21 May, 2019
1 commit
-
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 or
later as published by the free software foundationextracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 9 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Steve Winslow
Reviewed-by: Jilayne Lovejoy
Reviewed-by: Allison Randal
Reviewed-by: Kate Stewart
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190519154040.848507137@linutronix.de
Signed-off-by: Greg Kroah-Hartman
11 Oct, 2018
2 commits
-
checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
But only netdevice notifier handler can set that.
Hence priv->oif is always -1 until notifier handler is called.Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso -
TEE netdevice notifier handler checks only interface name. however
each netns can have same interface name. hence other netns's interface
could be selected.test commands:
%ip netns add vm1
%iptables -I INPUT -p icmp -j TEE --gateway 192.168.1.1 --oif enp2s0
%ip link set enp2s0 netns vm1Above rule is in the root netns. but that rule could get enp2s0
ifindex of vm1 by notifier handler.After this patch, TEE rule is added to the per-netns list.
Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
17 Jul, 2018
1 commit
-
... from IPV6 to NF_TABLES_IPV6 and IP6_NF_IPTABLES.
In some cases module selects depend on IPV6, but this means that they
select another module even if eg. NF_TABLES_IPV6 is not set in which
case the selected module is useless due to the lack of IPv6 nf_tables
functionality.The same applies for IP6_NF_IPTABLES and iptables.
Joint work with: Arnd Bermann
Signed-off-by: Máté Eckl
Signed-off-by: Pablo Neira Ayuso
30 Mar, 2018
1 commit
-
Register netdevice notifier for every iptable entry
is not good, since this breaks modularity, and
the hidden synchronization is based on rtnl_lock().This patch reworks the synchronization via new lock,
while the rest of logic remains as it was before.
This is required for the next patch.Tested via:
while :; do
unshare -n iptables -t mangle -A OUTPUT -j TEE --gateway 1.1.1.2 --oif lo;
doneSigned-off-by: Kirill Tkhai
Acked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
10 Jan, 2017
1 commit
-
In matches and targets that define a kernel-only tail to their
xt_match and xt_target data structs, add a field .usersize that
specifies up to where data is to be shared with userspace.Performed a search for comment "Used internally by the kernel" to find
relevant matches and targets. Manually inspected the structs to derive
a valid offsetof.Signed-off-by: Willem de Bruijn
Signed-off-by: Pablo Neira Ayuso
03 Nov, 2016
1 commit
-
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.Signed-off-by: Pablo Neira Ayuso
13 Sep, 2016
1 commit
-
There are some codes of netfilter module which did not check the return
value of register_netdevice_notifier. Add the checks now.Signed-off-by: Gao Feng
Signed-off-by: Pablo Neira Ayuso
08 Feb, 2016
1 commit
-
The NETFILTER_XT_TARGET_TEE option selects NF_DUP_IPV6 whenever
IP6_NF_IPTABLES is enabled, and it ensures that it cannot be
builtin itself if NF_CONNTRACK is a loadable module, as that
is a dependency for NF_DUP_IPV6.However, NF_DUP_IPV6 can be enabled even if IP6_NF_IPTABLES is
turned off, and it only really depends on IPV6. With the current
check in tee_tg6, we call nf_dup_ipv6() whenever NF_DUP_IPV6
is enabled. This can however be a loadable module which is
unreachable from a built-in xt_TEE:net/built-in.o: In function `tee_tg6':
:(.text+0x67728): undefined reference to `nf_dup_ipv6'The bug was originally introduced in the split of the xt_TEE module
into separate modules for ipv4 and ipv6, and two patches tried
to fix it unsuccessfully afterwards.This is a revert of the the first incorrect attempt to fix it,
going back to depending on IPV6 as the dependency, and we
adapt the 'select' condition accordingly.Signed-off-by: Arnd Bergmann
Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
Fixes: 116984a316c3 ("netfilter: xt_TEE: use IS_ENABLED(CONFIG_NF_DUP_IPV6)")
Fixes: 74ec4d55c4d2 ("netfilter: fix xt_TEE and xt_TPROXY dependencies")
Signed-off-by: Pablo Neira Ayuso
05 Nov, 2015
1 commit
-
Conflicts:
net/netfilter/xt_TEE.cPablo Neira Ayuso says:
====================
Netfilter fixes for netThe following patchset contains Netfilter fixes for your net tree,
they are:1) Fix crash when TEE target is used with no --oif, from Eric Dumazet.
2) Oneliner to fix a crash on the redirect traffic to localhost
infrastructure when interface has not yet an address, from
Munehisa Kamata.3) Oneliner not to request module all the time from nfnetlink due to
wrong type value, from Florian Westphal.I'll make sure these patches 1 and 2 hit -stable.
====================The conflict in net/netfilter/xt_TEE.c was minor, a change
to the 'oif' selection overlapping a function signature
change for the nf_dup_ipv{4,6}() routines.Signed-off-by: David S. Miller
22 Oct, 2015
1 commit
-
iptables -I INPUT ... -j TEE --gateway 10.1.2.3
because --oif was not specified
tee_tg_check() sets ->priv pointer to NULL in this case.
Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
Signed-off-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso
19 Sep, 2015
1 commit
-
This allows them to stop guessing the network namespace with pick_net.
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
22 Aug, 2015
1 commit
-
Instead of IS_ENABLED(CONFIG_IPV6), otherwise we hit:
et/built-in.o: In function `tee_tg6':
>> xt_TEE.c:(.text+0x6cd8c): undefined reference to `nf_dup_ipv6'when:
CONFIG_IPV6=y
CONFIG_NF_DUP_IPV4=y
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NETFILTER_XT_TARGET_TEE=yReported-by: kbuild test robot
Signed-off-by: Pablo Neira Ayuso
07 Aug, 2015
2 commits
-
Extracted from the xtables TEE target. This creates two new modules for IPv4
and IPv6 that are shared between the TEE target and the new nf_tables dup
expressions.Signed-off-by: Pablo Neira Ayuso
-
Use IS_ENABLED(CONFIG_NF_CONNTRACK) instead.
Signed-off-by: Pablo Neira Ayuso
16 Jul, 2015
2 commits
-
Don't bother testing if we need to switch to alternate stack
unless TEE target is used.Suggested-by: Eric Dumazet
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
This prepares for a TEE like expression in nftables.
We want to ensure only one duplicate is sent, so both will
use the same percpu variable to detect duplication.The other use case is detection of recursive call to xtables, but since
we don't want dependency from nft to xtables core its put into core.c
instead of the x_tables core.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
26 May, 2015
1 commit
-
The neighbor look-up used to depend on the rt6i_gateway (if
there is a gateway) or the rt6i_dst (if it is a RTF_CACHE clone)
as the nexthop address. Note that rt6i_dst is set to fl6->daddr
for the RTF_CACHE clone where fl6->daddr is the one used to do
the route look-up.Now, we only create RTF_CACHE clone after encountering exception.
When doing the neighbor look-up with a route that is neither a gateway
nor a RTF_CACHE clone, the daddr in skb will be used as the nexthop.In some cases, the daddr in skb is not the one used to do
the route look-up. One example is in ip_vs_dr_xmit_v6() where the
real nexthop server address is different from the one in the skb.This patch is going to follow the IPv4 approach and ask the
ip6_pol_route() callers to set the FLOWI_FLAG_KNOWN_NH properly.In the next patch, ip6_pol_route() will honor the FLOWI_FLAG_KNOWN_NH
and create a RTF_CACHE clone.Signed-off-by: Martin KaFai Lau
Acked-by: Julian Anastasov
Tested-by: Julian Anastasov
Cc: Hannes Frederic Sowa
Cc: Steffen Klassert
Signed-off-by: David S. Miller
29 May, 2013
1 commit
-
So far, only net_device * could be passed along with netdevice notifier
event. This patch provides a possibility to pass custom structure
able to provide info that event listener needs to know.Signed-off-by: Jiri Pirko
v2->v3: fix typo on simeth
shortened dev_getter
shortened notifier_info struct name
v1->v2: fix notifier_call parameter in call_netdevice_notifier()
Signed-off-by: David S. Miller
17 Oct, 2012
1 commit
-
Torsten Luettgert bisected TEE regression starting with commit
f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.)The problem is that it tries to ARP-lookup the original destination
address of the forwarded packet, not the address of the gateway.Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit
c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known
nexthop (info->gw.ip) has preference on resolving.Reported-by: Torsten Luettgert
Bisected-by: Torsten Luettgert
Tested-by: Torsten Luettgert
Cc: Julian Anastasov
Signed-off-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso
15 May, 2012
1 commit
-
percpu_xxx funcs are duplicated with this_cpu_xxx funcs, so replace
them for further code clean up.And in preempt safe scenario, __this_cpu_xxx funcs may has a bit
better performance since __this_cpu_xxx has no redundant
preempt_enable/preempt_disable on some architectures.Signed-off-by: Alex Shi
Acked-by: Eric Dumazet
Acked-by: David S. Miller
Cc: Patrick McHardy
Signed-off-by: Andrew Morton
Signed-off-by: Tejun Heo
23 Feb, 2012
1 commit
-
ip6_route_output() never returns NULL, so it is wrong to
check if the return value is NULL.Signed-off-by: RongQing.Li
Signed-off-by: David S. Miller
17 Dec, 2011
1 commit
-
Use IS_ENABLED(CONFIG_FOO)
instead of defined(CONFIG_FOO) || defined (CONFIG_FOO_MODULE)Signed-off-by: Igor Maravić
Signed-off-by: David S. Miller
12 Dec, 2011
1 commit
-
Instead of testing defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
13 Mar, 2011
3 commits
-
Signed-off-by: David S. Miller
-
Signed-off-by: David S. Miller
-
I intend to turn struct flowi into a union of AF specific flowi
structs. There will be a common structure that each variant includes
first, much like struct sock_common.This is the first step to move in that direction.
Signed-off-by: David S. Miller
03 Mar, 2011
1 commit
-
Instead of on the stack.
Signed-off-by: David S. Miller
18 Nov, 2010
1 commit
-
Use the macros defined for the members of flowi to clean the code up.
Signed-off-by: Changli Gao
Signed-off-by: David S. Miller
15 Jun, 2010
1 commit
-
Conflicts:
include/net/netfilter/xt_rateest.h
net/bridge/br_netfilter.c
net/netfilter/nf_conntrack_core.cSigned-off-by: Patrick McHardy
11 Jun, 2010
1 commit
-
remove useless union keyword in rtable, rt6_info and dn_route.
Since there is only one member in a union, the union keyword isn't useful.
Signed-off-by: Changli Gao
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
08 Jun, 2010
1 commit
-
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet. This is bad for performance.
__read_mostly annotation is also a bad choice.This patch introduces IPS_UNTRACKED bit so that we can use later a
per_cpu untrack structure more easily.A new helper, nf_ct_untracked_get() returns a pointer to
nf_conntrack_untracked.Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
IPS_NAT_DONE_MASK bits to untracked status.nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
28 May, 2010
1 commit
-
After commit 7fee226a (net: add a noref bit on skb dst), its wrong to
use : dst_release(skb_dst(skb)), since we could decrement a refcount
while skb dst was not refcounted.We should use skb_dst_drop(skb) instead.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
12 May, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
20 Apr, 2010
1 commit
-
Replace the runtime oif name resolving by netdevice notifier based
resolving. When an oif is given, a netdevice notifier is registered
to resolve the name on NETDEV_REGISTER or NETDEV_CHANGE and unresolve
it again on NETDEV_UNREGISTER or NETDEV_CHANGE to a different name.Signed-off-by: Patrick McHardy
19 Apr, 2010
2 commits
-
Since Xtables is now reentrant/nestable, the cloned packet can also go
through Xtables and be subject to rules itself.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
xt_TEE can be used to clone and reroute a packet. This can for
example be used to copy traffic at a router for logging purposes
to another dedicated machine.References: http://www.gossamer-threads.com/lists/iptables/devel/68781
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy