01 Aug, 2017

1 commit

• 591bb2789   netfilter: nf_hook_ops structs can be const ... Browse Code »

  We no longer place these on a list so they can be const.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2017-08-01 01:10:44 +0800  

02 Jun, 2017

1 commit

• e661a5827   smack: use pernet operations for hook registration ... Browse Code »

  It will allow us to remove the old netfilter hook api in the near future.

  Signed-off-by: Florian Westphal
  Signed-off-by: Casey Schaufler

  Florian Westphal

  2017-06-02 00:26:43 +0800  

09 Aug, 2016

1 commit

• 1a93a6eac   security: Use IS_ENABLED() instead of checking for built-in or module ... Browse Code »

  The IS_ENABLED() macro checks if a Kconfig symbol has been enabled
  either built-in or as a module, use that macro instead of open coding
  the same.

  Signed-off-by: Javier Martinez Canillas
  Acked-by: Casey Schaufler
  Signed-off-by: Paul Moore

  Javier Martinez Canillas

  2016-08-09 01:08:25 +0800  

09 Nov, 2015

1 commit

• 8827d90e2   smack: use skb_to_full_sk() helper ... Browse Code »

  This module wants to access sk->sk_security, which is not
  available for request sockets.

  Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
  Signed-off-by: Eric Dumazet
  Signed-off-by: David S. Miller

  Eric Dumazet

  2015-11-09 09:56:38 +0800  

17 Oct, 2015

1 commit

• 2ffbceb2b   netfilter: remove hook owner refcounting ... Browse Code »

  since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on
  nf_unregister_hook") all pending queued entries are discarded.

  So we can simply remove all of the owner handling -- when module is
  removed it also needs to unregister all its hooks.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2015-10-17 00:21:39 +0800  

19 Sep, 2015

1 commit

• 06198b34a   netfilter: Pass priv instead of nf_hook_ops to netfilter hooks ... Browse Code »

  Only pass the void *priv parameter out of the nf_hook_ops. That is
  all any of the functions are interested now, and by limiting what is
  passed it becomes simpler to change implementation details.

  Signed-off-by: "Eric W. Biederman"
  Signed-off-by: Pablo Neira Ayuso

  Eric W. Biederman

  2015-09-19 04:00:16 +0800  

05 Apr, 2015

1 commit

• 238e54c9c   netfilter: Make nf_hookfn use nf_hook_state. ... Browse Code »

  Pass the nf_hook_state all the way down into the hook
  functions themselves.

  Signed-off-by: David S. Miller

  David S. Miller

  2015-04-05 00:31:38 +0800  

21 Jan, 2015

1 commit

• 69f287ae6   Smack: secmark support for netfilter ... Browse Code »

  Smack uses CIPSO to label internet packets and thus provide
  for access control on delivery of packets. The netfilter facility
  was not used to allow for Smack to work properly without netfilter
  configuration. Smack does not need netfilter, however there are
  cases where it would be handy.

  As a side effect, the labeling of local IPv4 packets can be optimized
  and the handling of local IPv6 packets is just all out better.

  The best part is that the netfilter tools use "contexts" that
  are just strings, and they work just as well for Smack as they
  do for SELinux.

  All of the conditional compilation for IPv6 was implemented
  by Rafal Krypa

  Signed-off-by: Casey Schaufler

  Casey Schaufler

  2015-01-21 08:34:25 +0800