16 Feb, 2006
2 commits
-
Locally generated ICMPv6 errors should be associated with the conntrack
of the original packet. Since the conntrack entry may not be in the hash
tables (for the first packet), it must be manually attached.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
TCP RSTs generated by the REJECT target should be associated with the
conntrack of the original TCP packet. Since the conntrack entry is
usually not is the hash tables, it must be manually attached.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Feb, 2006
1 commit
-
Signed-off-by: Nicolas DICHTEL
Signed-off-by: David S. Miller
09 Feb, 2006
1 commit
-
If you set network interface down and up again, the IPv6 address
autoconfiguration does not work. 'ip addr' shows that the link-local
address is in tentative state. We don't even react to periodical router
advertisements.During NETDEV_DOWN we clear IF_READY, and we don't set it back in
NETDEV_UP. While starting to perform DAD on the link-local address, we
notice that the device is not in IF_READY, and we abort autoconfiguration
process (which would eventually send router solicitations).Acked-by: Juha-Matti Tapio
Acked-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
08 Feb, 2006
2 commits
-
Signed-off-by: Al Viro
-
A bunch of asm/bug.h includes are both not needed (since it will get
pulled anyway) and bogus (since they are done too early). Removed.Signed-off-by: Al Viro
06 Feb, 2006
2 commits
-
percpu_data blindly allocates bootmem memory to store NR_CPUS instances of
cpudata, instead of allocating memory only for possible cpus.As a preparation for changing that, we need to convert various 0 -> NR_CPUS
loops to use for_each_cpu().(The above only applies to users of asm-generic/percpu.h. powerpc has gone it
alone and is presently only allocating memory for present CPUs, so it's
currently corrupting memory).Signed-off-by: Eric Dumazet
Cc: "David S. Miller"
Cc: James Bottomley
Acked-by: Ingo Molnar
Cc: Jens Axboe
Cc: Anton Blanchard
Acked-by: William Irwin
Cc: Andi Kleen
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
05 Feb, 2006
4 commits
-
The IPv4 and IPv6 version of the policy match are identical besides address
comparison and the data structure used for userspace communication. Unify
the data structures to break compatiblity now (before it is released), so
we can port it to x_tables in 2.6.17.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
the address comparisonSigned-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user(). In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above. Either is
sufficient to overwrite arbitrary amounts of kernel memory.I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...Found by Solar Designer during security audit of OpenVZ.org
Signed-Off-By: Kirill Korotaev
Signed-Off-By: Solar Designer
Signed-off-by: Patrck McHardy
Signed-off-by: David S. Miller
03 Feb, 2006
2 commits
-
On Tue, Jan 31, 2006 at 10:24:32PM +0100, Ingo Molnar wrote:
>
> [] _write_lock+0x8/0x10
> [] inet6_destroy_sock+0x25/0x100
> [] tcp_v6_destroy_sock+0x12/0x20
> [] inet_csk_destroy_sock+0x4a/0x150
> [] tcp_rcv_state_process+0xd4c/0xdd0
> [] tcp_v4_do_rcv+0xa9/0x340
> [] tcp_v4_rcv+0x8eb/0x9d0OK this is definitely broken. We should never touch the dst lock in
softirq context. Since inet6_destroy_sock may be called from that
context due to the asynchronous nature of sockets, we can't take the
lock there.In fact this sk_dst_reset is totally redundant since all IPv6 sockets
use inet_sock_destruct as their socket destructor which always cleans
up the dst anyway. So the solution is to simply remove the call.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Currently the logic in ipv6_ifa_notify is to hold an extra reference
count for addrconf dst's that get added to the routing table. Thus,
when addrconf dst entries are taken out of the routing table, we need
to drop that dst. However, addrconf dst entries may be removed from
the routing table by means other than __ipv6_ifa_notify.So we're faced with the choice of either fixing up all places where
addrconf dst entries are removed, or dropping the extra reference count
altogether.I chose the latter because the ifp itself always holds a dst reference
count of 1 while it's alive. This is dropped just before we kfree the
ifp object. Therefore we know that in __ipv6_ifa_notify we will always
hold that count.This bug was found by Eric W. Biederman.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
01 Feb, 2006
1 commit
-
This patch fix dst reference counting in tcp_v6_send_synack
Analysis:
Currently tcp_v6_send_synack is never called with a dst entry
so dst always comes in as NULL.ip6_dst_lookup calls ip6_route_output which calls dst_hold
before it returns the dst entry. Neither xfrm_lookup
nor tcp_make_synack consume the dst entry so we still have
a dst_entry with a bumped refrence count at the end of
this function.Therefore we need to call dst_release just before we return
just like tcp_v4_send_synack does.Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
25 Jan, 2006
1 commit
-
The following patch fixes these problems in MLDv2:
1) Add/remove "delete" records for sending change reports when
addition of a filter results in that filter transitioning to/from
inactive. [same as recent IPv4 IGMPv3 fix]
2) Remove 2 redundant "group_type" checks (can't be IPV6_ADDR_ANY
within that loop, so checks are always true)
3) change an is_in() "return 0" to "return type == MLD2_MODE_IS_INCLUDE".
It should always be "0" to get here, but it improves code locality
to not assume it, and if some race allowed otherwise, doing
the check would return the correct result.Signed-off-by: David L Stevens
Signed-off-by: David S. Miller
17 Jan, 2006
4 commits
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller -
These are replaced with x_tables matches and no longer exist.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller -
ip[6]t_policy argument conversion slipped when merging with x_tables
Signed-off-by: Benoit Boissinot
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller -
Procfs always output IPV6 addresses without the colon
characters, and we cannot change that.Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
14 Jan, 2006
2 commits
-
When the source address of a tunnel is given as 0.0.0.0 do a routing lookup
to get the real source address for the destination and fill that into the
acquire message. This allows to specify policies like this:spdadd 172.16.128.13/32 172.16.0.0/20 any -P out ipsec
esp/tunnel/0.0.0.0-x.x.x.x/require;
spdadd 172.16.0.0/20 172.16.128.13/32 any -P in ipsec
esp/tunnel/x.x.x.x-0.0.0.0/require;Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
There are errors and inconsistency in the display of NIP6 strings.
ie: net/ipv6/ip6_flowlabel.cThere are errors and inconsistency in the display of NIPQUAD strings too.
ie: net/netfilter/nf_conntrack_ftp.cThis patch:
adds NIP6_FMT to kernel.h
changes all code to use NIP6_FMT
fixes net/ipv6/ip6_flowlabel.c
adds NIPQUAD_FMT to kernel.h
fixes net/netfilter/nf_conntrack_ftp.c
changes a few uses of "%u.%u.%u.%u" to NIPQUAD_FMT for symmetry to NIP6_FMTSigned-off-by: Joe Perches
Signed-off-by: David S. Miller
13 Jan, 2006
1 commit
-
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headersBased on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
12 Jan, 2006
4 commits
-
net: Use where capable() is used.
Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This removes more unneeded casts on the return value for kmalloc(),
sock_kmalloc(), and vmalloc().Signed-off-by: Kris Katterjohn
Acked-by: James Morris
Signed-off-by: David S. Miller -
The ip6_xmit() function now assumes that its sk argument is non-NULL,
which isn't currently true when TCPv6 code is sending RST or ACK
packets. This fixes that code to use a socket of its own for sending
such packets, as TCPv4 does. (Thanks Andi for the pointer).Signed-off-by: David Woodhouse
Signed-off-by: David S. Miller -
For compare_ether_addr()
Signed-off-by: David S. Miller
11 Jan, 2006
4 commits
-
Also, drop __exit marker from ipv6_netfilter_fini() as this
can be invoked from inet6_init() error handling paths.Based upon a report from Stephen Hemminger.
Signed-off-by: David S. Miller
-
The connection tracking timeout variables are unsigned long, but
proc_dointvec_jiffies is used with sizeof(unsigned int) in the sysctl
tables. Since there is no proc_doulongvec_jiffies function, change the
timeout variables to unsigned int.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Don't wrap entire file in #ifdef CONFIG_NETFILTER, remove a few
unneccessary includes.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
This changes some memcmp(one,two,ETH_ALEN) to compare_ether_addr(one,two).
Signed-off-by: Kris Katterjohn
Signed-off-by: David S. Miller
10 Jan, 2006
2 commits
-
Set skb->priority = sk->sk_priority as in raw.c and IPv4.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
09 Jan, 2006
1 commit
-
__alloc_percpu and alloc_percpu both take an 'align' argument which is
completely ignored. snmp6_mib_init() in net/ipv6/af_inet6.c attempts to use
it, but it will be ignored. Therefore, remove the 'align' argument and fixup
the lone caller.Signed-off-by: Matthew Dobson
Acked-by: Manfred Spraul
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 Jan, 2006
6 commits
-
This patch contains the following cleanups:
- addrconf.c: make addrconf_dad_stop() static
- inet6_connection_sock.c should #include
for getting the prototypes of it's global functionsSigned-off-by: Adrian Bunk
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
ip_route_me_harder doesn't use the port numbers of the xfrm lookup and
uses ip_route_input for non-local addresses which doesn't do a xfrm
lookup, ip6_route_me_harder doesn't do a xfrm lookup at all.Use xfrm_decode_session and do the lookup manually, make sure both
only do the lookup if the packet hasn't been transformed already.Makeing sure the lookup only happens once needs a new field in the
IP6CB, which exceeds the size of skb->cb. The size of skb->cb is
increased to 48b. Apparently the IPv6 mobile extensions need some
more room anyway.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Reset IPSKB_XFRM_TUNNEL_SIZE flags in ipip and ip_gre hard_start_xmit
function before the packet reenters IP. This is neccessary so the
encapsulated packets are checked not to be oversized in xfrm4_output.c
again. Reset all flags in sit when a packet changes its address family.Also remove some obsolete IPSKB flags.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
When the innermost transform uses transport mode the decapsulated packet
is not visible to netfilter. Pass the packet through the PRE_ROUTING and
LOCAL_IN hooks again before handing it to upper layer protocols to make
netfilter-visibility symetrical to the output path.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Move nextheader offset to the IP6CB to make it possible to pass a
packet to ip6_input_finish multiple times and have it skip already
parsed headers. As a nice side effect this gets rid of the manual
hopopts skipping in ip6_input_finish.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
