06 Apr, 2019
1 commit
-
[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]
Following command:
iptables -D FORWARD -m physdev ...
causes connectivity loss in some setups.Reason is that iptables userspace will probe kernel for the module revision
of the physdev patch, and physdev has an artificial dependency on
br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
is loaded).This causes the "phydev" module to be loaded, which in turn enables the
"call-iptables" infrastructure.bridged packets might then get dropped by the iptables ruleset.
The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1, but that breaks backwards compatibility.This does the next best thing: add a request_module call to checkentry.
This was a stray '-D ... -m physdev' won't activate br_netfilter
anymore.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
15 Feb, 2018
1 commit
-
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
12 Aug, 2016
1 commit
-
Signed-off-by: Hangbin Liu
Signed-off-by: Pablo Neira Ayuso
11 Jul, 2016
1 commit
-
physdev_mt() will check skb->nf_bridge first, which was alloced in
br_nf_pre_routing. So if we want to use --physdev-out and physdev-is-out,
we need to match it in FORWARD or POSTROUTING chain. physdev_mt_check()
only checked physdev-out and missed physdev-is-out. Fix it and update the
debug message to make it clearer.Signed-off-by: Hangbin Liu
Reviewed-by: Marcelo R Leitner
Signed-off-by: Pablo Neira Ayuso
08 Apr, 2015
1 commit
-
Avoid skb->nf_bridge accesses where possible.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
16 Mar, 2015
1 commit
-
Its not needed anymore since 2bf540b73ed5b
([NETFILTER]: bridge-netfilter: remove deferred hooks).
Before this it was possible to have physoutdev set for locally generated
packets -- this isn't the case anymore:BRNF_STATE_BRIDGED flag is set when we assign nf_bridge->physoutdev,
so physoutdev != NULL means BRNF_STATE_BRIDGED is set.
If physoutdev is NULL, then we are looking at locally-delivered and
routed packet.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
03 Oct, 2014
1 commit
-
You can use physdev to match the physical interface enslaved to the
bridge device. This information is stored in skb->nf_bridge and it is
set up by br_netfilter. So, this is only available when iptables is
used from the bridge netfilter path.Since 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the br_netfilter code is modular. To reduce the impact of this change,
we can autoload the br_netfilter if the physdev match is used since
we assume that the users need br_netfilter in place.Signed-off-by: Pablo Neira Ayuso
12 May, 2010
2 commits
-
In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).Signed-off-by: Jan Engelhardt
-
Signed-off-by: Jan Engelhardt
25 Mar, 2010
2 commits
-
The following semantic patch does part of the transformation:
//
@ rule1 @
struct xt_match ops;
identifier check;
@@
ops.checkentry = check;@@
identifier rule1.check;
@@
check(...) { }@@
identifier rule1.check;
@@
check(...) { }
//Signed-off-by: Jan Engelhardt
-
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.This semantic patch may not be too precise (checking for functions
that use xt_mtchk_param rather than functions referenced by
xt_match.checkentry), but reviewed, it produced the intended result.//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_mtchk_param *par) { ... }
//Signed-off-by: Jan Engelhardt
18 Mar, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
26 Mar, 2009
1 commit
-
We use same not trivial helper function in four places. We can factorize it.
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
19 Feb, 2009
2 commits
-
xt_physdev netfilter module can use an ifname_compare() helper
so that two loops are unfolded.Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy -
1) physdev_mt() incorrectly assumes nulldevname[] is aligned on an int
2) It also uses word comparisons, while it could use long word ones.
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
08 Oct, 2008
4 commits
-
Lots of extensions are completely family-independent, so squash some code.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This patch does this for match extensions' checkentry functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
The function signatures for Xtables extensions have grown over time.
It involves a lot of typing/replication, and also a bit of stack space
even if they are not used. Realize an NFWS2008 idea and pack them into
structs. The skb remains outside of the struct so gcc can continue to
apply its optimizations.This patch does this for match extensions' match functions.
A few ambiguities have also been addressed. The "offset" parameter for
example has been renamed to "fragoff" (there are so many different
offsets already) and "protoff" to "thoff" (there is more than just one
protocol here, so clarify).Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
29 Jan, 2008
3 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Give all Netfilter modules consistent and unique symbol names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
25 Jul, 2007
1 commit
-
This patch cleans up duplicate includes in
net/netfilter/Signed-off-by: Jesper Juhl
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Jul, 2007
5 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Make a number of variables const and/or remove unneeded casts.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the "hotdrop" variables to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Dec, 2006
1 commit
-
Remove the deferred hooks and all related code as scheduled in
feature-removal-schedule.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
23 Sep, 2006
2 commits
-
The size is verified by x_tables and isn't needed by the modules anymore.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
18 Aug, 2006
1 commit
-
It needs netfilter_bridge.h for brnf_deferred_hooks
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
25 Jul, 2006
1 commit
-
Add bridge netfilter deferred output hooks to feature-removal-schedule
and disable them by default. Until their removal they will be
activated by the physdev match when needed.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Mar, 2006
1 commit
-
Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.So go through and rename them all to $(filename)_init and
$(filename)_fini.Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
23 Mar, 2006
1 commit
-
Set the family field in xt_[matches|targets] registered.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
21 Mar, 2006
2 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Jan, 2006
1 commit
-
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headersBased on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
