKB_INFO attribute is not present or the NFQA_SKB_CSUM_NOTVERIFIED
    flag is unset.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal