05 Feb, 2006
3 commits
-
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user(). In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above. Either is
sufficient to overwrite arbitrary amounts of kernel memory.I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...Found by Solar Designer during security audit of OpenVZ.org
Signed-Off-By: Kirill Korotaev
Signed-Off-By: Solar Designer
Signed-off-by: Patrck McHardy
Signed-off-by: David S. Miller -
The skb allocated is always of size nlbufsize, even if that is smaller than
the size needed for the current packet.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Performance tests showed that ULOG may fail on heavy loaded systems
because of failed order-N allocations (N >= 1).The default value of 4096 is not optimal in the sense that it actually
allocates _two_ contigous physical pages. Reasoning: ULOG uses
alloc_skb(), which adds another ~300 bytes for skb_shared_info.This patch sets the default value to NLMSG_GOODSIZE and adds some
documentation at the top.Signed-off-by: Holger Eitzenberger
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2006
1 commit
-
This is a simpler fix for the two races in bridge device removal.
The Xen race of delif and notify is managed now by a new deleted flag.
No need for barriers or other locking because of rtnl mutex.The del_timer_sync()'s are unnecessary, because br_stp_disable_port
delete's the timers, and they will finish running before RCU callback.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
18 Jan, 2006
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Jan, 2006
1 commit
-
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headersBased on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
12 Jan, 2006
3 commits
-
net: Use where capable() is used.
Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This removes more unneeded casts on the return value for kmalloc(),
sock_kmalloc(), and vmalloc().Signed-off-by: Kris Katterjohn
Acked-by: James Morris
Signed-off-by: David S. Miller -
For compare_ether_addr()
Signed-off-by: David S. Miller
11 Jan, 2006
2 commits
-
Signed-off-by: Bart De Schuymer
Signed-off-by: David S. Miller -
This changes some memcmp(one,two,ETH_ALEN) to compare_ether_addr(one,two).
Signed-off-by: Kris Katterjohn
Signed-off-by: David S. Miller
07 Jan, 2006
2 commits
-
It looks like the bridge netfilter code does not correctly update
the hardware checksum after popping off the VLAN header.This is by inspection, I have *not* tested this.
To test you would need to set up a filtering bridge with vlans
and a device the does hardware receive checksum (skge, or sungem)Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
This uses is_multicast_ether_addr() because it has recently been
changed to do the same thing these seperate tests are doing.Signed-off-by: Kris Katterjohn
Signed-off-by: David S. Miller
06 Jan, 2006
1 commit
-
These patches add the header linux/if_ether.h and change 1500 to
ETH_DATA_LEN in some files.Signed-off-by: Kris Katterjohn
Signed-off-by: David S. Miller
05 Jan, 2006
2 commits
-
Trivial manual merge fixup for usb_find_interface clashes.
-
Leave the overloaded "hotplug" word to susbsystems which are handling
real devices. The driver core does not "plug" anything, it just exports
the state to userspace and generates events.Signed-off-by: Kay Sievers
Signed-off-by: Greg Kroah-Hartman
04 Jan, 2006
8 commits
-
One of the conversions from memcmp to compare_ether_addr is incorrect.
We need to do relative comparison to determine min MAC address to
use in bridge id.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
To help in reducing the number of include dependencies, several files were
touched as they were getting needed headers indirectly for stuff they use.Thanks also to Alan Menegotto for pointing out that net/dccp/proto.c had
linux/dccp.h include twice.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Add version info to bridge module.
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Add limited ethtool support to bridge to allow disabling
features.Note: if underlying device does not support a feature (like checksum
offload), then the bridge device won't inherit it.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
While in the learning state, run filters but drop the result.
This prevents us from acquiring bad fdb entries in learning state.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Speed of a interface may not be available until carrier
is detected in the case of autonegotiation. To get the correct value
we need to recheck speed after carrier event. But the check needs to
be done in a context that is similar to normal ethtool interface (can sleep).Also, delay check for 1ms to try avoid any carrier bounce transitions.
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Some people are using bridging to hide multiple machines from an ISP
that restricts by MAC address. So in that case allow the bridge mac
address to be set to any of the existing interfaces. I don't want to
allow any arbitrary value and confuse STP.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
This makes ebt_log and ebt_ulog use the new nf_log api. This enables
the bridging packet filter to log packets e.g. via nfnetlink_log.Signed-off-by: Bart De Schuymer
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
27 Dec, 2005
1 commit
-
Call nf_bridge_put() before allocating a new nf_bridge structure and
potentially overwriting the pointer to a previously allocated one.
This fixes a memory leak which can occur when the bridge topology
allows for an skb to traverse more than one bridge.Signed-off-by: David Kimdon
Signed-off-by: David S. Miller
20 Dec, 2005
1 commit
-
A typo caused some bridged IPv6 packets to get dropped randomly,
as reported by Sebastien Chaumontet. The patch below fixes this
(using skb->nh.raw instead of raw) and also makes the jumbo packet
length checking up-to-date with the code in
net/ipv6/exthdrs.c::ipv6_hop_jumbo.Signed-off-by: Bart De Schuymer
Signed-off-by: David S. Miller
24 Nov, 2005
1 commit
-
We must recompute bridge features everytime the list of underlying
devices changes, or we might end up with features that are not
supported by all devices (eg. NETIF_F_TSO)
This patch adds the missing recompute when adding a device to the bridge.Signed-off-by: Olaf Rempel
Signed-off-by: David S. Miller
01 Nov, 2005
1 commit
-
Use compare_ether_addr in bridge code.
Signed-off-by: Stephen Hemminger
Signed-off-by: Arnaldo Carvalho de Melo
14 Oct, 2005
1 commit
-
Original patch by Harald Welte, with feedback from Herbert Xu
and testing by Sébastien Bernard.EBTABLES, ARP tables, and IP/IP6 tables all assume that cpus
are numbered linearly. That is not necessarily true.This patch fixes that up by calculating the largest possible
cpu number, and allocating enough per-cpu structure space given
that.Signed-off-by: David S. Miller
13 Oct, 2005
1 commit
-
This fixes the RCU race on bridge delete interface. Basically,
the network device has to be detached from the bridge in the first
step (pre-RCU), rather than later. At that point, no more bridge traffic
will come in, and the other code will not think that network device
is part of a bridge.This should also fix the XEN test problems.
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
23 Sep, 2005
1 commit
-
Signed-off-by: Vlad Drukker
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
15 Sep, 2005
1 commit
-
Here's a slightly altered patch, originally from Mark Glines who
diagnosed and fixed the problem.Signed-off-by: Bart De Schuymer
Signed-off-by: David S. Miller
30 Aug, 2005
6 commits
-
This patch puts mostly read only data in the right section
(read_mostly), to help sharing of these data between CPUS without
memory ping pongs.On one of my production machine, tcp_statistics was sitting in a
heavily modified cache line, so *every* SNMP update had to force a
reload.Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Reduces skb size by 8 bytes on 64-bit.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
- Remove bogus code for compiling netlink as module
- Add module refcounting support for modules implementing a netlink
protocol
- Add support for autoloading modules that implement a netlink protocol
as soon as someone opens a socket for that protocolSigned-off-by: Harald Welte
Signed-off-by: David S. Miller -
As discussed at netconf'05, we're trying to save every bit in sk_buff.
The patch below makes sk_buff 8 bytes smaller. I did some basic
testing on my notebook and it seems to work.The only real in-tree user of nfcache was IPVS, who only needs a
single bit. Unfortunately I couldn't find some other free bit in
sk_buff to stuff that bit into, so I introduced a separate field for
them. Maybe the IPVS guys can resolve that to further save space.Initially I wanted to shrink pkt_type to three bits (PACKET_HOST and
alike are only 6 values defined), but unfortunately the bluetooth code
overloads pkt_type :(The conntrack-event-api (out-of-tree) uses nfcache, but Rusty just
came up with a way how to do it without any skb fields, so it's safe
to remove it.- remove all never-implemented 'nfcache' code
- don't have ipvs code abuse 'nfcache' field. currently get's their own
compile-conditional skb->ipvs_property field. IPVS maintainers can
decide to move this bit elswhere, but nfcache needs to die.
- remove skb->nfcache field to save 4 bytes
- move skb->nfctinfo into three unused bits to save further 4 bytesSigned-off-by: Harald Welte
Signed-off-by: David S. Miller
20 Jul, 2005
1 commit
-
BRIDGE_EBT_ARPREPLY=y and INET=n results in the following compile error:
net/built-in.o: In function `ebt_target_reply':
ebt_arpreply.c:(.text+0x68fb9): undefined reference to `arp_send'
make: *** [.tmp_vmlinux1] Error 1Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
12 Jul, 2005
1 commit
-
Move the protocol specific config options out to the specific protocols.
With this change net/Kconfig now starts to become readable and serve as a
good basis for further re-structuring.The menu structure is left almost intact, except that indention is
fixed in most cases. Most visible are the INET changes where several
"depends on INET" are replaced with a single ifdef INET / endif pair.Several new files were created to accomplish this change - they are
small but serve the purpose that config options are now distributed
out where they belongs.Signed-off-by: Sam Ravnborg
Signed-off-by: David S. Miller
