19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
01 Aug, 2017
3 commits
-
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso -
Allocate all table names dynamically to allow for arbitrary lengths but
introduce NFT_NAME_MAXLEN as an upper sanity boundary. It's value was
chosen to allow using a domain name as per RFC 1035.Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso -
nft_trace_notify() is called only from __nft_trace_packet(), which
assigns its parameter 'chain' to info->chain. __nft_trace_packet() in
turn later dereferences 'chain' unconditionally, which indicates that
it's never NULL. Same does nft_do_chain(), the only user of the tracing
infrastructure. Hence it is safe to assume the check removed here is not
needed.Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
07 Apr, 2017
1 commit
-
Add and use nfnl_msg_type() function to replace opencoded nfnetlink
message type. I suggested this change, Arushi Singhal made an initial
patch to address this but was missing several spots.Signed-off-by: Pablo Neira Ayuso
03 Nov, 2016
1 commit
-
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.Signed-off-by: Pablo Neira Ayuso
26 Sep, 2016
1 commit
-
Conflicts:
net/netfilter/core.c
net/netfilter/nf_tables_netdev.cResolve two conflicts before pull request for David's net-next tree:
1) Between c73c24849011 ("netfilter: nf_tables_netdev: remove redundant
ip_hdr assignment") from the net tree and commit ddc8b6027ad0
("netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()").2) Between e8bffe0cf964 ("net: Add _nf_(un)register_hooks symbols") and
Aaron Conole's patches to replace list_head with single linked list.Signed-off-by: Pablo Neira Ayuso
23 Sep, 2016
1 commit
-
pkt->xt.thoff is not always set properly, but we use it without any check.
For payload expr, it will cause wrong results. For nftrace, we may notify
the wrong network or transport header to the user space, furthermore,
input the following nft rules, warning message will be printed out:
# nft add rule arp filter output meta nftrace set 1WARNING: CPU: 0 PID: 13428 at net/netfilter/nf_tables_trace.c:263
nft_trace_notify+0x4a3/0x5e0 [nf_tables]
Call Trace:
[] dump_stack+0x63/0x85
[] __warn+0xcb/0xf0
[] warn_slowpath_null+0x1d/0x20
[] nft_trace_notify+0x4a3/0x5e0 [nf_tables]
[ ... ]
[] nft_do_chain_arp+0x78/0x90 [nf_tables_arp]
[] nf_iterate+0x62/0x80
[] nf_hook_slow+0x73/0xd0
[] arp_xmit+0x8f/0xb0
[ ... ]
[] arp_solicit+0x106/0x2c0So before we use pkt->xt.thoff, check the tprot_set first.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
06 Sep, 2016
1 commit
-
NFTA_TRACE_POLICY attribute is big endian, but we forget to call
htonl to convert it. Fortunately, this attribute is parsed as big
endian in libnftnl.Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
24 Apr, 2016
1 commit
-
nla_data() is now aligned on a 64-bit area.
A temporary version (nla_put_be64_32bit()) is added for nla_put_net64().
This function is removed in the next patch.Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
09 Dec, 2015
2 commits
-
Only needed when meta nftrace rule(s) were added.
The assumption is that no such rules are active, so the call to
nft_trace_init is "never" needed.When nftrace rules are active, we always call the nft_trace_* functions,
but will only send netlink messages when all of the following are true:- traceinfo structure was initialised
- skb->nf_trace == 1
- at least one subscriber to trace group.Adding an extra conditional
(static_branch ... && skb->nf_trace)
nft_trace_init( ..)Is possible but results in a larger nft_do_chain footprint.
Signed-off-by: Florian Westphal
Acked-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
nft monitor mode can then decode and display this trace data.
Parts of LL/Network/Transport headers are provided as separate
attributes.Otherwise, printing IP address data becomes virtually impossible
for userspace since in the case of the netdev family we really don't
want userspace to have to know all the possible link layer types
and/or sizes just to display/print an ip address.We also don't want userspace to have to follow ipv6 header chains
to get the s/dport info, the kernel already did this work for us.To avoid bloating nft_do_chain all data required for tracing is
encapsulated in nft_traceinfo.The structure is initialized unconditionally(!) for each nft_do_chain
invocation.This unconditionall call will be moved under a static key in a
followup patch.With lots of help from Patrick McHardy and Pablo Neira.
Signed-off-by: Florian Westphal
Acked-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
