24 Jun, 2016

1 commit

• 7643507fe   netfilter: xt_NFLOG: nflog-range does not truncate packets ... Browse Code »

  li->u.ulog.copy_len is currently ignored by the kernel, we should truncate
  the packet to either li->u.ulog.copy_len (if set) or copy_range before
  sending it to userspace. 0 is a valid input for copy_len, so add a new
  flag to indicate whether this was option was specified by the user or not.

  Add two flags to indicate whether nflog-size/copy_len was set or not.
  XT_NFLOG_F_COPY_LEN is for XT_NFLOG and NFLOG_F_COPY_LEN for nfnetlink_log

  On the userspace side, this was initially represented by the option
  nflog-range, this will be replaced by --nflog-size now. --nflog-range would
  still exist but does not do anything.

  Reported-by: Joe Dollard
  Reviewed-by: Josh Hunt
  Signed-off-by: Vishwanath Pai
  Signed-off-by: Pablo Neira Ayuso

  Vishwanath Pai

  2016-06-24 17:03:23 +0800  

19 Sep, 2015

1 commit

• 686c9b508   netfilter: x_tables: Use par->net instead of computing from the passed net devices ... Browse Code »

  Signed-off-by: "Eric W. Biederman"
  Signed-off-by: Pablo Neira Ayuso

  Eric W. Biederman

  2015-09-19 03:58:25 +0800  

15 May, 2013

1 commit

• 8cdb46da0   netfilter: log: netns NULL ptr bug when calling from conntrack ... Browse Code »

  Since (69b34fb netfilter: xt_LOG: add net namespace support
  for xt_LOG), we hit this:

  [ 4224.708977] BUG: unable to handle kernel NULL pointer dereference at 0000000000000388
  [ 4224.709074] IP: [] ipt_log_packet+0x29/0x270

  when callling log functions from conntrack both in and out
  are NULL i.e. the net pointer is invalid.

  Adding struct net *net in call to nf_logfn() will secure that
  there always is a vaild net ptr.

  Reported as netfilter's bugzilla bug 818:
  https://bugzilla.netfilter.org/show_bug.cgi?id=818

  Reported-by: Ronald
  Signed-off-by: Hans Schillstrom
  Signed-off-by: Pablo Neira Ayuso

  Hans Schillstrom

  2013-05-15 20:11:07 +0800  

12 May, 2010

1 commit

• 4b560b447   netfilter: xtables: substitute temporary defines by final name ... Browse Code »

  Signed-off-by: Jan Engelhardt

  Jan Engelhardt

  2010-05-12 00:31:17 +0800  

25 Mar, 2010

2 commits

• d6b00a534   netfilter: xtables: change targets to return error code ... Browse Code »

  Part of the transition of done by this semantic patch:
  //
  @ rule1 @
  struct xt_target ops;
  identifier check;
  @@
  ops.checkentry = check;

  @@
  identifier rule1.check;
  @@
  check(...) { }

  @@
  identifier rule1.check;
  @@
  check(...) { }
  //

  Signed-off-by: Jan Engelhardt

  Jan Engelhardt

  2010-03-25 23:55:49 +0800  
• 135367b8f   netfilter: xtables: change xt_target.checkentry return type ... Browse Code »

  Restore function signatures from bool to int so that we can report
  memory allocation failures or similar using -ENOMEM rather than
  always having to pass -EINVAL back.

  //
  @@
  type bool;
  identifier check, par;
  @@
  -bool check
  +int check
  (struct xt_tgchk_param *par) { ... }
  //

  Minus the change it does to xt_ct_find_proto.

  Signed-off-by: Jan Engelhardt

  Jan Engelhardt

  2010-03-25 23:04:33 +0800  

04 Nov, 2008

1 commit

• 5f7340eff   netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. ... Browse Code »

  This patch modifies xt_NFLOG to suppress the call to nf_log_packet()
  function. The call of this wrapper in xt_NFLOG was causing NFLOG to
  use the first initialized module. Thus, if ipt_ULOG is loaded before
  nfnetlink_log all NFLOG rules are treated as plain LOG rules.

  Signed-off-by: Eric Leblond
  Signed-off-by: Patrick McHardy

  Eric Leblond

  2008-11-04 21:21:08 +0800  

08 Oct, 2008

4 commits

• 92f3b2b1b   netfilter: xtables: cut down on static data for family-independent extensions ... Browse Code »

  Using ->family in struct xt_*_param, multiple struct xt_{match,target}
  can be squashed together.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy

  Jan Engelhardt

  2008-10-08 17:35:20 +0800  
• af5d6dc20   netfilter: xtables: move extension arguments into compound structure (5/6) ... Browse Code »

  This patch does this for target extensions' checkentry functions.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy

  Jan Engelhardt

  2008-10-08 17:35:19 +0800  
• 7eb355865   netfilter: xtables: move extension arguments into compound structure (4/6) ... Browse Code »

  This patch does this for target extensions' target functions.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy

  Jan Engelhardt

  2008-10-08 17:35:19 +0800  
• ee999d8b9   netfilter: x_tables: use NFPROTO_* in extensions ... Browse Code »

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy

  Jan Engelhardt

  2008-10-08 17:35:01 +0800  

29 Jan, 2008

3 commits

• 2ae15b64e   [NETFILTER]: Update modules' descriptions ... Browse Code »

  Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
  actually describing what the module does and not just
  "netfilter XYZ target".

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Jan Engelhardt

  2008-01-29 07:02:26 +0800  
• f01ffbd6e   [NETFILTER]: nf_log: move logging stuff to seperate header ... Browse Code »

  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Patrick McHardy

  2008-01-29 06:58:58 +0800  
• d3c5ee6d5   [NETFILTER]: x_tables: consistent and unique symbol names ... Browse Code »

  Give all Netfilter modules consistent and unique symbol names.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Jan Engelhardt

  2008-01-29 06:55:53 +0800  

16 Oct, 2007

1 commit

• 3db05fea5   [NETFILTER]: Replace sk_buff ** with sk_buff * ... Browse Code »

  With all the users of the double pointers removed, this patch mops up by
  finally replacing all occurances of sk_buff ** in the netfilter API by
  sk_buff *.

  Signed-off-by: Herbert Xu
  Signed-off-by: David S. Miller

  Herbert Xu

  2007-10-16 03:26:29 +0800  

11 Jul, 2007

3 commits

• 9f15c5302   [NETFILTER]: x_tables: mark matches and targets __read_mostly ... Browse Code »

  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Patrick McHardy

  2007-07-11 13:17:15 +0800  
• a47362a22   [NETFILTER]: add some consts, remove some casts ... Browse Code »

  Make a number of variables const and/or remove unneeded casts.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Jan Engelhardt

  2007-07-11 13:17:01 +0800  
• e1931b784   [NETFILTER]: x_tables: switch xt_target->checkentry to bool ... Browse Code »

  Switch the return type of target checkentry functions to boolean.

  Signed-off-by: Jan Engelhardt
  Signed-off-by: Patrick McHardy
  Signed-off-by: David S. Miller

  Jan Engelhardt

  2007-07-11 13:16:59 +0800  

03 Dec, 2006

1 commit

• baf7b1e11   [NETFILTER]: x_tables: add NFLOG target ... Browse Code »

  Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
  Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
  targets to optionally call to the nflog API. They lack a few features,
  namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
  related to nfnetlink_log, while the ULOG target is only available for IPv4.
  Remove those hacks and add a clean way to use nfnetlink_log.

  Signed-off-by: Patrick McHardy

  Patrick McHardy

  2006-12-03 13:31:31 +0800