05 May, 2008
2 commits
-
This actually had to be merged with the patch #1, but I decided not to
mix two changes in one patch.

There are already two calls to free_netdev() in there, so merge them
into one.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
In case the register_netdevice() call fails the device is leaked,
since the out: label is just rtnl_unlock()+return.

Free the device.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
03 May, 2008
2 commits
-
The forwarding table binary interface (my bad choice), only exposes
the port number of the first 8 bits. The bridge code was limited to
256 ports at the time, but now the kernel supports up to 1024 ports, so
the upper bits are lost when doing:
    brctl showmacs

The fix is to squeeze the extra bits into small hole left in data
structure, to maintain binary compatibility.
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
Signed-off-by: Harvey Harrison
Signed-off-by: David S. Miller
29 Apr, 2008
2 commits
-
There is a race condition when unloading bridge and netfilter.
The problem happens if __fake_rtable is in use by a skb
coming in, while someone starts to unload bridge.ko.
br_netfilter_fini() is called at the beginning of unload
in br_deinit() while skbs still are being forwarded and
transferred to local ip stack. Thus there is a possibility
of the __fake_rtable pointer not being removed in a skb that
goes up to ip stack. This results in a kernel panic, as
ip_rcv() calls the input-function of __fake_rtable, which
is NULL.

Moving the call of br_netfilter_fini() to the end of
br_deinit() solves the problem.
Signed-off-by: Bodo Stroesser
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
When device is added to bridge its refcnt is incremented (in new_nbp()), but if
error occurs during further br_add_if() operations this counter is not
decremented back. Fix it by adding dev_put() call in the error path.
Signed-off-by: Volodymyr G Lukiianyk
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
14 Apr, 2008
5 commits
-
Conflicts:
drivers/net/ehea/ehea_main.c
drivers/net/wireless/iwlwifi/Kconfig
drivers/net/wireless/rt2x00/rt61pci.c
net/ipv4/inet_timewait_sock.c
net/ipv6/raw.c
net/mac80211/ieee80211_sta.c
-
This patch adds the ebtables nflog watcher to the kernel in order to
allow ebtables log through the nfnetlink_log backend.
Signed-off-by: Peter Warasin
Signed-off-by: Patrick McHardy
-
Signed-off-by: Robert P. J. Day
Signed-off-by: Patrick McHardy
-
The bridge netfilter code attaches a fake dst_entry with a pointer to a
fake net_device structure to skbs it passes up to IPv4 netfilter. This
leads to crashes when the skb is passed to __ip_route_output_key when
dereferencing the namespace pointer.

Since bridging can currently only operate in the init_net namespace,
the easiest fix for now is to initialize the nd_net pointer of the
fake net_device struct to &init_net.

Should fix bugzilla 10323: http://bugzilla.kernel.org/show_bug.cgi?id=10323
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Mar, 2008
2 commits
-
Introduce per-sock inlines: sock_net(), sock_net_set()
and per-inet_timewait_sock inlines: twsk_net(), twsk_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.
Signed-off-by: YOSHIFUJI Hideaki
-
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.
Signed-off-by: YOSHIFUJI Hideaki
21 Mar, 2008
2 commits
-
In br_fdb_cleanup() next_timer and this_timer are in jiffies, so they
should be compared using the time_after() macro.
Signed-off-by: Fabio Checconi
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
06 Mar, 2008
2 commits
-
__FUNCTION__ is gcc-specific, use __func__
Signed-off-by: Harvey Harrison
Signed-off-by: David S. Miller
-
(Anonymous) unions can help us to avoid ugly casts.
A common cast is the (struct rtable *)skb->dst one.
Defining a union like:
    union {
        struct dst_entry *dst;
        struct rtable *rtable;
    };
permits to use skb->rtable in place.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
24 Feb, 2008
1 commit
-
The function ebt_do_table doesn't take NF_DROP as a verdict from the targets.
Signed-off-by: Joonwoo Park
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
20 Feb, 2008
1 commit
-
http://bugzilla.kernel.org/show_bug.cgi?id=9920
The function skb_make_writable returns true or false.
Signed-off-by: Joonwoo Park
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2008
4 commits
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Update the MODULES_DESCRIPTION() tags for all Ebtables modules.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Before the removal of the deferred output hooks, netoutdev was used in
case of VLANs on top of a bridge to store the VLAN device, so the
deferred hooks would see the correct output device. This isn't
necessary anymore since we're calling the output hooks for the correct
device directly in the IP stack.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
13 commits
-
Needed to propagate it down to the ip_route_output_flow.
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
Create a specific helper for netlink kernel socket disposal. This just
lets the code look better and provides a ground for proper disposal
inside a namespace.
Signed-off-by: Denis V. Lunev
Tested-by: Alexey Dobriyan
Signed-off-by: David S. Miller
-
In net/bridge/netfilter/ebtables.c,
- remove unused include of a header file (linux/tty.h) and remove the
corresponding comment above it.
Signed-off-by: Rami Rosen
Signed-off-by: David S. Miller
-
Remove two unused macros, INV_FLAG and SET_BITMASK
from net/bridge/netfilter/ebt_vlan.c.
Signed-off-by: Rami Rosen
Signed-off-by: David S. Miller
-
This patch includes many places, that only required
replacing the ctl_table-s with appropriate ctl_paths
and call register_sysctl_paths().

Nothing special was done with them.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.

Defaults to 'y' to avoid breaking current configurations.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
After this patch none of the netlink callback support anything
except the initial network namespace but the rtnetlink infrastructure
now handles multiple network namespaces.

Changes from v2:
- IPv6 addrlabel processing

Changes from v1:
- no need for special rtnl_unlock handling
- fixed IPv6 ndisc
Signed-off-by: Denis V. Lunev
Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
-
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnetlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.

Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev
Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
Signed-off-by: Herbert Xu
-
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.
Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
25 Jan, 2008
3 commits
-
There is no need for kobject_unregister() anymore, thanks to Kay's
kobject cleanup changes, so replace all instances of it with
kobject_put().
Cc: Kay Sievers
Signed-off-by: Greg Kroah-Hartman
-
This converts the code to use the new kobject functions, cleaning up the
logic in doing so.
Cc: Stephen Hemminger
Cc: Kay Sievers
Signed-off-by: Greg Kroah-Hartman
-
The kobject in the bridge code is only used for registering with sysfs,
not for any lifespan rules. This patch changes it to be only a pointer
and use the simpler api for this kind of thing.
Cc: Stephen Hemminger
Cc: Kay Sievers
Signed-off-by: Greg Kroah-Hartman
21 Jan, 2008
1 commit
-
When packets are flood-forwarded to multiple output devices, the
bridge-netfilter code reuses skb->nf_bridge for each clone to store
the bridge port. When queueing packets using NFQUEUE netfilter takes
a reference to skb->nf_bridge->physoutdev, which is overwritten
when the packet is forwarded to the second port. This causes
refcount underflows for the first device and refcount leaks for all
others. Additionally this provides incorrect data to the iptables
physdev match.

Unshare skb->nf_bridge by copying it if it is shared before assigning
the physoutdev device.

Reported, tested and based on initial patch by
Jan Christoph Nordholz.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller