12 May, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
25 Mar, 2010
4 commits
-
The return value of nf_ct_l3proto_get can directly be returned even in
the case of success.Signed-off-by: Jan Engelhardt
-
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.Signed-off-by: Jan Engelhardt
-
Part of the transition of done by this semantic patch:
//
@ rule1 @
struct xt_target ops;
identifier check;
@@
ops.checkentry = check;@@
identifier rule1.check;
@@
check(...) { }@@
identifier rule1.check;
@@
check(...) { }
//Signed-off-by: Jan Engelhardt
-
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_tgchk_param *par) { ... }
//Minus the change it does to xt_ct_find_proto.
Signed-off-by: Jan Engelhardt
18 Mar, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
08 Oct, 2008
6 commits
-
Using ->family in struct xt_*_param, multiple struct xt_{match,target}
can be squashed together.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This patch does this for target extensions' destroy functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This patch does this for target extensions' checkentry functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This patch does this for target extensions' target functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This is cleaner, we already know conntrack to which event is relevant.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
10 Jun, 2008
1 commit
-
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.Signed-off-by: James Morris
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Apr, 2008
1 commit
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
29 Jan, 2008
4 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Use %u format specifiers as ->family is unsigned.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
This patch adds support for James Morris' connsecmark.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Give all Netfilter modules consistent and unique symbol names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
30 Nov, 2007
1 commit
-
Fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK
When xt_CONNMARK is used outside the mangle table and the user specified
"--restore-mark", the connmark_tg_check() function will (correctly)
error out, but (incorrectly) forgets to release the L3 conntrack module.
Same for xt_CONNSECMARK.Fix is to move the call to acquire the L3 module after the basic
constraint checks.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
3 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Make a number of variables const and/or remove unneeded casts.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the return type of target checkentry functions to boolean.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
Remove the obsolete IPv4 only connection tracking/NAT as scheduled in
feature-removal-schedule.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
09 Feb, 2007
1 commit
-
Remove unnecessary if() constructs before assignment.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Dec, 2006
1 commit
-
CLUSTERIP, CONNMARK, CONNSECMARK, and connbytes need ip_conntrack or
layer 3 protocol module of nf_conntrack.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
23 Sep, 2006
4 commits
-
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
The size is verified by x_tables and isn't needed by the modules anymore.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
18 Jun, 2006
1 commit
-
Add a new xtables target, CONNSECMARK, which is used to specify rules
for copying security marks from packets to connections, and for
copyying security marks back from connections to packets. This is
similar to the CONNMARK target, but is more limited in scope in that
it only allows copying of security marks to and from packets, as this
is all it needs to do.A typical scenario would be to apply a security mark to a 'new' packet
with SECMARK, then copy that to its conntrack via CONNMARK, and then
restore the security mark from the connection to established and
related packets on that connection.Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller