27 Dec, 2019

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter fixes for net

    The following patchset contains Netfilter fixes for net:

    1) Fix endianness issue in flowtable TCP flags dissector,
    from Arnd Bergmann.

    2) Extend flowtable test script with dnat rules, from Florian Westphal.

    3) Reject padding in ebtables user entries and validate computed user
    offset, reported by syzbot, from Florian Westphal.

    4) Fix endianness in nft_tproxy, from Phil Sutter.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

20 Dec, 2019

1 commit

  • On Big Endian architectures, u16 port value was extracted from the wrong
    parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter:
    nf_tables: fix mismatch in big-endian system") describes.

    Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support")
    Signed-off-by: Phil Sutter
    Acked-by: Florian Westphal
    Acked-by: Máté Eckl
    Signed-off-by: Pablo Neira Ayuso

    Phil Sutter
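To make the Big Endian mismatch the commit describes concrete, here is an added example (not kernel code and not part of the commit): it models a u32 nft register that holds a __be16 port in its first two bytes and compares a memory load of those bytes with the pre-fix pattern of truncating the register's 32-bit value. The register contents are constructed; the helper names nft_reg_store16()/nft_reg_load16()/nft_reg_load_be16() mentioned in the comments come from the kernel tree, not from this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code.  An nft register is a u32 slot; a 16-bit
 * value such as a port is stored into its first two bytes in memory (the
 * kernel's nft_reg_store16() does this).  The register below is a constructed
 * sample holding port 8080 (0x1F90) in network byte order. */
static const uint8_t sample_reg[4] = { 0x1F, 0x90, 0x00, 0x00 };

/* Interpret the 4 register bytes as the u32 a host of the given byte order
 * would see when it reads regs->data[sreg] as a value. */
static uint32_t reg_as_u32(const uint8_t b[4], int big_endian)
{
	if (big_endian)
		return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
		       ((uint32_t)b[2] << 8)  | b[3];
	return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
	       ((uint32_t)b[1] << 8)  | b[0];
}

/* Correct: read the __be16 from the register's first two bytes, as the
 * memory-based nft_reg_load16()/nft_reg_load_be16() helpers do, then apply
 * ntohs().  The result does not depend on host byte order. */
static uint16_t port_from_memory_load(const uint8_t reg[4])
{
	return (uint16_t)(((uint16_t)reg[0] << 8) | reg[1]);
}

/* Buggy pre-fix pattern: take the register's u32 *value*, truncate it to
 * 16 bits and treat that as a __be16.  The truncated u16 sits in memory in
 * host order, so model its byte layout before applying ntohs(). */
static uint16_t port_from_truncation(const uint8_t reg[4], int big_endian)
{
	uint16_t t = (uint16_t)reg_as_u32(reg, big_endian);  /* low 16 bits of the value */
	uint8_t first  = big_endian ? (uint8_t)(t >> 8)   : (uint8_t)(t & 0xff);
	uint8_t second = big_endian ? (uint8_t)(t & 0xff) : (uint8_t)(t >> 8);
	return (uint16_t)(((uint16_t)first << 8) | second);
}

int main(void)
{
	printf("memory load                  : %u\n", port_from_memory_load(sample_reg));
	printf("truncation, little-endian host: %u\n", port_from_truncation(sample_reg, 0));
	printf("truncation, big-endian host   : %u\n", port_from_truncation(sample_reg, 1));
	return 0;
}
```

On a little-endian host both paths yield 8080, which is why the bug went unnoticed there; on a big-endian host the truncation path reads the upper, zeroed half of the register and yields port 0. Loading through the register's memory is the only representation that agrees with how the 16-bit value was stored.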
     

10 Dec, 2019

1 commit

  • Replace all the occurrences of FIELD_SIZEOF() with sizeof_field() except
    at places where these are defined. Later patches will remove the unused
    definition of FIELD_SIZEOF().

    This patch is generated using following script:

    EXCLUDE_FILES="include/linux/stddef.h|include/linux/kernel.h"

    git grep -l -e "\bFIELD_SIZEOF\b" | while read file;
    do
        if [[ "$file" =~ $EXCLUDE_FILES ]]; then
            continue
        fi
        sed -i -e 's/\bFIELD_SIZEOF\b/sizeof_field/g' "$file";
    done

    Signed-off-by: Pankaj Bharadiya
    Link: https://lore.kernel.org/r/20190924105839.110713-3-pankaj.laxminarayan.bharadiya@intel.com
    Co-developed-by: Kees Cook
    Signed-off-by: Kees Cook
    Acked-by: David Miller # for net

    Pankaj Bharadiya
     

17 Aug, 2018

1 commit

  • This patch fixes a warning reported by the kbuild test robot (from linux-next
    tree):
    net/netfilter/nft_tproxy.c: In function 'nft_tproxy_eval_v6':
    >> net/netfilter/nft_tproxy.c:85:9: warning: missing braces around initializer [-Wmissing-braces]
    struct in6_addr taddr = {0};
    ^
    net/netfilter/nft_tproxy.c:85:9: warning: (near initialization for 'taddr.in6_u') [-Wmissing-braces]

    This warning is actually caused by a gcc bug already resolved in newer
    versions (kbuild used 4.9) so this kind of initialization is omitted and
    memset is used instead.

    Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
    Signed-off-by: Máté Eckl
    Signed-off-by: Pablo Neira Ayuso

    Máté Eckl
     

04 Aug, 2018

1 commit

  • A config check was missing from the code when using
    nf_defrag_ipv6_enable with NFT_TPROXY != n and NF_DEFRAG_IPV6 = n and
    this caused the following error:

    ../net/netfilter/nft_tproxy.c: In function 'nft_tproxy_init':
    ../net/netfilter/nft_tproxy.c:237:3: error: implicit declaration of function
    +'nf_defrag_ipv6_enable' [-Werror=implicit-function-declaration]
    err = nf_defrag_ipv6_enable(ctx->net);

    This patch adds a check for NF_TABLES_IPV6 when NF_DEFRAG_IPV6 is
    selected by Kconfig.

    Reported-by: Randy Dunlap
    Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
    Signed-off-by: Máté Eckl
    Acked-by: Randy Dunlap
    Signed-off-by: Pablo Neira Ayuso

    Máté Eckl
     

30 Jul, 2018

1 commit

  • A great portion of the code is taken from xt_TPROXY.c

    There are some changes compared to the iptables implementation:
    - tproxy statement is not terminal here
    - Either address or port has to be specified, but at least one of them
    is necessary. If one of them is not specified, the evaluation will be
    performed with the original attribute of the packet (i.e. target port
    is not specified => the packet's dport will be used).

    To make this work in inet tables, the tproxy structure has a family
    member (typically called priv->family) which is not necessarily equal to
    ctx->family.

    priv->family can have three values legally:
    - NFPROTO_IPV4 if the table family is ip OR if table family is inet,
    but an ipv4 address is specified as a target address. The rule only
    evaluates ipv4 packets in this case.
    - NFPROTO_IPV6 if the table family is ip6 OR if table family is inet,
    but an ipv6 address is specified as a target address. The rule only
    evaluates ipv6 packets in this case.
    - NFPROTO_UNSPEC if the table family is inet AND if only the port is
    specified. The rule will evaluate both ipv4 and ipv6 packets.

    Signed-off-by: Máté Eckl
    Signed-off-by: Pablo Neira Ayuso

    Máté Eckl
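As an added example (not the kernel's nft_tproxy.c and not part of the commit above), the following C models the three legal priv->family values described in the commit message, the packets each of them evaluates, and the rule that an unspecified target port falls back to the packet's own dport. The NFPROTO_* values are the kernel's; the function names, the TPROXY_EINVAL error code and the rejection of every combination the commit message does not list as legal are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code.  Values mirror the kernel's NFPROTO_*
 * constants; everything else here is the example's own modelling. */
enum nfproto {
	NFPROTO_UNSPEC = 0,
	NFPROTO_INET   = 1,
	NFPROTO_IPV4   = 2,
	NFPROTO_IPV6   = 10,
};

#define TPROXY_EINVAL (-1)  /* example's own error code (the kernel returns -errno) */

/* Rule-load time.  table_family is ctx->family.  addr_family is the family
 * of the target address when one is given, NFPROTO_UNSPEC when only a port
 * is given.  Returns the priv->family to store, or TPROXY_EINVAL for a
 * combination the commit message does not list as legal (assumption: those
 * are rejected). */
static int tproxy_select_family(enum nfproto table_family, bool have_addr,
				enum nfproto addr_family, bool have_port)
{
	/* Either address or port may be omitted, but not both. */
	if (!have_addr && !have_port)
		return TPROXY_EINVAL;

	switch (table_family) {
	case NFPROTO_IPV4:
	case NFPROTO_IPV6:
		/* ip / ip6 table: an address, if given, must match the table. */
		if (have_addr && addr_family != table_family)
			return TPROXY_EINVAL;
		return table_family;
	case NFPROTO_INET:
		/* inet table: port only -> both v4 and v6; an address narrows it. */
		if (!have_addr)
			return NFPROTO_UNSPEC;
		if (addr_family == NFPROTO_IPV4 || addr_family == NFPROTO_IPV6)
			return addr_family;
		return TPROXY_EINVAL;
	default:
		return TPROXY_EINVAL;
	}
}

/* Packet time: does a rule whose priv->family is rule_family evaluate a
 * packet whose L3 family is pkt_family? */
static bool tproxy_evaluates(int rule_family, enum nfproto pkt_family)
{
	if (rule_family == NFPROTO_UNSPEC)
		return pkt_family == NFPROTO_IPV4 || pkt_family == NFPROTO_IPV6;
	return rule_family == (int)pkt_family;
}

/* Port fallback: an unspecified target port means the packet's own dport. */
static uint16_t tproxy_target_port(uint16_t pkt_dport, bool have_port, uint16_t port)
{
	return have_port ? port : pkt_dport;
}

int main(void)
{
	int fam = tproxy_select_family(NFPROTO_INET, false, NFPROTO_UNSPEC, true);
	printf("inet table, port only  -> family %d, evaluates v6: %s\n",
	       fam, tproxy_evaluates(fam, NFPROTO_IPV6) ? "yes" : "no");
	fam = tproxy_select_family(NFPROTO_INET, true, NFPROTO_IPV4, false);
	printf("inet table, v4 address -> family %d, evaluates v6: %s\n",
	       fam, tproxy_evaluates(fam, NFPROTO_IPV6) ? "yes" : "no");
	printf("ip table, v6 address   -> %d (rejected)\n",
	       tproxy_select_family(NFPROTO_IPV4, true, NFPROTO_IPV6, false));
	printf("no target port, packet dport 443 -> %u\n",
	       tproxy_target_port(443, false, 0));
	return 0;
}
```

The split between a load-time decision (tproxy_select_family) and a per-packet check (tproxy_evaluates) mirrors why priv->family has to exist separately from ctx->family: in an inet table the table family alone does not say which packets the statement applies to.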